CN107070917A - Network application login method and system - Google Patents

Info

Publication number
CN107070917A
Authority
CN
China
Prior art keywords
information
pin code
router
terminal
intelligent
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710244614.8A
Other languages
Chinese (zh)
Other versions
CN107070917B (en
Inventor
李东声
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tendyron Technology Co Ltd
Original Assignee
Tendyron Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tendyron Technology Co Ltd filed Critical Tendyron Technology Co Ltd
Priority to CN201710244614.8A priority Critical patent/CN107070917B/en
Publication of CN107070917A publication Critical patent/CN107070917A/en
Application granted granted Critical
Publication of CN107070917B publication Critical patent/CN107070917B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a network application login method and system. The method includes: after the intelligent key device and the terminal establish a connection, the terminal triggers the verification device to execute the PIN code verification process of the intelligent key device; if the verification passes, the identity authentication server stores PIN code verification passing information; an identity authentication process is performed between the intelligent key device and the router; when the router's authentication passes, the router allocates an IP address to the terminal and stores the binding information of the intelligent key device identity information and the IP address; the terminal sends application login service request information to the application server, which triggers, between the router and the application server, a process of determining the intelligent key device identity information matched with the terminal, and the application server obtains the determined intelligent key device identity information; the application server sends a PIN code verification state query request to the identity authentication server; and, on obtaining PIN code verification completion confirmation information, the application server provides the application login service to the terminal through the router.

Description

Network application login method and system
Technical Field
The invention relates to the technical field of electronics, in particular to a network application login method and a network application login system.
Background
The router is a device connected to a local area network or a wide area network in the internet, and automatically selects and sets a route according to the channel condition and transmits signals. When a user uses terminal equipment (a computer, a mobile phone and the like) to surf the internet, the user can be connected with the application server through the router. In order to ensure the security of the application data, the terminal device of the user generally needs to input a password corresponding to the application when logging in the application server, for example: when a user logs in a mailbox by using a computer, the user needs to input the password of the mailbox. Because the password of each application may be different, the user needs to remember the password corresponding to each application, and needs to input the corresponding password each time the user logs in the application, so that the process of logging in the application by the user is complicated. Therefore, there is a need for an application login method that reduces the complexity of a user when logging in different applications through a router on the premise of ensuring the security of application data.
Disclosure of Invention
The present invention is directed to solving one of the problems set forth above.
The invention mainly aims to provide a network application login method.
The invention also aims to provide a network application login system.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
One aspect of the present invention provides a network application login method, including:
(1) after the connection between the intelligent key device and the terminal is established, the terminal triggers the verification device to execute the PIN code verification process of the intelligent key device;
(2) if the verification passes, the identity authentication server acquires and stores PIN code verification passing information;
(3) the intelligent key device performs an identity authentication process with the router through the terminal;
(4) when the result of the identity authentication process is that the authentication passed, the router allocates an IP address to the terminal and stores the binding information of the intelligent key device identity information and the IP address, where the intelligent key device identity information is an intelligent key device certificate or an intelligent key device ID;
(5) the terminal sends application login service request information to the application server through the router, which triggers, between the router and the application server, a process of determining the intelligent key device identity information matched with the terminal according to the IP address of the terminal and the binding information of the intelligent key device identity information and the IP address, and the application server obtains the determined intelligent key device identity information;
(6) the application server sends a PIN code verification state query request to the identity authentication server through the router;
(7) the identity authentication server receives the PIN code verification state query request, queries whether PIN code verification passing information exists and what its state is, and, if the PIN code verification passing information exists in the identity authentication server and its state is valid, sends PIN code verification completion confirmation information to the application server through the router; and
(8) on obtaining the PIN code verification completion confirmation information, the application server provides the application login service to the terminal through the router according to the determined intelligent key device identity information.
In addition, the process in which the terminal triggers the verification device to execute the PIN code verification of the intelligent key device includes one of the following:
(a) the terminal presents PIN code input prompt information, receives the PIN code, generates PIN code verification information and sends it to the intelligent key device; the intelligent key device receives and verifies the PIN code verification information and, if the verification passes, generates PIN code verification passing information and sends it to the identity authentication server through the terminal and the router; or
(b) the terminal presents PIN code input prompt information, receives the PIN code, generates PIN code verification information and sends it to the identity authentication server; the identity authentication server receives and verifies the PIN code verification information and, if the verification passes, generates PIN code verification passing information; or
(c) the terminal sends PIN code input prompt information to the intelligent key device; the intelligent key device receives and presents the PIN code input prompt information, receives and verifies the PIN code and, if the verification passes, generates PIN code verification passing information and sends it to the identity authentication server through the terminal and the router; or
(d) the terminal sends PIN code input prompt information to the intelligent key device; the intelligent key device receives and presents the PIN code input prompt information, receives the PIN code, generates PIN code verification information and sends it to the identity authentication server through the terminal and the router; the identity authentication server receives and verifies the PIN code verification information and, if the verification passes, generates PIN code verification passing information.
In addition, the step in which the terminal sends application login service request information to the application server through the router, a process of determining the intelligent key device identity information matched with the terminal according to the IP address of the terminal and the binding information of the intelligent key device identity information and the IP address is triggered between the router and the application server, and the application server obtains the determined intelligent key device identity information, includes one of the following:
(a) the terminal sends application login service request information to the application server through the router, where the application login service request information includes the intelligent key device identity information and the IP address; the application server receives the application login service request information and sends an intelligent key device identity authentication request to the router, where the request includes the intelligent key device identity information and the IP address; the router receives the intelligent key device identity authentication request, authenticates the intelligent key device identity information carried in it according to the IP address and the binding information, obtains intelligent key device identity authentication result information and sends it to the application server; the application server receives the authentication result information and, if the authentication passed, takes the intelligent key device identity information carried in the application login service request information as the determined intelligent key device identity information; or
(b) the terminal sends application login service request information to the application server through the router, where the application login service request information includes the IP address; the application server sends an intelligent key device identity information request to the router, where the request includes at least the IP address; the router receives the request, obtains the intelligent key device identity information according to the IP address and the binding information and sends it to the application server; the application server receives the intelligent key device identity information, which is the determined intelligent key device identity information; or
(c) the terminal sends application login service request information to the router, where the application login service request information includes the IP address; after receiving the application login service request information sent by the terminal, the router obtains the intelligent key device identity information according to the IP address and the binding information; the router sends the application login service request information and the intelligent key device identity information to the application server; the application server receives both, and the intelligent key device identity information is the determined intelligent key device identity information.
In addition, after the identity authentication server acquires and stores the PIN code verification passing information, the method further includes one of the following:
(a) when the terminal detects that its connection with the intelligent key device is disconnected, the terminal sends disconnection notification information to the identity authentication server through the router; after receiving the disconnection notification information, the identity authentication server invalidates the PIN code verification passing information; or
(b) when the router detects that its connection with the terminal is disconnected, the router sends device leaving information to the identity authentication server, and when the router detects that it is connected with the terminal again, the router sends device access information to the identity authentication server; on receiving the device leaving information, the identity authentication server starts a timer, keeps the PIN code verification passing information valid if the device access information is received before the timer reaches a first preset time, and invalidates the PIN code verification passing information if the device access information is not received before the timer reaches the first preset time; or
(c) the identity authentication server starts a timer, keeps the PIN code verification passing information valid before the timer reaches a second preset time, and invalidates the PIN code verification passing information after the timer reaches the second preset time.
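The method above reduced to its state logic, as an added Python example that is not part of the patent text: the router's binding of IP address to key device identity, the identity authentication server's PIN-pass record with its three invalidation rules, and the application server's login decision. The patent gives the three rules as alternatives; this model applies them together, and all class, method and parameter names, the key IDs and the 192.0.2.x addresses are assumptions.

```python
# Added illustration, not the patent's own code. Class, method and parameter
# names, the key IDs and the 192.0.2.x addresses are all constructed.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PinPassRecord:
    created_at: float                # time the PIN verification passed
    valid: bool = True
    left_at: Optional[float] = None  # set while the terminal is off the router


class AuthServer:
    """Identity authentication server: keeps PIN-verification-passed records."""

    def __init__(self, first_preset: float, second_preset: float):
        self.first_preset = first_preset    # rejoin window after "device leaving"
        self.second_preset = second_preset  # absolute lifetime of a record
        self.records: Dict[str, PinPassRecord] = {}

    def store_pin_pass(self, key_id: str, now: float) -> None:
        self.records[key_id] = PinPassRecord(created_at=now)

    def on_key_disconnected(self, key_id: str) -> None:
        # Terminal reported that the key device was unplugged: invalidate now.
        if key_id in self.records:
            self.records[key_id].valid = False

    def on_device_left(self, key_id: str, now: float) -> None:
        rec = self.records.get(key_id)
        if rec is not None and rec.left_at is None:
            rec.left_at = now               # start the first-preset timer

    def on_device_access(self, key_id: str, now: float) -> None:
        rec = self.records.get(key_id)
        if rec is not None:
            self._expire(rec, now)
            if rec.valid:
                rec.left_at = None          # rejoined in time: stop the timer

    def _expire(self, rec: PinPassRecord, now: float) -> None:
        if rec.left_at is not None and now - rec.left_at >= self.first_preset:
            rec.valid = False
        if now - rec.created_at >= self.second_preset:
            rec.valid = False

    def pin_state_valid(self, key_id: str, now: float) -> bool:
        # Answers the application server's PIN verification state query.
        rec = self.records.get(key_id)
        if rec is None:
            return False
        self._expire(rec, now)
        return rec.valid


class Router:
    """Holds the binding: allocated IP address -> key device identity."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}
        self._next_host = 10

    def admit(self, key_id: str, authenticated: bool) -> Optional[str]:
        if not authenticated:
            return None                     # no IP address, no binding
        ip = f"192.0.2.{self._next_host}"
        self._next_host += 1
        self.bindings[ip] = key_id
        return ip

    def verify_claim(self, ip: str, claimed_key_id: str) -> bool:
        return self.bindings.get(ip) == claimed_key_id

    def lookup(self, ip: str) -> Optional[str]:
        return self.bindings.get(ip)


def app_login(router: Router, auth: AuthServer, ip: str, now: float,
              claimed_key_id: Optional[str] = None) -> Optional[str]:
    """Application server decision; returns the identity logged in, or None."""
    if claimed_key_id is not None:
        # Variant (a): request carries identity + IP, router checks the pair.
        if not router.verify_claim(ip, claimed_key_id):
            return None
        key_id = claimed_key_id
    else:
        # Variants (b) and (c): identity comes from the router's binding.
        key_id = router.lookup(ip)
        if key_id is None:
            return None
    return key_id if auth.pin_state_valid(key_id, now) else None
```

The binding is keyed on the IP address alone, so a deployment has to drop it when the address is released or reassigned; the model does not cover that.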
Another aspect of the present invention provides a network application login system, including a terminal, an intelligent key device, a router, an identity authentication server and an application server, where:
the terminal is used for triggering the verification device to execute the PIN code verification process of the intelligent key device after the connection with the intelligent key device is established;
the identity authentication server is used for acquiring and storing PIN code verification passing information when the PIN code verification process passes;
the intelligent key device is used for performing an identity authentication process with the router through the terminal;
the router is used for allocating an IP address to the terminal when the result of the identity authentication process is that the authentication passed, and for storing the binding information of the intelligent key device identity information and the IP address, where the intelligent key device identity information is an intelligent key device certificate or an intelligent key device ID;
the terminal is also used for sending application login service request information to the application server through the router and triggering, between the router and the application server, a process of determining the intelligent key device identity information matched with the terminal according to the IP address of the terminal and the binding information of the intelligent key device identity information and the IP address;
the application server is used for obtaining the determined intelligent key device identity information and sending a PIN code verification state query request to the identity authentication server through the router;
the identity authentication server is also used for receiving the PIN code verification state query request, querying whether PIN code verification passing information exists and what its state is, and, if the PIN code verification passing information exists in the identity authentication server and its state is valid, sending PIN code verification completion confirmation information to the application server through the router; and
the application server is also used for providing the application login service to the terminal through the router according to the determined intelligent key device identity information on obtaining the PIN code verification completion confirmation information.
In addition, one of the following applies:
(a) when the verification device is the intelligent key device, the terminal is specifically used for presenting PIN code input prompt information, receiving the PIN code, generating PIN code verification information and sending it to the intelligent key device; the intelligent key device is specifically used for receiving and verifying the PIN code verification information and, if the verification passes, generating PIN code verification passing information and sending it to the identity authentication server through the terminal and the router; or
(b) when the verification device is the identity authentication server, the terminal is specifically used for presenting PIN code input prompt information, receiving the PIN code, generating PIN code verification information and sending it to the identity authentication server; the identity authentication server is specifically used for receiving and verifying the PIN code verification information and, if the verification passes, generating PIN code verification passing information; or
(c) when the verification device is the intelligent key device, the terminal is specifically used for sending PIN code input prompt information to the intelligent key device; the intelligent key device is specifically used for receiving and presenting the PIN code input prompt information, receiving and verifying the PIN code and, if the verification passes, generating PIN code verification passing information and sending it to the identity authentication server through the terminal and the router; or
(d) when the verification device is the identity authentication server, the terminal is specifically used for sending PIN code input prompt information to the intelligent key device; the intelligent key device is specifically used for receiving and presenting the PIN code input prompt information, receiving the PIN code, generating PIN code verification information and sending it to the identity authentication server through the terminal and the router; the identity authentication server is specifically used for receiving and verifying the PIN code verification information and, if the verification passes, generating PIN code verification passing information.
In addition, one of the following applies:
(a) the terminal is specifically used for sending application login service request information to the application server through the router, where the application login service request information includes the intelligent key device identity information and the IP address; the application server is specifically used for receiving the application login service request information and sending an intelligent key device identity authentication request to the router, where the request includes the intelligent key device identity information and the IP address; the router is specifically used for receiving the intelligent key device identity authentication request, verifying the intelligent key device identity information carried in it according to the IP address and the binding information, obtaining intelligent key device identity authentication result information and sending it to the application server; the application server is specifically used for receiving the authentication result information and, if the authentication passed, taking the intelligent key device identity information carried in the application login service request information as the determined intelligent key device identity information; or
(b) the terminal is specifically used for sending application login service request information to the application server through the router, where the application login service request information includes the IP address; the application server is specifically used for sending an intelligent key device identity information request to the router, where the request includes at least the IP address; the router is specifically used for receiving the request, obtaining the intelligent key device identity information according to the IP address and the binding information and sending it to the application server; the application server is specifically used for receiving the intelligent key device identity information, which is the determined intelligent key device identity information; or
(c) the terminal is specifically used for sending application login service request information to the router, where the application login service request information includes the IP address; the router is specifically used for obtaining the intelligent key device identity information according to the IP address and the binding information after receiving the application login service request information sent by the terminal, and for sending the application login service request information and the intelligent key device identity information to the application server; the application server is specifically used for receiving both, and the intelligent key device identity information is the determined intelligent key device identity information.
In addition, one of the following applies:
(a) the terminal is also used for sending disconnection notification information to the identity authentication server through the router when it detects that its connection with the intelligent key device is disconnected; the identity authentication server is also used for invalidating the PIN code verification passing information after receiving the disconnection notification information; or
(b) the router is also used for sending device leaving information to the identity authentication server when it detects that its connection with the terminal is disconnected, and for sending device access information to the identity authentication server when it detects that it is connected with the terminal again; the identity authentication server is also used for starting a timer when the device leaving information is received, keeping the PIN code verification passing information valid if the device access information is received before the timer reaches a first preset time, and invalidating the PIN code verification passing information if the device access information is not received before the timer reaches the first preset time; or
(c) the identity authentication server is also used for starting a timer, keeping the PIN code verification passing information valid before the timer reaches a second preset time, and invalidating the PIN code verification passing information after the timer reaches the second preset time.
When a user goes online with a terminal device (a computer, a mobile phone, and the like), the application server can be accessed through the router. The existing method for logging in to the application server does not use an intelligent key device; the terminal logs in directly through the router. Because the existing login method involves no PIN code verification process and stores no information about such a process, the user must re-enter the password for the application every time the terminal is used to log in to the application server through the router. With the method and system provided by this embodiment, the user can connect the intelligent key device to the terminal, and once the PIN code verification process of the intelligent key device has passed, the terminal connects to the application server through the router. After the PIN code verification process of the intelligent key device is completed, the identity authentication server stores the PIN code verification passing information. When the user again accesses the application server through the router from the terminal connected to the intelligent key device, the user has already passed the PIN code verification process of the intelligent key device, so as long as the PIN code verification passing information is valid the user can log in to the application server without re-entering the application server password, which simplifies the process of logging in to the application.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a network application login method provided in embodiment 1 of the present invention;
Fig. 2 is a flowchart of triggering the verification device to execute the PIN code verification process of the intelligent key device according to embodiment 1 of the present invention;
Fig. 3 is another flowchart of triggering the verification device to execute the PIN code verification process of the intelligent key device according to embodiment 1 of the present invention;
Fig. 4 is another flowchart of triggering the verification device to execute the PIN code verification process of the smart key device according to embodiment 1 of the present invention;
Fig. 5 is another flowchart of triggering the verification device to execute the PIN code verification process of the smart key device according to embodiment 1 of the present invention;
Fig. 6 is a schematic structural diagram of a network application login system according to embodiment 2 of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it is to be understood that the terms "center", "longitudinal", "lateral", "up", "down", "front", "back", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like, indicate orientations or positional relationships based on those shown in the drawings, and are used only for convenience in describing the present invention and for simplicity in description, and do not indicate or imply that the referenced devices or elements must have a particular orientation, be constructed and operated in a particular orientation, and thus, are not to be construed as limiting the present invention. Furthermore, the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or quantity or location.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Embodiments of the present invention will be described in further detail below with reference to the accompanying drawings.
Embodiment 1
Fig. 1 is a flowchart of a network application login method provided in this embodiment, and the method embodiment shown in fig. 1 includes the following steps (S1-S7):
step S1, after the connection between the intelligent key device and the terminal is established, the terminal triggers the verification device to execute the PIN code verification process of the intelligent key device; if the verification is passed, the identity authentication server acquires and stores PIN code verification passing information;
step S2, the intelligent key device executes the identity authentication process between the terminal and the router;
step S3, when the result of the identity authentication process is that the authentication is passed, the router allocates an IP address for the terminal, and stores the binding information between the identity information of the intelligent key device and the IP address, wherein the identity information of the intelligent key device is an intelligent key device certificate or an intelligent key device ID;
step S4, the terminal sends application login service request information to the application server through the router, the router and the application server are triggered to execute a process of determining the intelligent key equipment identity information matched with the terminal according to the IP address of the terminal and the binding information of the intelligent key equipment identity information and the IP address, and the application server obtains the determined intelligent key equipment identity information;
step S5, the application server sends a PIN code verification state inquiry request to the identity authentication server through the router;
step S6, the identity authentication server receives the PIN code verification state inquiry request, inquires whether the PIN code verification passing information exists and inquires the state of the PIN code verification passing information, and if the identity authentication server stores the PIN code verification passing information and the state of the PIN code verification passing information is valid, the identity authentication server sends PIN code verification completion confirmation information to the application server through the router;
and step S7, the application server provides the application login service to the terminal through the router according to the determined identity information of the intelligent key equipment under the condition of obtaining the PIN code verification completion confirmation information.
When a user goes online with a terminal device (a computer, a mobile phone, and the like), the application server can be accessed through the router. The existing method for logging in to the application server does not use an intelligent key device; the terminal logs in directly through the router. Because the existing login method involves no PIN code verification process and stores no information about such a process, the user must re-enter the password for the application every time the terminal is used to log in to the application server through the router. With the method provided by this embodiment, the user can connect the intelligent key device to the terminal, and after the PIN code verification process of the intelligent key device, the terminal connects to the application server through the router. After the PIN code verification process of the intelligent key device is completed, the identity authentication server stores the PIN code verification passing information. When the user again accesses the application server through the router from the terminal connected to the intelligent key device, the user has already passed the PIN code verification process of the intelligent key device, so as long as the PIN code verification passing information is valid the user can log in to the application server without re-entering the application server password, which simplifies the process of logging in to the application.
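The message flow of steps S3 to S7 can be sketched as follows; this is an added example, not code from the patent. The class and method names, the address pool and the account name are assumptions, the identity authentication server is reduced to the S6 status lookup, and keying the lookup on the address the router itself assigned and dropping the binding when that address is released are choices of this sketch.

```python
from ipaddress import IPv4Network


class PinStatusStub:
    """Stand-in for the identity authentication server: only the S6 lookup."""

    def __init__(self):
        self.valid_passes = set()   # device IDs whose PIN pass information is valid

    def pin_status(self, device_id):
        return device_id in self.valid_passes


class Router:
    def __init__(self, pool, auth_server):
        self._free = list(IPv4Network(pool).hosts())
        self._bindings = {}         # assigned IP -> smart key device ID (S3)
        self._auth = auth_server

    def admit(self, device_id, auth_passed):
        """S3: allocate an address only if S2 passed, and store the binding."""
        if not auth_passed or not self._free:
            return None
        ip = self._free.pop(0)
        self._bindings[ip] = device_id
        return ip

    def release(self, ip):
        # Assumption of this sketch: the binding is removed with the address,
        # so a reassigned address never carries the previous identity.
        if self._bindings.pop(ip, None) is not None:
            self._free.append(ip)

    def forward_login(self, source_ip, request, app_server):
        """S4: resolve the identity from the binding and pass it on."""
        device_id = self._bindings.get(source_ip)
        if device_id is None:
            return {"granted": False, "reason": "no binding for source address"}
        return app_server.login(request, device_id, self)

    def forward_pin_query(self, device_id):
        """S5/S6: relay the PIN code verification state inquiry."""
        return self._auth.pin_status(device_id)


class ApplicationServer:
    def __init__(self, accounts):
        self._accounts = accounts   # device ID -> application account

    def login(self, request, device_id, router):
        account = self._accounts.get(device_id)
        if account is None:
            return {"granted": False, "reason": "device not enrolled"}
        if not router.forward_pin_query(device_id):
            return {"granted": False, "reason": "PIN verification required"}
        # S7: serve the login under the identity determined in S4.
        return {"granted": True, "account": account, "service": request["service"]}


def run_flow():
    """Constructed walk-through: valid pass, invalidated pass, released address."""
    auth = PinStatusStub()
    router = Router("192.168.1.0/29", auth)
    app = ApplicationServer({"1000001": "alice"})   # constructed sample account
    auth.valid_passes.add("1000001")                # outcome of S1
    ip = router.admit("1000001", auth_passed=True)  # outcome of S2, then S3
    first = router.forward_login(ip, {"service": "mail"}, app)
    auth.valid_passes.discard("1000001")            # pass information invalidated
    second = router.forward_login(ip, {"service": "mail"}, app)
    router.release(ip)
    third = router.forward_login(ip, {"service": "mail"}, app)
    return first, second, third


if __name__ == "__main__":
    for result in run_flow():
        print(result)
```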
The following specifically describes steps S1-S7 of the present embodiment:
step S1, after the connection between the intelligent key device and the terminal is established, the terminal triggers the verification device to execute the PIN code verification process of the intelligent key device; if the verification is passed, the identity authentication server acquires and stores PIN code verification passing information;
in this step, the terminal includes electronic devices such as a computer and a mobile phone, the smart key device includes but is not limited to an electronic signature device and a smart card, and the smart key device has a built-in security chip, and the security chip has functions of encrypting, signing and the like to ensure data security.
In this step, as an optional implementation manner, the terminal may be provided with a wired communication interface, for example, when the terminal is a computer, a USB interface provided on the computer may be the wired communication interface; when the terminal is a mobile phone, the audio interface arranged on the mobile phone can be a wired communication interface of the mobile phone. The method for establishing connection between the intelligent secret key equipment and the terminal specifically comprises the following steps: the intelligent key device is connected with the communication interface of the terminal in a wired connection mode. As another optional implementation, the terminal may be provided with a wireless communication module, for example, a communication module such as WIFI, bluetooth, NFC, or the like. The method for establishing connection between the intelligent secret key equipment and the terminal specifically comprises the following steps: the intelligent secret key equipment is connected with the terminal through wireless connection (WIFI, Bluetooth, NFC and the like). Therefore, the terminal can realize the security function by means of the intelligent key device.
In this step, the verification device is triggered to execute the PIN code verification process of the smart key device, which at least includes any one of the following four ways:
Mode one
In this mode, the verification device is the intelligent key device. Fig. 2 is a flowchart of triggering the verification device to execute the PIN code verification process of the intelligent key device. As shown in Fig. 2, the process specifically includes:
step S101, the terminal presents PIN code input prompt information;
in this step, the terminal may display the PIN code input prompt information on its screen or announce it by voice through a speaker, for example: the terminal displays "please enter password" on the screen.
Step S102, the terminal receives the PIN code and generates PIN code verification information;
in this step, after the terminal prompts, the user may input the PIN code in a keyboard input mode, a mouse selection mode, a voice input mode, or the user may input the PIN code in a biological information input mode. The terminal generates PIN code verification information after receiving the PIN code, optionally, the PIN code verification information may be encrypted data generated after the PIN code is encrypted by the terminal, and the encryption mode may include symmetric key encryption or asymmetric key encryption, so that the PIN code is safer when being transmitted between the terminal and other devices.
Step S103, the terminal sends PIN code verification information to the intelligent secret key equipment;
step S104, the intelligent secret key equipment receives and verifies the PIN code verification information, and if the verification is passed, PIN code verification passing information is generated;
in this step, optionally, if the PIN code verification information is encrypted data generated by encrypting the PIN code, the intelligent key device decrypts the received PIN code verification information to obtain the PIN code. The intelligent key device may pre-store the PIN code and compare the PIN code obtained from the PIN code verification information with the pre-stored PIN code; if they match, the PIN code verification information passes verification. Alternatively, the intelligent key device may pre-store a PIN code MAC value; after receiving the PIN code verification information, it computes a MAC value over the PIN code in the PIN code verification information and compares the computed MAC value with the pre-stored PIN code MAC value; if they match, the PIN code verification information passes verification.
And step S105, the intelligent secret key equipment sends the PIN code verification passing information to an identity authentication server through the terminal and the router.
In this optional implementation, the terminal initiates the PIN code verification process and presents the PIN code input prompt information; the intelligent key device verifies the PIN code; and if the verification passes, the identity authentication server stores the PIN code verification passing information.
Mode two
This mode differs from mode one in that the verification device is the identity authentication server. The identity authentication server and the router are connected in a wired or wireless manner. Fig. 3 is another flowchart of triggering the verification device to execute the PIN code verification process of the smart key device. As shown in Fig. 3, the process specifically includes:
step S111, the terminal presents PIN code input prompt information;
step S112, the terminal receives the PIN code and generates PIN code verification information;
step S113, the terminal sends the PIN code verification information to an identity authentication server;
in this step, the terminal may send the PIN code verification information to the authentication server through the router.
Step S114, the identity authentication server receives and verifies the PIN code verification information, and if the verification is passed, PIN code verification passing information is generated.
As an optional implementation, the PIN code may be pre-stored in the identity authentication server; after the PIN code verification information is received, the PIN code in it is compared with the pre-stored PIN code, and if they match, the verification passes. Alternatively, the identity authentication server may pre-store a PIN code MAC value; after receiving the PIN code verification information, it computes a MAC value over the PIN code in the PIN code verification information and compares the computed MAC value with the pre-stored PIN code MAC value; if they match, the verification passes.
In this optional implementation, the terminal initiates the PIN code verification process and presents the PIN code input prompt information; the identity authentication server verifies the PIN code and, if the verification passes, stores the PIN code verification passing information. Compared with mode one, the PIN code verification process in this mode does not require the participation of the intelligent key device.
Mode three
In this mode, the verification device is the intelligent key device. This mode differs from mode one in that the smart key device presents the PIN code input prompt information and receives the PIN code. Fig. 4 is another flowchart of triggering the verification device to execute the PIN code verification process of the smart key device. As shown in Fig. 4, the process specifically includes:
step S121, the terminal sends PIN code input prompt information to the intelligent key device;
step S122, the intelligent key device receives the PIN code input prompt information and presents it;
in this step, the smart key device may display the PIN code input prompt information on its screen or announce it by voice through a speaker, for example: the smart key device displays "please enter a password" on its screen.
Step S123, the intelligent secret key equipment receives and verifies the PIN code, and if the verification is passed, PIN code verification passing information is generated;
in this step, after the smart key device performs the prompt, the user may input the PIN code in a manner of keyboard input, mouse selection, voice input, or the like, or the user may input the PIN code in a manner of biometric information entry.
And step S124, the intelligent secret key equipment sends the PIN code verification passing information to the identity authentication server through the terminal and the router.
In this optional implementation, the terminal initiates the PIN code verification process; the intelligent key device presents the PIN code input prompt information and verifies the PIN code; and if the verification passes, the identity authentication server stores the PIN code verification passing information. In addition, because the smart key device receives and verifies the PIN code directly, neither the PIN code nor data obtained by processing it needs to be transmitted between devices, which improves the security of the PIN code.
Mode four
In this mode, the verification device is the identity authentication server. This mode differs from mode one in that the smart key device presents the PIN code input prompt information and receives the PIN code. Fig. 5 is another flowchart of triggering the verification device to execute the PIN code verification process of the smart key device. As shown in Fig. 5, the process specifically includes:
step S131, the terminal sends PIN code input prompt information to the intelligent key device;
step S132, the intelligent key device receives the PIN code input prompt information and presents it;
step S133, the intelligent secret key equipment receives the PIN code and generates PIN code verification information;
step S134, PIN code verification information is sent to an identity authentication server through a terminal and a router;
step S135, the identity authentication server receives and verifies the PIN code verification information, and if the verification passes, generates PIN code verification passing information.
In this optional implementation, the terminal initiates the PIN code verification process; the intelligent key device presents the PIN code input prompt information; and the identity authentication server verifies the PIN code and, if the verification passes, generates and stores the PIN code verification passing information.
In step S1, according to any of the above optional embodiments, the verification device may verify the identity of the user by means of PIN code verification, and after the verification is passed, the authentication server may obtain and store PIN code verification passing information, so as to provide a basis for subsequent application login operations.
In order to further improve the security, after the PIN verification is passed, the validity of the PIN verification information can be maintained. For example, when the time elapsed after the user inputs the PIN code is too long, or the terminal of the user is disconnected from the router, the authentication server may perform a disabling operation on the stored PIN code verification pass information, and the user may need to perform the PIN code verification again to perform the network application login operation again.
The following is an exemplary description of validity maintenance of PIN code verification information:
in an optional implementation manner of this embodiment, after step S1, the method further includes: when the terminal detects that the connection between the terminal and the intelligent secret key equipment is disconnected, the terminal sends disconnection notification information to the identity authentication server through the router; and after receiving the disconnection notification information, the identity authentication server executes an operation of invalidating the information that the PIN code verification passes. In this alternative embodiment, a status parameter may be set in the authentication server to indicate whether the PIN verification pass information is in a valid status. In particular, the status parameter may be represented by a one-bit binary number, with different numbers representing the valid status and the invalid status, respectively. For example, the number "1" may represent that the PIN code verification passing information is in a valid state, and the number "0" may represent that the PIN code verification passing information is in a disabled state; alternatively, the number "0" may indicate that the PIN code verification passing information is in a valid state, and the number "1" may indicate that the PIN code verification passing information is in a disabled state, which is not specifically limited herein. 
In a specific implementation, after step S1, when the terminal detects that it has been disconnected from the smart key device, the terminal sends disconnection notification information to the identity authentication server through the router; after receiving the disconnection notification information, the identity authentication server changes the state parameter of the stored PIN code verification passing information of the smart key device to the disabled state. For example, where the number "1" represents the valid state of the PIN code verification passing information, the identity authentication server changes the state parameter from "1" to "0".
In this optional embodiment, the status parameter may not be set in the authentication server, but whether the smart key device PIN code verification passing information is valid may be determined by whether the smart key device PIN code verification passing information is stored in the authentication server. Specifically, after step S1, when the terminal detects that the terminal is disconnected from the smart key device, sending disconnection notification information to the identity authentication server through the router; and after receiving the disconnection notification information, the identity authentication server deletes the stored PIN code verification passing information of the intelligent secret key equipment. Therefore, as long as the PIN verification passing information of the intelligent key equipment is found in the identity authentication server, the pre-stored PIN verification passing information of the intelligent key equipment is determined to be in a valid state, and otherwise, the verification passing information is in a failure state. When the connection between the terminal and the intelligent key device is disconnected, other people except the user can use the terminal to access the network, so that the PIN code verification passing information is determined to be in a failure state, and the other people except the user can be prevented from illegally accessing the network; when the user reconnects the intelligent key device with the terminal, the user needs to input the PIN again to complete a new PIN verification process.
In another optional implementation manner of this embodiment, after step S1, the method further includes: the router sends equipment leaving information to the identity authentication server when detecting that the router is disconnected from the terminal, and sends equipment access information to the identity authentication server when detecting that the router is reconnected with the terminal; the identity authentication server receives the equipment leaving information, starts timing by using a timer, maintains the validity of the PIN code verification passing information if the equipment access information is received before the timing reaches the first preset time, and executes the operation of invalidating the PIN code verification passing information if the equipment access information is not received before the timing reaches the first preset time. For example, the first preset time is 10 minutes, if the terminal is disconnected from the router and then is reconnected with the router within 10 minutes, the PIN code does not need to be input again to perform a new PIN code verification process; if the disconnection time of the terminal and the router exceeds 10 minutes, the terminal and the router need to input the PIN again to carry out a new PIN verification process after being connected again.
In this optional implementation, as in the previous one, a state parameter may be set in the identity authentication server to indicate whether the PIN code verification passing information is in a valid state. In a specific implementation, the identity authentication server starts a timer on receiving the device leaving information; if the device access information is received before the timer reaches the first preset time, the state parameter is not modified; if the device access information is not received before the timer reaches the first preset time, the state parameter is modified, for example, where the number "1" represents the valid state, the identity authentication server changes the state parameter from "1" to "0". Alternatively, in this optional implementation, the identity authentication server starts a timer on receiving the device leaving information and, if the device access information is not received before the timer reaches the first preset time, deletes the PIN code verification passing information it has stored. In that case, as long as the PIN code verification passing information of the smart key device is found in the identity authentication server, the stored PIN code verification passing information of the smart key device is determined to be in a valid state; otherwise it is in a disabled state.
When the terminal has been disconnected from the router for too long, the user of the terminal and the smart key device may have changed; determining that the PIN code verification passing information is in a disabled state prevents people other than the user from accessing the network illegally. If the user again uses the terminal and the smart key device to log in to the application server, the PIN code must be entered again before the login operation can be performed.
In another optional implementation manner of this embodiment, after step S1, the method further includes: and the identity authentication server starts timing by using a timer, maintains the validity of the PIN code verification passing information before the timing reaches the second preset time, and executes the operation of invalidating the PIN code verification passing information after the timing reaches the second preset time. For example, the second preset time is 8 hours, after the user completes the PIN code verification once, the password-input-free network application login operation can be performed through the router within 8 hours, and after the time exceeds 8 hours, the user needs to complete the PIN code verification process once again to continue the password-input-free network application.
In this optional implementation, a state parameter may be set in the identity authentication server to indicate whether the PIN code verification passing information is in a valid state, as provided in the first optional implementation. In a specific implementation, the identity authentication server starts a timer and does not modify the state parameter before the timer reaches the second preset time; after the timer reaches the second preset time, it modifies the state parameter, for example, where the number "1" represents the valid state, the identity authentication server changes the state parameter from "1" to "0". Alternatively, in this optional implementation, the identity authentication server starts a timer and deletes the PIN code verification passing information it has stored after the timer reaches the second preset time. In that case, as long as the PIN code verification passing information of the smart key device is found in the identity authentication server, the stored PIN code verification passing information of the smart key device is determined to be in a valid state; otherwise it is in a disabled state.
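The server side of step S1 can be modelled as below: PIN verification against a pre-stored MAC value (as in mode two) followed by the three validity rules just described. This is an added example, not code from the patent. It applies the three alternative rules together in one store, uses the "delete the record" variant instead of a state parameter, and evaluates the timers at query time rather than running them in the background; the class, method and key names are assumptions.

```python
import hashlib
import hmac

FIRST_PRESET = 10 * 60        # "first preset time" example from the text: 10 minutes
SECOND_PRESET = 8 * 60 * 60   # "second preset time" example from the text: 8 hours


class IdentityAuthServer:
    """Illustrative model of the identity authentication server (names assumed)."""

    def __init__(self, mac_key, clock):
        self._mac_key = mac_key   # assumed secret key for the PIN code MAC
        self._clock = clock       # callable returning seconds; injectable for tests
        self._pin_macs = {}       # device ID -> pre-stored PIN code MAC value
        self._passes = {}         # device ID -> {"issued": t, "left": t or None}

    def _mac(self, device_id, pin):
        # Binding the MAC to the device ID keeps equal PINs from giving equal values.
        msg = device_id.encode() + b"\x00" + pin.encode()
        return hmac.new(self._mac_key, msg, hashlib.sha256).digest()

    def enroll(self, device_id, pin):
        # Only the MAC value is kept; the PIN itself is never stored.
        self._pin_macs[device_id] = self._mac(device_id, pin)

    def verify_pin(self, device_id, pin):
        """Recompute the MAC, compare in constant time, store pass information."""
        stored = self._pin_macs.get(device_id)
        if stored is None:
            return False
        if not hmac.compare_digest(stored, self._mac(device_id, pin)):
            return False
        self._passes[device_id] = {"issued": self._clock(), "left": None}
        return True

    def on_key_disconnected(self, device_id):
        """Disconnection notification from the terminal: invalidate at once."""
        self._passes.pop(device_id, None)

    def on_device_leave(self, device_id):
        """Device leaving information from the router: start the first timer."""
        rec = self._passes.get(device_id)
        if rec is not None and rec["left"] is None:
            rec["left"] = self._clock()

    def on_device_access(self, device_id):
        """Device access information: keep the pass only if it arrived in time."""
        if self.is_valid(device_id):
            self._passes[device_id]["left"] = None

    def is_valid(self, device_id):
        """Answer to the PIN code verification state inquiry (step S6)."""
        rec = self._passes.get(device_id)
        if rec is None:
            return False
        now = self._clock()
        expired = now - rec["issued"] >= SECOND_PRESET
        away = rec["left"] is not None and now - rec["left"] >= FIRST_PRESET
        if expired or away:
            del self._passes[device_id]   # invalidate by deleting the record
            return False
        return True


if __name__ == "__main__":
    now = [0]                                            # constructed fake clock
    server = IdentityAuthServer(b"\x01" * 32, lambda: now[0])
    server.enroll("1000001", "246810")                   # constructed sample PIN
    print(server.verify_pin("1000001", "246810"), server.is_valid("1000001"))
    server.on_device_leave("1000001")
    now[0] += FIRST_PRESET                               # away for the full 10 minutes
    print(server.is_valid("1000001"))
```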
Step S2, the intelligent key device executes the identity authentication process between the terminal and the router;
in this step, the router has an identity authentication function, specifically: a security chip storing a digital certificate and/or a private key is built into the router; or software built into the router implements the digital certificate function; or the router is externally connected to an intelligent key device. The intelligent key device is a device with a security chip; the security chip has its own processor and storage unit, can store keys such as a PKI digital certificate, a private key, encryption and decryption keys, and verification keys, as well as other characteristic data, can encrypt, decrypt, sign, and verify signatures on data, and provides data encryption and identity authentication services for users. In a specific implementation, the router may authenticate the smart key device by verifying the received digital certificate of the smart key device with the root certificate, and/or by using the digital certificate of the smart key device to verify signature data signed with the private key of the smart key device. The smart key device may authenticate the router by verifying the received digital certificate of the router with the root certificate, and/or by using the digital certificate of the router to verify signature data signed with the private key of the router.
The router and the intelligent key device may perform one-way identity authentication only, that is, the router authenticates the intelligent key device, or the intelligent key device authenticates the router; or they may perform two-way identity authentication, that is, the router authenticates the intelligent key device and the intelligent key device authenticates the router.
The following is an exemplary description of the process of performing mutual authentication between a smart key device and a router:
Step S201, the smart key device generates a random number R1 and signs the random number R1 and the smart key device ID with its own private key KS1 to obtain signature data S1;
In practice, the smart key device may splice the random number R1 and the smart key device ID to obtain a splicing result. For example, if the random number R1 is "7195" and the smart key device ID is "1000001", sequentially concatenating the random number R1 and the smart key device ID gives the splicing result "71951000001". The way of splicing the random number R1 and the smart key device ID is not limited to sequential concatenation; splicing may follow other rules, which are not limited here. The smart key device performs a hash operation on the splicing result to obtain a message digest X1, and performs a signature operation on the digest X1 with its own private key KS1 to obtain signature data S1.
Step S202, the intelligent key device sends the random number R1, the ID of the intelligent key device, the signature data S1 and the certificate of the intelligent key device to the router through the terminal;
Step S203, after verifying that the smart key device certificate is legitimate, the router verifies the signature data S1 using the public key KP1 of the smart key device contained in that certificate; after the signature verification passes, the router generates a random number R2 using its own security chip.
In a specific implementation, the router applies the public key KP1 of the smart key device, taken from the smart key device certificate, to the received signature data S1 to obtain an operation result X2, and splices the received random number R1 and smart key device ID to obtain a splicing result, using the same splicing rule as the smart key device. The router performs a hash operation on the splicing result to obtain a message digest X3 and compares the operation result X2 with the digest X3; if they are consistent, the signature data S1 passes the router's signature verification.
Step S204, the router encrypts random numbers R1 and R2 by using a public key KP1 of the intelligent key device to obtain ciphertext data E1, and signs the ciphertext data E1 by using a private key KS2 of the router to obtain signature data S2;
In this step, the router performs the signing operation in the same way as the smart key device does in step S201, so the process is not described again here.
Step S205, the router sends the ciphertext data E1, the signature data S2 and the router certificate to the intelligent key device through the terminal;
Step S206, the smart key device verifies the signature data S2 using the public key KP2 of the router contained in the received certificate; after the signature verification passes, the smart key device decrypts the ciphertext data E1 with its own private key KS1 to obtain the random numbers R1 and R2;
In this step, the smart key device performs the signature verification operation in the same way as the router does in step S203, so the process is not described again here.
Step S207, the smart key device compares the random number R1 obtained by decryption with the random number R1 it generated itself; if they are consistent, the identity authentication between the smart key device and the router passes.
The above steps (S201-S207) are only one optional identity authentication procedure; identity authentication between the smart key device and the router may also be performed in other manners, which are not limited here. Through the above steps, the smart key device and the router can each verify whether the other party's identity is legitimate. In addition, the random number R2 that the smart key device decrypts in step S206 can be used as a session key: when the smart key device and the router transmit data, R2 can serve as the encryption/decryption key, which improves the security of the transmitted data.
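The exchange in steps S201-S207 can be traced end to end in the following sketch, which is an added example and not code from the patent. The textbook RSA helpers and Mersenne-prime keys are constructed stand-ins for the security chips' operations and are not safe for real use; the length-prefixed `splice` rule, the certificate layout, the subject check and all function names are assumptions.

```python
import hashlib
import secrets

def make_key(p_exp, q_exp, e=65537):
    """Toy RSA key pair from two Mersenne primes (constructed; never use for real)."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, (p - 1) * (q - 1))}

KP_CA, KS_CA = make_key(2281, 3217)   # root certificate key pair
KP1, KS1 = make_key(521, 607)         # smart key device: public KP1, private KS1
KP2, KS2 = make_key(1279, 2203)       # router: public KP2, private KS2

def splice(*fields):
    """Assumed splicing rule: 2-byte length prefix per field, so boundaries are unambiguous."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def unsplice(blob):
    fields = []
    while blob:
        size = int.from_bytes(blob[:2], "big")
        fields.append(blob[2:2 + size])
        blob = blob[2 + size:]
    return fields

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    """Hash the data, then apply the private key to the digest."""
    return pow(digest(data), priv["d"], priv["n"])

def verify(pub, data, sig):
    """Apply the public key to the signature (X2) and compare with HASH(data) (X3)."""
    return pow(sig, pub["e"], pub["n"]) == digest(data)

def encrypt(pub, data):
    # A 0x01 marker byte keeps leading zero bytes through the integer conversion.
    return pow(int.from_bytes(b"\x01" + data, "big"), pub["e"], pub["n"])

def decrypt(priv, cipher):
    m = pow(cipher, priv["d"], priv["n"])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]

def cert_body(subject, pub):
    return splice(subject.encode(), str(pub["n"]).encode(), str(pub["e"]).encode())

def issue_cert(subject, pub):
    return {"subject": subject, "pub": pub, "sig": sign(KS_CA, cert_body(subject, pub))}

def cert_ok(cert):
    """Verify a certificate against the root certificate's public key."""
    return verify(KP_CA, cert_body(cert["subject"], cert["pub"]), cert["sig"])

DEVICE_CERT = issue_cert("1000001", KP1)     # constructed sample identities
ROUTER_CERT = issue_cert("router-01", KP2)

def device_hello(device_id):
    """S201-S202: sign R1 and the device ID, send both with S1 and the certificate."""
    r1 = secrets.token_bytes(16)
    s1 = sign(KS1, splice(r1, device_id.encode()))
    return r1, {"R1": r1, "ID": device_id, "S1": s1, "cert": DEVICE_CERT}

def router_respond(msg):
    """S203-S205: check certificate and S1, then return E1, S2 and the router certificate."""
    cert = msg["cert"]
    # Assumption: the certificate subject carries the device ID, so it must match.
    if not cert_ok(cert) or cert["subject"] != msg["ID"]:
        return None, None
    if not verify(cert["pub"], splice(msg["R1"], msg["ID"].encode()), msg["S1"]):
        return None, None
    r2 = secrets.token_bytes(16)
    e1 = encrypt(cert["pub"], splice(msg["R1"], r2))
    s2 = sign(KS2, str(e1).encode())
    return {"E1": e1, "S2": s2, "cert": ROUTER_CERT}, r2

def device_finish(r1, reply):
    """S206-S207: check certificate and S2, decrypt E1, compare R1; return R2 or None."""
    cert = reply["cert"]
    if not cert_ok(cert):
        return None
    if not verify(cert["pub"], str(reply["E1"]).encode(), reply["S2"]):
        return None
    fields = unsplice(decrypt(KS1, reply["E1"]))
    if len(fields) != 2 or not secrets.compare_digest(fields[0], r1):
        return None
    return fields[1]                         # R2, usable as the session key

if __name__ == "__main__":
    r1, hello = device_hello("1000001")
    reply, r2_router = router_respond(hello)
    print("session key agreed:", device_finish(r1, reply) == r2_router)
```

Plain sequential splicing as in the "71951000001" illustration is ambiguous, because "71951" followed by "000001" yields the same string; the sketch therefore length-prefixes each field before hashing.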
Step S3, when the result of the identity authentication process is that the authentication is passed, the router allocates an IP address for the terminal, and stores the binding information between the identity information of the intelligent key device and the IP address, wherein the identity information of the intelligent key device is an intelligent key device certificate or an intelligent key device ID;
In this step, the router may acquire the identity information of the smart key device during the identity authentication process, for example in step S202 above. The router can thus establish a one-to-one correspondence between the identity information of the smart key device and the IP address of the terminal connected to that smart key device.
Step S4, the terminal sends application login service request information to the application server through the router, which triggers the router and the application server to execute a process of determining the smart key device identity information that matches the terminal according to the IP address of the terminal and the binding information between the smart key device identity information and the IP address; the application server obtains the determined smart key device identity information;
In this embodiment, step S4 can be implemented in at least any one of the following three ways:
Mode one
Step S401, the terminal sends application login service request information to an application server through a router;
The application login service request information includes the smart key device identity information and an IP address. The smart key device identity information is the device certificate or device ID of the smart key device connected to the terminal, and the IP address is the one the router allocated to the terminal in step S3 when the identity authentication process passed.
Step S402, the application server receives the application login service request information and sends an intelligent secret key equipment identity authentication request to the router;
The smart key device identity verification request includes the smart key device identity information and the IP address.
Step S403, the router receives the smart key device identity verification request, verifies the smart key device identity information carried in the request according to the IP address and the binding information, obtains smart key device identity verification result information and sends it to the application server;
Specifically, when the identity authentication process passes, the router allocates an IP address to the terminal and stores the binding information between the smart key device identity information and the IP address; that is, the router establishes a one-to-one correspondence between the identity information of the smart key device and the IP address of the terminal connected to it. On receiving the smart key device identity verification request, the router looks up, in its stored binding information, the smart key device identity information A2 corresponding to the IP address carried in the request, and checks whether the received smart key device identity information A1 is consistent with the stored identity information A2. If they are consistent, the smart key device identity verification result information indicates that verification passed; if not, it indicates that verification failed. The router can therefore use the stored binding information to verify the IP address and the smart key device identity information carried in the application login service request information initiated by the terminal. Because the binding information is stored when the router's identity authentication process passes, this step verifies whether the application login service request information sent by the terminal is legitimate; if verification passes, the request is legitimate.
Step S404, the application server receives the smart key device identity verification result information; if the result is that verification passed, the smart key device identity information carried in the application login service request information is the determined smart key device identity information;
For example, if the smart key device identity information passes verification, that is, the received smart key device identity information A1 matches the stored smart key device identity information A2 in step S403, then the identity information A1 is the determined smart key device identity information. The application server thus obtains legitimate smart key device identity information, which provides the basis for the application server subsequently to provide the application login service to the terminal through the router according to that identity information.
In this optional embodiment, the terminal sends application login service request information to the application server, where the request includes an IP address and the smart key device identity information. After the application server sends a smart key device identity verification request, the router verifies the received smart key device identity information, which yields the determined smart key device identity information.
Mode two
Step S411, the terminal sends application login service request information to an application server through a router;
In this step, the application login service request information includes an IP address. It need not include the identity information of the smart key device.
Step S412, the application server sends a smart key device identity information request to the router; the request includes at least the IP address;
Step S413, the router receives the request from the application server, obtains the smart key device identity information according to the IP address and the binding information, and sends it to the application server;
Specifically, when the identity authentication process passes, the router allocates an IP address to the terminal and stores the binding information between the smart key device identity information and the IP address; that is, the router establishes a one-to-one correspondence between the identity information of the smart key device and the IP address of the terminal connected to it. The router can therefore find, in its stored binding information, the smart key device identity information corresponding to the received IP address. Because the binding information is stored when the router's identity authentication process passes, the smart key device identity information obtained in this step is secure and legitimate.
Step S414, the application server receives the identity information of the intelligent key equipment, and the identity information of the intelligent key equipment is the determined identity information of the intelligent key equipment;
In this optional embodiment, the terminal sends application login service request information, which includes an IP address, to the application server. After the application server sends its request to the router, the router uses the binding information to obtain the legitimate smart key device identity information for that IP address and sends it to the application server. This provides the basis for the application server subsequently to provide the application login service to the terminal through the router according to the smart key device identity information.
Mode three
Step S421, the terminal sends application login service request information to the router;
In this optional embodiment, the application login service request information includes an IP address. It need not include the identity information of the smart key device.
Step S422, after the router receives the application login service request information sent by the terminal, the intelligent key equipment identity information is obtained according to the IP address and the binding information;
Specifically, when the identity authentication process passes, the router allocates an IP address to the terminal and stores the binding information between the smart key device identity information and the IP address; that is, the router establishes a one-to-one correspondence between the identity information of the smart key device and the IP address of the terminal connected to it. The router can therefore find, in its stored binding information, the smart key device identity information corresponding to the received IP address. Because the binding information is stored when the router's identity authentication process passes, the smart key device identity information obtained in this step is secure and legitimate.
Step S423, the router sends the application login service request information and the identity information of the smart key device to the application server, and the application server receives the application login service request information and the identity information of the smart key device, where the identity information of the smart key device is the determined identity information of the smart key device.
In this optional embodiment, the terminal sends application login service request information, which includes an IP address, to the router. The router uses the binding information to obtain the legitimate smart key device identity information for that IP address and sends it to the application server. This provides the basis for the application server subsequently to provide the application login service to the terminal through the router according to the smart key device identity information.
In step S4, any of the above optional embodiments completes the process in which the router and the application server determine the smart key device identity information that matches the terminal according to the IP address of the terminal and the binding information between the smart key device identity information and the IP address, so that the application server obtains the determined smart key device identity information. The determined smart key device identity information obtained through any of the optional embodiments of step S4 is legitimate. This ensures the security of the application login service that the application server provides to the terminal through the router according to the smart key device identity information.
Step S5, the application server sends a PIN code verification state inquiry request to the identity authentication server through the router;
Step S6, the identity authentication server receives the PIN code verification state query request, and queries whether PIN code verification passing information exists and what its state is; if the identity authentication server stores PIN code verification passing information and its state is valid, the identity authentication server sends PIN code verification completion confirmation information to the application server through the router;
In this embodiment, the execution order of steps S5 and S6 relative to step S4 (triggering the router and the application server to determine the smart key device identity information that matches the terminal according to the IP address of the terminal and the binding information between the smart key device identity information and the IP address, with the application server obtaining the determined identity information) is not limited. That is, after the terminal sends the application login service request information to the application server through the router, step S4 may be performed first and then steps S5 and S6; or steps S5 and S6 may be performed first and then step S4; or step S4 and steps S5 and S6 may be performed in parallel. Whatever the execution order, once the application server has obtained both the PIN code verification completion confirmation information and the determined smart key device identity information, the subsequent steps can continue.
In this embodiment, if the PIN code verification process of the smart key device in step S1 fails, the identity authentication server holds no PIN code verification passing information. When the application server then sends a PIN code verification state query request to the identity authentication server through the router, the identity authentication server finds that no PIN code verification passing information is stored, and in this case the application server cannot provide the application login service to the terminal.
Further, where the method includes maintaining the validity of the PIN code verification information, the PIN code verification passing information may be in an invalid state even though it is stored in the identity authentication server, because of an abnormal situation such as the smart key device being disconnected from the terminal or the terminal being disconnected from the router. Therefore, if the PIN code verification process of the smart key device in step S1 passes but such an abnormal situation occurs, then after the application server sends a PIN code verification state query request to the identity authentication server through the router, the identity authentication server finds that PIN code verification passing information is stored but that its state is invalid. In this case too, the application server cannot provide the application login service to the terminal.
Therefore, through steps S5 and S6 in this embodiment, before providing the application login service to the terminal, the application server sends a PIN code verification status query request to the authentication server through the router to query whether the authentication server stores valid PIN code verification passing information, so as to determine whether the terminal requesting to log in the application server is safe and legal, and after determining that the terminal identity is legal, the application server provides subsequent application login service to the terminal, thereby ensuring the security of the network application login process.
Step S7, having obtained the PIN code verification completion confirmation information, the application server provides the application login service to the terminal through the router according to the determined smart key device identity information.
In this step, the application server obtains the PIN code verification completion confirmation information, that is, the identity of the terminal requesting to log in the application server is safe and legal, and in this case, the application server may provide the application login service to the terminal according to the determined identity information of the smart key device obtained in step S4. Therefore, under the condition of ensuring the login security of the network application, the terminal can directly access the application server through the router without inputting the password again when logging in the application server, so that the network application login is more convenient.
When a user goes online with a terminal device (a computer, a mobile phone and the like), the application server can be accessed through the router. The existing method for logging in to an application server does not use a smart key device; the terminal logs in directly through the router. Because the existing login method involves no PIN code verification process and stores no information about one, the user has to enter the password for the application again every time the terminal logs in to the application server through the router. With the method provided by this embodiment, the user connects the smart key device to the terminal, and after the PIN code verification process of the smart key device, the terminal connects to the application server through the router. After the PIN code verification process is completed, the identity authentication server stores the PIN code verification passing information. When the user again accesses the application server through the router using the terminal connected to the smart key device, the user has already passed the PIN code verification process, so as long as the PIN code verification passing information is valid, the user can log in to the application server without entering the application server's password again, which simplifies the login process.
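The state timer for the PIN code verification passing information and the decision path of steps S3-S7 can be modelled together, as in the following added example (not code from the patent). Class and method names, the address pool, the injected clock and keying the PIN state by smart key device ID are assumptions; the timer uses the variant that deletes the record when the second preset time is reached.

```python
import ipaddress

class AuthServer:
    """Identity authentication server holding PIN-pass records per device."""
    def __init__(self, second_preset_time, clock):
        self.ttl, self.clock, self.passed_at = second_preset_time, clock, {}

    def store_pin_pass(self, device_id):
        self.passed_at[device_id] = self.clock()      # the timer starts here

    def invalidate(self, device_id):
        """Abnormal situation, e.g. the device or the terminal was disconnected."""
        self.passed_at.pop(device_id, None)

    def pin_pass_valid(self, device_id):
        """S6: the record must exist and must not have reached the preset time."""
        started = self.passed_at.get(device_id)
        if started is None:
            return False
        if self.clock() - started >= self.ttl:
            del self.passed_at[device_id]             # deletion variant of the state flag
            return False
        return True

class Router:
    """Allocates IP addresses and keeps the one-to-one identity/IP binding (S3)."""
    def __init__(self, pool):
        self.pool = iter(ipaddress.ip_network(pool).hosts())
        self.bindings = {}                            # IP address -> device identity

    def bind_after_auth(self, device_id, auth_passed):
        if not auth_passed:                           # no binding without step S2
            return None
        for stale in [ip for ip, dev in self.bindings.items() if dev == device_id]:
            del self.bindings[stale]                  # keep the binding one-to-one
        ip = str(next(self.pool))
        self.bindings[ip] = device_id
        return ip

    def verify_identity(self, ip, claimed_id):
        """Mode one, S403: compare claimed identity A1 with bound identity A2."""
        bound = self.bindings.get(ip)
        return bound is not None and bound == claimed_id

    def lookup_identity(self, ip):
        """Modes two and three: return the identity bound to the IP, if any."""
        return self.bindings.get(ip)

class AppServer:
    def __init__(self, router, auth_server):
        self.router, self.auth = router, auth_server

    def login(self, ip, claimed_id=None):
        """S4-S7: return the identity that is logged in, or None when refused."""
        if claimed_id is not None:                    # mode one
            ok = self.router.verify_identity(ip, claimed_id)
            identity = claimed_id if ok else None
        else:                                         # mode two
            identity = self.router.lookup_identity(ip)
        if identity is None:
            return None
        if not self.auth.pin_pass_valid(identity):    # S5-S6
            return None
        return identity                               # S7

if __name__ == "__main__":
    now = [0]                                         # constructed clock, in seconds
    auth = AuthServer(second_preset_time=300, clock=lambda: now[0])
    router = Router("192.168.1.0/29")                 # constructed address pool
    app = AppServer(router, auth)
    ip = router.bind_after_auth("1000001", auth_passed=True)
    auth.store_pin_pass("1000001")
    print("login at t=0:  ", app.login(ip))
    print("spoofed claim: ", app.login(ip, claimed_id="1000002"))
    now[0] = 300
    print("login at t=300:", app.login(ip))
```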
Example 2
Fig. 6 is a schematic structural diagram of the network application login system provided in this embodiment. As shown in Fig. 6, the system includes the smart key device 10, the terminal 20, the router 30, the identity authentication server 40 and the application server 50, wherein:
The terminal 20 is configured to trigger the verification device to execute the PIN code verification process of the smart key device 10 after the smart key device 10 establishes a connection with the terminal 20.
In this embodiment, the terminal 20 includes an electronic device such as a computer and a mobile phone, the smart key device 10 includes but is not limited to an electronic signature device and a smart card, and the smart key device 10 has a built-in security chip, and the security chip has functions of encrypting and signing to ensure data security.
As an alternative embodiment, the terminal 20 may be provided with a wired communication interface, for example, when the terminal 20 is a computer, a USB interface provided on the computer may be the wired communication interface; when the terminal 20 is a mobile phone, the audio interface provided on the mobile phone may be a wired communication interface thereof. The establishment of the connection between the smart key device 10 and the terminal 20 specifically includes: the smart key device 10 is connected to the communication interface of the terminal 20 by means of a wired connection. As another alternative, the terminal 20 may be provided with a wireless communication module, such as a WIFI, bluetooth, NFC, or other communication module. The establishment of the connection between the smart key device 10 and the terminal 20 specifically includes: smart key device 10 establishes a connection with terminal 20 through a wireless connection (WIFI, bluetooth, NFC, etc.). Thus, terminal 20 may implement security functions with the aid of smart key device 10.
In this embodiment, triggering the verification device to execute the PIN code verification process of the smart key device 10 may be implemented in at least any one of the following four ways:
Mode one
In this mode, the verification device is the smart key device 10. The terminal 20 is specifically configured to present PIN code input prompt information, receive the PIN code, generate PIN code verification information and send the PIN code verification information to the smart key device 10. The terminal 20 may display the PIN code input prompt information on its screen or announce it by voice through a speaker; for example, the terminal 20 displays "please enter a password" on the screen. After the terminal 20 prompts, the user may enter the PIN code by keyboard input, mouse selection, voice input or the like, or by entering biometric information. Optionally, the PIN code verification information may be encrypted data that the terminal 20 generates by encrypting the PIN code, using symmetric key encryption or asymmetric key encryption, so that the PIN code is transmitted more securely between the terminal 20 and other devices. The smart key device 10 is specifically configured to receive and verify the PIN code verification information and, if verification passes, to generate PIN code verification passing information and send it to the identity authentication server through the terminal 20 and the router 30. Optionally, if the PIN code verification information is encrypted data generated by encrypting the PIN code, the smart key device 10 decrypts the received PIN code verification information to obtain the PIN code. The smart key device 10 may pre-store the PIN code and compare the PIN code obtained from the PIN code verification information with the pre-stored PIN code; if they are consistent, the PIN code verification information passes verification. Alternatively, the smart key device 10 may pre-store a MAC value of the PIN code; after receiving the PIN code verification information, it computes a MAC value over the PIN code in the PIN code verification information and compares the computed MAC value with the pre-stored one; if they are consistent, the PIN code verification information passes verification.
In this optional embodiment, the terminal 20 initiates the PIN code verification process and presents the PIN code input prompt information; the smart key device 10 verifies the PIN code; if verification passes, the identity authentication server 40 stores the PIN code verification passing information.
Mode two
This mode differs from mode one in that the verification device is the identity authentication server 40. The identity authentication server 40 establishes a connection with the router 30 in a wired or wireless manner. The terminal 20 is specifically configured to present PIN code input prompt information, receive the PIN code, generate PIN code verification information and send the PIN code verification information to the identity authentication server 40; the terminal 20 may send the PIN code verification information to the identity authentication server 40 through the router 30. The identity authentication server 40 is specifically configured to receive and verify the PIN code verification information and, if verification passes, to generate PIN code verification passing information. As an optional implementation, the PIN code may be pre-stored in the identity authentication server 40; after the PIN code verification information is received, the PIN code it contains is compared with the pre-stored PIN code, and if they are consistent, verification passes. Alternatively, a MAC value of the PIN code may be pre-stored in the identity authentication server 40; after the PIN code verification information is received, a MAC value is computed over the PIN code it contains and compared with the pre-stored MAC value, and if they are consistent, verification passes.
In this optional embodiment, the terminal 20 initiates the PIN code verification process and presents the PIN code input prompt information; the identity authentication server 40 verifies the PIN code and, if verification passes, stores the PIN code verification passing information. Compared with mode one, the PIN code verification process in this mode does not require the smart key device 10 to participate.
Mode three
In this mode, the verification device is the smart key device 10. This mode differs from mode one in that the smart key device 10 presents the PIN code input prompt information and receives the PIN code. The terminal 20 is specifically configured to send the PIN code input prompt information to the smart key device 10. The smart key device 10 is specifically configured to receive and present the PIN code input prompt information, receive and verify the PIN code, generate PIN code verification passing information if verification passes, and send the PIN code verification passing information to the identity authentication server 40 through the terminal 20 and the router 30.
In this optional embodiment, the smart key device 10 may display the PIN code input prompt information on a screen or announce it by voice through a speaker; for example, the smart key device 10 displays "please enter a password" on its screen. After the smart key device 10 prompts, the user may enter the PIN code by keyboard input, mouse selection, voice input or the like, or by entering biometric information.
In this optional embodiment, the terminal 20 initiates the PIN code verification process; the smart key device 10 presents the PIN code input prompt information and verifies the PIN code; if verification passes, the identity authentication server 40 stores the PIN code verification passing information. In addition, because the smart key device 10 receives and verifies the PIN code directly, neither the PIN code nor data derived from it needs to be transmitted between devices, which improves the security of the PIN code.
Mode IV
In this embodiment, the verification device is the authentication server 40. This embodiment differs from the first embodiment in that, in this mode, the smart key device 10 presents the PIN code input prompt information and receives the PIN code. The terminal 20 is specifically configured to send the PIN code input prompt information to the smart key device 10; the smart key device 10 is specifically configured to receive and present the PIN code input prompt information, receive a PIN code, generate PIN code verification information, and send the PIN code verification information to the identity authentication server 40 through the terminal 20 and the router 30; the identity authentication server 40 is specifically configured to receive and verify the PIN code verification information, and if the verification passes, generate PIN code verification passing information.
In this alternative embodiment, the PIN code verification process is initiated by the terminal 20; the PIN code input prompt information is presented by the smart key device 10; the PIN code is verified by the authentication server 40, and if the verification passes, verification passing information is generated and stored.
In this embodiment, according to any optional embodiment described above, the verification device may verify the identity of the user in a PIN code verification manner, and after the verification passes, the identity authentication server 40 may obtain and store PIN code verification passing information, so as to provide a basis for subsequent application login operations.
The identity authentication server 40 is configured to acquire and store the PIN code verification passing information when the PIN code verification process passes verification.
To further improve security, the validity of the PIN code verification passing information can be maintained after the PIN code verification has passed. For example, when too much time has elapsed since the user input the PIN code, or the terminal 20 of the user is disconnected from the router 30, the authentication server 40 invalidates the stored PIN code verification passing information, and the user needs to perform the PIN code verification again before performing the network application login operation again.
The following is an exemplary description of validity maintenance of PIN code verification information:
In an optional implementation of this embodiment, the terminal 20 is further configured to send disconnection notification information to the identity authentication server 40 through the router 30 when detecting that the terminal 20 is disconnected from the smart key device 10; and the identity authentication server 40 is further configured to invalidate the PIN code verification passing information after receiving the disconnection notification information. In this alternative embodiment, a state parameter may be set in the authentication server 40 to indicate whether the PIN code verification passing information is in a valid state. In particular, the state parameter may be represented by a one-bit binary number, with different values representing the valid state and the invalid state, respectively. For example, the number "1" may represent that the PIN code verification passing information is in a valid state, and the number "0" may represent that it is in an invalid state; alternatively, the number "0" may indicate the valid state and the number "1" the invalid state, which is not specifically limited herein.
In a specific implementation process, when detecting that the connection between the terminal 20 and the smart key device 10 is disconnected, the terminal 20 sends disconnection notification information to the identity authentication server 40 through the router 30; upon receiving the disconnection notification information, the authentication server 40 changes the state parameter of the previously stored PIN code verification passing information to the invalid state. For example, where the number "1" represents the valid state, the authentication server 40 modifies the state parameter from "1" to "0".
In this alternative embodiment, instead of setting a state parameter in the authentication server 40, whether the PIN code verification passing information of the smart key device is valid may be determined by whether that information is stored in the authentication server 40. Specifically, the terminal 20 is configured to send disconnection notification information to the identity authentication server 40 through the router 30 when detecting that the terminal 20 is disconnected from the smart key device 10; and the identity authentication server 40 is configured to delete the stored PIN code verification passing information of the smart key device after receiving the disconnection notification information. Therefore, as long as the PIN code verification passing information of the smart key device is found in the identity authentication server 40, it is determined to be in a valid state; otherwise, it is in an invalid state. When the connection between the terminal 20 and the smart key device 10 is disconnected, someone other than the user may use the terminal 20 to access the network, so the PIN code verification passing information is determined to be in an invalid state, which prevents people other than the user from illegally accessing the network; after the user reconnects the smart key device 10 to the terminal 20, the user needs to input the PIN code again to complete a new PIN code verification process.
In another optional implementation of this embodiment, the router 30 is further configured to send device leaving information to the identity authentication server 40 when detecting that the connection between the router 30 and the terminal 20 is disconnected, and to send device access information to the identity authentication server 40 when detecting that the router 30 and the terminal 20 are connected again; the identity authentication server 40 is further configured to start a timer when the device leaving information is received, maintain the validity of the PIN code verification passing information if the device access information is received before the timer reaches the first preset time, and invalidate the PIN code verification passing information if the device access information is not received before the timer reaches the first preset time. For example, with a first preset time of 10 minutes, if the terminal 20 is disconnected from the router 30 and re-establishes the connection within 10 minutes, the PIN code does not need to be input again; if the terminal 20 stays disconnected from the router 30 for more than 10 minutes, the PIN code needs to be input again, in a new PIN code verification process, after the terminal 20 and the router 30 are connected again.
In this alternative embodiment, a state parameter may be set in the authentication server 40 to indicate whether the PIN code verification passing information is in a valid state. In the specific implementation process, the authentication server 40 receives the device leaving information and starts a timer. If the device access information is received before the timer reaches the first preset time, the authentication server 40 does not modify the state parameter; if the device access information is not received before the timer reaches the first preset time, the authentication server 40 modifies the state parameter. For example, where the number "1" represents the valid state, the authentication server 40 modifies the state parameter from "1" to "0". Alternatively, in this optional embodiment, the identity authentication server 40 receives the device leaving information, starts a timer, and, if the device access information is not received before the timer reaches the first preset time, deletes the PIN code verification passing information it has stored. In that case, as long as the PIN code verification passing information of the smart key device is found in the identity authentication server 40, it is determined to be in a valid state; otherwise, it is in an invalid state.
When the terminal 20 has been disconnected from the router 30 for too long, the user of the terminal 20 and the smart key device 10 may have changed. Determining at that point that the PIN code verification passing information is in an invalid state prevents people other than the user from illegally accessing the network; if the user wants to use the terminal 20 and the smart key device 10 to log in to the application server 50 again, the user can input the PIN code again to perform the login operation.
In yet another optional implementation of this embodiment, the identity authentication server 40 is further configured to start a timer, maintain the validity of the PIN code verification passing information before the timer reaches the second preset time, and invalidate the PIN code verification passing information after the timer reaches the second preset time. For example, with a second preset time of 8 hours, after the user completes the PIN code verification once, the password-input-free network application login operation may be performed through the router 30 within 8 hours; after 8 hours have passed, the user can continue password-input-free network application login only by completing the PIN code verification process once again.
In this optional embodiment, a state parameter may be set in the authentication server 40 to indicate whether the PIN code verification passing information is in a valid state, as in the first optional implementation. In a specific implementation process, the authentication server 40 starts a timer and does not modify the state parameter before the timer reaches the second preset time; after the timer reaches the second preset time, it modifies the state parameter. For example, where the number "1" represents the valid state, the authentication server 40 modifies the state parameter from "1" to "0". Alternatively, in this optional embodiment, the identity authentication server 40 starts a timer and, after the timer reaches the second preset time, deletes the PIN code verification passing information it has stored. In that case, as long as the PIN code verification passing information of the smart key device is found in the identity authentication server 40, it is determined to be in a valid state; otherwise, it is in an invalid state.
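The three invalidation triggers described above (key unplugged, absence from the router for the first preset time, age reaching the second preset time), combined in one store as an added example that is not part of the patent text. It uses the delete-on-invalidate variant and evaluates both timers lazily against a caller-supplied clock instead of running a timer; the type and method names, and the choice to combine the three optional implementations, are assumptions of the example.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Example values quoted in the text for the two preset times.
const (
	firstPresetTime  = 10 * time.Minute // router reconnect window
	secondPresetTime = 8 * time.Hour    // lifetime of one PIN verification
)

// passInfo is the stored PIN code verification passing information for one key.
type passInfo struct {
	verifiedAt time.Time
	leftAt     time.Time // zero value: terminal is attached to the router
}

// PassStore models the authentication server's state. It uses the "delete"
// variant from the text: a record is valid exactly when it is present.
type PassStore struct {
	mu      sync.Mutex
	records map[string]*passInfo // keyed by smart key device ID
}

func NewPassStore() *PassStore {
	return &PassStore{records: make(map[string]*passInfo)}
}

// live drops the record if either timer has run out and returns what is left.
// The caller must hold s.mu.
func (s *PassStore) live(id string, now time.Time) *passInfo {
	p, ok := s.records[id]
	if !ok {
		return nil
	}
	tooOld := now.Sub(p.verifiedAt) >= secondPresetTime
	goneTooLong := !p.leftAt.IsZero() && now.Sub(p.leftAt) >= firstPresetTime
	if tooOld || goneTooLong {
		delete(s.records, id)
		return nil
	}
	return p
}

// PINVerified stores fresh passing information after a successful PIN check.
func (s *PassStore) PINVerified(id string, now time.Time) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.records[id] = &passInfo{verifiedAt: now}
}

// KeyDisconnected handles the terminal's disconnection notification.
func (s *PassStore) KeyDisconnected(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.records, id)
}

// DeviceLeft handles the router's device leaving information.
func (s *PassStore) DeviceLeft(id string, now time.Time) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if p := s.live(id, now); p != nil && p.leftAt.IsZero() {
		p.leftAt = now
	}
}

// DeviceAccess handles the router's device access information.
func (s *PassStore) DeviceAccess(id string, now time.Time) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if p := s.live(id, now); p != nil {
		p.leftAt = time.Time{}
	}
}

// Valid answers a PIN code verification status query.
func (s *PassStore) Valid(id string, now time.Time) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.live(id, now) != nil
}

func main() {
	// Constructed timeline; "1000001" is the sample device ID used in the text.
	s, t0 := NewPassStore(), time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	s.PINVerified("1000001", t0)
	s.DeviceLeft("1000001", t0.Add(time.Hour))
	s.DeviceAccess("1000001", t0.Add(time.Hour+11*time.Minute))
	fmt.Println("valid after 11-minute absence:", s.Valid("1000001", t0.Add(2*time.Hour)))
}
```

Because expiry is checked on every call, a late device access message cannot revive a record whose reconnect window has already closed.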
The smart key device 10 is configured to perform an identity authentication process with the router 30 through the terminal 20.
In this embodiment, the router 30 has an identity authentication function. Specifically, the router 30 has a built-in security chip in which a digital certificate and/or a private key are stored; or the router 30 has built-in software that implements the digital certificate function; or the router 30 may have a smart key device externally attached. The smart key device 10 is a device having a security chip; the security chip has an independent processor and storage unit, can store a PKI digital certificate, a private key, an encryption/decryption key, a verification key, other types of keys and other characteristic data, can perform encryption, decryption, signature and signature verification operations on data, and provides data encryption and identity authentication services for the user. In a particular implementation, the router 30 may authenticate the smart key device 10 as follows: the received digital certificate of the smart key device 10 is verified using the root certificate, and/or signature data signed with the private key of the smart key device 10 is verified using the digital certificate of the smart key device 10. The smart key device 10 may authenticate the router 30 as follows: the received digital certificate of the router 30 is verified using the root certificate, and/or signature data signed with the private key of the router 30 is verified using the digital certificate of the router 30. Authentication between the router 30 and the smart key device 10 may be one-way only, that is, the router 30 authenticates the smart key device 10, or the smart key device 10 authenticates the router 30; it may also be two-way, that is, the router 30 authenticates the smart key device 10 and the smart key device 10 authenticates the router 30.
The following is an exemplary description of the process of performing two-way authentication between smart key device 10 and router 30:
The smart key device 10 is configured to generate a random number R1, and sign the random number R1 and the smart key device ID with its own private key KS1 to obtain signature data S1. In practice, the smart key device 10 may concatenate the random number R1 with the smart key device ID to obtain a concatenation result. For example, if the random number R1 is "7195" and the smart key device ID is "1000001", the concatenation result obtained by sequentially concatenating the random number R1 and the smart key device ID is "71951000001". Of course, the way of concatenating the random number R1 and the smart key device ID is not limited to sequential concatenation; concatenation may follow other rules, which are not limited herein. The smart key device 10 performs a HASH operation on the concatenation result to obtain a digest message X1, and performs a signature operation on the digest message X1 using its own private key KS1 to obtain signature data S1. The smart key device 10 is further configured to send the random number R1, the smart key device ID, the signature data S1, and the smart key device certificate to the router 30 via the terminal 20.
The router 30 is further configured to, after verifying that the smart key device certificate is legal, verify the signature data S1 using the public key KP1 of the smart key device 10 in the smart key device certificate, and generate a random number R2 using its own security chip after the signature verification passes. In the implementation process, the router 30 uses the public key KP1 of the smart key device 10 in the smart key device certificate to operate on the received signature data S1 to obtain an operation result X2, and concatenates the received random number R1 and the smart key device ID to obtain a concatenation result, where the concatenation rule is the same as the one used in the smart key device 10. The router 30 performs a HASH operation on the concatenation result to obtain a digest message X3 and compares the operation result X2 with the digest message X3; if they are consistent, the signature data S1 passes signature verification by the router 30. The router 30 is further configured to encrypt the random numbers R1 and R2 with the public key KP1 of the smart key device 10 to obtain ciphertext data E1, and sign the ciphertext data E1 with the private key KS2 of the router 30 to obtain signature data S2. The signing operation performed by the router 30 is the same as the signing operation performed by the smart key device 10 and is not described here again. The router 30 is further configured to send the ciphertext data E1, the signature data S2 and the certificate of the router 30 to the smart key device 10 through the terminal 20.
The smart key device 10 is further configured to verify the signature data S2 by using the public key KP2 of the router 30 in the received certificate, and decrypt the ciphertext data E1 by using the private key KS1 of the smart key device 10 after the verification is passed, so as to obtain random numbers R1 and R2. The specific process of the signature verification operation performed by the smart key device 10 is the same as the process of the signature verification operation performed by the router 30, and is not described herein again. The smart key device 10 is further configured to compare the random number R1 obtained by decryption with the random number R1 generated by the smart key device itself, and if the comparison result matches, the authentication result between the smart key device 10 and the router 30 is a pass.
The above-mentioned authentication process is only one optional authentication process; authentication between the smart key device 10 and the router 30 may also be performed in other manners, which are not limited herein. Through the above-mentioned authentication process, the smart key device 10 and the router 30 can mutually verify whether the identity of the other party is legal. In addition, the random number R2 obtained through decryption by the smart key device 10 can be used as a session key: when the smart key device 10 and the router 30 transmit data, the random number R2 can be used as the encryption/decryption key, so as to improve the security of the transmitted data.
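The two-way exchange described above, with both sides' messages, as an added example that is not part of the patent text. RSA with SHA-256, PKCS#1 v1.5 signatures, OAEP encryption, 16-byte random numbers and a length-prefixed concatenation rule are assumptions (the text names only HASH, signing and encryption); each public key is assumed to come from a certificate already verified against the root certificate, and all function names are illustrative.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const nonceLen = 16 // byte length of R1 and R2 (assumed)

// Hello (R1, ID, S1) goes from key device to router; Reply (E1, S2) comes back.
type Hello struct{ R1, ID, S1 []byte }
type Reply struct{ E1, S2 []byte }

// splice length-prefixes every field, so ("7195","1000001") and
// ("71951","000001") can never hash to the same digest (assumed rule).
func splice(fields ...[]byte) []byte {
	var out []byte
	for _, f := range fields {
		out = binary.BigEndian.AppendUint32(out, uint32(len(f)))
		out = append(out, f...)
	}
	return out
}

func sign(ks *rsa.PrivateKey, msg []byte) ([]byte, error) {
	x := sha256.Sum256(msg) // digest message
	return rsa.SignPKCS1v15(rand.Reader, ks, crypto.SHA256, x[:])
}
func verify(kp *rsa.PublicKey, msg, sig []byte) error {
	x := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(kp, crypto.SHA256, x[:], sig)
}

// NewKey generates a key pair standing in for KS1/KP1 or KS2/KP2.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// DeviceHello: the key device draws R1 and signs HASH(R1 || ID) with KS1.
func DeviceHello(ks1 *rsa.PrivateKey, id []byte) (Hello, error) {
	r1 := make([]byte, nonceLen)
	if _, err := rand.Read(r1); err != nil {
		return Hello{}, err
	}
	s1, err := sign(ks1, splice(r1, id))
	return Hello{R1: r1, ID: id, S1: s1}, err
}

// RouterReply verifies S1 with KP1, draws R2, and returns E1, S2 and R2.
func RouterReply(h Hello, kp1 *rsa.PublicKey, ks2 *rsa.PrivateKey) (Reply, []byte, error) {
	if err := verify(kp1, splice(h.R1, h.ID), h.S1); err != nil {
		return Reply{}, nil, fmt.Errorf("S1 rejected: %w", err)
	}
	r2 := make([]byte, nonceLen)
	if _, err := rand.Read(r2); err != nil {
		return Reply{}, nil, err
	}
	pt := append(append([]byte{}, h.R1...), r2...) // R1 || R2
	e1, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kp1, pt, nil)
	if err != nil {
		return Reply{}, nil, err
	}
	s2, err := sign(ks2, e1)
	return Reply{E1: e1, S2: s2}, r2, err
}

// DeviceFinish verifies S2 with KP2, decrypts E1 with KS1, checks R1 and
// returns R2, which both sides can then use as the session key.
func DeviceFinish(rep Reply, r1 []byte, ks1 *rsa.PrivateKey, kp2 *rsa.PublicKey) ([]byte, error) {
	if err := verify(kp2, rep.E1, rep.S2); err != nil {
		return nil, fmt.Errorf("S2 rejected: %w", err)
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, ks1, rep.E1, nil)
	if err != nil {
		return nil, err
	}
	if len(pt) != 2*nonceLen || subtle.ConstantTimeCompare(pt[:nonceLen], r1) != 1 {
		return nil, errors.New("R1 mismatch")
	}
	return pt[nonceLen:], nil
}

func main() {
	dev, rtr := NewKey(), NewKey()
	h, _ := DeviceHello(dev, []byte("1000001")) // sample ID from the text
	rep, r2, _ := RouterReply(h, &dev.PublicKey, rtr)
	key, err := DeviceFinish(rep, h.R1, dev, &rtr.PublicKey)
	fmt.Println("authenticated:", err == nil && subtle.ConstantTimeCompare(key, r2) == 1)
}
```

The R1 comparison in `DeviceFinish` is what ties the router's reply to this run of the exchange: a reply recorded from an earlier run carries a different R1 and is rejected.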
The router 30 is configured to, when the result of the identity authentication process is that authentication passes, allocate an IP address to the terminal 20, and store binding information between the smart key device identity information and the IP address, where the smart key device identity information is a smart key device certificate or a smart key device ID. In this embodiment, the router 30 may acquire the identity information of the smart key device 10 in the identity authentication process. Thus, the router 30 may establish a one-to-one correspondence between the smart key device identity information and the IP address of the terminal 20 to which the smart key device 10 is connected.
The terminal 20 is further configured to send application login service request information to the application server 50 through the router 30, and trigger a process between the router 30 and the application server 50 that determines the smart key device identity information matched with the terminal 20 according to the IP address of the terminal 20 and the binding information between the smart key device identity information and the IP address. The application server 50 is configured to obtain the determined smart key device identity information and send a PIN code verification status query request to the identity authentication server 40 through the router 30.
In this embodiment, the identity information of the smart key device may be determined in at least any one of the following three ways:
Mode I
The terminal 20 is specifically configured to send the application login service request information to the application server 50 through the router 30. The application login service request information comprises smart key device identity information and an IP address. The smart key device identity information is the device certificate or device ID of the smart key device 10 connected to the terminal 20, and the IP address is the IP address allocated to the terminal 20 by the router 30 when the result of the identity authentication process is that the authentication is passed. The application server 50 is specifically configured to receive the application login service request information and send an authentication request of the smart key device 10 to the router 30. The authentication request of the smart key device 10 includes the smart key device identity information and the IP address. The router 30 is specifically configured to receive the authentication request of the smart key device 10, verify the smart key device identity information carried in the authentication request according to the IP address and the binding information, obtain authentication result information of the smart key device 10, and send the authentication result information to the application server 50.
Specifically, when the result of the identity authentication process is that the authentication is passed, the router 30 may allocate an IP address to the terminal 20 and store the binding information between the smart key device identity information and the IP address; that is, the router 30 establishes a one-to-one correspondence between the smart key device identity information and the IP address of the terminal 20 connected to the smart key device 10. The router 30 receives the authentication request of the smart key device 10, which includes the smart key device identity information A1 and the IP address. The router 30 may search the binding information it stores for the smart key device identity information A2 corresponding to the IP address carried in the authentication request, and verify whether the received smart key device identity information A1 is consistent with the stored smart key device identity information A2. If they are consistent, the authentication result information of the smart key device 10 indicates that the authentication is passed; if not, it indicates that the authentication is not passed. Therefore, the router 30 can use the stored binding information to verify the IP address and the smart key device identity information carried in the application login service request information initiated by the terminal 20. Since the binding information is stored only when the result of the identity authentication process at the router 30 is that the authentication is passed, this verifies whether the application login service request information sent by the terminal 20 is legal; if the authentication is passed, the application login service request information is legal.
The application server 50 is specifically configured to receive the authentication result information of the smart key device 10; if the authentication result is that the authentication is passed, the smart key device identity information carried in the application login service request information is the determined smart key device identity information. For example, if the authentication result of the smart key device 10 is that the authentication is passed, i.e., the received smart key device identity information A1 matches the stored smart key device identity information A2, then the smart key device identity information A1 is the determined smart key device identity information. Therefore, the application server 50 can obtain legal smart key device identity information, which provides a basis for the application server 50 to subsequently provide the application login service to the terminal 20 through the router 30 according to the smart key device identity information.
In this alternative embodiment, terminal 20 sends application login service request information to application server 50, where the application login service request information includes an IP address and smart key device identity information, and after application server 50 sends an authentication request for smart key device 10 identity, router 30 completes authentication of the received smart key device identity information to obtain the determined smart key device identity information.
Mode II
The terminal 20 is specifically configured to send the application login service request information to the application server 50 through the router 30. The application login service request information comprises an IP address. In addition, the application login service request information may not include the smart key device identity information. The application server 50 is specifically configured to send the smart key device identity information request to the router 30. The smart key device identity information request comprises at least the IP address. The router 30 is specifically configured to receive the authentication request of the smart key device 10, obtain the smart key device identity information according to the IP address and the binding information, and send it to the application server 50.
Specifically, when the result of the identity authentication process is that the authentication is passed, the router 30 may allocate an IP address to the terminal 20, and store the binding information between the identity information of the smart key device and the IP address, that is, the router 30 establishes a one-to-one correspondence relationship between the identity information of the smart key device and the IP address of the terminal 20 connected to the smart key device 10, and thus, the router 30 may find the identity information of the smart key device corresponding to the received IP address in the self-stored binding information. Moreover, since the binding information stored in the router 30 is stored when the router 30 passes the authentication process, the identity information of the smart key device is secure and legitimate.
The application server 50 is specifically configured to receive the smart key device identity information; the received smart key device identity information is the determined smart key device identity information.
In this alternative embodiment, the terminal 20 sends the application login service request information to the application server 50, where the application login service request information includes an IP address, and after the application server 50 sends the authentication request of the smart key device 10, the router 30 obtains valid smart key device identity information according to the IP address by using the binding information, and sends the valid smart key device identity information to the application server 50, so as to provide a basis for the subsequent application server 50 to provide the application login service to the terminal 20 through the router 30 according to the smart key device identity information.
Mode III
The terminal 20 sends the application login service request information to the router 30. The application login service request information comprises an IP address. In addition, the application login service request information may not include the identity information of the smart key device. The router 30 is specifically configured to obtain the identity information of the smart key device according to the IP address and the binding information after receiving the application login service request information sent by the terminal 20.
Specifically, when the result of the identity authentication process is that the authentication is passed, the router 30 may allocate an IP address to the terminal 20, and store the binding information between the identity information of the smart key device and the IP address, that is, the router 30 establishes a one-to-one correspondence relationship between the identity information of the smart key device and the IP address of the terminal 20 connected to the smart key device 10, and thus, the router 30 may find the identity information of the smart key device corresponding to the received IP address in the self-stored binding information. Moreover, since the binding information stored in the router 30 is stored when the router 30 passes the authentication process, the identity information of the smart key device is secure and legitimate.
The router 30 is specifically configured to send the application login service request information and the smart key device identity information to the application server 50. The application server 50 is specifically configured to receive the application login service request information and the smart key device identity information, where the received smart key device identity information is the determined smart key device identity information.
In this alternative embodiment, the terminal 20 sends the application login service request information to the router 30, where the application login service request information includes an IP address, and the router 30 uses the binding information to obtain the legal smart key device identity information according to the IP address and sends it to the application server 50, so as to provide a basis for the application server 50 to subsequently provide the application login service to the terminal 20 through the router 30 according to the smart key device identity information.
In this embodiment, through any of the optional embodiments described above, the process of determining, between the router 30 and the application server 50, the smart key device identity information that matches the terminal 20 according to the IP address of the terminal 20 and the binding information between the smart key device identity information and the IP address may be completed, so that the application server 50 obtains the determined smart key device identity information. Moreover, the determined smart key device identity information obtained by any of the above optional embodiments is legal. Therefore, the application server 50 can provide the application login service to the terminal 20 through the router 30 according to the smart key device identity information.
The authentication server 40 is further configured to receive a PIN verification status query request, query whether PIN verification passing information exists and query a status of the PIN verification passing information, and send a PIN verification completion confirmation message to the application server 50 through the router 30 if the PIN verification passing information exists in the authentication server 40 and the status of the PIN verification passing information is valid.
In this embodiment, if the PIN code verification process of the smart key device 10 fails, no PIN code verification passing information exists in the authentication server 40. After the application server 50 sends a PIN code verification status query request to the authentication server 40 through the router 30, the authentication server 40 finds that no PIN code verification passing information is stored, and in this case the application server 50 cannot provide the application login service to the terminal 20.
Further, where the system maintains the validity of the PIN code verification passing information, even if that information is held in the authentication server 40, it may be in an invalid state because of an abnormal situation such as disconnection of the smart key device 10 from the terminal 20, or disconnection of the terminal 20 from the router 30. Therefore, if the PIN verification process of the smart key device 10 passes verification but one of the above abnormal situations has occurred, then after the application server 50 sends a PIN verification status query request to the authentication server 40 through the router 30, the authentication server 40 finds that the PIN verification passing information is stored in the authentication server 40 but that its status is invalid; in this case, the application server 50 cannot provide the application login service to the terminal 20.
Therefore, before the application server 50 provides the application login service to the terminal 20, the application server 50 sends, through the router 30, a PIN code verification status query request to the authentication server 40 to query whether valid PIN code verification passing information exists in the authentication server 40, so as to confirm whether the terminal 20 requesting to log in to the application server 50 is safe and legal. Only after the identity of the terminal 20 is confirmed to be legal does the application server 50 provide the subsequent application login service to the terminal 20, thereby ensuring the safety of the network application login process.
The application server 50 is further configured to provide the application login service to the terminal 20 through the router 30, according to the determined identity information of the smart key device, once it has obtained the PIN code verification completion confirmation information.
In this embodiment, when the application server 50 obtains the PIN code verification completion confirmation information, the identity of the terminal 20 requesting to log in to the application server 50 is safe and legal, and in this case the application server 50 may provide the application login service to the terminal 20 according to the determined identity information of the smart key device. Therefore, while the login security of the network application is ensured, the terminal 20 can directly access the application server 50 through the router 30 without inputting a password again when logging in to the application server 50, so that the login of the network application is more convenient.
When a user accesses the internet using a terminal 20 device (a computer, a mobile phone, etc.), the application server 50 can be accessed through the router 30. The existing method for logging in the application server 50 does not use the smart key device 10, but uses the terminal 20 to directly log in through the router 30, and because the existing method for logging in does not pass through the PIN verification process, and does not store the information of the PIN verification process, the user needs to input the password corresponding to the application again each time the user logs in the application server 50 through the router 30 using the terminal 20. With the system provided in this embodiment, the user can use the smart key device 10 to connect with the terminal 20, and after passing through the PIN code verification process of the smart key device 10, the terminal 20 connects with the application server 50 through the router 30, which makes the application server 50 more secure when being accessed due to the high security of the smart key device 10. Moreover, after the PIN verification process of the smart key device 10 is completed, the authentication server 40 stores the PIN verification passing information, and when the user accesses the application server 50 through the router 30 by using the terminal 20 connected with the smart key device 10 again, since the user has passed the PIN verification process of the smart key device 10, the user can log in the application server 50 without inputting the password of the application server 50 again in the case that the PIN verification passing information is valid, thereby simplifying the process of logging in the application by the user.
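The status query and validity maintenance described above can be sketched as follows. This is an added example, not code from the patent: it models the authentication server's record of PIN code verification passing information, the router's identity/IP binding, and the application server's login decision. The method names, keying the record by smart key device identity, the two preset durations, and applying all three invalidation rules in one server (the patent lists them as alternatives) are assumptions; the IP address is a constructed documentation value.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional
import time

# Assumed durations; the patent only speaks of a "first" and "second" preset time.
FIRST_PRESET_S = 30.0     # grace period after the router reports the terminal left
SECOND_PRESET_S = 3600.0  # absolute lifetime of a PIN verification pass


@dataclass
class PinPass:
    verified_at: float
    valid: bool = True
    left_at: Optional[float] = None  # set while the terminal is off the router


class AuthServer:
    """Holds PIN verification passing information per smart key device identity."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._passes: Dict[str, PinPass] = {}

    def record_pin_pass(self, key_id: str) -> None:
        # A fresh successful PIN verification replaces any earlier record.
        self._passes[key_id] = PinPass(verified_at=self._clock())

    def on_key_disconnected(self, key_id: str) -> None:
        # Terminal reported the smart key device was unplugged: invalidate at once.
        rec = self._passes.get(key_id)
        if rec is not None:
            rec.valid = False

    def on_device_left(self, key_id: str) -> None:
        # Router reported the terminal left: start the first-preset-time timer.
        rec = self._passes.get(key_id)
        if rec is not None and rec.left_at is None:
            rec.left_at = self._clock()

    def on_device_access(self, key_id: str) -> None:
        # Router reported the terminal is back: keep the pass only if in time.
        rec = self._passes.get(key_id)
        if rec is None:
            return
        self._expire(rec)
        if rec.valid:
            rec.left_at = None

    def _expire(self, rec: PinPass) -> None:
        now = self._clock()
        if rec.left_at is not None and now - rec.left_at >= FIRST_PRESET_S:
            rec.valid = False
        if now - rec.verified_at >= SECOND_PRESET_S:
            rec.valid = False

    def query_status(self, key_id: str) -> str:
        """Answer a PIN verification status query: absent, invalid or valid."""
        rec = self._passes.get(key_id)
        if rec is None:
            return "absent"
        self._expire(rec)
        return "valid" if rec.valid else "invalid"


class Router:
    """Stores the binding of smart key device identity to the allocated IP."""

    def __init__(self) -> None:
        self._bindings: Dict[str, str] = {}

    def bind(self, ip: str, key_id: str) -> None:
        self._bindings[ip] = key_id

    def identity_for(self, ip: str) -> Optional[str]:
        return self._bindings.get(ip)


def handle_login(router: Router, auth: AuthServer, source_ip: str) -> Optional[str]:
    """Application server decision: return the identity to log in, or None.

    Fails closed: an unbound IP, a missing record and an invalid record are
    all refused, so the caller must fall back to another login method.
    """
    key_id = router.identity_for(source_ip)
    if key_id is None:
        return None
    if auth.query_status(key_id) != "valid":
        return None
    return key_id


if __name__ == "__main__":
    now = [0.0]  # constructed clock so the demo is deterministic
    auth, router = AuthServer(clock=lambda: now[0]), Router()
    router.bind("192.0.2.10", "KEY-A")
    print(handle_login(router, auth, "192.0.2.10"))  # no PIN pass stored yet
    auth.record_pin_pass("KEY-A")
    print(handle_login(router, auth, "192.0.2.10"))  # PIN pass stored and valid
    auth.on_key_disconnected("KEY-A")
    print(handle_login(router, auth, "192.0.2.10"))  # invalidated by disconnect
```

The login decision rests on the router's IP binding, so it is only as trustworthy as the router's guarantee that the source address belongs to the authenticated terminal.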
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made in the above embodiments by those of ordinary skill in the art without departing from the principle and spirit of the present invention. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (8)

1. A network application login method is characterized by comprising the following steps:
after the connection between the intelligent secret key equipment and the terminal is established, the terminal triggers the verification equipment to execute a PIN code verification process of the intelligent secret key equipment; if the verification is passed, the identity authentication server acquires and stores the PIN code verification passing information;
the intelligent secret key equipment executes an identity authentication process between the terminal and the router;
when the identity authentication process result is authentication pass, the router allocates an IP address to the terminal, and stores binding information of intelligent secret key equipment identity information and the IP address, wherein the intelligent secret key equipment identity information is an intelligent secret key equipment certificate or an intelligent secret key equipment ID;
the terminal sends application login service request information to the application server through the router, which triggers execution, between the router and the application server, of a process of determining the intelligent secret key equipment identity information matched with the terminal according to the IP address of the terminal and the binding information of the intelligent secret key equipment identity information and the IP address, and the application server obtains the determined intelligent secret key equipment identity information;
the application server sends a PIN code verification state query request to the identity authentication server through the router;
the identity authentication server receives the PIN code verification state inquiry request, inquires whether the PIN code verification passing information exists or not and inquires the state of the PIN code verification passing information, and if the PIN code verification passing information exists in the identity authentication server and the state of the PIN code verification passing information is valid, PIN code verification completion confirmation information is sent to the application server through the router;
and the application server provides application login service for the terminal through the router according to the determined identity information of the intelligent secret key equipment under the condition of obtaining the PIN code verification completion confirmation information.
2. The method according to claim 1, wherein the trigger verification device executes a PIN verification process of the smart key device, including:
the terminal presents PIN code input prompt information, receives the PIN code and generates PIN code verification information, and sends the PIN code verification information to the intelligent secret key equipment; the intelligent secret key equipment receives and verifies the PIN code verification information and, if the verification is passed, generates the PIN code verification passing information and sends it to the identity authentication server through the terminal and the router; or,
the terminal presents PIN code input prompt information, receives the PIN code and generates PIN code verification information, and sends the PIN code verification information to the identity authentication server; the identity authentication server receives and verifies the PIN code verification information and, if the verification is passed, generates the PIN code verification passing information; or,
the terminal sends the PIN code input prompt information to the intelligent secret key equipment, the intelligent secret key equipment receives and prompts the PIN code input prompt information, receives and verifies the PIN code, if the verification is passed, the PIN code verification pass information is generated and sent to the identity authentication server through the terminal and the router; or,
the terminal sends the PIN code input prompt information to the intelligent key equipment, the intelligent key equipment receives the PIN code input prompt information and prompts, receives the PIN code and generates PIN code verification information, the PIN code verification information is sent to an identity authentication server through the terminal and the router, the identity authentication server receives and verifies the PIN code verification information, and if the verification is passed, PIN code verification passing information is generated.
3. The method of claim 1,
the terminal sends application login service request information to the application server through the router, a process of determining the intelligent secret key equipment identity information matched with the terminal according to the IP address of the terminal and the binding information of the intelligent secret key equipment identity information and the IP address is triggered to be executed between the router and the application server, and the application server obtains the determined intelligent secret key equipment identity information and comprises the following steps:
the terminal sends application login service request information to the application server through the router, wherein the application login service request information comprises the identity information of the intelligent secret key equipment and the IP address; the application server receives the application login service request information and sends an intelligent key equipment identity authentication request to the router, wherein the intelligent key equipment identity authentication request comprises the intelligent key equipment identity information and the IP address; the router receives the intelligent secret key equipment identity authentication request, authenticates the intelligent secret key equipment identity information carried in the intelligent secret key equipment identity authentication request according to the IP address and the binding information, obtains intelligent secret key equipment identity authentication result information and sends the intelligent secret key equipment identity authentication result information to the application server; the application server receives the authentication result information of the intelligent key equipment, and if the authentication result information of the intelligent key equipment passes the authentication, the intelligent key equipment identity information carried in the application login service request information is the determined intelligent key equipment identity information;
or,
the terminal sends application login service request information to the application server through the router, wherein the application login service request information comprises the IP address; the application server sends an intelligent secret key equipment identity information request to the router, wherein the intelligent secret key equipment identity information request at least comprises the IP address; the router receives the identity authentication request of the intelligent key equipment, obtains the identity information of the intelligent key equipment according to the IP address and the binding information and sends the identity information of the intelligent key equipment to the application server; the application server receives the identity information of the intelligent secret key equipment, wherein the identity information of the intelligent secret key equipment is the determined identity information of the intelligent secret key equipment;
or,
the terminal sends application login service request information to the router, wherein the application login service request information comprises the IP address; after receiving the application login service request information sent by the terminal, the router obtains the identity information of the intelligent key equipment according to the IP address and the binding information; the router sends the application login service request information and the intelligent secret key equipment identity information to the application server, the application server receives the application login service request information and the intelligent secret key equipment identity information, and the intelligent secret key equipment identity information is the determined intelligent secret key equipment identity information.
4. The method according to claim 1, wherein after the identity authentication server obtains and saves the PIN code verification passing information, the method further comprises:
when the terminal detects that the connection between the terminal and the intelligent secret key equipment is disconnected, the terminal sends disconnection notification information to the identity authentication server through the router; after receiving the connection disconnection notification information, the identity authentication server executes an operation of invalidating the information that the PIN code passes the verification; or,
the router sends equipment leaving information to the identity authentication server when detecting that the router is disconnected from the terminal, and sends equipment access information to the identity authentication server when detecting that the router is reconnected with the terminal; the identity authentication server receives the equipment leaving information, starts timing by using a timer, maintains the validity of the PIN code verification passing information if the equipment access information is received before the timing reaches a first preset time, and executes the operation of invalidating the PIN code verification passing information if the equipment access information is not received before the timing reaches the first preset time; or,
the identity authentication server starts timing by using a timer, maintains the validity of the PIN code verification passing information before the timing reaches a second preset time, and executes the operation of invalidating the PIN code verification passing information after the timing reaches the second preset time.
5. A web application login system, comprising: the system comprises a terminal, intelligent secret key equipment, a router, an identity authentication server and an application server;
the terminal is used for triggering verification equipment to execute a PIN code verification process of the intelligent secret key equipment after connection with the intelligent secret key equipment is established;
the identity authentication server is used for acquiring and storing the PIN code verification passing information when the PIN code verification process passes verification;
the intelligent secret key equipment is used for executing an identity authentication process between the terminal and the router;
the router is used for distributing an IP address to the terminal when the identity authentication process result is that the authentication passes, and storing the binding information of the identity information of the intelligent secret key equipment and the IP address, wherein the identity information of the intelligent secret key equipment is the certificate of the intelligent secret key equipment or the ID of the intelligent secret key equipment;
the terminal is further used for sending application login service request information to the application server through the router, and triggering a process between the router and the application server to determine the intelligent secret key equipment identity information matched with the terminal according to the IP address of the terminal and the binding information of the intelligent secret key equipment identity information and the IP address;
the application server is used for obtaining the determined identity information of the intelligent secret key equipment and sending a PIN code verification state query request to the identity authentication server through the router;
the identity authentication server is further configured to receive the PIN code verification status query request, query whether the PIN code verification passing information exists and query a status of the PIN code verification passing information, and if the PIN code verification passing information exists in the identity authentication server and the status of the PIN code verification passing information is valid, send PIN code verification completion confirmation information to the application server through the router;
and the application server is further used for providing application login service for the terminal through the router according to the determined identity information of the intelligent secret key equipment under the condition of obtaining the PIN code verification completion confirmation information.
6. The system of claim 5,
when the verification device is the intelligent key device, the terminal is specifically used for presenting PIN code input prompt information, receiving the PIN code, generating PIN code verification information, and sending the PIN code verification information to the intelligent key device; the intelligent secret key equipment is specifically used for receiving and verifying the PIN code verification information and, if the verification is passed, generating PIN code verification passing information and sending the PIN code verification passing information to the identity authentication server through the terminal and the router; or,
when the verification device is the identity authentication server, the terminal is specifically used for presenting PIN code input prompt information, receiving the PIN code, generating PIN code verification information and sending the PIN code verification information to the identity authentication server; the identity authentication server is specifically used for receiving and verifying the PIN code verification information and, if the verification is passed, generating PIN code verification passing information; or,
when the verification device is the intelligent key device, the terminal is specifically used for sending the PIN code input prompt information to the intelligent key device at the terminal; the intelligent key device is specifically configured to receive the PIN code input prompt information and prompt, receive and verify the PIN code, generate PIN code verification passing information if verification passes, and send the PIN code verification passing information to the identity authentication server through the terminal and the router; or,
when the verification device is the identity authentication server, the terminal is specifically used for sending the PIN code input prompt information to the intelligent secret key device at the terminal; the intelligent secret key equipment is specifically used for receiving and prompting the PIN code input prompt information, receiving the PIN code and generating PIN code verification information, and sending the PIN code verification information to an identity authentication server through the terminal and the router; the identity authentication server is specifically configured to receive and verify the PIN code verification information, and if the verification passes, generate PIN code verification passing information.
7. The system of claim 5,
the terminal is specifically configured to send application login service request information to the application server through the router, where the application login service request information includes the identity information of the intelligent key device and the IP address; the application server is specifically configured to receive the application login service request information, and send an intelligent key device authentication request to the router, where the intelligent key device authentication request includes the intelligent key device identity information and the IP address; the router is specifically configured to receive the intelligent key device authentication request, verify the intelligent key device identity information carried in the intelligent key device authentication request according to the IP address and the binding information, obtain intelligent key device authentication result information, and send the intelligent key device authentication result information to the application server; the application server is specifically configured to receive the authentication result information of the smart key device, and if the authentication result information of the smart key device passes the authentication, the identity information of the smart key device carried in the application login service request information is the determined identity information of the smart key device;
or,
the terminal is specifically configured to send application login service request information to the application server through the router, where the application login service request information includes the IP address; the application server is specifically configured to send an intelligent key device identity information request to the router, where the intelligent key device identity information request at least includes the IP address; the router is specifically configured to receive the authentication request of the smart key device, obtain the identity information of the smart key device according to the IP address and the binding information, and send the identity information to the application server; the application server is specifically configured to receive the identity information of the smart key device, where the identity information of the smart key device is the determined identity information of the smart key device;
or,
the terminal is specifically configured to send application login service request information to the router, where the application login service request information includes the IP address; the router is specifically configured to, after receiving the application login service request information sent by the terminal, obtain the identity information of the smart key device according to the IP address and the binding information, and send the application login service request information and the identity information of the smart key device to the application server; the application server is specifically configured to receive the application login service request information and the intelligent key device identity information, where the intelligent key device identity information is the determined intelligent key device identity information.
8. The system of claim 5,
the terminal is further configured to send disconnection notification information to the identity authentication server through the router when detecting that the terminal is disconnected from the intelligent key device; the identity authentication server is further used for executing the operation of invalidating the information that the PIN code passes the verification after receiving the connection disconnection notification information;
or,
the router is further configured to send device leaving information to the identity authentication server when detecting that the router is disconnected from the terminal, and send device access information to the identity authentication server when detecting that the router is reconnected with the terminal; the identity authentication server is further configured to start timing by using a timer when the device leaving information is received, maintain the validity of the PIN verification passing information if the device access information is received before the timing reaches a first preset time, and execute an operation of invalidating the PIN verification passing information if the device access information is not received before the timing reaches the first preset time;
or,
the identity authentication server is further configured to start timing by using a timer, maintain the validity of the PIN verification passing information before the timing reaches a second preset time, and execute an operation of invalidating the PIN verification passing information after the timing reaches the second preset time.
CN201710244614.8A 2017-04-14 2017-04-14 Network application login method and system Active CN107070917B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710244614.8A CN107070917B (en) 2017-04-14 2017-04-14 Network application login method and system

Publications (2)

Publication Number Publication Date
CN107070917A true CN107070917A (en) 2017-08-18
CN107070917B CN107070917B (en) 2020-04-10

Family

ID=59601105

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710244614.8A Active CN107070917B (en) 2017-04-14 2017-04-14 Network application login method and system

Country Status (1)

Country Link
CN (1) CN107070917B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1556449A (en) * 2004-01-08 2004-12-22 中国工商银行 Device and method for proceeding encryption and identification of network bank data
CN101340285A (en) * 2007-07-05 2009-01-07 杭州中正生物认证技术有限公司 Method and system for identity authentication by finger print USBkey
CN101938473A (en) * 2010-08-24 2011-01-05 北京易恒信认证科技有限公司 Single-point login system and single-point login method
CN103905206A (en) * 2014-04-03 2014-07-02 江苏先安科技有限公司 Cross-equipment and cross-application identity authentication method based on data image coding
CN105553674A (en) * 2016-01-11 2016-05-04 飞天诚信科技股份有限公司 Interaction system, intelligent key device, server and working method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114143102A (en) * 2021-12-06 2022-03-04 深圳市共进电子股份有限公司 Router secret-free login method, router secret-free login equipment and computer equipment
CN114143102B (en) * 2021-12-06 2024-01-26 深圳市共进电子股份有限公司 Router secret-free login method, secret-free login device and computer device

Also Published As

Publication number Publication date
CN107070917B (en) 2020-04-10

Similar Documents

Publication Publication Date Title
KR102018971B1 (en) Method for enabling network access device to access wireless network access point, network access device, application server and non-volatile computer readable storage medium
US8769612B2 (en) Portable device association
US8099761B2 (en) Protocol for device to station association
US8769289B1 (en) Authentication of a user accessing a protected resource using multi-channel protocol
CN112566119B (en) Terminal authentication method, device, computer equipment and storage medium
KR101706117B1 (en) Apparatus and method for other portable terminal authentication in portable terminal
US9445269B2 (en) Terminal identity verification and service authentication method, system and terminal
US20130290714A1 (en) Method and system for activation
KR101765917B1 (en) Method for authenticating personal network entity
CN107135205B (en) Network access method and system
WO2019051776A1 (en) Key transmission method and device
US11546699B2 (en) Hearing device with service mode and related method
WO2014161436A1 (en) Electronic signature token, and method and system for electronic signature token to respond to operation request
CN109920100B (en) Unlocking method and system of intelligent lock
WO2016115807A1 (en) Wireless router access processing method and device, and wireless router access method and device
CN114765534A (en) Private key distribution system based on national password identification cryptographic algorithm
CN107070918B (en) A kind of network application login method and system
CN108352982A (en) Communication device, communication means and computer program
CN107070917B (en) Network application login method and system
CN106714158B (en) A kind of WiFi access method and device
CN111918283A (en) Network distribution method, device and system of Internet of things equipment and storage medium
CN104038932B (en) A kind of safety equipment
CN104065650B (en) A kind of data handling system of voice call
JP2023512096A (en) Secure communication between device and remote server
CN104080080B (en) A kind of data handling system of voice call

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant