[go: up one dir, main page]

CN108667800B - Access authority authentication method and device - Google Patents

Access authority authentication method and device Download PDF

Info

Publication number
CN108667800B
CN108667800B CN201810276892.6A CN201810276892A CN108667800B CN 108667800 B CN108667800 B CN 108667800B CN 201810276892 A CN201810276892 A CN 201810276892A CN 108667800 B CN108667800 B CN 108667800B
Authority
CN
China
Prior art keywords
terminal
identity information
user
information
symmetric key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810276892.6A
Other languages
Chinese (zh)
Other versions
CN108667800A (en
Inventor
孙铂
王志华
喻波
王志海
秦凯
安鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Wondersoft Technology Co Ltd
Original Assignee
Beijing Wondersoft Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Wondersoft Technology Co Ltd filed Critical Beijing Wondersoft Technology Co Ltd
Priority to CN201810276892.6A priority Critical patent/CN108667800B/en
Publication of CN108667800A publication Critical patent/CN108667800A/en
Application granted granted Critical
Publication of CN108667800B publication Critical patent/CN108667800B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention provides an authentication method and device of access authority. In the embodiment of the present invention, the information carried in the authentication request sent by the terminal to the server is: and encrypting the user identity information of the user and the terminal identity information of the terminal by using the symmetric key. Thus, even if the authentication request is intercepted by a lawbreaker during transmission and the encrypted identity information is extracted from the authentication request, the lawbreaker cannot obtain the symmetric key, and thus cannot decrypt the encrypted identity information to obtain the user identity information of the user and the terminal identity information of the terminal. Therefore, lawless persons are prevented from using the user identity information of the user and the terminal identity information of the terminal to impersonate and access the network server, and the safety is improved.

Description

Access authority authentication method and device
Technical Field
The present invention relates to the field of communications technologies, and in particular, to an access right authentication method and apparatus.
Background
Currently, more and more users use terminals to surf the internet, for example, use the terminals to access a network server located in the internet, however, before using the terminals to access the network server, it is often necessary to first obtain access rights of the access server.
In the prior art, when the access right of the access server needs to be acquired, a user needs to input an internet account and an internet password of the user on a terminal, then an authentication request carrying the internet account and the internet password is sent to an authentication server, the authentication server receives the authentication request, extracts the internet account and the internet password from the authentication request, compares whether the internet password is the internet password corresponding to the internet account in a database, and if so, opens the access right of accessing the network server to the terminal.
However, the authentication request may be intercepted by a lawbreaker during transmission, which may cause the internet account and the internet password of the user to be leaked, and further, the internet account and the internet password are impersonated to access the network server, which is low in security.
Disclosure of Invention
In order to solve the above technical problem, embodiments of the present invention show an access right authentication method and apparatus.
In a first aspect, an embodiment of the present invention shows a method for authenticating an access right, where the method is applied to a terminal, and the method includes:
acquiring terminal identity information of the terminal;
acquiring user identity information of a user currently using the terminal, wherein the terminal identity information comprises a hash value of data loaded by the terminal in the terminal starting process;
obtaining a symmetric key uniquely corresponding to the user identity information;
encrypting the user identity information and the terminal identity information by using the symmetric key to obtain encrypted identity information;
generating an authentication request carrying the encrypted identity information;
and sending the authentication request to an authentication server.
In an optional implementation manner, the obtaining a symmetric key uniquely corresponding to the user identity information includes:
sending a symmetric key acquisition request carrying the user identity information and the terminal identity information to the authentication server;
receiving an encryption key returned by the authentication server according to the symmetric key acquisition request, wherein the encryption key is obtained by encrypting the symmetric key by using a public key uniquely corresponding to the terminal identity information after the authentication server acquires the symmetric key uniquely corresponding to the user identity information and the terminal identity information;
obtaining a private key uniquely corresponding to the public key;
and decrypting the encrypted key by using the private key to obtain the symmetric key.
In an optional implementation manner, before receiving the encryption key returned by the authentication server according to the symmetric key acquisition request, the method further includes:
receiving a user attribute information acquisition request sent by an authentication server, wherein the user attribute information acquisition request carries a public key uniquely corresponding to the authentication server and the user identity information;
acquiring user attribute information of the user according to the user identity information;
encrypting the user attribute information by using a public key uniquely corresponding to the authentication server to obtain encrypted information;
and sending the encryption information to the authentication server.
In a second aspect, an embodiment of the present invention shows a communication connection establishment method, where the method is applied to an authentication server, and the method includes:
receiving an authentication request sent by a terminal, wherein the authentication request carries encrypted identity information, the encrypted identity information is obtained by encrypting user identity information of a user using the terminal currently and terminal identity information of the terminal by using a symmetric key by the terminal, and the terminal identity information comprises a hash value of data loaded by the terminal in a terminal starting process;
acquiring the symmetric key;
decrypting the encrypted identity information carried by the authentication request by using the symmetric key to obtain the user identity information and the terminal identity information;
verifying whether the identity of the user and the identity of the terminal are legal or not according to the user identity information and the terminal identity information;
and if the identity of the user and the identity of the terminal are legal, opening the access authority of the terminal for accessing the network server.
In an optional implementation, the method further includes:
receiving a symmetric key acquisition request which is sent by the terminal and carries the user identity information and the terminal identity information;
generating a symmetric key uniquely corresponding to the user identity information and the terminal identity information;
acquiring a public key uniquely corresponding to the terminal identity information;
encrypting the symmetric key by using the public key to obtain an encryption key;
and sending the encryption key to the terminal.
In an optional implementation manner, before generating the symmetric key uniquely corresponding to the user identity information and the terminal identity information, the method further includes:
verifying whether the identity of the user and the identity of the terminal are legal or not according to the user identity information and the terminal identity information;
if the identity of the user and the identity of the terminal are legal, a public key uniquely corresponding to the authentication server is obtained;
sending a user attribute information acquisition request to the terminal, wherein the user attribute information acquisition request carries a public key uniquely corresponding to the authentication server and the user identity information;
receiving encrypted information returned by the terminal, wherein the encrypted information is obtained by encrypting the user attribute information by the terminal by using a public key uniquely corresponding to the authentication server;
obtaining a private key uniquely corresponding to the authentication server;
decrypting the encrypted information by using a private key uniquely corresponding to the authentication server to obtain the user attribute information;
determining whether the identity of the user is legitimate using the user identity information and user attribute information;
and if the identity of the user is determined to be legal by using the user identity information and the user attribute information, executing the step of generating a symmetric key uniquely corresponding to the user identity information and the terminal identity information.
In a third aspect, an embodiment of the present invention shows an apparatus for authenticating an access right, where the apparatus is applied to a terminal, and the apparatus includes:
the terminal comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring terminal identity information of the terminal, and the terminal identity information comprises a hash value of data loaded by the terminal in the terminal starting process;
the second acquisition module is used for acquiring the user identity information of the user currently using the terminal;
the third acquisition module is used for acquiring a symmetric key uniquely corresponding to the user identity information;
the first encryption module is used for encrypting the user identity information and the terminal identity information by using the symmetric key to obtain encrypted identity information;
the first generation module is used for generating an authentication request carrying the encrypted identity information;
and the first sending module is used for sending the authentication request to an authentication server.
In an optional implementation manner, the third obtaining module includes:
a first sending unit, configured to send a symmetric key acquisition request carrying the user identity information and the terminal identity information to the authentication server;
a first receiving unit, configured to receive an encryption key returned by the authentication server according to the symmetric key acquisition request, where the encryption key is obtained by encrypting, by using a public key uniquely corresponding to the terminal identity information, a symmetric key uniquely corresponding to the user identity information and the terminal identity information after the authentication server acquires the symmetric key uniquely corresponding to the user identity information and the terminal identity information;
a first obtaining unit, configured to obtain a private key uniquely corresponding to the public key;
and the decryption unit is used for decrypting the encrypted secret key by using the private key to obtain the symmetric secret key.
In an optional implementation manner, the third obtaining module further includes:
a second receiving unit, configured to receive a user attribute information acquisition request sent by an authentication server, where the user attribute information acquisition request carries a public key uniquely corresponding to the authentication server and the user identity information;
the second acquisition unit is used for acquiring the user attribute information of the user according to the user identity information;
the encryption unit is used for encrypting the user attribute information by using a public key uniquely corresponding to the authentication server to obtain encrypted information;
a second transmitting unit configured to transmit the encryption information to the authentication server.
In a fourth aspect, an embodiment of the present invention shows a communication connection establishment apparatus, which is applied to an authentication server, and includes:
a first receiving module, configured to receive an authentication request sent by a terminal, where the authentication request carries encrypted identity information, and the encrypted identity information is obtained by encrypting, by the terminal, user identity information of a user currently using the terminal and terminal identity information of the terminal using a symmetric key, where the terminal identity information includes a hash value of data loaded by the terminal in a terminal starting process;
a fourth obtaining module, configured to obtain the symmetric key;
the first decryption module is used for decrypting the encrypted identity information carried by the authentication request by using the symmetric key to obtain the user identity information and the terminal identity information;
the first verification module is used for verifying whether the identity of the user and the identity of the terminal are legal or not according to the user identity information and the terminal identity information;
and the opening module is used for opening the access authority of the terminal for accessing the network server if the identity of the user and the identity of the terminal are legal.
In an optional implementation, the apparatus further comprises:
a second receiving module, configured to receive a symmetric key acquisition request that carries the user identity information and the terminal identity information and is sent by the terminal;
the second generation module is used for generating a symmetric key uniquely corresponding to the user identity information and the terminal identity information;
a fifth obtaining module, configured to obtain a public key uniquely corresponding to the terminal identity information;
the second encryption module is used for encrypting the symmetric key by using the public key to obtain an encryption key;
and the second sending module is used for sending the encryption key to the terminal.
In an optional implementation, the apparatus further comprises:
the second verification module is used for verifying whether the identity of the user and the identity of the terminal are legal or not according to the user identity information and the terminal identity information;
a sixth obtaining module, configured to obtain a public key uniquely corresponding to the authentication server if the identity of the user and the identity of the terminal are legal;
a third sending module, configured to send a user attribute information obtaining request to the terminal, where the user attribute information obtaining request carries a public key uniquely corresponding to the authentication server and the user identity information;
a third receiving module, configured to receive encrypted information returned by the terminal, where the encrypted information is obtained by encrypting, by the terminal, the user attribute information using a public key uniquely corresponding to the authentication server;
a seventh obtaining module, configured to obtain a private key uniquely corresponding to the authentication server;
the second decryption module is used for decrypting the encrypted information by using a private key uniquely corresponding to the authentication server to obtain the user attribute information;
a determining module for determining whether the identity of the user is legal using the user identity information and the user attribute information;
the second generation module is further to: and if the identity of the user is determined to be legal by using the user identity information and the user attribute information, generating a symmetric key which is uniquely corresponding to the user identity information and the terminal identity information.
Compared with the prior art, the embodiment of the invention has the following advantages:
in the embodiment of the present invention, the information carried in the authentication request sent by the terminal to the server is: and encrypting the user identity information of the user and the terminal identity information of the terminal by using the symmetric key. Thus, even if the authentication request is intercepted by a lawbreaker during transmission and the encrypted identity information is extracted from the authentication request, the lawbreaker cannot obtain the symmetric key, and thus cannot decrypt the encrypted identity information to obtain the user identity information of the user and the terminal identity information of the terminal. Therefore, lawless persons are prevented from using the user identity information of the user and the terminal identity information of the terminal to impersonate and access the network server, and the safety is improved.
Drawings
FIG. 1 is a block diagram of an embodiment of an access right authentication system according to the present invention;
FIG. 2 is a flowchart illustrating the steps of an embodiment of a method for authenticating access rights in accordance with the present invention;
FIG. 3 is a block diagram of an embodiment of an apparatus for authenticating access rights according to the present invention;
fig. 4 is a block diagram of an embodiment of an access right authentication apparatus according to the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
Referring to fig. 1, a block diagram of an embodiment of an authentication system for access rights according to the present invention is shown, where the system includes a terminal 01 and an authentication server 02, the terminal 01 and the authentication server 02 are in communication connection, and the terminal 01 and the authentication server 02 can interact through the communication connection, and the terminal 01 includes devices such as a mobile phone, a tablet computer, and a desktop computer.
Referring to fig. 2, a flowchart illustrating steps of an embodiment of the method for authenticating access rights according to the present invention is shown, where the method is applied to the system shown in fig. 1, and specifically may include the following steps:
in step S101, the terminal acquires terminal identity information of the terminal;
in the embodiment of the invention, the terminal identity information of different terminals is different.
The terminal Identity information of the terminal includes a Media Access Control (MAC) address or an International Mobile Equipment Identity (IMEI) of the terminal, and the like.
The terminal identity information of the terminal is stored in the local terminal, and when a user needs to use the terminal to access the network server, the terminal can acquire the terminal identity information stored in the local terminal.
In step S102, the terminal acquires user identity information of a user currently using the terminal;
in the embodiment of the invention, the user identity information of different users is different.
The user identity information includes a user identification of the user, or includes a user identification of the user and a user password. The user identities of different users are different.
When a user needs to use the terminal to access the network server, the user can input the identity information of the user on the terminal, and the terminal acquires the identity information input by the user.
In step S103, the terminal obtains a symmetric key uniquely corresponding to the user identity information;
after the terminal identity information and the user identity information are acquired, the terminal needs to send an authentication request carrying the terminal identity information and the user identity information to an authentication server, so that the authentication server determines whether the terminal identity and the user identity are legal or not according to the terminal identity information and the user identity information, and in order to avoid that the authentication request is intercepted by a lawless person in a transmission process, so that the terminal identity information and the user identity information are leaked, the terminal identity information and the user identity information need to be encrypted.
In order to encrypt the terminal identity information and the user identity information, the terminal needs to obtain a symmetric key uniquely corresponding to the terminal identity information and the user identity information from the authentication server.
Specifically, the step can be implemented by the following process, including:
11) the terminal can send a symmetric key acquisition request carrying the terminal identity information and the user identity information to the authentication server;
12) the authentication server receives the symmetric key acquisition request sent by the terminal;
13) the authentication server generates a symmetric key uniquely corresponding to the terminal identity information and the user identity information;
the authentication server may randomly generate a symmetric key that has not been generated in the history process, and use the symmetric key as a symmetric key uniquely corresponding to the terminal identity information and the user identity information.
Or, a symmetric key may be generated according to the terminal identity information and the user identity information according to a specific algorithm, and since the user identity information of different users is different and the terminal identity information of different terminals is different, the symmetric key generated according to the user identity information of different users and the terminal identity information of different terminals according to the specific algorithm is different, that is, the symmetric key generated according to the user identity information and the heavy single identity information according to the specific algorithm uniquely corresponds to the terminal identity information and the user identity information.
14) The authentication server acquires a public key uniquely corresponding to the terminal identity information;
in the embodiment of the invention, the public key uniquely corresponding to the identity information of different terminals is different.
For any terminal, the authentication server may form a corresponding entry in advance by using the terminal identity information of the terminal and the public key uniquely corresponding to the terminal identity information of the terminal, store the entry in the corresponding relationship between the stored terminal identity information and the public key, and similarly execute the above operations for each other terminal.
Therefore, in this step, the public key corresponding to the terminal identity information may be searched for in the stored correspondence between the terminal identity information and the public key, and may be used as the public key uniquely corresponding to the terminal identity information.
15) The authentication server encrypts the symmetric key by using the public key to obtain an encrypted key;
16) and the authentication server sends the encryption key to the terminal.
17) The terminal receives the encryption key sent by the authentication server;
18) the terminal acquires a private key uniquely corresponding to the public key;
in the embodiment of the invention, each terminal is provided with a public key and a private key, the public keys of different terminals are different, the private keys of different terminals are different, and the public keys and the private keys of the same terminal are in one-to-one correspondence. Each terminal will store its own public and private keys locally.
Therefore, the terminal can directly obtain the stored private key uniquely corresponding to the public key from the local.
19) And the terminal decrypts the encryption key by using the private key to obtain the symmetric key.
Since the encryption key is obtained by encrypting the symmetric key by the authentication server by using the public key uniquely corresponding to the terminal, the symmetric key can be obtained by decrypting the encryption key by using the private key uniquely corresponding to the public key
In another embodiment of the present invention, step S103 may be executed in real time after step S102, or may be executed in advance before step S101, and the symmetric key is obtained and stored locally, so that the stored symmetric key uniquely corresponding to the user identity information may be directly obtained locally in step S103.
In step S104, the terminal encrypts the terminal identity information and the user identity information using the symmetric key to obtain encrypted identity information;
in step S105, the terminal generates an authentication request carrying the encrypted identity information;
in step S106, the terminal sends the authentication request to the authentication server;
in step S107, the authentication server receives the authentication request sent by the terminal;
in step S108, the authentication server acquires the symmetric key;
in step 13), after the authentication server generates the symmetric key uniquely corresponding to the terminal identity information and the user identity information, the symmetric key is stored locally, so that the authentication server can directly obtain the stored symmetric key from locally, and then decrypt the encrypted identity information by using the symmetric key to obtain the terminal identity information and the user identity information.
In step S109, the authentication server decrypts the encrypted identity information carried in the authentication request by using the symmetric key, so as to obtain the terminal identity information and the user identity information;
in step S110, the authentication server verifies whether the identity of the user and the identity of the terminal are legal according to the terminal identity information and the user identity information;
in the embodiment of the invention, in order to avoid the illegal user identity information of the user from being used for impersonating to access the network server after being intercepted by a lawless person, the terminal used for accessing the network server by using the user identity information of the user needs to be limited
For example, if a user can access a network server only on a terminal of the user by using user identity information of the user, even if a lawbreaker intercepts the user identity information of the user, if the lawbreaker does not steal the terminal of the user, the network server cannot be accessed on a terminal of a non-user by using the user identity information of the user.
For any user, when the user registers a user account in the authentication server in advance, a registration request is often sent to the authentication server through the terminal of the user, and the registration request carries terminal identity information of the terminal, after the authentication server allocates user identity information to the user according to the registration request, the terminal identity information and the user identity information form a corresponding table entry and are stored in a corresponding relationship between the stored terminal identity information and the stored user identity information.
Therefore, when the user needs to access the network server later, the user identity information of the user needs to be used and the network server can be accessed only on the terminal of the user, and even if the lawless person intercepts the user identity information of the user, the user identity information of the user still cannot access the network server on the terminal of a non-user under the condition that the terminal of the user is not stolen, so that the safety is improved.
Therefore, in this step, the authentication server needs to search whether the user identity information corresponding to the terminal identity information exists in the stored correspondence between the terminal identity information and the user identity information, and if the user identity information corresponding to the terminal identity information exists, it is determined that the identity of the user and the identity of the terminal are legal, and then step S109 is executed; and if the user identity information corresponding to the terminal identity information does not exist, determining that the identity of the user is illegal or the identity of the terminal is illegal, and refusing to open the access authority of the terminal to access the network server.
