WO2022179115A1 - User authentication method and apparatus, server and storage medium - Google Patents


Info

Publication number
WO2022179115A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
data acquisition
acquisition request
random number
key pair
Application number
PCT/CN2021/123635
Other languages
French (fr)
Chinese (zh)
Inventor
郑如刚
Original Assignee
深圳壹账通智能科技有限公司
Application filed by 深圳壹账通智能科技有限公司
Publication of WO2022179115A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58 Random or pseudo-random number generators
    • G06F7/588 Random number generators, i.e. based on natural stochastic processes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • the present application relates to the technical field of security protection, and in particular, to a user authentication method, device, server and storage medium.
  • with the increasing demand for information security, when a client requests data from a business system, the business system usually performs user authentication on the client.
  • the inventor realized that when the business system receives data acquisition requests from multiple clients at the same time, it has to authenticate all of them, so that the threads of the business system are occupied and the business system cannot process other requests.
  • the token sent by the business system to the client is stored in a local file on the client, and that local file is easily attacked, so the token is easily leaked, which reduces the security of data in the business system.
  • a first aspect of the present application provides a user authentication method, which is applied to a server, where the server communicates with a client and a plurality of business systems respectively, and the user authentication method includes:
  • a second aspect of the present application provides a server including a processor and a memory, the processor being configured to execute computer-readable instructions stored in the memory to implement the following steps:
  • a third aspect of the present application provides a computer-readable storage medium having at least one computer-readable instruction stored thereon, the at least one computer-readable instruction being executed by a processor to implement the following steps:
  • a fourth aspect of the present application provides a user authentication device, which runs in a server, and the server communicates with a client and a plurality of business systems respectively, and the user authentication device includes:
  • the generating unit is configured to, when receiving the access requirement sent by the client, generate a first key pair corresponding to the client according to the access requirement, and send the first public key in the first key pair to the client;
  • a verification unit configured to receive a data acquisition request generated by the client based on the first public key, and to verify the data acquisition request by using the private key in the first key pair;
  • an acquisition unit configured to determine a system to be accessed from the data acquisition request, and acquire a second key pair corresponding to the system to be accessed if the private key is successfully verified against the data acquisition request;
  • an encryption unit configured to obtain an access instruction from the data acquisition request, and encrypt the access instruction with the second public key in the second key pair to obtain an access ciphertext
  • a sending unit configured to send the access ciphertext to the system to be accessed.
  • the application does not need to verify the data acquisition request through the business system, which avoids the occupation of threads of the business system and improves the high availability of the business system.
  • the data acquisition request is verified by using the private key; since the private key is different from the first public key sent to the client, it is ensured that the client has the right to access the system to be accessed. At the same time, after the private key successfully verifies the data acquisition request, the second public key is used to encrypt the acquired access instruction, which prevents the access instruction from being tampered with, thereby improving the security of the business system and ensuring data security in the business system.
  • FIG. 1 is an application environment diagram of a preferred embodiment of the user authentication method of the present application.
  • FIG. 2 is a flowchart of a preferred embodiment of the user authentication method of the present application.
  • FIG. 3 is a functional block diagram of a preferred embodiment of the user authentication device of the present application.
  • FIG. 4 is a schematic structural diagram of a server implementing a preferred embodiment of the user authentication method of the present application.
  • referring to FIG. 1, it is an application environment diagram of a preferred embodiment of the user authentication method of the present application.
  • the application environment diagram includes a server 1 , a client 2 and a business system 3 .
  • the server 1 communicates with a client 2, and the client 2 is used to generate a request.
  • the server 1 communicates with a plurality of business systems 3, and each business system stores a variety of business data.
  • referring to FIG. 2, it is a flowchart of a preferred embodiment of the user authentication method of the present application. According to different requirements, the order of the steps in this flowchart can be changed, and some steps can be omitted.
  • the user authentication method is applied in a smart security scenario, thereby promoting the construction of a smart city.
  • the user authentication method is applied to one or more servers; a server is a device that can automatically perform numerical calculation and/or information processing according to pre-set or stored computer-readable instructions, and its hardware includes, but is not limited to, microprocessors, application specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital signal processors (DSPs), embedded devices, etc.
  • the server can be any electronic product that can interact with users, such as personal computers, tablet computers, smart phones, personal digital assistants (Personal Digital Assistant, PDA), game consoles, interactive network televisions (Internet Protocol Television, IPTV), smart wearable devices, etc.
  • the server may include network equipment and/or user equipment.
  • the network device includes, but is not limited to, a single network server, a server group formed by multiple network servers, or a cloud formed by a large number of hosts or network servers based on cloud computing (Cloud Computing).
  • the network where the server is located includes, but is not limited to, the Internet, a wide area network, a metropolitan area network, a local area network, a virtual private network (Virtual Private Network, VPN), and the like.
  • the information carried in the access requirement includes, but is not limited to, an access object and the like.
  • the first key pair includes the first public key and the private key.
  • the first key pair refers to a key between the server and the client.
  • generating, by the server according to the access requirement, a first key pair corresponding to the client includes:
  • obtaining a permission list where device information of multiple devices is stored in the permission list, and the multiple devices have permissions to access the business system, and the business system includes multiple systems connected to the server;
  • the first key pair is generated according to the first random number and the second random number.
  • through the permission list, it can be detected whether the client has permission to access the business system; then, when the client has that permission, the first random number is generated according to the serial number and the second random number, and since the order of different devices in the permission list is different, a unique first key pair can be generated.
  • generating the first key pair by the server according to the first random number and the second random number includes:
  • when both the first random number and the second random number are prime numbers, calculating the product of the first random number and the second random number to obtain a target value;
  • the first candidate value is determined as the first value, and the target value and the first value are concatenated to obtain the first public key in the first key pair;
  • the second candidate value is determined as the second value, and the target value and the second value are concatenated to obtain the private key in the first key pair.
  • the preset value is a value set in advance, and the present application does not limit its specific value.
  • the first key pair is generated according to the first random number and the second random number, and the security of the first key pair can be improved.
  • the method further includes:
  • S11: receive a data acquisition request generated by the client based on the first public key, and verify the data acquisition request by using the private key in the first key pair.
  • the information carried in the data acquisition request includes, but is not limited to, the access object and the like.
  • before receiving the data acquisition request generated by the client based on the first public key, the method further includes:
  • the server using the private key in the first key pair to verify the data acquisition request includes:
  • the verification efficiency can be improved.
  • the method further includes:
  • the prompt information can be generated in time, so that the client learns the outcome of the data acquisition request.
  • the second key pair may also be stored in a node of a blockchain.
  • the system to be accessed refers to the system from which the data acquisition request acquires business data.
  • the second key pair refers to a key between the server and the system to be accessed.
  • the server determining the system to be accessed from the data acquisition request includes:
  • a system corresponding to the system code is determined as the system to be accessed.
  • system code can uniquely identify the system.
  • the system to be accessed can be quickly determined through the mapping relationship between the system code and the system.
  • obtaining, by the server, the second key pair corresponding to the system to be accessed includes:
  • the key pair corresponding to the system code is obtained from the key list as the second key pair.
  • the second key pair can be accurately acquired from the system to be accessed.
  • the access instruction refers to a message of the data acquisition request, and the access instruction includes a label of service data in the system to be accessed.
  • the obtaining, by the server, the access instruction from the data obtaining request includes:
  • the information corresponding to the message location is acquired from the data acquisition request as the access instruction.
  • the access instruction can be quickly acquired from the data acquisition request.
  • the server encrypting the access instruction with the second public key in the second key pair to obtain the access ciphertext includes:
  • each instruction block contains a number of access instructions equal to the configuration value;
  • the multiple sub-ciphertexts are spliced to obtain the access ciphertext.
  • the configuration value is determined according to hardware configuration resources of the server.
  • the generation efficiency of the access ciphertext can be improved without affecting the operation of the server.
  • the sending, by the server, the access ciphertext to the system to be accessed includes:
  • the access ciphertext can be accurately sent to the system to be accessed.
  • after sending the access ciphertext to the system to be accessed, the method further includes:
  • after the access ciphertext is sent, feedback can be returned to the client in time.
  • the user authentication device 11 includes a generation unit 110 , a verification unit 111 , an acquisition unit 112 , an encryption unit 113 , a transmission unit 114 , a detection unit 115 and a reception unit 116 .
  • the module/unit referred to in this application refers to a series of computer-readable instruction segments that can be acquired by the processor 13 and can perform fixed functions, and are stored in the memory 12 . In this embodiment, the functions of each module/unit will be described in detail in subsequent embodiments.
  • when receiving the access requirement sent by the client, the generating unit 110 generates a first key pair corresponding to the client according to the access requirement, and sends the first public key in the first key pair to the client.
  • the generating unit 110 generating the first key pair corresponding to the client according to the access requirement includes:
  • the generating unit 110 generating the first key pair according to the first random number and the second random number includes:
  • the verification unit 111 receives the data acquisition request generated by the client based on the first public key, and uses the private key in the first key pair to verify the data acquisition request.
  • before the data acquisition request generated by the client based on the first public key is received, the acquisition unit 112 acquires the first sending address of the access requirement and the second sending address of the data acquisition request;
  • the detection unit 115 detects whether the second sending address is the same as the first sending address
  • the receiving unit 116 receives the data acquisition request.
  • the verification unit 111 using the private key in the first key pair to verify the data acquisition request includes:
  • the generating unit 110 determines that the private key fails to verify the data acquisition request, and generates prompt information for the data acquisition request;
  • the sending unit 114 sends the prompt information to the client.
  • the acquisition unit 112 determines the system to be accessed from the data acquisition request, and acquires a second key pair corresponding to the system to be accessed.
  • the obtaining unit 112 determining the system to be accessed from the data obtaining request includes:
  • the acquiring unit 112 acquiring the second key pair corresponding to the system to be accessed includes:
  • the encryption unit 113 acquires the access instruction from the data acquisition request, and encrypts the access instruction with the second public key in the second key pair to obtain the access ciphertext.
  • obtaining the access instruction from the data obtaining request by the encryption unit 113 includes:
  • the encryption unit 113 encrypting the access instruction with the second public key in the second key pair to obtain the access ciphertext includes:
  • the sending unit 114 sends the access ciphertext to the system to be accessed.
  • the sending unit 114 sending the access ciphertext to the system to be accessed includes:
  • after the access ciphertext is sent to the system to be accessed, the generating unit 110 generates a feedback packet for the data acquisition request;
  • the sending unit 114 sends the feedback packet to the client.
  • referring to FIG. 4, it is a schematic structural diagram of a server implementing a preferred embodiment of the user authentication method of the present application.
  • the server 1 includes, but is not limited to, a memory 12, a processor 13, and computer-readable instructions stored in the memory 12 and executable on the processor 13, such as user authentication procedures.
  • the schematic diagram is only an example of the server 1 and does not constitute a limitation on the server 1; it may include more or fewer components than shown in the figure, or combine some components, or
  • the server 1 may further include input and output devices, network access devices, buses, and the like.
  • the processor 13 may be a central processing unit (Central Processing Unit, CPU), or other general-purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), Field-Programmable Gate Array (FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the general-purpose processor can be a microprocessor or the processor can also be any conventional processor, etc.
  • the processor 13 is the computing core and control center of the server 1; it uses various interfaces and lines to connect all parts of the entire server 1, and executes the operating system of the server 1 and the various installed applications, program codes, and the like.
  • the computer-readable instructions may be divided into one or more modules/units, and the one or more modules/units are stored in the memory 12 and executed by the processor 13 to complete this application.
  • the one or more modules/units may be a series of computer-readable instruction segments capable of accomplishing specific functions, and the computer-readable instruction segments are used to describe the execution process of the computer-readable instructions in the server 1 .
  • the computer-readable instructions may be divided into a generating unit 110 , a checking unit 111 , an obtaining unit 112 , an encryption unit 113 , a sending unit 114 , a detecting unit 115 and a receiving unit 116 .
  • the memory 12 can be used to store the computer-readable instructions and/or modules; the processor 13 runs or executes the computer-readable instructions and/or modules stored in the memory 12 and invokes the data stored in the memory 12, thereby realizing the various functions of the server 1.
  • the memory 12 may mainly include a stored program area and a stored data area, wherein the stored program area may store an operating system, an application program required for at least one function (such as a sound playback function, an image playback function, etc.), and the like, and the stored data area may store data created according to the usage of the server, and the like.
  • the memory 12 may include non-volatile and volatile memory, such as a hard disk, internal memory, plug-in hard disk, Smart Media Card (SMC), Secure Digital (SD) card, flash memory card (Flash Card), at least one disk storage device, flash memory device, or other storage device.
  • the memory 12 may be an external memory and/or an internal memory of the server 1 . Further, the storage 12 may be a storage in physical form, such as a memory stick, a TF card (Trans-flash Card) and the like.
  • if the modules/units integrated in the server 1 are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium, and the computer-readable storage medium may be a non-volatile or a volatile storage medium.
  • the present application can implement all or part of the processes in the methods of the above embodiments, and can also be completed by instructing relevant hardware through computer-readable instructions, and the computer-readable instructions can be stored in a computer-readable storage medium.
  • the computer-readable instructions when executed by the processor, can implement the steps of the above-mentioned method embodiments.
  • the computer-readable instructions include computer-readable instruction codes
  • the computer-readable instruction codes may be in source code form, object code form, executable file, or some intermediate form, and the like.
  • the computer-readable medium may include any entity or device capable of carrying the computer-readable instruction code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM) and a random access memory (RAM).
  • the blockchain referred to in this application is a new application mode of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and encryption algorithms.
  • a blockchain is essentially a decentralized database, a series of data blocks linked by cryptographic methods; each data block contains a batch of network transaction information used to verify the validity of that information (anti-counterfeiting) and to generate the next block.
  • the blockchain can include the underlying platform of the blockchain, the platform product service layer, and the application service layer.
  • the memory 12 in the server 1 stores computer-readable instructions to implement a user authentication method
  • the processor 13 can execute the computer-readable instructions to implement:
  • the computer-readable storage medium stores computer-readable instructions, wherein the computer-readable instructions are used to implement the following steps when executed by the processor 13:
  • modules described as separate components may or may not be physically separated, and components shown as modules may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
  • each functional module in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • the above-mentioned integrated units can be implemented in the form of hardware, or can be implemented in the form of hardware plus software function modules.
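The server-side flow the Definitions above describe (a permission-list check, a first key pair built from two random primes whose public half goes to the client, a sending-address check, verification of the data acquisition request with the private key, lookup of the system to be accessed by its system code, block-wise encryption of the access instruction with the second public key, splicing of the sub-ciphertexts, and a feedback packet) can be modelled end to end in a short program. The Python below is an added example written for this page; it is not the patent's, the applicant's or any product's code. Every value in it is constructed: the permission list, the addresses, the system code "S01", the labels and the seed. Two steps the page leaves unspecified are filled with labelled assumptions: how the first random number is derived from the serial number and the second random number, and how the first and second values are chosen (the textbook RSA relation is used as a stand-in, and "verification" is modelled as decrypting the client's proof with the private key and comparing it with a hash of the request). Byte-wise textbook RSA is used only to keep the block self-contained; it is not a usable cipher.

```python
import math
import random
from hashlib import sha256

# Constructed permission list: a device's position is its serial number.
PERMISSION_LIST = ["device-A", "device-B", "device-C"]
PRESET_VALUE = 3  # lower bound for candidate values; the patent does not fix it


def is_prime(n):
    if n < 2:
        return False
    return all(n % i for i in range(2, math.isqrt(n) + 1))


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def generate_key_pair(serial_number, rng):
    """Key pair in the shape the patent describes: two prime random numbers,
    their product as the target value, and a first/second value paired with it.
    ASSUMPTIONS (not stated on the page): the first prime is derived from the
    serial number and the second prime as next_prime(q + 2 + 10*serial), and
    the two values satisfy the RSA relation e*d == 1 mod (p-1)(q-1)."""
    q = next_prime(rng.randrange(10_000, 100_000))   # second random number
    p = next_prime(q + 2 + 10 * serial_number)       # first random number, never equal to q
    target, phi = p * q, (p - 1) * (q - 1)
    e = next(c for c in range(PRESET_VALUE, phi, 2) if math.gcd(c, phi) == 1)  # first value
    d = pow(e, -1, phi)                               # second value
    # The patent concatenates target||value; a tuple plays that role here.
    return (target, e), (target, d)


def request_digest(system_code, instructions):
    return int.from_bytes(sha256(f"{system_code}|{','.join(instructions)}".encode()).digest(), "big")


def build_request(device, address, public_key, system_code, instructions):
    """Client side: a data acquisition request bound to the first public key."""
    n, e = public_key
    proof = pow(request_digest(system_code, instructions) % n, e, n)
    return {"device": device, "from": address, "system_code": system_code,
            "instruction": instructions, "proof": proof}


def encrypt_blocks(instructions, public_key, config_value):
    """Split the access instruction into blocks of config_value labels, encrypt
    each block with the second public key, and splice the sub-ciphertexts.
    Labels must not contain ',' or ';'. Byte-wise RSA is a toy, not a cipher."""
    n, e = public_key
    ciphertext = []
    for i in range(0, len(instructions), config_value):
        block = (",".join(instructions[i:i + config_value]) + ";").encode()
        ciphertext += [pow(b, e, n) for b in block]  # one sub-ciphertext, spliced on
    return ciphertext


def decrypt_blocks(ciphertext, private_key):
    """What the system to be accessed recovers with its second private key."""
    n, d = private_key
    text = bytes(pow(c, d, n) for c in ciphertext).decode()
    return [label for block in text.split(";") if block for label in block.split(",")]


class Server:
    def __init__(self, rng, key_list, config_value):
        self.rng, self.key_list, self.config_value = rng, key_list, config_value
        self.sessions = {}  # device -> (private key, first sending address)
        self.outbox = []    # (system code, access ciphertext) handed to business systems

    def handle_access_requirement(self, device, address):
        if device not in PERMISSION_LIST:           # permission list check
            return None
        public, private = generate_key_pair(PERMISSION_LIST.index(device), self.rng)
        self.sessions[device] = (private, address)
        return public                               # first public key goes to the client

    def handle_data_request(self, req):
        session = self.sessions.get(req["device"])
        if session is None:
            return {"status": "rejected", "reason": "no access requirement"}
        (n, d), first_address = session
        if req["from"] != first_address:            # detection unit: same sending address?
            return {"status": "rejected", "reason": "sending address mismatch"}
        expected = request_digest(req["system_code"], req["instruction"]) % n
        if pow(req["proof"], d, n) != expected:     # private-key verification failed
            return {"status": "rejected", "reason": "verification failed"}  # prompt information
        second_public = self.key_list.get(req["system_code"])  # system code -> key list
        if second_public is None:
            return {"status": "rejected", "reason": "unknown system code"}
        ciphertext = encrypt_blocks(req["instruction"], second_public, self.config_value)
        self.outbox.append((req["system_code"], ciphertext))
        return {"status": "sent", "system_code": req["system_code"], "length": len(ciphertext)}


def run_demo():
    rng = random.Random(7)
    sys_public, sys_private = generate_key_pair(9, rng)   # second key pair of system "S01"
    server = Server(rng, {"S01": sys_public}, config_value=2)
    first_public = server.handle_access_requirement("device-B", "10.0.0.5")
    labels = ["orders.2021", "orders.2022", "invoices.q1"]
    ok = server.handle_data_request(build_request("device-B", "10.0.0.5", first_public, "S01", labels))
    moved = server.handle_data_request(build_request("device-B", "10.0.0.9", first_public, "S01", labels))
    forged = build_request("device-B", "10.0.0.5", first_public, "S01", labels)
    forged["instruction"] = ["payroll"]                   # altered after the proof was produced
    tampered = server.handle_data_request(forged)
    delivered = decrypt_blocks(server.outbox[0][1], sys_private)
    denied = server.handle_access_requirement("device-Z", "10.0.0.1")
    return ok, moved, tampered, delivered, denied


if __name__ == "__main__":
    print(run_demo())
```

run_demo() returns, in order, the feedback packet for a valid request, the rejection of the same request sent from a different address, the rejection of a request whose instruction was altered after the proof was produced, the labels the business system recovers with its second private key, and None for a device absent from the permission list. The address check and the private-key verification are the two points at which a forwarded or altered request is stopped on the server without any thread of the business system being involved, which is the availability argument the Definitions make; the business system only ever sees ciphertext it can open with its own second private key.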

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Computational Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Storage Device Security (AREA)

Abstract

A user authentication method and apparatus, a server and a storage medium. The method comprises: when an access requirement sent by a client is received, generating, according to the access requirement, a first key pair corresponding to the client, and sending a first public key in the first key pair to the client (S10); receiving a data acquisition request generated by the client on the basis of the first public key, and verifying the data acquisition request by using a private key in the first key pair (S11); if the verification is successful, determining, from the data acquisition request, a system to be accessed, and acquiring a second key pair corresponding to said system (S12); acquiring an access instruction from the data acquisition request, and encrypting the access instruction by using a second public key in the second key pair, so as to obtain access ciphertext (S13); and sending the access ciphertext to said system (S14). By means of the method, the security of data in a service system can be improved. In addition, the method further relates to blockchain technology. The second key pair can be stored in a blockchain.

Description

User authentication method, device, server and storage medium
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on February 25, 2021, with application number 202110215281.2 and the title "User Authentication Method, Device, Server and Storage Medium", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the technical field of security protection, and in particular to a user authentication method, device, server and storage medium.
Background
With increasing demands on information security, a business system usually performs user authentication on a client when the client requests data from the business system. However, the inventor has realised that when the business system receives data acquisition requests from multiple clients at the same time, it has to authenticate each of those clients, so the business system's threads are occupied and the business system cannot handle other requests. In addition, since the token that the business system sends to the client is stored in a local file on the client, and the client's local files are easily subjected to malicious attack, the token is easily leaked, which lowers the security of the data in the business system.
Summary of the invention
In view of the above, it is necessary to provide a user authentication method, device, server and storage medium that can improve the security of data in a business system.
A first aspect of the present application provides a user authentication method applied in a server, where the server communicates with a client and with a plurality of business systems. The user authentication method includes:
when an access requirement sent by the client is received, generating, according to the access requirement, a first key pair corresponding to the client, and sending a first public key in the first key pair to the client;
receiving a data acquisition request generated by the client on the basis of the first public key, and verifying the data acquisition request using a private key in the first key pair;
if the private key verifies the data acquisition request successfully, determining a system to be accessed from the data acquisition request, and acquiring a second key pair corresponding to the system to be accessed;
acquiring an access instruction from the data acquisition request, and encrypting the access instruction with a second public key in the second key pair to obtain an access ciphertext;
sending the access ciphertext to the system to be accessed.
A second aspect of the present application provides a server that includes a processor and a memory, the processor being configured to execute computer-readable instructions stored in the memory so as to implement the following steps:
when an access requirement sent by the client is received, generating, according to the access requirement, a first key pair corresponding to the client, and sending a first public key in the first key pair to the client;
receiving a data acquisition request generated by the client on the basis of the first public key, and verifying the data acquisition request using a private key in the first key pair;
if the private key verifies the data acquisition request successfully, determining a system to be accessed from the data acquisition request, and acquiring a second key pair corresponding to the system to be accessed;
acquiring an access instruction from the data acquisition request, and encrypting the access instruction with a second public key in the second key pair to obtain an access ciphertext;
sending the access ciphertext to the system to be accessed.
A third aspect of the present application provides a computer-readable storage medium storing at least one computer-readable instruction, the at least one computer-readable instruction being executed by a processor so as to implement the following steps:
when an access requirement sent by the client is received, generating, according to the access requirement, a first key pair corresponding to the client, and sending a first public key in the first key pair to the client;
receiving a data acquisition request generated by the client on the basis of the first public key, and verifying the data acquisition request using a private key in the first key pair;
if the private key verifies the data acquisition request successfully, determining a system to be accessed from the data acquisition request, and acquiring a second key pair corresponding to the system to be accessed;
acquiring an access instruction from the data acquisition request, and encrypting the access instruction with a second public key in the second key pair to obtain an access ciphertext;
sending the access ciphertext to the system to be accessed.
A fourth aspect of the present application provides a user authentication device that runs in a server, where the server communicates with a client and with a plurality of business systems. The user authentication device includes:
a generating unit, configured to generate, when an access requirement sent by the client is received, a first key pair corresponding to the client according to the access requirement, and to send a first public key in the first key pair to the client;
a verification unit, configured to receive a data acquisition request generated by the client on the basis of the first public key, and to verify the data acquisition request using a private key in the first key pair;
an acquisition unit, configured to determine, if the private key verifies the data acquisition request successfully, a system to be accessed from the data acquisition request, and to acquire a second key pair corresponding to the system to be accessed;
an encryption unit, configured to acquire an access instruction from the data acquisition request, and to encrypt the access instruction with a second public key in the second key pair to obtain an access ciphertext;
a sending unit, configured to send the access ciphertext to the system to be accessed.
It can be seen from the above technical solution that the present application does not need the business system to verify the data acquisition request, which avoids occupying the business system's threads and improves the high availability of the business system. In addition, the present application verifies the data acquisition request with the private key; since the private key differs from the first public key sent to the client, this ensures that the client holds access rights to the system to be accessed. At the same time, after the private key verifies the data acquisition request successfully, the acquired access instruction is encrypted with the second public key, which prevents the access instruction from being tampered with, thereby improving the security of the business system and ensuring the security of the data in the business system.
Brief description of the drawings
FIG. 1 is an application environment diagram of a preferred embodiment of the user authentication method of the present application.
FIG. 2 is a flowchart of a preferred embodiment of the user authentication method of the present application.
FIG. 3 is a functional block diagram of a preferred embodiment of the user authentication device of the present application.
FIG. 4 is a schematic structural diagram of a server implementing a preferred embodiment of the user authentication method of the present application.
Detailed description
In order to make the objectives, technical solutions and advantages of the present application clearer, the present application is described in detail below with reference to the accompanying drawings and specific embodiments.
FIG. 1 is an application environment diagram of a preferred embodiment of the user authentication method of the present application. The application environment includes a server 1, a client 2 and business systems 3. The server 1 communicates with the client 2, which is used to generate requests, and the server 1 communicates with a plurality of business systems 3, each of which stores a variety of business data.
FIG. 2 is a flowchart of a preferred embodiment of the user authentication method of the present application. Depending on requirements, the order of the steps in the flowchart may be changed and some steps may be omitted.
The user authentication method is applied in smart security scenarios, thereby promoting the construction of smart cities. The user authentication method is applied in one or more servers. A server is a device that can automatically perform numerical calculation and/or information processing according to preset or stored computer-readable instructions; its hardware includes, but is not limited to, microprocessors, application specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital signal processors (DSPs), embedded devices, and the like.
The server may be any electronic product capable of human-computer interaction with a user, such as a personal computer, a tablet computer, a smartphone, a personal digital assistant (PDA), a game console, an interactive network television (Internet Protocol Television, IPTV), a smart wearable device, and the like.
The server may include a network device and/or a user device. The network device includes, but is not limited to, a single network server, a server group formed by multiple network servers, or a cloud formed by a large number of hosts or network servers on the basis of cloud computing.
The network in which the server is located includes, but is not limited to, the Internet, a wide area network, a metropolitan area network, a local area network, a virtual private network (VPN), and the like.
S10: when an access requirement sent by the client is received, generate a first key pair corresponding to the client according to the access requirement, and send a first public key in the first key pair to the client.
In at least one embodiment of the present application, the information carried in the access requirement includes, but is not limited to, an access object and the like.
The first key pair includes the first public key and a private key. The first key pair refers to the key between the server and the client.
In at least one embodiment of the present application, the server generating the first key pair corresponding to the client according to the access requirement includes:
acquiring a permission list, where the permission list stores device information of a plurality of devices that have permission to access the business system, and the business system includes a plurality of systems connected to the server;
detecting whether the client is present in the permission list;
if the client is present in the permission list, determining the serial number of the client in the permission list;
generating a first random number whose number of digits equals the serial number, and generating a second random number whose number of digits equals the serial number;
generating the first key pair according to the first random number and the second random number.
The permission list makes it possible to detect whether the client has permission to access the business system and then, when the client does have that permission, to generate the first random number and the second random number according to the serial number; since different devices occupy different positions in the permission list, a unique first key pair can be generated.
Specifically, the server generating the first key pair according to the first random number and the second random number includes:
detecting whether the first random number is prime, and detecting whether the second random number is prime;
when both the first random number and the second random number are prime, calculating the product of the first random number and the second random number to obtain a target value;
calculating the least common multiple of the first random number and the second random number;
generating a first candidate value that is greater than a preset value and less than the least common multiple, and determining the greatest common divisor of the first candidate value and the least common multiple;
when the greatest common divisor equals the preset value, taking the first candidate value as a first value, and concatenating the target value with the first value to obtain the public key in the first key pair;
generating a second candidate value that is greater than the preset value and less than the least common multiple, and taking the remainder of the product of the second candidate value and the first value modulo the least common multiple;
when the remainder equals the preset value, taking the second candidate value as a second value, and concatenating the target value with the second value to obtain the private key in the first key pair.
The preset value is a value set in advance; the present application does not limit the specific value of the preset value.
Through the above embodiment, the first key pair is generated according to the first random number and the second random number, which improves the security of the first key pair.
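The key-generation steps above, worked through as an added Python example (not code from the patent): the permission list, the serial number that fixes the digit count of the two random primes, the gcd test for the first candidate, the remainder test for the second candidate, and the concatenated "target:value" key strings. The permission list is constructed; the preset value is assumed to be 1; and the modulus for the two candidate tests is assumed to be lcm(p-1, q-1) as in textbook RSA rather than the lcm of the two primes themselves, so that the resulting pair actually round-trips.

```python
import math
import random
import secrets
from typing import Tuple

# Constructed permission list: identifiers of the devices allowed to reach the business systems.
# A client's 1-based position in this list is the "serial number" that fixes the digit count of
# the two random numbers. That gives the earliest entries 1- or 2-digit primes, i.e. a modulus
# factorable by hand; a real deployment needs moduli of at least 2048 bits regardless of position.
PERMISSION_LIST = ["device-A1", "device-B2", "device-C3", "device-D4"]
PRESET = 1   # the patent's "preset value": the gcd test and the remainder test both compare to it


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test, used for 'detect whether the random number is prime'."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime_with_digits(digits: int) -> int:
    """Draw random numbers with exactly `digits` decimal digits until one passes the prime test."""
    lo, hi = 10 ** (digits - 1), 10 ** digits - 1
    while True:
        candidate = lo + secrets.randbelow(hi - lo + 1)
        if is_probable_prime(candidate):
            return candidate


def generate_first_key_pair(p: int, q: int) -> Tuple[str, str]:
    """The patent's steps: target = p*q; first candidate e with gcd(e, L) == PRESET; second
    candidate d with (e*d) % L == PRESET; each key is the concatenation "target:value".
    Assumption of this example: L = lcm(p-1, q-1) as in textbook RSA. The patent's wording,
    the lcm of the two random numbers themselves, equals p*q for primes and would not give a
    pair under which decryption undoes encryption."""
    if p == q or not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("both random numbers must be distinct primes")
    target = p * q
    L = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    if L - PRESET - 1 <= 0:
        raise ValueError("primes too small: no candidate lies strictly between PRESET and L")
    while True:                                   # first candidate: PRESET < e < L, gcd(e, L) == PRESET
        e = PRESET + 1 + secrets.randbelow(L - PRESET - 1)
        if math.gcd(e, L) == PRESET:
            break
    d = pow(e, -1, L)                             # second candidate: (e * d) % L == PRESET
    return f"{target}:{e}", f"{target}:{d}"


def rsa_roundtrip(public_key: str, private_key: str, message: int) -> bool:
    """Sanity check on a generated pair: encrypt under "target:e", decrypt under "target:d"."""
    n, e = (int(part) for part in public_key.split(":"))
    n2, d = (int(part) for part in private_key.split(":"))
    return n == n2 and 0 <= message < n and pow(pow(message, e, n), d, n) == message


def handle_access_requirement(client_id: str) -> dict:
    """S10 on the server: look the client up in the permission list, derive the key pair from two
    primes whose digit count equals the client's serial number, and raise an alarm otherwise.
    Only the public key is sent to the client; the server keeps the private key for S11."""
    if client_id not in PERMISSION_LIST:
        return {"client": client_id, "alarm": "client is not in the permission list"}
    serial = PERMISSION_LIST.index(client_id) + 1
    while True:
        p = random_prime_with_digits(serial)
        q = random_prime_with_digits(serial)
        try:
            public_key, private_key = generate_first_key_pair(p, q)
        except ValueError:                        # equal primes, or a pair with no usable candidate
            continue
        return {"client": client_id, "serial": serial,
                "public_key": public_key, "private_key": private_key}
```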
In at least one embodiment of the present application, the method further includes:
if the client is not present in the permission list, generating alarm information;
sending the alarm information to the client.
S11: receive a data acquisition request generated by the client on the basis of the first public key, and verify the data acquisition request using the private key in the first key pair.
In at least one embodiment of the present application, the information carried in the data acquisition request includes, but is not limited to, the access object and the like.
In at least one embodiment of the present application, before receiving the data acquisition request generated by the client on the basis of the first public key, the method further includes:
acquiring a first sending address of the access requirement, and acquiring a second sending address of the data acquisition request;
detecting whether the second sending address is the same as the first sending address;
if the second sending address is the same as the first sending address, receiving the data acquisition request.
Through the above embodiment, it can be ensured that the data acquisition request and the access requirement were sent by the same client, which avoids a verification failure of the data acquisition request caused by the two being sent by different clients.
In at least one embodiment of the present application, the server verifying the data acquisition request using the private key in the first key pair includes:
decrypting the data acquisition request with the private key to obtain decrypted information;
detecting whether the decrypted information is garbled;
if the decrypted information is not garbled, determining that the private key has verified the data acquisition request successfully.
Through the above embodiment, since no verification rules need to be applied, verification efficiency is improved.
In at least one embodiment of the present application, the method further includes:
if the decrypted information is garbled, determining that the private key has failed to verify the data acquisition request, and generating prompt information for the data acquisition request;
sending the prompt information to the client.
Through the above embodiment, after the private key fails to verify the data acquisition request, the prompt information can be generated promptly so that the client is informed of the response to its data acquisition request.
S12: if the private key verifies the data acquisition request successfully, determine the system to be accessed from the data acquisition request, and acquire a second key pair corresponding to the system to be accessed.
It should be emphasised that, in order to further ensure the privacy and security of the second key pair, the second key pair may also be stored in a node of a blockchain.
In at least one embodiment of the present application, the system to be accessed refers to the system from which the data acquisition request acquires business data.
The second key pair refers to the key between the server and the system to be accessed.
In at least one embodiment of the present application, the server determining the system to be accessed from the data acquisition request includes:
parsing the decrypted information to obtain the data information it carries;
acquiring, from the data information, the identifier that indicates a system as a system code;
determining the system corresponding to the system code as the system to be accessed.
The system code uniquely identifies a system.
Through the mapping between system codes and systems, the system to be accessed can be determined quickly.
In at least one embodiment of the present application, the server acquiring the second key pair corresponding to the system to be accessed includes:
acquiring a key list, where the key list stores the key pairs of a plurality of systems;
acquiring, from the key list, the key pair corresponding to the system code as the second key pair.
Through the above embodiment, the second key pair corresponding to the system to be accessed can be acquired accurately.
S13: acquire an access instruction from the data acquisition request, and encrypt the access instruction with the second public key in the second key pair to obtain an access ciphertext.
In at least one embodiment of the present application, the access instruction refers to the message of the data acquisition request, and the access instruction includes the labels of business data in the system to be accessed.
In at least one embodiment of the present application, the server acquiring the access instruction from the data acquisition request includes:
acquiring the message position of the message in the data acquisition request;
acquiring, from the data acquisition request, the information at the message position as the access instruction.
Through the message position, the access instruction can be acquired quickly from the data acquisition request.
In at least one embodiment of the present application, the server encrypting the access instruction with the second public key in the second key pair to obtain the access ciphertext includes:
calculating the instruction count of the access instruction, and detecting whether the instruction count is greater than a configuration value;
if the instruction count is greater than the configuration value, dividing the access instruction according to the configuration value to obtain a plurality of instruction blocks, each instruction block containing a number of access instructions equal to the configuration value;
encrypting the plurality of instruction blocks in parallel to obtain a plurality of sub-ciphertexts corresponding to the plurality of instruction blocks;
concatenating the plurality of sub-ciphertexts to obtain the access ciphertext.
The configuration value is determined according to the hardware resources of the server.
Through the above embodiment, the efficiency of generating the access ciphertext can be improved without affecting the operation of the server.
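The server-side handling of steps S11 to S13 (decrypt-and-check verification, system-code lookup in the key list, and parallel block encryption under the second public key), as one added Python example that is not code from the patent. The key pairs, key list, system code, request fields and configuration value are all constructed; textbook RSA is applied one byte at a time only to keep the arithmetic visible.

```python
import json
from concurrent.futures import ThreadPoolExecutor
from typing import List, Optional, Tuple

# Constructed toy keys in the patent's concatenated "target:value" form. They are tiny so the
# arithmetic stays readable, and RSA is applied to one byte at a time without padding, which makes
# the ciphertext a deterministic substitution of the plaintext: a demonstration of the flow only,
# not a usable cipher. Production use needs >= 2048-bit moduli with RSA-OAEP or hybrid encryption.
FIRST_KEY_PAIR = {"public": "3233:17", "private": "3233:2753"}    # server <-> client (p=61, q=53)
KEY_LIST = {                                                      # system code -> second key pair
    "SYS-01": {"public": "4757:17", "private": "4757:1223"},      # server <-> business system (p=67, q=71)
}
CONFIG_VALUE = 16   # assumed block size, "determined by the hardware resources of the server"


def rsa_apply(key: str, blocks: List[int]) -> List[int]:
    """Textbook RSA on a list of integer blocks; every block must be smaller than the modulus."""
    modulus, exponent = (int(part) for part in key.split(":"))
    return [pow(block, exponent, modulus) for block in blocks]


def client_build_request(first_public_key: str, access_object: dict) -> List[int]:
    """Client side: serialise the access object (system code plus message) and encrypt it byte by
    byte with the first public key received in S10."""
    return rsa_apply(first_public_key, list(json.dumps(access_object).encode("utf-8")))


def verify_request(first_private_key: str, request: List[int]) -> Tuple[bool, Optional[dict]]:
    """S11: decrypt with the private key and apply the patent's 'is the result garbled?' test.
    'Not garbled' is read here as: decrypts to bytes that are valid UTF-8 JSON carrying the two
    fields the later steps need. Anything else counts as a failed verification."""
    try:
        decrypted = bytes(rsa_apply(first_private_key, request))   # ValueError if a block > 255
        info = json.loads(decrypted.decode("utf-8"))               # ValueError subclasses on garbage
    except ValueError:
        return False, None
    if not isinstance(info, dict) or "system_code" not in info or "message" not in info:
        return False, None
    return True, info


def get_second_key_pair(system_code: str) -> Optional[dict]:
    """S12: the system code uniquely identifies a system; look its pair up in the key list."""
    return KEY_LIST.get(system_code)


def encrypt_access_instruction(second_public_key: str, instruction: bytes, config_value: int) -> List[int]:
    """S13: count the instruction units (bytes here, an assumption) and, if there are more than
    config_value, split into blocks of config_value units, encrypt the blocks in parallel and
    splice the sub-ciphertexts. The last block is shorter when the count is not a multiple."""
    units = list(instruction)
    if len(units) <= config_value:
        return rsa_apply(second_public_key, units)
    chunks = [units[i:i + config_value] for i in range(0, len(units), config_value)]
    with ThreadPoolExecutor() as pool:
        sub_ciphertexts = list(pool.map(lambda chunk: rsa_apply(second_public_key, chunk), chunks))
    return [block for sub in sub_ciphertexts for block in sub]   # map() keeps the chunk order


def handle_data_acquisition_request(request: List[int]) -> dict:
    """Server flow for one data acquisition request: S11 verify, S12 resolve the system and its
    key pair, S13 build the access ciphertext. Rejections carry the prompt sent back to the client."""
    ok, info = verify_request(FIRST_KEY_PAIR["private"], request)
    if not ok:
        return {"status": "rejected", "prompt": "data acquisition request failed verification"}
    second = get_second_key_pair(info["system_code"])
    if second is None:
        return {"status": "rejected", "prompt": f"unknown system code {info['system_code']}"}
    ciphertext = encrypt_access_instruction(second["public"], info["message"].encode("utf-8"), CONFIG_VALUE)
    return {"status": "ok", "system_code": info["system_code"], "access_ciphertext": ciphertext}


def business_system_decrypt(system_code: str, access_ciphertext: List[int]) -> bytes:
    """What the system to be accessed does with what S14 delivers: decrypt with its own private key."""
    return bytes(rsa_apply(KEY_LIST[system_code]["private"], access_ciphertext))
```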
S14,向所述待访问系统发送所述访问密文。S14: Send the access ciphertext to the system to be accessed.
在本申请的至少一个实施例中,所述服务器向所述待访问系统发送所述访问密文包括:In at least one embodiment of the present application, the sending, by the server, the access ciphertext to the system to be accessed includes:
获取所述待访问系统的系统地址;Obtain the system address of the system to be accessed;
向所述系统地址发送所述访问密文。Send the access ciphertext to the system address.
通过所述系统地址,能够准确将所述访问密文发送至所述待访问系统中。Through the system address, the access ciphertext can be accurately sent to the system to be accessed.
在本申请的至少一个实施例中,在向所述待访问系统发送所述访问密文后,所述方法还包括:In at least one embodiment of the present application, after sending the access ciphertext to the system to be accessed, the method further includes:
生成所述数据获取请求的反馈包;generating a feedback package for the data acquisition request;
将所述反馈包发送至所述客户端中。Send the feedback packet to the client.
通过上述实施方式,能够在所述访问密文完成发送后,及时向所述客户端反馈。Through the above-mentioned embodiments, after the access ciphertext is sent, it can be fed back to the client in time.
由以上技术方案可以看出,本申请无需通过所述业务系统对所述数据获取请求进行验证,避免了所述业务系统的线程被占用,提高了所述业务系统的高可用性,此外,本申请通过所述私钥对所述数据获取请求进行验证,由于所述私钥与发送至所述客户端中的所述第一公钥是不同的,确保了所述客户端对所述待访问系统存在访问权限,同时,在所述私钥对所述数据获取请求校验成功后,利用所述第二公钥对获取到的访问指令进行加密,能够避免所述访问指令被篡改,进而提高了所述业务系统的安全性,确保了所述业务系统中的数据安全。It can be seen from the above technical solutions that the application does not need to verify the data acquisition request through the business system, which avoids the occupation of threads of the business system and improves the high availability of the business system. The data acquisition request is verified by using the private key. Since the private key is different from the first public key sent to the client, it is ensured that the client has access to the system to be accessed. There is an access right, and at the same time, after the private key successfully verifies the data acquisition request, the second public key is used to encrypt the acquired access instruction, which can prevent the access instruction from being tampered with, thereby improving the The security of the business system ensures data security in the business system.
如图3所示,是本申请用户认证装置的较佳实施例的功能模块图。所述用户认证装置11包括生成单元110、校验单元111、获取单元112、加密单元113、发送单元114、检测单元115及接收单元116。本申请所称的模块/单元是指一种能够被处理器13所获取,并且能够完成固定功能的一系列计算机可读指令段,其存储在存储器12中。在本实施例中,关于各模块/单元的功能将在后续的实施例中详述。As shown in FIG. 3 , it is a functional block diagram of a preferred embodiment of the user authentication device of the present application. The user authentication device 11 includes a generation unit 110 , a verification unit 111 , an acquisition unit 112 , an encryption unit 113 , a transmission unit 114 , a detection unit 115 and a reception unit 116 . The module/unit referred to in this application refers to a series of computer-readable instruction segments that can be acquired by the processor 13 and can perform fixed functions, and are stored in the memory 12 . In this embodiment, the functions of each module/unit will be described in detail in subsequent embodiments.
当接收到所述客户端发送的访问需求时,生成单元110根据所述访问需求生成与所述客户端对应的第一密钥对,并将所述第一密钥对中的第一公钥发送至所述客户端。When receiving the access requirement sent by the client, the generating unit 110 generates a first key pair corresponding to the client according to the access requirement, and generates the first public key in the first key pair sent to the client.
在本申请的至少一个实施例中,所述访问需求中携带的信息包括,但不限于:访问对象等。In at least one embodiment of the present application, the information carried in the access requirement includes, but is not limited to, an access object and the like.
所述第一密钥对中包括所述第一公钥及私钥。所述第一密钥对是指所述服务器与所述客户端之间的密钥。The first key pair includes the first public key and the private key. The first key pair refers to a key between the server and the client.
在本申请的至少一个实施例中,所述生成单元110根据所述访问需求生成与所述客户端对应的第一密钥对包括:In at least one embodiment of the present application, the generating unit 110 generating the first key pair corresponding to the client according to the access requirement includes:
获取权限列表,所述权限列表中存储多个设备的设备信息,所述多个设备具有访问所述业务系统的权限,所述业务系统包括与所述服务器连接的多个系统;obtaining a permission list, where device information of multiple devices is stored in the permission list, and the multiple devices have permissions to access the business system, and the business system includes multiple systems connected to the server;
检测所述权限列表中是否存在所述客户端;Detecting whether the client exists in the permission list;
若所述权限列表中存在所述客户端,确定所述客户端在所述权限列表中的序号;If the client exists in the permission list, determine the serial number of the client in the permission list;
生成位数为所述序号的第一随机数,并生成位数为所述序号的第二随机数;generating a first random number with the number of digits being the serial number, and generating a second random number with the number of digits being the serial number;
根据所述第一随机数及所述第二随机数生成所述第一密钥对。The first key pair is generated according to the first random number and the second random number.
By means of the permission list it can be checked whether the client is authorised to access the business system; when it is, the first random number and the second random number are generated according to the client's serial number. Because different devices occupy different positions in the permission list, a first key pair unique to the client can be generated.
Specifically, the generating unit 110 generating the first key pair from the first random number and the second random number includes:
checking whether the first random number is prime, and checking whether the second random number is prime;
when both the first random number and the second random number are prime, computing the product of the first random number and the second random number to obtain a target value;
computing the least common multiple of the first random number and the second random number;
generating a first candidate value greater than a preset value and less than the least common multiple, and determining the greatest common divisor of the first candidate value and the least common multiple;
when the greatest common divisor equals the preset value, taking the first candidate value as the first value, and concatenating the target value with the first value to obtain the public key of the first key pair;
generating a second candidate value greater than the preset value and less than the least common multiple, and computing the remainder of the product of the second candidate value and the first value modulo the least common multiple;
when the remainder equals the preset value, taking the second candidate value as the second value, and concatenating the target value with the second value to obtain the private key of the first key pair.
In the above embodiment, generating the first key pair from the first random number and the second random number improves the security of the first key pair.
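The following is an added worked example of the generation steps above, written for this page in Python; it is not code from the patent or its applicant. The names p and q (the two random numbers), n (the target value), e (the first value) and d (the second value) are this example's labels, and the preset value is taken to be 1, which the text does not state but which is the value at which the gcd test means coprimality and the remainder test means a modular inverse. Two readings of the steps are implemented side by side: the steps taken literally, where the modulus of the gcd and remainder tests is lcm(p, q), and the same steps with lcm(p - 1, q - 1), the modulus textbook RSA uses. The distinction matters because with lcm(p, q) the pair does not round-trip: for p = 11, q = 13 and e = 7 the second value is 41, and decrypting the encryption of 2 returns 7. The example also follows claim 2 in giving both random numbers as many decimal digits as the client's serial number, so the modulus size follows the client's position in the permission list.

```python
import math
import secrets
from random import Random
from typing import Optional, Tuple

KeyPair = Tuple[Tuple[int, int], Tuple[int, int]]  # ((n, e), (n, d))

# The description's "preset value" (assumption: 1). The gcd test then means
# "coprime" and the remainder test means "modular inverse".
PRESET = 1

# Witness set that makes Miller-Rabin deterministic for n < 3.3e24; for larger
# inputs the test is still probabilistic with negligible error.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Primality check applied to the first and second random numbers."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime_with_digits(digits: int, rng: Random) -> int:
    """Random prime whose decimal length equals `digits` (the client's serial number)."""
    lo = 10 ** (digits - 1) if digits > 1 else 2
    while True:
        candidate = rng.randrange(lo, 10 ** digits)
        if is_prime(candidate):
            return candidate


def _first_value(modulus: int, rng: Random, e: Optional[int]) -> int:
    """First candidate value in (PRESET, modulus) whose gcd with the modulus is PRESET."""
    if e is not None:
        if not (PRESET < e < modulus and math.gcd(e, modulus) == PRESET):
            raise ValueError("e fails the gcd test")
        return e
    if modulus <= PRESET + 1:
        raise ValueError("modulus too small to admit a first value")
    while True:
        e = rng.randrange(PRESET + 1, modulus)
        if math.gcd(e, modulus) == PRESET:
            return e


def _keypair(p: int, q: int, modulus: int, rng: Random, e: Optional[int]) -> KeyPair:
    # Assumption: distinct primes (the text only requires both to be prime).
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("both random numbers must be distinct primes")
    n = p * q                          # the "target value"
    e = _first_value(modulus, rng, e)
    # Second value: (d * e) mod modulus == PRESET. The text finds d by trying
    # candidates; the modular inverse is the same number computed directly.
    d = pow(e, -1, modulus)
    # "Concatenating" the target value with the first/second value is
    # represented here by the pairs (n, e) and (n, d).
    return (n, e), (n, d)


def keypair_as_described(p: int, q: int, e: Optional[int] = None,
                         rng: Optional[Random] = None) -> KeyPair:
    """Literal reading of the steps: the gcd/remainder modulus is lcm(p, q) (= p*q)."""
    return _keypair(p, q, math.lcm(p, q), rng or secrets.SystemRandom(), e)


def keypair_textbook_rsa(p: int, q: int, e: Optional[int] = None,
                         rng: Optional[Random] = None) -> KeyPair:
    """Same steps with the modulus RSA uses: lambda(n) = lcm(p - 1, q - 1)."""
    return _keypair(p, q, math.lcm(p - 1, q - 1), rng or secrets.SystemRandom(), e)


def encrypt(m: int, pub: Tuple[int, int]) -> int:
    n, e = pub
    return pow(m, e, n)


def decrypt(c: int, priv: Tuple[int, int]) -> int:
    n, d = priv
    return pow(c, d, n)


def keypair_for_serial(serial: int, rng: Optional[Random] = None) -> KeyPair:
    """Claim 2 flow: both random numbers have `serial` digits, then derive the pair."""
    rng = rng or secrets.SystemRandom()
    p = random_prime_with_digits(serial, rng)
    q = random_prime_with_digits(serial, rng)
    while q == p:
        q = random_prime_with_digits(serial, rng)
    return keypair_textbook_rsa(p, q, rng=rng)
```

keypair_for_serial(3) builds the pair from two 3-digit primes; a serial number of 1 leaves only the primes 2, 3, 5 and 7 to choose from, so the first clients in the permission list receive the smallest moduli.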
The verification unit 111 receives the data acquisition request generated by the client on the basis of the first public key, and verifies the data acquisition request with the private key of the first key pair.
In at least one embodiment of the present application, the information carried in the data acquisition request includes, but is not limited to, the access object.
In at least one embodiment of the present application, before the data acquisition request generated by the client on the basis of the first public key is received, the acquisition unit 112 obtains the first sending address of the access request and the second sending address of the data acquisition request;
the detection unit 115 checks whether the second sending address is the same as the first sending address;
if the second sending address is the same as the first sending address, the receiving unit 116 accepts the data acquisition request.
This ensures that the data acquisition request and the access request were sent by the same client, and avoids a verification failure of the data acquisition request caused by the two messages coming from different clients.
In at least one embodiment of the present application, the verification unit 111 verifying the data acquisition request with the private key of the first key pair includes:
decrypting the data acquisition request with the private key to obtain decrypted information;
checking whether the decrypted information is garbled;
if the decrypted information is not garbled, determining that the private key has successfully verified the data acquisition request.
Because no separate verification rule has to be applied, the verification is more efficient.
In at least one embodiment of the present application, if the decrypted information is garbled, the generating unit 110 determines that verification of the data acquisition request with the private key has failed and generates prompt information for the data acquisition request;
the sending unit 114 sends the prompt information to the client.
In this way, once verification of the data acquisition request with the private key fails, the prompt information is generated promptly so that the client learns the outcome of its data acquisition request.
If the private key successfully verifies the data acquisition request, the acquisition unit 112 determines the system to be accessed from the data acquisition request and obtains the second key pair corresponding to the system to be accessed.
It should be emphasised that, to further protect the confidentiality and security of the second key pair, the second key pair may also be stored in a node of a blockchain.
In at least one embodiment of the present application, the system to be accessed is the system from which the data acquisition request obtains business data.
The second key pair is the key pair shared between the server and the system to be accessed.
In at least one embodiment of the present application, the acquisition unit 112 determining the system to be accessed from the data acquisition request includes:
parsing the decrypted information to obtain the data information it carries;
taking the identifier that designates a system from the data information as the system code;
determining the system corresponding to the system code as the system to be accessed.
The system code uniquely identifies a system.
Through the mapping between system codes and systems, the system to be accessed can be determined quickly.
In at least one embodiment of the present application, the acquisition unit 112 obtaining the second key pair corresponding to the system to be accessed includes:
obtaining a key list in which the key pairs of multiple systems are stored;
taking the key pair corresponding to the system code from the key list as the second key pair.
In this way the second key pair for the system to be accessed can be obtained accurately.
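The receiving-side steps from the sending-address check through the key-list lookup, as one added Python example written for this page (not code from the patent or its applicant). The key material is constructed: textbook RSA over the primes 61 and 53 for the first key pair and 47 and 59 for the second, with per-byte encryption that exists only to make the exchange runnable. The request body being JSON with the fields system_code and instruction, and the use of the sending address as the lookup key for the first key pair, are assumptions; the text leaves the wire format open. The "garbled" test is read as: the decrypted values must form valid UTF-8 that parses as a JSON object. Note that a successful decryption shows only that the request was encrypted under the first public key; the binding to a particular client comes from the sending-address comparison, which the example applies before decrypting.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed key material (an assumption of this example, far too small for
# real use): first key pair n = 61 * 53 = 3233, e = 17, d = 413.
FIRST_PUBLIC_KEY = (3233, 17)
FIRST_PRIVATE_KEY = (3233, 413)

RsaKey = Tuple[int, int]


def rsa_encrypt_bytes(data: bytes, pub: RsaKey) -> List[int]:
    """Toy per-byte RSA; only here so the request/verify exchange can run."""
    n, e = pub
    return [pow(b, e, n) for b in data]


def rsa_decrypt_bytes(cipher: List[int], priv: RsaKey) -> List[int]:
    n, d = priv
    return [pow(c, d, n) for c in cipher]


def decrypted_info_or_garbled(values: List[int]) -> Optional[Dict[str, Any]]:
    """The 'garbled' check: values must be bytes, valid UTF-8, and a JSON object
    (assumption: the request body is JSON). Returns None when garbled."""
    if any(not 0 <= v <= 255 for v in values):
        return None
    try:
        info = json.loads(bytes(values).decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    return info if isinstance(info, dict) else None


class AuthServer:
    """Server-side flow from the access request to the second key pair lookup."""

    def __init__(self, key_list: Dict[str, Tuple[RsaKey, RsaKey]]):
        self.key_list = key_list  # system code -> (second public key, second private key)
        self.first_private_keys: Dict[str, RsaKey] = {}  # first sending address -> private key

    def on_access_request(self, first_sending_address: str) -> RsaKey:
        # Generating unit 110. Assumption: a fixed constructed pair stands in for
        # the per-client generation; the private key stays on the server and only
        # the first public key is returned to the client.
        self.first_private_keys[first_sending_address] = FIRST_PRIVATE_KEY
        return FIRST_PUBLIC_KEY

    def on_data_acquisition_request(self, second_sending_address: str,
                                    cipher: List[int]) -> Dict[str, Any]:
        # Detection unit 115: the second sending address must equal the first.
        priv = self.first_private_keys.get(second_sending_address)
        if priv is None:
            return {"accepted": False,
                    "prompt": "sending address does not match the access request"}
        # Verification unit 111: decrypt with the private key, reject garbled output.
        info = decrypted_info_or_garbled(rsa_decrypt_bytes(cipher, priv))
        if info is None:
            return {"accepted": False,
                    "prompt": "data acquisition request failed verification"}
        # Acquisition unit 112: system code -> system to be accessed -> second key pair.
        system_code = info.get("system_code")
        second_pair = self.key_list.get(system_code)
        if second_pair is None:
            return {"accepted": False, "prompt": f"unknown system code {system_code!r}"}
        return {"accepted": True, "system_code": system_code,
                "second_public_key": second_pair[0],
                "access_instruction": info.get("instruction", [])}


def client_build_request(pub: RsaKey, system_code: str, instruction: List[str]) -> List[int]:
    """Client side: encrypt the JSON body under the first public key."""
    body = json.dumps({"system_code": system_code, "instruction": instruction}).encode("utf-8")
    return rsa_encrypt_bytes(body, pub)
```

A request that was not produced under the first public key decrypts to values outside the byte range or to text that is not JSON, and is rejected as garbled; a request arriving from an address other than the one that sent the access request is rejected before any decryption takes place.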
The encryption unit 113 obtains the access instruction from the data acquisition request and encrypts the access instruction with the second public key of the second key pair to obtain the access ciphertext.
In at least one embodiment of the present application, the access instruction is the message body of the data acquisition request, and the access instruction includes the label of the business data in the system to be accessed.
In at least one embodiment of the present application, the encryption unit 113 obtaining the access instruction from the data acquisition request includes:
obtaining the message position of the message within the data acquisition request;
taking the information at that message position in the data acquisition request as the access instruction.
Using the message position, the access instruction can be extracted quickly from the data acquisition request.
In at least one embodiment of the present application, the encryption unit 113 encrypting the access instruction with the second public key of the second key pair to obtain the access ciphertext includes:
counting the number of instructions in the access instruction, and checking whether the number of instructions exceeds a configuration value;
if the number of instructions exceeds the configuration value, dividing the access instruction according to the configuration value into a plurality of instruction blocks, each instruction block containing a number of access instructions equal to the configuration value;
encrypting the plurality of instruction blocks in parallel to obtain a sub-ciphertext for each instruction block;
concatenating the sub-ciphertexts to obtain the access ciphertext.
The configuration value is determined from the hardware resources of the server.
In this way the access ciphertext can be generated more efficiently without affecting the operation of the server.
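The split, parallel-encrypt and concatenate steps above, as an added Python example written for this page (not the patent's code). The configuration value is taken from os.cpu_count() as a stand-in for the server's hardware resources, the second public key is the constructed pair (2773, 17), and the per-byte encryption is a toy used only so that the chunked result can be checked against a single sequential encryption; a real deployment would use a padded scheme or hybrid encryption. Two details the text leaves implicit are made explicit: the last block holds whatever remains when the instruction count is not a multiple of the configuration value, and the sub-ciphertexts must be concatenated in block order, which executor.map guarantees. Encryption under the second public key keeps the access instruction confidential in transit; detecting modification would additionally need a signature or a MAC, which the text does not describe.

```python
import os
from concurrent.futures import ThreadPoolExecutor
from typing import List, Optional, Tuple

# Constructed second public key (assumption): textbook RSA with n = 47 * 59 = 2773, e = 17.
SECOND_PUBLIC_KEY = (2773, 17)


def configuration_value() -> int:
    """Configuration value derived from the server hardware (assumption: CPU count)."""
    return max(1, os.cpu_count() or 1)


def split_into_instruction_blocks(instructions: List[str], config_value: int) -> List[List[str]]:
    """Split only when the instruction count exceeds the configuration value.
    Each block holds `config_value` instructions; the last block holds the remainder."""
    if config_value < 1:
        raise ValueError("configuration value must be positive")
    if len(instructions) <= config_value:
        return [instructions]
    return [instructions[i:i + config_value]
            for i in range(0, len(instructions), config_value)]


def encrypt_block(block: List[str], pub: Tuple[int, int]) -> List[int]:
    """Sub-ciphertext of one block: toy per-byte RSA over newline-terminated
    instructions (no padding; enough to show split/merge, not for real use)."""
    n, e = pub
    data = "".join(line + "\n" for line in block).encode("utf-8")
    return [pow(b, e, n) for b in data]


def build_access_ciphertext(instructions: List[str], pub: Tuple[int, int],
                            config_value: Optional[int] = None,
                            max_workers: Optional[int] = None) -> List[int]:
    """Encryption unit 113: split, encrypt blocks in parallel, concatenate in order."""
    config_value = config_value or configuration_value()
    blocks = split_into_instruction_blocks(instructions, config_value)
    # executor.map yields results in submission order, so the concatenation
    # below reproduces the original instruction order.
    with ThreadPoolExecutor(max_workers=max_workers or len(blocks)) as pool:
        sub_ciphertexts = list(pool.map(lambda blk: encrypt_block(blk, pub), blocks))
    access_ciphertext: List[int] = []
    for sub in sub_ciphertexts:
        access_ciphertext.extend(sub)
    return access_ciphertext
```

Because each instruction is newline-terminated before encryption, the concatenated sub-ciphertexts are identical to encrypting the whole instruction list in one pass, which is the property the test checks.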
The sending unit 114 sends the access ciphertext to the system to be accessed.
In at least one embodiment of the present application, the sending unit 114 sending the access ciphertext to the system to be accessed includes:
obtaining the system address of the system to be accessed;
sending the access ciphertext to that system address.
Using the system address, the access ciphertext is delivered accurately to the system to be accessed.
In at least one embodiment of the present application, after the access ciphertext has been sent to the system to be accessed, the generating unit 110 generates a feedback packet for the data acquisition request;
the sending unit 114 sends the feedback packet to the client.
In this way the client is notified promptly once the access ciphertext has been sent.
It can be seen from the above technical solution that the present application does not need the business system to verify the data acquisition request, which avoids occupying threads of the business system and improves its availability. Furthermore, the present application verifies the data acquisition request with the private key; because the private key differs from the first public key sent to the client, the client's access right to the system to be accessed is assured. In addition, after the private key has verified the data acquisition request, the obtained access instruction is encrypted with the second public key, which prevents the access instruction from being tampered with, thereby improving the security of the business system and ensuring the security of its data.
FIG. 4 is a schematic structural diagram of a server according to a preferred embodiment of the user authentication method of the present application.
In one embodiment of the present application, the server 1 includes, but is not limited to, a memory 12, a processor 13, and computer-readable instructions stored in the memory 12 and executable on the processor 13, such as a user authentication program.
Those skilled in the art will understand that the schematic diagram is merely an example of the server 1 and does not limit it; the server 1 may include more or fewer components than shown, combine certain components, or use different components. For example, the server 1 may further include input/output devices, network access devices, a bus, and the like.
The processor 13 may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor or any conventional processor. The processor 13 is the computing core and control centre of the server 1; it connects the parts of the server 1 through various interfaces and lines, and runs the operating system of the server 1 together with the installed applications and program code.
By way of example, the computer-readable instructions may be divided into one or more modules/units, which are stored in the memory 12 and executed by the processor 13 to carry out the present application. The one or more modules/units may be a series of computer-readable instruction segments capable of performing specific functions, which describe the execution of the computer-readable instructions in the server 1. For example, the computer-readable instructions may be divided into a generating unit 110, a verification unit 111, an acquisition unit 112, an encryption unit 113, a sending unit 114, a detection unit 115 and a receiving unit 116.
The memory 12 may be used to store the computer-readable instructions and/or modules; the processor 13 implements the various functions of the server 1 by running or executing the computer-readable instructions and/or modules stored in the memory 12 and by calling the data stored in the memory 12. The memory 12 may mainly include a program storage area and a data storage area: the program storage area may store an operating system and the application programs required for at least one function (such as a sound playback function or an image playback function); the data storage area may store data created through use of the server. The memory 12 may include non-volatile and volatile memory, for example a hard disk, RAM, a plug-in hard disk, a smart media card (SMC), a secure digital (SD) card, a flash card, at least one magnetic disk storage device, a flash memory device, or another storage device.
The memory 12 may be an external memory and/or an internal memory of the server 1. Further, the memory 12 may be a memory in physical form, such as a memory module or a TF card (TransFlash card).
If the modules/units integrated in the server 1 are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium, which may be non-volatile or volatile. On this understanding, the present application may implement all or part of the flow of the above method embodiments by instructing the relevant hardware through computer-readable instructions, which may be stored in a computer-readable storage medium; when executed by a processor, these computer-readable instructions implement the steps of the above method embodiments.
The computer-readable instructions include computer-readable instruction code, which may be in source code form, object code form, an executable file, or some intermediate form. The computer-readable medium may include any entity or device capable of carrying the computer-readable instruction code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, computer memory, read-only memory (ROM), or random access memory (RAM).
The blockchain referred to in the present application is a new application mode of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and encryption algorithms. A blockchain is essentially a decentralised database: a chain of data blocks linked by cryptographic methods, each block containing the information of a batch of network transactions, used to verify the validity of that information (anti-counterfeiting) and to generate the next block. A blockchain may include a blockchain underlying platform, a platform product service layer and an application service layer.
With reference to FIG. 2, the memory 12 in the server 1 stores computer-readable instructions that implement a user authentication method, and the processor 13 can execute those computer-readable instructions to:
when an access request sent by the client is received, generate a first key pair corresponding to the client according to the access request, and send the first public key of the first key pair to the client;
receive a data acquisition request generated by the client on the basis of the first public key, and verify the data acquisition request with the private key of the first key pair;
if the private key successfully verifies the data acquisition request, determine the system to be accessed from the data acquisition request, and obtain a second key pair corresponding to the system to be accessed;
obtain an access instruction from the data acquisition request, and encrypt the access instruction with the second public key of the second key pair to obtain an access ciphertext;
send the access ciphertext to the system to be accessed.
For the specific way in which the processor 13 implements the above computer-readable instructions, reference may be made to the description of the corresponding steps in the embodiment of FIG. 2, which is not repeated here.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into modules is only a division by logical function, and other divisions are possible in actual implementation.
The computer-readable storage medium stores computer-readable instructions which, when executed by the processor 13, implement the following steps:
when an access request sent by the client is received, generating a first key pair corresponding to the client according to the access request, and sending the first public key of the first key pair to the client;
receiving a data acquisition request generated by the client on the basis of the first public key, and verifying the data acquisition request with the private key of the first key pair;
if the private key successfully verifies the data acquisition request, determining the system to be accessed from the data acquisition request, and obtaining a second key pair corresponding to the system to be accessed;
obtaining an access instruction from the data acquisition request, and encrypting the access instruction with the second public key of the second key pair to obtain an access ciphertext;
sending the access ciphertext to the system to be accessed.
The modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional modules in the embodiments of the present application may be integrated into one processing unit, may each exist physically as a separate unit, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional modules.
Therefore, the embodiments are to be regarded in all respects as illustrative and not restrictive, and the scope of the present application is defined by the appended claims rather than by the foregoing description; all changes falling within the meaning and range of equivalents of the claims are therefore intended to be embraced by the present application. Any reference signs in the claims shall not be construed as limiting the claims concerned.
Furthermore, the word "comprising" does not exclude other units or steps, and the singular does not exclude the plural. Multiple units or devices recited may also be implemented by a single unit or device through software or hardware. The terms first, second and so on are used to denote names and do not denote any particular order.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present application and not to limit it. Although the present application has been described in detail with reference to preferred embodiments, those of ordinary skill in the art will understand that modifications or equivalent substitutions may be made to the technical solution of the present application without departing from its spirit and scope.

Claims (20)

  1. A user authentication method, applied in a server that communicates with a client and with a plurality of business systems, the user authentication method comprising:
    when an access request sent by the client is received, generating a first key pair corresponding to the client according to the access request, and sending the first public key of the first key pair to the client;
    receiving a data acquisition request generated by the client on the basis of the first public key, and verifying the data acquisition request with the private key of the first key pair;
    if the private key successfully verifies the data acquisition request, determining the system to be accessed from the data acquisition request, and obtaining a second key pair corresponding to the system to be accessed;
    obtaining an access instruction from the data acquisition request, and encrypting the access instruction with the second public key of the second key pair to obtain an access ciphertext;
    sending the access ciphertext to the system to be accessed.
  2. The user authentication method according to claim 1, wherein generating the first key pair corresponding to the client according to the access request comprises:
    obtaining a permission list storing device information of a plurality of devices that have permission to access the business system, the business system comprising a plurality of systems connected to the server;
    checking whether the client is present in the permission list;
    if the client is present in the permission list, determining the serial number of the client in the permission list;
    generating a first random number whose number of digits is the serial number, and generating a second random number whose number of digits is the serial number;
    generating the first key pair from the first random number and the second random number.
  3. The user authentication method according to claim 2, wherein generating the first key pair from the first random number and the second random number comprises:
    checking whether the first random number is prime, and checking whether the second random number is prime;
    when both the first random number and the second random number are prime, computing the product of the first random number and the second random number to obtain a target value;
    computing the least common multiple of the first random number and the second random number;
    generating a first candidate value greater than a preset value and less than the least common multiple, and determining the greatest common divisor of the first candidate value and the least common multiple;
    when the greatest common divisor equals the preset value, taking the first candidate value as the first value, and concatenating the target value with the first value to obtain the public key of the first key pair;
    generating a second candidate value greater than the preset value and less than the least common multiple, and computing the remainder of the product of the second candidate value and the first value modulo the least common multiple;
    when the remainder equals the preset value, taking the second candidate value as the second value, and concatenating the target value with the second value to obtain the private key of the first key pair.
  4. The user authentication method according to claim 1, wherein before receiving the data acquisition request generated by the client on the basis of the first public key, the user authentication method further comprises:
    obtaining the first sending address of the access request, and obtaining the second sending address of the data acquisition request;
    checking whether the second sending address is the same as the first sending address;
    if the second sending address is the same as the first sending address, receiving the data acquisition request.
  5. The user authentication method according to claim 1, wherein verifying the data acquisition request with the private key of the first key pair comprises:
    decrypting the data acquisition request with the private key to obtain decrypted information;
    checking whether the decrypted information is garbled;
    if the decrypted information is not garbled, determining that the private key has successfully verified the data acquisition request.
  6. The user authentication method according to claim 5, wherein determining the system to be accessed from the data acquisition request comprises:
    parsing the decrypted information to obtain the data information it carries;
    taking the identifier that designates a system from the data information as the system code;
    determining the system corresponding to the system code as the system to be accessed.
  7. The user authentication method according to claim 1, wherein encrypting the access instruction with the second public key of the second key pair to obtain the access ciphertext comprises:
    counting the number of instructions in the access instruction, and checking whether the number of instructions exceeds a configuration value;
    if the number of instructions exceeds the configuration value, dividing the access instruction according to the configuration value into a plurality of instruction blocks, each instruction block containing a number of access instructions equal to the configuration value;
    encrypting the plurality of instruction blocks in parallel to obtain a plurality of sub-ciphertexts corresponding to the plurality of instruction blocks;
    concatenating the plurality of sub-ciphertexts to obtain the access ciphertext.
  8. A user authentication apparatus, running in a server that communicates with a client and with a plurality of business systems, the user authentication apparatus comprising:
    a generating unit, configured to, when an access request sent by the client is received, generate a first key pair corresponding to the client according to the access request, and send the first public key of the first key pair to the client;
    a verification unit, configured to receive a data acquisition request generated by the client on the basis of the first public key, and verify the data acquisition request with the private key of the first key pair;
    an acquisition unit, configured to, if the private key successfully verifies the data acquisition request, determine the system to be accessed from the data acquisition request, and obtain a second key pair corresponding to the system to be accessed;
    an encryption unit, configured to obtain an access instruction from the data acquisition request, and encrypt the access instruction with the second public key of the second key pair to obtain an access ciphertext;
    a sending unit, configured to send the access ciphertext to the system to be accessed.
  9. A server, which communicates with a client and with a plurality of business systems, the server comprising a processor and a memory, the processor being configured to execute at least one computer-readable instruction stored in the memory to implement the following steps:
    when an access request sent by the client is received, generating a first key pair corresponding to the client according to the access request, and sending the first public key of the first key pair to the client;
    receiving a data acquisition request generated by the client on the basis of the first public key, and verifying the data acquisition request with the private key of the first key pair;
    if the private key successfully verifies the data acquisition request, determining the system to be accessed from the data acquisition request, and obtaining a second key pair corresponding to the system to be accessed;
    obtaining an access instruction from the data acquisition request, and encrypting the access instruction with the second public key of the second key pair to obtain an access ciphertext;
    向所述待访问系统发送所述访问密文。Send the access ciphertext to the system to be accessed.
  10. 根据权利要求9所述的服务器,其中,在所述根据所述访问需求生成与所述客户端对应的第一密钥对时,所述处理器执行所述至少一个计算机可读指令以实现以下步骤:The server of claim 9, wherein, when the first key pair corresponding to the client is generated according to the access requirement, the processor executes the at least one computer-readable instruction to implement the following step:
    获取权限列表,所述权限列表中存储多个设备的设备信息,所述多个设备具有访问所述业务系统的权限,所述业务系统包括与所述服务器连接的多个系统;obtaining a permission list, where device information of multiple devices is stored in the permission list, and the multiple devices have permissions to access the business system, and the business system includes multiple systems connected to the server;
    检测所述权限列表中是否存在所述客户端;Detecting whether the client exists in the permission list;
    若所述权限列表中存在所述客户端,确定所述客户端在所述权限列表中的序号;If the client exists in the permission list, determine the serial number of the client in the permission list;
    生成位数为所述序号的第一随机数,并生成位数为所述序号的第二随机数;generating a first random number with the number of digits being the serial number, and generating a second random number with the number of digits being the serial number;
    根据所述第一随机数及所述第二随机数生成所述第一密钥对。The first key pair is generated according to the first random number and the second random number.
  11. 根据权利要求10所述的服务器,其中,在所述根据所述第一随机数及所述第二随机数生成所述第一密钥对时,所述处理器执行所述至少一个计算机可读指令以实现以下步骤:11. The server of claim 10, wherein, when the first key pair is generated from the first random number and the second random number, the processor executes the at least one computer-readable instructions to implement the following steps:
    检测所述第一随机数是否为质数,并检测所述第二随机数是否为质数;detecting whether the first random number is a prime number, and detecting whether the second random number is a prime number;
    当所述第一随机数及所述第二随机数均为质数时,计算所述第一随机数与所述第二随机数的乘积,得到目标数值;When both the first random number and the second random number are prime numbers, calculating the product of the first random number and the second random number to obtain a target value;
    计算所述第一随机数与所述第二随机数的最小公倍数;calculating the least common multiple of the first random number and the second random number;
    生成大于预设数值且小于所述最小公倍数的第一候选值,并确定所述第一候选值与所述最小公倍数的最大公约数;generating a first candidate value greater than a preset value and less than the least common multiple, and determining the greatest common divisor of the first candidate value and the least common multiple;
    当所述最大公约数为所述预设数值时,将所述第一候选值确定为第一数值,并拼接所述目标数值与所述第一数值,得到所述第一密钥对中的公钥;When the greatest common divisor is the preset value, the first candidate value is determined as the first value, and the target value and the first value are concatenated to obtain the first key pair in the public key;
    生成大于所述预设数值且小于所述最小公倍数的第二候选值,将所述第二候选值与所述第一数值的乘积与所述最小公倍数进行取余运算,得到余数;generating a second candidate value greater than the preset value and less than the least common multiple, and performing a remainder operation on the product of the second candidate value and the first value and the least common multiple to obtain a remainder;
    当所述余数为所述预设数值时,将所述第二候选值确定为第二数值,并拼接所述目标数值与所述第二数值,得到所述第一密钥对中的私钥。When the remainder is the preset value, the second candidate value is determined as the second value, and the target value and the second value are concatenated to obtain the private key in the first key pair .
  12. 根据权利要求9所述的服务器,其中,在接收所述客户端基于所述第一公钥生成的数据获取请求之前,所述处理器还执行所述至少一个计算机可读指令以实现以下步骤:The server of claim 9, wherein before receiving a data acquisition request generated by the client based on the first public key, the processor further executes the at least one computer-readable instruction to implement the following steps:
    获取所述访问需求的第一发送地址,并获取所述数据获取请求的第二发送地址;Obtain the first sending address of the access request, and obtain the second sending address of the data acquisition request;
    检测所述第二发送地址与所述第一发送地址是否相同;Detecting whether the second sending address is the same as the first sending address;
    若所述第二发送地址与所述第一发送地址相同,接收所述数据获取请求。If the second sending address is the same as the first sending address, receive the data acquisition request.
  13. 根据权利要求9所述的服务器,其中,在所述利用所述第一密钥对中的私钥对所述数据获取请求进行校验时,所述处理器执行所述至少一个计算机可读指令以实现以下步骤:10. The server of claim 9, wherein the processor executes the at least one computer-readable instruction upon verifying the data acquisition request with a private key in the first key pair to implement the following steps:
    利用所述私钥对所述数据获取请求进行解密处理,得到解密信息;Decrypt the data acquisition request by using the private key to obtain decryption information;
    检测所述解密信息是否为乱码;Detecting whether the decrypted information is garbled;
    若所述解密信息不为乱码,确定所述私钥对所述数据获取请求校验成功。If the decryption information is not garbled, it is determined that the verification of the data acquisition request by the private key is successful.
  14. 根据权利要求9所述的服务器,其中,在所述利用所述第二密钥对中的第二公钥加密所述访问指令,得到访问密文时,所述处理器执行所述至少一个计算机可读指令以实现以下步骤:The server according to claim 9, wherein when the access instruction is encrypted with the second public key in the second key pair to obtain the access ciphertext, the processor executes the at least one computer Readable instructions to implement the following steps:
    计算所述访问指令的指令数量,并检测所述指令数量是否大于配置值;Calculate the instruction quantity of the access instruction, and detect whether the instruction quantity is greater than the configuration value;
    若所述指令数量大于所述配置值,根据所述配置值划分所述访问指令,得到多个指令块,每个指令块中包含数量为所述配置值的所述访问指令;If the number of instructions is greater than the configuration value, divide the access instructions according to the configuration value to obtain a plurality of instruction blocks, and each instruction block includes the access instructions in the number of the configuration value;
    并行加密所述多个指令块,得到与所述多个指令块对应的多个子密文;Encrypting the multiple instruction blocks in parallel to obtain multiple sub-ciphertexts corresponding to the multiple instruction blocks;
    拼接所述多个子密文,得到所述访问密文。The multiple sub-ciphertexts are spliced to obtain the access ciphertext.
  15. 一种计算机可读存储介质,其中,所述计算机可读存储介质存储有至少一个计算机可读指令,所述至少一个计算机可读指令被处理器执行时实现以下步骤:A computer-readable storage medium, wherein the computer-readable storage medium stores at least one computer-readable instruction, and the at least one computer-readable instruction implements the following steps when executed by a processor:
    当接收到客户端发送的访问需求时,根据所述访问需求生成与所述客户端对应的第一密钥对,并将所述第一密钥对中的第一公钥发送至所述客户端;When receiving the access requirement sent by the client, generate a first key pair corresponding to the client according to the access requirement, and send the first public key in the first key pair to the client end;
    接收所述客户端基于所述第一公钥生成的数据获取请求,并利用所述第一密钥对中的私钥对所述数据获取请求进行校验;receiving a data acquisition request generated by the client based on the first public key, and verifying the data acquisition request by using the private key in the first key pair;
    若所述私钥对所述数据获取请求校验成功,从所述数据获取请求中确定待访问系统,并获取与所述待访问系统对应的第二密钥对;If the verification of the data acquisition request by the private key is successful, determine the system to be accessed from the data acquisition request, and acquire a second key pair corresponding to the system to be accessed;
    从所述数据获取请求中获取访问指令,并利用所述第二密钥对中的第二公钥加密所述访问指令,得到访问密文;Obtain an access instruction from the data acquisition request, and encrypt the access instruction with the second public key in the second key pair to obtain an access ciphertext;
    向所述待访问系统发送所述访问密文。Send the access ciphertext to the system to be accessed.
  16. 根据权利要求15所述的存储介质,其中,在所述根据所述访问需求生成与所述客户端对应的第一密钥对时,所述至少一个计算机可读指令被处理器执行以实现以下步骤:16. The storage medium of claim 15, wherein, when the first key pair corresponding to the client is generated according to the access requirement, the at least one computer-readable instruction is executed by a processor to implement the following: step:
    获取权限列表,所述权限列表中存储多个设备的设备信息,所述多个设备具有访问业务系统的权限,所述业务系统包括与服务器连接的多个系统;obtaining a permission list, where the device information of multiple devices is stored in the permission list, and the multiple devices have the permission to access the business system, and the business system includes multiple systems connected to the server;
    检测所述权限列表中是否存在所述客户端;Detecting whether the client exists in the permission list;
    若所述权限列表中存在所述客户端,确定所述客户端在所述权限列表中的序号;If the client exists in the permission list, determine the serial number of the client in the permission list;
    生成位数为所述序号的第一随机数,并生成位数为所述序号的第二随机数;generating a first random number with the number of digits being the serial number, and generating a second random number with the number of digits being the serial number;
    根据所述第一随机数及所述第二随机数生成所述第一密钥对。The first key pair is generated according to the first random number and the second random number.
  17. 根据权利要求16所述的存储介质,其中,在所述根据所述第一随机数及所述第二随机数生成所述第一密钥对时,所述至少一个计算机可读指令被处理器执行以实现以下步骤:17. The storage medium of claim 16, wherein the at least one computer-readable instruction is executed by a processor when the first key pair is generated from the first random number and the second random number Execute to achieve the following steps:
    检测所述第一随机数是否为质数,并检测所述第二随机数是否为质数;detecting whether the first random number is a prime number, and detecting whether the second random number is a prime number;
    当所述第一随机数及所述第二随机数均为质数时,计算所述第一随机数与所述第二随机数的乘积,得到目标数值;When both the first random number and the second random number are prime numbers, calculating the product of the first random number and the second random number to obtain a target value;
    计算所述第一随机数与所述第二随机数的最小公倍数;calculating the least common multiple of the first random number and the second random number;
    生成大于预设数值且小于所述最小公倍数的第一候选值,并确定所述第一候选值与所述最小公倍数的最大公约数;generating a first candidate value greater than a preset value and less than the least common multiple, and determining the greatest common divisor of the first candidate value and the least common multiple;
    当所述最大公约数为所述预设数值时,将所述第一候选值确定为第一数值,并拼接所述目标数值与所述第一数值,得到所述第一密钥对中的公钥;When the greatest common divisor is the preset value, the first candidate value is determined as the first value, and the target value and the first value are concatenated to obtain the first key pair in the public key;
    生成大于所述预设数值且小于所述最小公倍数的第二候选值,将所述第二候选值与所述第一数值的乘积与所述最小公倍数进行取余运算,得到余数;generating a second candidate value greater than the preset value and less than the least common multiple, and performing a remainder operation on the product of the second candidate value and the first value and the least common multiple to obtain a remainder;
    当所述余数为所述预设数值时,将所述第二候选值确定为第二数值,并拼接所述目标数值与所述第二数值,得到所述第一密钥对中的私钥。When the remainder is the preset value, the second candidate value is determined as the second value, and the target value and the second value are concatenated to obtain the private key in the first key pair .
  18. 根据权利要求15所述的存储介质,其中,在接收所述客户端基于所述第一公钥生成的数据获取请求之前,所述至少一个计算机可读指令被处理器执行以实现以下步骤:16. The storage medium of claim 15, wherein before receiving a data acquisition request generated by the client based on the first public key, the at least one computer-readable instruction is executed by a processor to implement the following steps:
    获取所述访问需求的第一发送地址,并获取所述数据获取请求的第二发送地址;Obtain the first sending address of the access request, and obtain the second sending address of the data acquisition request;
    检测所述第二发送地址与所述第一发送地址是否相同;Detecting whether the second sending address is the same as the first sending address;
    若所述第二发送地址与所述第一发送地址相同,接收所述数据获取请求。If the second sending address is the same as the first sending address, receive the data acquisition request.
  19. 根据权利要求15所述的存储介质,其中,在所述利用所述第一密钥对中的私钥对所述数据获取请求进行校验时,所述至少一个计算机可读指令被处理器执行时以实现以下步骤:16. The storage medium of claim 15, wherein the at least one computer-readable instruction is executed by a processor upon verification of the data acquisition request using a private key in the first key pair to achieve the following steps:
    利用所述私钥对所述数据获取请求进行解密处理,得到解密信息;Decrypt the data acquisition request by using the private key to obtain decryption information;
    检测所述解密信息是否为乱码;Detecting whether the decrypted information is garbled;
    若所述解密信息不为乱码,确定所述私钥对所述数据获取请求校验成功。If the decryption information is not garbled, it is determined that the verification of the data acquisition request by the private key is successful.
  20. 根据权利要求15所述的存储介质,其中,在所述利用所述第二密钥对中的第二公钥加密所述访问指令,得到访问密文时,所述至少一个计算机可读指令被处理器执行以实现以下步骤:The storage medium of claim 15, wherein when the access instruction is encrypted with the second public key in the second key pair to obtain an access ciphertext, the at least one computer-readable instruction is The processor performs the following steps:
    计算所述访问指令的指令数量,并检测所述指令数量是否大于配置值;Calculate the instruction quantity of the access instruction, and detect whether the instruction quantity is greater than the configuration value;
    若所述指令数量大于所述配置值,根据所述配置值划分所述访问指令,得到多个指令块,每个指令块中包含数量为所述配置值的所述访问指令;If the number of instructions is greater than the configuration value, divide the access instructions according to the configuration value to obtain a plurality of instruction blocks, and each instruction block includes the access instructions in the number of the configuration value;
    并行加密所述多个指令块,得到与所述多个指令块对应的多个子密文;Encrypting the multiple instruction blocks in parallel to obtain multiple sub-ciphertexts corresponding to the multiple instruction blocks;
    拼接所述多个子密文,得到所述访问密文。The multiple sub-ciphertexts are spliced to obtain the access ciphertext.
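Claims 10 and 11 (repeated as claims 16 and 17) spell out the first key pair's generation step by step. The Python below is a worked example added for this page; it is not code from the patent or its applicant. It follows the claim's steps with a preset value of 1, ties the digit count of both primes to the client's position in the permission list (assumed 1-based, since a 0-digit number cannot be generated), and uses "|" as the assumed separator for the concatenation the claim describes. Because the claim computes the least common multiple of the two random numbers themselves, which for two distinct primes is just their product, the example also carries a `textbook` switch that uses lcm(p-1, q-1) as RSA key generation does, plus a round-trip check so both readings can be compared on small primes. `SequentialSource` is a deterministic stand-in for the random draws, included only to make the run reproducible.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPair:
    n: int        # target value: product of the two primes (claim 11)
    e: int        # first value: public exponent
    d: int        # second value: private exponent
    modulus: int  # the value e and d were chosen against (see key_pair_from_primes)

    def public_key(self) -> str:
        # The claim "concatenates" target value and first value; "|" is an assumed separator.
        return f"{self.n}|{self.e}"

    def private_key(self) -> str:
        return f"{self.n}|{self.d}"


class SequentialSource:
    """Deterministic stand-in for an RNG: returns a, a+1, ... wrapping inside [a, b)."""

    def __init__(self) -> None:
        self._calls = 0

    def randrange(self, a: int, b: int) -> int:
        value = a + self._calls % (b - a)
        self._calls += 1
        return value


def is_prime(x: int) -> bool:
    """Trial division; adequate for the small digit counts claim 10 produces."""
    if x < 2:
        return False
    if x % 2 == 0:
        return x == 2
    f = 3
    while f * f <= x:
        if x % f == 0:
            return False
        f += 2
    return True


def lcm(a: int, b: int) -> int:
    return a * b // math.gcd(a, b)


def random_with_digits(digits: int, rng) -> int:
    # Claim 10: a random number with exactly `digits` decimal digits.
    return rng.randrange(10 ** (digits - 1), 10 ** digits)


def pick_candidate(modulus: int, preset: int, accept, rng) -> int:
    # Claim 11: draw candidates strictly between the preset value and the
    # least common multiple until the acceptance test holds.
    while True:
        cand = rng.randrange(preset + 1, modulus)
        if accept(cand):
            return cand


def key_pair_from_primes(p: int, q: int, textbook: bool = False, preset: int = 1, rng=None) -> KeyPair:
    """Claim 11 with preset value 1. textbook=False follows the claim literally
    (lcm(p, q)); textbook=True uses Carmichael's lcm(p-1, q-1) as RSA does."""
    if not (is_prime(p) and is_prime(q)):
        raise ValueError("both random numbers must be prime (claim 11, first step)")
    if p == q:
        raise ValueError("the two primes must differ, otherwise n is a square")
    rng = rng or random.SystemRandom()
    n = p * q                                              # target value
    modulus = lcm(p - 1, q - 1) if textbook else lcm(p, q)
    if modulus <= preset + 1:
        raise ValueError("primes too small: no candidate range between preset and lcm")
    e = pick_candidate(modulus, preset, lambda c: math.gcd(c, modulus) == preset, rng)
    d = pick_candidate(modulus, preset, lambda c: (c * e) % modulus == preset, rng)
    return KeyPair(n, e, d, modulus)


def generate_client_key_pair(permission_list, client_id, textbook: bool = False, rng=None):
    """Claim 10: the client must appear in the permission list; its (assumed
    1-based) position is the digit count of both random numbers. Returns None
    when the client is absent; redraws until both numbers are distinct primes."""
    rng = rng or random.SystemRandom()
    if client_id not in permission_list:
        return None
    digits = permission_list.index(client_id) + 1
    while True:
        p, q = random_with_digits(digits, rng), random_with_digits(digits, rng)
        if p != q and is_prime(p) and is_prime(q):
            try:
                return key_pair_from_primes(p, q, textbook, rng=rng)
            except ValueError:       # e.g. lcm(p-1, q-1) too small for a candidate range
                continue


def rsa_roundtrip_ok(kp: KeyPair) -> bool:
    """True when c = m^e mod n decrypts back to m via c^d mod n for every m < n."""
    return all(pow(pow(m, kp.e, kp.n), kp.d, kp.n) == m for m in range(kp.n))
```

With p = 5 and q = 7 the literal reading yields e = 2, d = 18 against modulus 35, and `rsa_roundtrip_ok` reports that encrypt-then-decrypt does not return the message, while the textbook modulus 12 yields e = d = 5 and every message round-trips. A second point a practitioner would take from claim 10 is that the prime size is set by list position rather than by a security parameter, so the first entries in the permission list get one- and two-digit primes.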
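Claims 12, 13 and 14 (matched by claims 7, 18, 19 and 20) describe what the server does with the client's data acquisition request: compare its sender address with the one the access requirement came from, decrypt it with the private key and reject garbled output, then split the access instructions into blocks of the configured size, encrypt the blocks in parallel and splice the sub-ciphertexts. The Python below is an added example for this page, not the patent's own code. The cipher is a constructed SHA-256 keystream stand-in (symmetric, so one byte string plays both halves of a key pair); "not garbled" is implemented as "decodes as UTF-8 JSON carrying the fields the later steps need"; and each sub-ciphertext is length-prefixed inside the splice. All three are assumptions the claims leave open, and the sample session, keys and request are constructed.

```python
import hashlib
import json
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass


def keystream_xor(key: bytes, block_no: int, data: bytes) -> bytes:
    """Constructed stand-in for the claims' unspecified public-key cipher: a
    SHA-256 counter keystream XORed over the data. Encrypt and decrypt are the
    same call; block_no keeps every instruction block on its own keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + block_no.to_bytes(4, "big") + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


@dataclass
class Session:
    """Per-access-requirement state the server keeps (claims 9 and 12)."""
    first_sender_addr: str   # address the access requirement arrived from
    key: bytes               # first key pair; one byte string plays both halves here


REQUIRED_FIELDS = {"system_code", "instructions"}


def verify_request(key: bytes, ciphertext: bytes):
    """Claim 13: decrypt with the private key and reject 'garbled' output.
    Assumption: 'not garbled' means UTF-8 JSON with a system code and an
    instruction list; anything else is treated as garbled and returns None."""
    plain = keystream_xor(key, 0, ciphertext)
    try:
        obj = json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    if not isinstance(obj, dict) or not REQUIRED_FIELDS.issubset(obj):
        return None
    if not isinstance(obj["instructions"], list):
        return None
    return obj


def chunk_instructions(instructions: list, config_value: int) -> list:
    """Claim 14, first two steps: split only when the count exceeds the
    configured value. Assumption: a final short block is kept, not padded."""
    if config_value < 1:
        raise ValueError("config_value must be positive")
    if len(instructions) <= config_value:
        return [instructions]
    return [instructions[i:i + config_value] for i in range(0, len(instructions), config_value)]


def encrypt_for_system(system_key: bytes, instructions: list, config_value: int, workers: int = 4) -> bytes:
    """Claim 14, last two steps: encrypt the blocks in parallel and splice the
    sub-ciphertexts. pool.map returns results in block order; each sub-ciphertext
    gets a 4-byte length prefix (assumption) so the receiver can split again."""
    blocks = chunk_instructions(instructions, config_value)

    def encrypt_block(indexed):
        idx, block = indexed
        return keystream_xor(system_key, idx + 1, json.dumps(block).encode("utf-8"))

    with ThreadPoolExecutor(max_workers=workers) as pool:
        subs = list(pool.map(encrypt_block, enumerate(blocks)))
    return b"".join(len(s).to_bytes(4, "big") + s for s in subs)


def decrypt_from_splice(system_key: bytes, spliced: bytes) -> list:
    """Receiving side: unsplice, decrypt each block, flatten back to instructions."""
    out, pos, idx = [], 0, 1
    while pos < len(spliced):
        size = int.from_bytes(spliced[pos:pos + 4], "big")
        pos += 4
        out.extend(json.loads(keystream_xor(system_key, idx, spliced[pos:pos + size]).decode("utf-8")))
        pos += size
        idx += 1
    return out


def handle_data_request(session: Session, sender_addr: str, ciphertext: bytes, system_keys: dict, config_value: int):
    """Claims 12, 13 and 14 in order. Returns ("ok", system_code, access_ciphertext)
    or ("rejected", reason, None)."""
    if sender_addr != session.first_sender_addr:                       # claim 12
        return ("rejected", "sender address differs from the access requirement", None)
    request = verify_request(session.key, ciphertext)                  # claim 13
    if request is None:
        return ("rejected", "private key could not verify the request", None)
    system_code = request["system_code"]                               # system to be accessed
    if system_code not in system_keys:
        return ("rejected", "no second key pair for the requested system", None)
    access_ct = encrypt_for_system(system_keys[system_code], request["instructions"], config_value)
    return ("ok", system_code, access_ct)                              # claim 14 output, ready to send


# Constructed sample run: one client session, one target system, five instructions.
SAMPLE_SYSTEM_KEYS = {"SYS-A": b"sys-a-stand-in-key"}
SAMPLE_SESSION = Session(first_sender_addr="10.0.0.5", key=b"client-pair-1")
SAMPLE_REQUEST = keystream_xor(SAMPLE_SESSION.key, 0, json.dumps(
    {"system_code": "SYS-A", "instructions": ["i1", "i2", "i3", "i4", "i5"]}).encode("utf-8"))

if __name__ == "__main__":
    status, code, ct = handle_data_request(SAMPLE_SESSION, "10.0.0.5", SAMPLE_REQUEST, SAMPLE_SYSTEM_KEYS, 2)
    print(status, code, decrypt_from_splice(SAMPLE_SYSTEM_KEYS[code], ct))
```

A request encrypted under a different key, or sent from an address other than the one the access requirement came from, is rejected; a well-formed request comes back as the system code plus a spliced ciphertext that `decrypt_from_splice` turns back into the original five instructions in three blocks of at most two. The length prefixes are what make the splice reversible: the claims only say the sub-ciphertexts are spliced, and without a prefix or delimiter the receiving system cannot tell where one ends and the next begins. The garbled-output check is only as strong as the structure it demands, which is why the example insists on the fields the later steps consume rather than on "decodes to text".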
PCT/CN2021/123635 2021-02-25 2021-10-13 User authentication method and apparatus, server and storage medium WO2022179115A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110215281.2 2021-02-25
CN202110215281.2A CN112948851A (en) 2021-02-25 2021-02-25 User authentication method, device, server and storage medium

Publications (1)

Publication Number Publication Date
WO2022179115A1 true WO2022179115A1 (en) 2022-09-01

Family

ID=76246401

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/123635 WO2022179115A1 (en) 2021-02-25 2021-10-13 User authentication method and apparatus, server and storage medium

Country Status (2)

Country Link
CN (1) CN112948851A (en)
WO (1) WO2022179115A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112948851A (en) * 2021-02-25 2021-06-11 深圳壹账通智能科技有限公司 User authentication method, device, server and storage medium
CN113609366A (en) * 2021-08-04 2021-11-05 深圳市元征科技股份有限公司 Data acquisition method and device, terminal equipment and readable storage medium
CN113872932B (en) * 2021-08-20 2023-08-29 苏州浪潮智能科技有限公司 SGX-based micro-service interface authentication method, system, terminal and storage medium
CN114338033A (en) * 2021-12-06 2022-04-12 北京达佳互联信息技术有限公司 Request processing method, device, equipment and storage medium
CN114785585B (en) * 2022-04-18 2023-12-08 高途教育科技集团有限公司 Information verification method, device, equipment and storage medium
CN115065530B (en) * 2022-06-13 2024-01-23 北京华信傲天网络技术有限公司 Trusted data interaction method and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103037366A (en) * 2011-09-30 2013-04-10 卓望数码技术(深圳)有限公司 Mobile terminal user authentication method and mobile terminal based on asymmetric cryptographic technique
US20140129828A1 (en) * 2012-11-08 2014-05-08 Samsung Electronics Co., Ltd. User authentication method using self-signed certificate of web server, client device and electronic device including web server performing the same
CN105656859A (en) * 2014-11-18 2016-06-08 航天信息股份有限公司 Secure online upgrade method and system for tax control equipment software
CN109522698A (en) * 2018-10-11 2019-03-26 平安科技(深圳)有限公司 User authen method and terminal device based on block chain
CN111901303A (en) * 2020-06-28 2020-11-06 北京可信华泰信息技术有限公司 Device authentication method and apparatus, storage medium, and electronic apparatus
CN112948851A (en) * 2021-02-25 2021-06-11 深圳壹账通智能科技有限公司 User authentication method, device, server and storage medium

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103078841B (en) * 2012-12-03 2016-01-13 厦门市美亚柏科信息股份有限公司 The method and system that a kind of preventative electronic data is saved from damage
US10015150B2 (en) * 2015-10-15 2018-07-03 Pkware, Inc. Systems and methods for Smartkey information management
CN105812388B (en) * 2016-05-13 2018-12-07 中国农业银行股份有限公司 A kind of management method and system of user certificate and private key
CN108667605B (en) * 2018-04-25 2021-02-23 拉扎斯网络科技(上海)有限公司 Data encryption and decryption method and device
EP3624391A1 (en) * 2018-09-12 2020-03-18 Koninklijke Philips N.V. Public/private key system with decreased encrypted message size
CN111698088B (en) * 2020-05-28 2022-10-18 平安科技(深圳)有限公司 Key alternation method, key alternation device, electronic equipment and medium

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103037366A (en) * 2011-09-30 2013-04-10 卓望数码技术(深圳)有限公司 Mobile terminal user authentication method and mobile terminal based on asymmetric cryptographic technique
US20140129828A1 (en) * 2012-11-08 2014-05-08 Samsung Electronics Co., Ltd. User authentication method using self-signed certificate of web server, client device and electronic device including web server performing the same
CN105656859A (en) * 2014-11-18 2016-06-08 航天信息股份有限公司 Secure online upgrade method and system for tax control equipment software
CN109522698A (en) * 2018-10-11 2019-03-26 平安科技(深圳)有限公司 User authen method and terminal device based on block chain
CN111901303A (en) * 2020-06-28 2020-11-06 北京可信华泰信息技术有限公司 Device authentication method and apparatus, storage medium, and electronic apparatus
CN112948851A (en) * 2021-02-25 2021-06-11 深圳壹账通智能科技有限公司 User authentication method, device, server and storage medium

Also Published As

Publication number Publication date
CN112948851A (en) 2021-06-11

Similar Documents

Publication Publication Date Title
WO2022179115A1 (en) User authentication method and apparatus, server and storage medium
JP6865850B2 (en) Obtaining access data to the blockchain network using a highly available and reliable execution environment
US11323271B2 (en) Retrieving public data for blockchain networks using highly available trusted execution environments
WO2022142038A1 (en) Data transmission method and related device
JP7426475B2 (en) Decentralized data authentication
US10534920B2 (en) Distributed data storage by means of authorisation token
WO2020062668A1 (en) Identity authentication method, identity authentication device, and computer readable medium
AU2019204708A1 (en) Retrieving public data for blockchain networks using highly available trusted execution environments
US8984286B2 (en) Message originator token verification
WO2021239059A1 (en) Key rotation method, device, electronic apparatus, and medium
US20180020008A1 (en) Secure asynchronous communications
US9749139B2 (en) Digital certificate issuer-correlated digital signature verification
US20230370265A1 (en) Method, Apparatus and Device for Constructing Token for Cloud Platform Resource Access Control
WO2022088666A1 (en) Service instance verification method and apparatus, electronic device, and storage medium
CN114884697B (en) Data encryption and decryption method and related equipment based on cryptographic algorithm
WO2021137769A1 (en) Method and apparatus for sending and verifying request, and device thereof
CN113610526A (en) Data trust method and device, electronic equipment and storage medium
CN114172659B (en) Message transmission method, device, equipment and storage medium in block chain system
WO2022073336A1 (en) Secure payment method and apparatus, electronic device, and storage medium
WO2024011863A9 (en) Communication method and apparatus, sim card, electronic device, and terminal device
CN116975937B (en) Anonymous attestation method and anonymous verification method
CN112487502A (en) Equipment authentication method and device, electronic equipment and storage medium
CN113472561A (en) Block chain data processing method and equipment thereof

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21927539

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 06/12/2023)