In step S111, if the identity of the user and the identity of the terminal are legal, the authentication server opens the access right of the terminal to the network server.
For example, the authentication server may send a permission instruction to the network server, where the permission instruction carries the terminal identity information and the user identity information, and the permission instruction is used to indicate that a user permitted to correspond to the user identity information may establish a communication connection with the network server using a terminal corresponding to the terminal information, and access the network server through the communication connection.
Secondly, the authentication server can also send a notification message to the terminal, wherein the notification message is used for notifying the terminal that the communication connection between the terminal corresponding to the terminal identity information and the network server can be established by using the terminal identity information and the user identity information, and then the network server is accessed.
In the embodiment of the present invention, the information carried in the authentication request sent by the terminal to the server is: and encrypting the user identity information of the user and the terminal identity information of the terminal by using the symmetric key. Thus, even if the authentication request is intercepted by a lawbreaker during transmission and the encrypted identity information is extracted from the authentication request, the lawbreaker cannot obtain the symmetric key, and thus cannot decrypt the encrypted identity information to obtain the user identity information of the user and the terminal identity information of the terminal. Therefore, lawless persons are prevented from using the user identity information of the user and the terminal identity information of the terminal to impersonate and access the network server, and the safety is improved.
In the embodiment of the present invention, the terminal identity information of the terminal includes a hash value of data loaded by the terminal in the process of starting the terminal.
In the process of starting the terminal, the operating system of the terminal loads some system data, and the data loaded by the operating system of the terminal in the process of starting the terminal every time are the same.
When a user uses a terminal to register a user account in an authentication server in advance, a registration request is sent to the authentication server through the terminal, the terminal identity information of the terminal is carried, namely, a hash value of data loaded by the terminal in the terminal starting process is carried, the hash value is used as the terminal identity information of the terminal, then the terminal identity information and the user identity information form a corresponding table item, and the corresponding table item is stored in a corresponding relation between the stored terminal identity information and the user identity information.
If a lawbreaker installs an illegal application program for stealing user identity information in the terminal later, the system data loaded by the operating system of the terminal is started in the process of starting the terminal, and the system data comprises the data of the illegal application program, so that the hash value of the system data is different from the hash value in the terminal identity information corresponding to the user identity information in the corresponding relationship. Therefore, the authentication server can determine that the terminal identity information is illegal when verifying whether the identity of the user and the identity of the terminal are legal according to the terminal identity information and the user identity information, namely, the terminal is determined to be an unsafe terminal, and the access right of the terminal to access the network server is denied, so that the security is improved.
To further increase the safety, after step 12) and before step 13), the method further comprises:
21) the authentication server verifies whether the identity of the user and the identity of the terminal are legal or not according to the terminal identity information and the user identity information;
the step can be referred to as step S109, and is not described in detail here.
22) If the identity of the user and the identity of the terminal are legal, the authentication server acquires a public key uniquely corresponding to the authentication server;
in the embodiment of the present invention, the authentication server stores the public key and the private key that the authentication server has locally, so in this step, the authentication server can obtain the locally stored public key uniquely corresponding to the authentication server.
23) The authentication server sends a user attribute information acquisition request to the terminal, wherein the user attribute information acquisition request carries a public key uniquely corresponding to the authentication server and user identity information;
24) the terminal receives the attribute information acquisition request sent by the authentication server;
25) the terminal acquires user attribute information of the user according to the user identity information;
in the embodiment of the present invention, the user attribute information of the user includes information, such as the age, sex, place of birth, place of living, occupation, marital status, unit, and privacy problem of the user, which is stored in the user account after the user registers the user account in the authentication server. Typically, the user attribute information is different for different users.
26) The terminal encrypts the user attribute information by using a public key uniquely corresponding to the authentication server to obtain encrypted information;
27) and the terminal sends the encrypted information to the authentication server.
28) The authentication server receives the encrypted information sent by the terminal;
29) the authentication server acquires a private key uniquely corresponding to the authentication server;
in the embodiment of the invention, the authentication server stores the public key and the private key which the authentication server has locally.
Therefore, in this step, the authentication server can acquire a locally stored private key uniquely corresponding to the authentication server.
31) The authentication server decrypts the encrypted information by using a private key uniquely corresponding to the authentication server to obtain the user attribute information;
32) the authentication server determines whether the identity of the user is legal or not by using the user identity information and the user attribute information;
33) and if the identity of the user is determined to be legal by using the user identity information and the user attribute information, executing step 13).
By the method of the embodiment of the invention, even if lawbreakers intercept the user identity information of the user, the authentication server can not open the access authority of accessing the network server to the terminal as long as the user attribute information of the user is not intercepted, thereby further improving the security.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Referring to fig. 3, a block diagram of an embodiment of an access right authentication apparatus according to the present invention is shown, and the apparatus may specifically include the following modules:
a first obtaining module 01, configured to obtain terminal identity information of the terminal, where the terminal identity information includes a hash value of data loaded by the terminal in a terminal starting process;
a second obtaining module 02, configured to obtain user identity information of a user currently using the terminal;
a third obtaining module 03, configured to obtain a symmetric key uniquely corresponding to the user identity information;
a first encryption module 04, configured to encrypt the user identity information and the terminal identity information using the symmetric key to obtain encrypted identity information;
the first generating module 05 is configured to generate an authentication request carrying the encrypted identity information;
a first sending module 06, configured to send the authentication request to an authentication server.
In an optional implementation manner, the third obtaining module 03 includes:
a first sending unit, configured to send a symmetric key acquisition request carrying the user identity information and the terminal identity information to the authentication server;
a first receiving unit, configured to receive an encryption key returned by the authentication server according to the symmetric key acquisition request, where the encryption key is obtained by encrypting, by using a public key uniquely corresponding to the terminal identity information, a symmetric key uniquely corresponding to the user identity information and the terminal identity information after the authentication server acquires the symmetric key uniquely corresponding to the user identity information and the terminal identity information;
a first obtaining unit, configured to obtain a private key uniquely corresponding to the public key;
and the decryption unit is used for decrypting the encrypted secret key by using the private key to obtain the symmetric secret key.
In an optional implementation manner, the third obtaining module further includes:
a second receiving unit, configured to receive a user attribute information acquisition request sent by an authentication server, where the user attribute information acquisition request carries a public key uniquely corresponding to the authentication server and the user identity information;
the second acquisition unit is used for acquiring the user attribute information of the user according to the user identity information;
the encryption unit is used for encrypting the user attribute information by using a public key uniquely corresponding to the authentication server to obtain encrypted information;
a second transmitting unit configured to transmit the encryption information to the authentication server.
In the embodiment of the present invention, the information carried in the authentication request sent by the terminal to the server is: and encrypting the user identity information of the user and the terminal identity information of the terminal by using the symmetric key. Thus, even if the authentication request is intercepted by a lawbreaker during transmission and the encrypted identity information is extracted from the authentication request, the lawbreaker cannot obtain the symmetric key, and thus cannot decrypt the encrypted identity information to obtain the user identity information of the user and the terminal identity information of the terminal. Therefore, lawless persons are prevented from using the user identity information of the user and the terminal identity information of the terminal to impersonate and access the network server, and the safety is improved.
Referring to fig. 4, a block diagram of an embodiment of an access right authentication apparatus according to the present invention is shown, and the apparatus may specifically include the following modules:
a first receiving module 21, configured to receive an authentication request sent by a terminal, where the authentication request carries encrypted identity information, and the encrypted identity information is obtained by encrypting, by the terminal, user identity information of a user currently using the terminal and terminal identity information of the terminal using a symmetric key, where the terminal identity information includes a hash value of data loaded by the terminal in a terminal starting process;
a fourth obtaining module 22, configured to obtain the symmetric key;
the first decryption module 23 is configured to decrypt the encrypted identity information carried in the authentication request by using the symmetric key, so as to obtain the user identity information and the terminal identity information;
the first verification module 24 is configured to verify whether the identity of the user and the identity of the terminal are legal according to the user identity information and the terminal identity information;
an opening module 25, configured to open an access right for the terminal to access the network server if the identity of the user and the identity of the terminal are legal.
In an optional implementation, the apparatus further comprises:
a second receiving module, configured to receive a symmetric key acquisition request that carries the user identity information and the terminal identity information and is sent by the terminal;
the second generation module is used for generating a symmetric key uniquely corresponding to the user identity information and the terminal identity information;
a fifth obtaining module, configured to obtain a public key uniquely corresponding to the terminal identity information;
the second encryption module is used for encrypting the symmetric key by using the public key to obtain an encryption key;
and the second sending module is used for sending the encryption key to the terminal.
In an optional implementation, the apparatus further comprises:
the second verification module is used for verifying whether the identity of the user and the identity of the terminal are legal or not according to the user identity information and the terminal identity information;
a sixth obtaining module, configured to obtain a public key uniquely corresponding to the authentication server if the identity of the user and the identity of the terminal are legal;
a third sending module, configured to send a user attribute information obtaining request to the terminal, where the user attribute information obtaining request carries a public key uniquely corresponding to the authentication server and the user identity information;
a third receiving module, configured to receive encrypted information returned by the terminal, where the encrypted information is obtained by encrypting, by the terminal, the user attribute information using a public key uniquely corresponding to the authentication server;
a seventh obtaining module, configured to obtain a private key uniquely corresponding to the authentication server;
the second decryption module is used for decrypting the encrypted information by using a private key uniquely corresponding to the authentication server to obtain the user attribute information;
a determining module for determining whether the identity of the user is legal using the user identity information and the user attribute information;
the second generation module is further to: and if the identity of the user is determined to be legal by using the user identity information and the user attribute information, generating a symmetric key which is uniquely corresponding to the user identity information and the terminal identity information.
In the embodiment of the present invention, the information carried in the authentication request sent by the terminal to the server is: and encrypting the user identity information of the user and the terminal identity information of the terminal by using the symmetric key. Thus, even if the authentication request is intercepted by a lawbreaker during transmission and the encrypted identity information is extracted from the authentication request, the lawbreaker cannot obtain the symmetric key, and thus cannot decrypt the encrypted identity information to obtain the user identity information of the user and the terminal identity information of the terminal. Therefore, lawless persons are prevented from using the user identity information of the user and the terminal identity information of the terminal to impersonate and access the network server, and the safety is improved.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or terminal that comprises the element.
The above detailed description is given to the method and apparatus for authenticating access rights provided by the present invention, and the specific examples are applied herein to explain the principle and the implementation of the present invention, and the description of the above embodiments is only used to help understanding the method and the core idea of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. An authentication method for access authority, which is applied to a terminal, and comprises the following steps:
acquiring terminal identity information of the terminal, wherein the terminal identity information comprises a hash value of data loaded by the terminal in the terminal starting process;
acquiring user identity information of a user currently using the terminal;
obtaining a symmetric key uniquely corresponding to the user identity information;
encrypting the user identity information and the terminal identity information by using the symmetric key to obtain encrypted identity information;
generating an authentication request carrying the encrypted identity information;
and sending the authentication request to an authentication server.
2. The method of claim 1, wherein the obtaining a symmetric key uniquely corresponding to the user identity information comprises:
sending a symmetric key acquisition request carrying the user identity information and the terminal identity information to the authentication server;
receiving an encryption key returned by the authentication server according to the symmetric key acquisition request, wherein the encryption key is obtained by encrypting the symmetric key by using a public key uniquely corresponding to the terminal identity information after the authentication server acquires the symmetric key uniquely corresponding to the user identity information and the terminal identity information;
obtaining a private key uniquely corresponding to the public key;
and decrypting the encrypted key by using the private key to obtain the symmetric key.
3. The method of claim 2, wherein after sending the symmetric key acquisition request carrying the user identity information and the terminal identity information to the authentication server, the method further comprises:
receiving a user attribute information acquisition request sent by an authentication server, wherein the user attribute information acquisition request carries a public key uniquely corresponding to the authentication server and the user identity information;
acquiring user attribute information of the user according to the user identity information;
encrypting the user attribute information by using a public key uniquely corresponding to the authentication server to obtain encrypted information;
and sending the encryption information to the authentication server.
4. A communication connection establishment method applied to an authentication server, the method comprising:
receiving an authentication request sent by a terminal, wherein the authentication request carries encrypted identity information, the encrypted identity information is obtained by encrypting user identity information of a user using the terminal currently and terminal identity information of the terminal by using a symmetric key by the terminal, and the terminal identity information comprises a hash value of data loaded by the terminal in a terminal starting process;
acquiring the symmetric key;
decrypting the encrypted identity information carried by the authentication request by using the symmetric key to obtain the user identity information and the terminal identity information;
verifying whether the identity of the user and the identity of the terminal are legal or not according to the user identity information and the terminal identity information;
and if the identity of the user and the identity of the terminal are legal, opening the access authority of the terminal for accessing the network server.
5. The method of claim 4, further comprising:
receiving a symmetric key acquisition request which is sent by the terminal and carries the user identity information and the terminal identity information;
generating a symmetric key uniquely corresponding to the user identity information and the terminal identity information;
acquiring a public key uniquely corresponding to the terminal identity information;
encrypting the symmetric key by using the public key to obtain an encryption key;
and sending the encryption key to the terminal.
6. The method according to claim 5, wherein after receiving the symmetric key acquisition request carrying the user identity information and the terminal identity information sent by the terminal and before generating the symmetric key uniquely corresponding to the user identity information and the terminal identity information, further comprising:
verifying whether the identity of the user and the identity of the terminal are legal or not according to the user identity information and the terminal identity information;
if the identity of the user and the identity of the terminal are legal, a public key uniquely corresponding to the authentication server is obtained;
sending a user attribute information acquisition request to the terminal, wherein the user attribute information acquisition request carries a public key uniquely corresponding to the authentication server and the user identity information;
receiving encrypted information returned by the terminal, wherein the encrypted information is obtained by encrypting the user attribute information by the terminal by using a public key uniquely corresponding to the authentication server;
obtaining a private key uniquely corresponding to the authentication server;
decrypting the encrypted information by using a private key uniquely corresponding to the authentication server to obtain the user attribute information;
determining whether the identity of the user is legitimate using the user identity information and user attribute information;
and if the identity of the user is determined to be legal by using the user identity information and the user attribute information, executing the step of generating a symmetric key uniquely corresponding to the user identity information and the terminal identity information.
7. An apparatus for authenticating an access right, the apparatus being applied to a terminal, the apparatus comprising:
the terminal comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring terminal identity information of the terminal, and the terminal identity information comprises a hash value of data loaded by the terminal in the terminal starting process;
the second acquisition module is used for acquiring the user identity information of the user currently using the terminal;
the third acquisition module is used for acquiring a symmetric key uniquely corresponding to the user identity information;
the first encryption module is used for encrypting the user identity information and the terminal identity information by using the symmetric key to obtain encrypted identity information;
the first generation module is used for generating an authentication request carrying the encrypted identity information;
and the first sending module is used for sending the authentication request to an authentication server.
8. The apparatus of claim 7, wherein the third obtaining module comprises:
a first sending unit, configured to send a symmetric key acquisition request carrying the user identity information and the terminal identity information to the authentication server;
a first receiving unit, configured to receive an encryption key returned by the authentication server according to the symmetric key acquisition request, where the encryption key is obtained by encrypting, by using a public key uniquely corresponding to the terminal identity information, a symmetric key uniquely corresponding to the user identity information and the terminal identity information after the authentication server acquires the symmetric key uniquely corresponding to the user identity information and the terminal identity information;
a first obtaining unit, configured to obtain a private key uniquely corresponding to the public key;
and the decryption unit is used for decrypting the encrypted secret key by using the private key to obtain the symmetric secret key.
9. A communication connection establishing apparatus, wherein the apparatus is applied to an authentication server, the apparatus comprising:
a first receiving module, configured to receive an authentication request sent by a terminal, where the authentication request carries encrypted identity information, and the encrypted identity information is obtained by encrypting, by the terminal, user identity information of a user currently using the terminal and terminal identity information of the terminal using a symmetric key, where the terminal identity information includes a hash value of data loaded by the terminal in a terminal starting process;
a fourth obtaining module, configured to obtain the symmetric key;
the first decryption module is used for decrypting the encrypted identity information carried by the authentication request by using the symmetric key to obtain the user identity information and the terminal identity information;
the first verification module is used for verifying whether the identity of the user and the identity of the terminal are legal or not according to the user identity information and the terminal identity information;
and the opening module is used for opening the access authority of the terminal for accessing the network server if the identity of the user and the identity of the terminal are legal.
10. The apparatus of claim 9, further comprising:
a second receiving module, configured to receive a symmetric key acquisition request that carries the user identity information and the terminal identity information and is sent by the terminal;
the second generation module is used for generating a symmetric key uniquely corresponding to the user identity information and the terminal identity information;
a fifth obtaining module, configured to obtain a public key uniquely corresponding to the terminal identity information;
the second encryption module is used for encrypting the symmetric key by using the public key to obtain an encryption key;
and the second sending module is used for sending the encryption key to the terminal.
CN201810276892.6A 2018-03-30 2018-03-30 Access authority authentication method and device Active CN108667800B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810276892.6A CN108667800B (en) 2018-03-30 2018-03-30 Access authority authentication method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810276892.6A CN108667800B (en) 2018-03-30 2018-03-30 Access authority authentication method and device

Publications (2)

Publication Number Publication Date
CN108667800A CN108667800A (en) 2018-10-16
CN108667800B true CN108667800B (en) 2020-08-28

Family

ID=63782556

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810276892.6A Active CN108667800B (en) 2018-03-30 2018-03-30 Access authority authentication method and device

Country Status (1)

Country Link
CN (1) CN108667800B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109831431B (en) * 2019-01-30 2021-03-30 重庆农村商业银行股份有限公司 Random number encryption method for service provider to initiate generation of access request
CN113572717B (en) * 2020-04-29 2024-02-20 青岛海尔洗涤电器有限公司 Communication connection establishment method, washing and protecting equipment and server
CN112822162B (en) * 2020-12-29 2023-05-23 重庆川仪自动化股份有限公司 Equipment verification connection method and system based on block chain

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101426009A (en) * 2007-10-31 2009-05-06 中国移动通信集团公司 Identity management platform, service server, uniform login system and method
CN104125565A (en) * 2013-04-23 2014-10-29 中兴通讯股份有限公司 Method for realizing terminal authentication based on OMA DM, terminal and server
CN104320391A (en) * 2014-10-22 2015-01-28 南京绿云信息技术有限公司 Cloud authentication method and system
CN107113315A (en) * 2016-04-15 2017-08-29 深圳前海达闼云端智能科技有限公司 Identity authentication method, terminal and server

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8818334B2 (en) * 2008-11-19 2014-08-26 Motorola Mobility Llc Secure data exchange with identity information exchange
US9372963B2 (en) * 2012-08-30 2016-06-21 Verizon Patent And Licensing Inc. User device selection

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101426009A (en) * 2007-10-31 2009-05-06 中国移动通信集团公司 Identity management platform, service server, uniform login system and method
CN104125565A (en) * 2013-04-23 2014-10-29 中兴通讯股份有限公司 Method for realizing terminal authentication based on OMA DM, terminal and server
CN104320391A (en) * 2014-10-22 2015-01-28 南京绿云信息技术有限公司 Cloud authentication method and system
CN107113315A (en) * 2016-04-15 2017-08-29 深圳前海达闼云端智能科技有限公司 Identity authentication method, terminal and server

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"基于移动终端的多终端单点登录研究与设计";孟青春;《中国优秀硕士论文全文数据库》;20140516;全文 *

Also Published As

Publication number Publication date
CN108667800A (en) 2018-10-16

Similar Documents

Publication Publication Date Title
CN104798083B (en) For the method and system of authentication-access request
CN106657152B (en) Authentication method, server and access control device
US9053318B2 (en) Anti-cloning system and method
WO2020173332A1 (en) Trusted execution environment-based application activation method and apparatus
EP2879421B1 (en) Terminal identity verification and service authentication method, system, and terminal
CN104426659B (en) Dynamic password formation method, authentication method and system, relevant device
CN107733636B (en) Authentication method and authentication system
CN106230838A (en) A kind of third-party application accesses the method and apparatus of resource
CN109981665B (en) Resource providing method and device, and resource access method, device and system
CN115473655B (en) Terminal authentication method, device and storage medium for access network
CN108667800B (en) Access authority authentication method and device
CN112487450A (en) File server access grading method
RU2698424C1 (en) Authorization control method
CN110807210B (en) Information processing method, platform, system and computer storage medium
CN110598469A (en) Information processing method and device and computer storage medium
CN107358118B (en) SFS access control method and system, SFS and terminal equipment
CN106992978B (en) Network security management method and server
CN112769560B (en) Key management method and related device
KR102355708B1 (en) Method for processing request based on user authentication using blockchain key and system applying same
CN108429621B (en) Identity verification method and device
CN113079506A (en) Network security authentication method, device and equipment
KR102053993B1 (en) Method for Authenticating by using Certificate
CN117082501A (en) Mobile terminal data encryption method
Nishimura et al. Secure authentication key sharing between personal mobile devices based on owner identity
KR20170111809A (en) Bidirectional authentication method using security token based on symmetric key

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant