CN110430043B - An authentication method, system and device, and storage medium - Google Patents
An authentication method, system and device, and storage medium
- Publication number: CN110430043B (application number CN201910606236.2A)
- Authority: CN (China)
- Prior art keywords: information, terminal, node server, key, authentication
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
    - H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
    - H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
    - H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    - H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    - H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
      - H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
        - H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    - H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
      - H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
  - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    - H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    - H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Storage Device Security (AREA)
Description
Technical field
The present invention relates to the technical field of video networking (视联网), and in particular to an authentication method and system, a device, and a computer-readable storage medium.
Background
Video networking is a dedicated network built on Ethernet hardware for the high-speed transmission of high-definition video over dedicated protocols; it is a more advanced form of Ethernet and a real-time network. In a video conference over video networking, a video conference client that wants to log in to the video conference server must send the user name and password held on the client to the server, and the server verifies the user name and password. If verification passes, the server allows the client to log in.
At present, in a video conference over video networking, the video conference client sends the user name and password to the video conference server in plain text. The user name and password are easily intercepted, so the security of the video conference is low.
Summary of the invention
In view of the above problems, the embodiments of the present invention are proposed to provide an authentication method and system, a device, and a computer-readable storage medium that overcome the above problems or at least partially solve them.
To solve the above problems, an embodiment of the present invention discloses an authentication method applied to video networking, where the video network includes a terminal and a node server, the terminal is provided with a first U-Key, and the terminal is communicatively connected to the node server. The method includes: the node server receives first authentication request information from the terminal, the first authentication request information including a user name and identification information of the first U-Key; the node server looks up, according to the user name and a preset binding relationship between user names and U-Keys, the identification information of a second U-Key corresponding to the user name; when the identification information of the first U-Key is the same as the identification information of the second U-Key, the node server generates and sends first authentication response information to the terminal; the terminal is configured to generate second authentication request information according to the first authentication response information and send it to the node server, the second authentication request information including encrypted password information; and the node server authenticates the second authentication request information and returns the authentication result to the terminal.
Optionally, the first authentication request information further includes first random data, encryption certificate data and identification information of the terminal, and the step of the node server generating the first authentication response information includes: the node server generates second random data and a symmetric key; the node server extracts a public key from the encryption certificate data and encrypts the symmetric key with that public key; the node server signs the first random data, the second random data, the encrypted symmetric key, the identification information of the node server and the identification information of the terminal with a preset first signature certificate to obtain first signature information; and the node server takes the first random data, the second random data, the encrypted symmetric key, the identification information of the terminal, the identification information of the node server, the first signature information and the first signature certificate as the first authentication response information.
Optionally, the terminal is configured to verify, using the first signature certificate, the signature over the first random data and the identification information of the terminal in the first authentication response information; if verification passes, to decrypt the encrypted symmetric key with a preset private key to obtain the symmetric key; to encrypt the password information with the symmetric key; to sign the first random data, the second random data and the identification information of the node server with a preset second signature certificate to obtain second signature information; and to take the first random data, the second random data, the encrypted password information, the identification information of the terminal, the identification information of the node server, the second signature information and the second signature certificate as the second authentication request information.
Optionally, after the step in which the node server receives the first authentication request information from the terminal, the method further includes: the node server looks up, according to the user name and a preset binding relationship between user names and stored passwords, the stored password corresponding to the user name.
Optionally, the step of the node server authenticating the second authentication request information includes: the node server verifies, using the second signature certificate, the signature over the identification information of the node server and the second random data in the second authentication request information; if verification passes, the node server decrypts the encrypted password information with the symmetric key to obtain the password information, and compares the stored password with the password information.
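The node server's side of the two-round exchange claimed above, written as an added example that is not part of the patent or of any product implementing it. Because the patent names no algorithms, it assumes RSA-OAEP for transporting the symmetric key, Ed25519 for the first and second signatures and AES-256-GCM for the password; "certificates" are reduced to bare keys that each side has pinned out of band, and the first response and the second request share one wire shape.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

// FirstRequest mirrors the patent's first authentication request; EncCertPub stands in for the public
// key taken from the terminal's encryption certificate (assumption: bare keys, no X.509 handling).
type FirstRequest struct {
	Username, UKeyID, TerminalID string
	Random1                      []byte
	EncCertPub                   *rsa.PublicKey
}
// Message is the shape shared by the first response (Payload = OAEP-wrapped symmetric key) and the
// second request (Payload = nonce||AES-GCM ciphertext of the password), signed over the patent's fields.
type Message struct {
	Random1, Random2, Payload, Signature []byte
	TerminalID, ServerID                 string
}
type session struct {
	user        string
	r1, r2, key []byte
}
// digest length-prefixes each field so that ("ab","c") and ("a","bc") never sign the same bytes.
func digest(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		binary.Write(h, binary.BigEndian, uint32(len(p)))
		h.Write(p)
	}
	return h.Sum(nil)
}
func equal(a, b []byte) bool { return subtle.ConstantTimeCompare(a, b) == 1 }
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

type NodeServer struct {
	ID                  string
	signKey             ed25519.PrivateKey           // key behind the first signature certificate
	ukeyBind, passwords map[string]string            // preset user name -> U-Key ID / password
	terminalSign        map[string]ed25519.PublicKey // pinned second signature key per terminal
	sessions            map[string]session           // state between the two rounds, per terminal
}

// HandleFirst checks the U-Key binding, then transports a fresh symmetric key under the terminal's
// public key and signs the response so the terminal can authenticate the server before it sends a secret.
func (s *NodeServer) HandleFirst(req FirstRequest) (*Message, error) {
	if bound, ok := s.ukeyBind[req.Username]; !ok || !equal([]byte(bound), []byte(req.UKeyID)) {
		return nil, errors.New("U-Key identification does not match the one bound to the user name")
	}
	r2, key := randBytes(16), randBytes(32) // second random data and an AES-256 key
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, req.EncCertPub, key, nil)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(s.signKey, digest(req.Random1, r2, encKey, []byte(s.ID), []byte(req.TerminalID)))
	s.sessions[req.TerminalID] = session{req.Username, req.Random1, r2, key}
	return &Message{req.Random1, r2, encKey, sig, req.TerminalID, s.ID}, nil
}

// HandleSecond verifies the terminal's signature with the pinned key, ties the request to the round-one
// nonces (replay protection), then decrypts the password and compares it with the stored one.
func (s *NodeServer) HandleSecond(req Message) (bool, error) {
	ss, ok := s.sessions[req.TerminalID]
	delete(s.sessions, req.TerminalID) // one attempt per round-one exchange
	pin, pinned := s.terminalSign[req.TerminalID]
	if !ok || !pinned || !ed25519.Verify(pin, digest(req.Random1, req.Random2, []byte(req.ServerID)), req.Signature) {
		return false, errors.New("no pending session or second signature invalid")
	}
	if req.ServerID != s.ID || !equal(req.Random1, ss.r1) || !equal(req.Random2, ss.r2) {
		return false, errors.New("nonces or server identity do not match this session")
	}
	block, err := aes.NewCipher(ss.key)
	if err != nil {
		return false, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil || len(req.Payload) < g.NonceSize() {
		return false, errors.New("bad key or ciphertext")
	}
	pw, err := g.Open(nil, req.Payload[:g.NonceSize()], req.Payload[g.NonceSize():], nil)
	if err != nil {
		return false, errors.New("password ciphertext rejected")
	}
	return equal(pw, []byte(s.passwords[ss.user])), nil
}
```

The terminal's part (check the first signature and echoed random data, unwrap the key with its private key, then encrypt and sign the password) is exactly what HandleSecond expects; the comparison of the stored password is constant-time and, as in the patent, direct, where a deployment would compare a salted hash.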
An embodiment of the present invention also discloses an authentication system applied to video networking, where the video network includes a terminal and a node server, the terminal is provided with a first U-Key, and the terminal is communicatively connected to the node server. The node server includes: a receiving module configured to receive first authentication request information from the terminal, the first authentication request information including a user name and identification information of the first U-Key; a query module configured to look up, according to the user name and a preset binding relationship between user names and U-Keys, the identification information of a second U-Key corresponding to the user name; a response module configured to generate and send first authentication response information to the terminal when the identification information of the first U-Key is the same as the identification information of the second U-Key, the terminal being configured to generate second authentication request information according to the first authentication response information and send it to the node server, the second authentication request information including encrypted password information; and an authentication module configured to authenticate the second authentication request information and return the authentication result to the terminal.
Optionally, the first authentication request information further includes first random data, encryption certificate data and identification information of the terminal, and the response module includes: a generating module configured to generate second random data and a symmetric key; an encryption module configured to extract a public key from the encryption certificate data and encrypt the symmetric key with that public key; a signing module configured to sign the first random data, the second random data, the encrypted symmetric key, the identification information of the node server and the identification information of the terminal with a preset first signature certificate to obtain first signature information; and a determining module configured to take the first random data, the second random data, the encrypted symmetric key, the identification information of the terminal, the identification information of the node server, the first signature information and the first signature certificate as the first authentication response information.
Optionally, the terminal is configured to verify, using the first signature certificate, the signature over the first random data and the identification information of the terminal in the first authentication response information; if verification passes, to decrypt the encrypted symmetric key with a preset private key to obtain the symmetric key; to encrypt the password information with the symmetric key; to sign the first random data, the second random data and the identification information of the node server with a preset second signature certificate to obtain second signature information; and to take the first random data, the second random data, the encrypted password information, the identification information of the terminal, the identification information of the node server, the second signature information and the second signature certificate as the second authentication request information. The query module is further configured to look up, after the receiving module receives the first authentication request information from the terminal, the stored password corresponding to the user name according to the user name and a preset binding relationship between user names and stored passwords. The authentication module includes: a signature verification module configured to verify, using the second signature certificate, the signature over the identification information of the node server and the second random data in the second authentication request information; and a comparison module configured, if verification passes, to decrypt the encrypted password information with the symmetric key to obtain the password information and to compare the stored password with the password information.
An embodiment of the present invention also discloses a device, including:
one or more processors; and
one or more machine-readable media having instructions stored thereon which, when executed by the one or more processors, cause the device to perform one or more of the authentication methods described in the embodiments of the present invention.
An embodiment of the present invention also discloses a computer-readable storage medium storing a computer program that causes a processor to perform the authentication method described in the embodiments of the present invention.
The embodiments of the present invention have the following advantages:
The authentication scheme provided by the embodiments of the present invention is applied to video networking, which may include a terminal and a node server. The terminal may serve as a video conference client and is provided with a first U-Key; the node server may serve as a video conference server; and the terminal and the node server may be connected.
In an embodiment of the present invention, the terminal sends first authentication request information to the node server, which may include a user name and identification information of the first U-Key. The node server looks up, in the preset binding relationship between user names and U-Keys, the identification information of the second U-Key corresponding to the user name in the first authentication request information, and compares it with the identification information of the first U-Key. If the identification information of the first U-Key is the same as that of the second U-Key, it generates and sends first authentication response information to the terminal. The terminal generates, according to the first authentication response information, second authentication request information that includes the password information, and sends it to the node server. The node server authenticates the second authentication request information and returns the authentication result to the terminal.
In the embodiments of the present invention, first, the terminal sends the password information in encrypted form when it sends authentication request information to the node server, which improves the security of the password information. Second, the terminal sends the user name to the node server in the first authentication request information and the password information in the second authentication request information; sending the user name and the password information separately lowers the probability that both are intercepted at the same time. Third, after the terminal sends the first authentication request information, the node server checks whether the U-Key identification information in that request is the same as the identification information of the U-Key bound to the user name, and returns the first authentication response information only if it is. That is, only when the U-Key identification information in the first authentication request information matches that of the U-Key bound to the user name does the terminal, according to the first authentication response information, send the node server the second authentication request information containing the password information. The node server's verification of the U-Key identification information thus improves the security of the password information.
Brief description of the drawings
Fig. 1 is a schematic diagram of the networking of a video network according to the present invention;
Fig. 2 is a schematic diagram of the hardware structure of a node server according to the present invention;
Fig. 3 is a schematic diagram of the hardware structure of an access switch according to the present invention;
Fig. 4 is a schematic diagram of the hardware structure of an Ethernet protocol conversion gateway according to the present invention;
Fig. 5 is a flow chart of the steps of an authentication method according to an embodiment of the present invention;
Fig. 6 is an interaction diagram of a user login authentication method for a video conference over video networking according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a node server in an authentication system according to an embodiment of the present invention.
具体实施方式Detailed ways
为使本发明的上述目的、特征和优点能够更加明显易懂,下面结合附图和具体实施方式对本发明作进一步详细的说明。In order to make the above objects, features and advantages of the present invention more comprehensible, the present invention will be further described in detail below in conjunction with the accompanying drawings and specific embodiments.
视联网是网络发展的重要里程碑,是一个实时网络,能够实现高清视频实时传输,将众多互联网应用推向高清视频化,高清面对面。The Internet of Vision is an important milestone in the development of the network. It is a real-time network that can realize real-time transmission of high-definition video, and push many Internet applications to high-definition video, high-definition face-to-face.
视联网采用实时高清视频交换技术,可以在一个网络平台上将所需的服务,如高清视频会议、视频监控、智能化监控分析、应急指挥、数字广播电视、延时电视、网络教学、现场直播、VOD点播、电视邮件、个性录制(PVR)、内网(自办)频道、智能化视频播控、信息发布等数十种视频、语音、图片、文字、通讯、数据等服务全部整合在一个系统平台,通过电视或电脑实现高清品质视频播放。The Internet of View adopts real-time high-definition video exchange technology, which can provide required services on one network platform, such as high-definition video conferencing, video surveillance, intelligent monitoring and analysis, emergency command, digital broadcast TV, time-lapse TV, online teaching, live broadcast , VOD on demand, TV mail, personalized recording (PVR), intranet (self-managed) channel, intelligent video broadcast control, information release and other dozens of video, voice, picture, text, communication, data and other services are all integrated in one System platform, realize high-definition quality video playback through TV or computer.
为使本领域技术人员更好地理解本发明实施例,以下对视联网进行介绍:In order to enable those skilled in the art to better understand the embodiments of the present invention, the Internet of Things is introduced as follows:
视联网所应用的部分技术如下所述:Some of the technologies applied in the Internet of Things are as follows:
网络技术(Network Technology)Network Technology
视联网的网络技术创新改良了传统以太网(Ethernet),以面对网络上潜在的巨大第一视频流量。不同于单纯的网络分组包交换(Packet Switching)或网络电路交换(Circuit Switching),视联网技术采用Packet Switching满足Streaming需求。视联网技术具备分组交换的灵活、简单和低价,同时具备电路交换的品质和安全保证,实现了全网交换式虚拟电路,以及数据格式的无缝连接。The network technology innovation of the Internet of View has improved the traditional Ethernet (Ethernet) to face the potentially huge first video traffic on the network. Different from pure network packet switching (Packet Switching) or network circuit switching (Circuit Switching), video networking technology uses Packet Switching to meet Streaming requirements. The Internet of Vision technology has the flexibility, simplicity and low price of packet switching, and at the same time has the quality and security guarantee of circuit switching, realizing the seamless connection of switched virtual circuits and data formats throughout the network.
交换技术(Switching Technology)Switching Technology
视联网采用以太网的异步和包交换两个优点,在全兼容的前提下消除了以太网缺陷,具备全网端到端无缝连接,直通用户终端,直接承载IP数据包。用户数据在全网范围内不需任何格式转换。视联网是以太网的更高级形态,是一个实时交换平台,能够实现目前互联网无法实现的全网大规模高清视频实时传输,将众多网络视频应用推向高清化、统一化。Video networking adopts the two advantages of Ethernet asynchronous and packet switching, eliminates the defects of Ethernet under the premise of full compatibility, has end-to-end seamless connection of the whole network, directly connects to user terminals, and directly carries IP data packets. User data does not require any format conversion across the entire network. Video networking is a more advanced form of Ethernet. It is a real-time switching platform, which can realize the real-time transmission of large-scale high-definition video in the whole network that cannot be realized by the Internet at present, and push many network video applications to high-definition and unification.
服务器技术(Server Technology)Server Technology
视联网和统一视频平台上的服务器技术不同于传统意义上的服务器,它的流媒体传输是建立在面向连接的基础上,其数据处理能力与流量、通讯时间无关,单个网络层就能够包含信令及数据传输。对于语音和视频业务来说,视联网和统一视频平台流媒体处理的复杂度比数据处理简单许多,效率比传统服务器大大提高了百倍以上。The server technology on the Internet of View and unified video platform is different from the server in the traditional sense. Its streaming media transmission is based on connection-oriented, and its data processing capability has nothing to do with traffic and communication time. A single network layer can contain information command and data transmission. For voice and video services, the complexity of video streaming and unified video platform streaming media processing is much simpler than data processing, and the efficiency is greatly improved by more than 100 times compared with traditional servers.
储存器技术(Storage Technology)Storage Technology
统一视频平台的超高速储存器技术为了适应超大容量和超大流量的媒体内容而采用了最先进的实时操作系统,将服务器指令中的节目信息映射到具体的硬盘空间,媒体内容不再经过服务器,瞬间直接送达到用户终端,用户等待一般时间小于0.2秒。最优化的扇区分布大大减少了硬盘磁头寻道的机械运动,资源消耗仅占同等级IP互联网的20%,但产生大于传统硬盘阵列3倍的并发流量,综合效率提升10倍以上。The ultra-high-speed storage technology of the unified video platform adopts the most advanced real-time operating system in order to adapt to the super-large capacity and super-large-flow media content, and maps the program information in the server command to the specific hard disk space, and the media content no longer passes through the server. It is delivered directly to the user terminal in an instant, and the user generally waits for less than 0.2 seconds. The optimized sector distribution greatly reduces the mechanical movement of the hard disk head seeking. The resource consumption is only 20% of the IP Internet of the same level, but the concurrent traffic generated is 3 times larger than that of the traditional hard disk array, and the overall efficiency is increased by more than 10 times.
网络安全技术(Network Security Technology)Network Security Technology
视联网的结构性设计通过每次服务单独许可制、设备与用户数据完全隔离等方式从结构上彻底根除了困扰互联网的网络安全问题,一般不需要杀毒程序、防火墙,杜绝了黑客与病毒的攻击,为用户提供结构性的无忧安全网络。The structural design of the Internet of View completely eradicates the network security problems that plague the Internet through the individual licensing system for each service, complete isolation of equipment and user data, and generally does not require anti-virus programs and firewalls, preventing hackers and virus attacks , to provide users with a structured worry-free security network.
Service Innovation Technology
The unified video platform fuses services with transport: whether the party is a single user, a private-network user or an entire network, joining is a single automatic connection. User terminals, set-top boxes or PCs connect directly to the unified video platform and obtain multimedia video services of many forms. In place of conventional, complex application programming, the platform uses a "recipe-style" table configuration model, so that complex applications are realised with very little code and new services can be created without practical limit.
The Internet of View is organised as follows:
The Internet of View is a centrally controlled network structure. The network may be a tree, star or ring topology, but in every case it needs a central control node that controls the whole network.
As shown in Figure 1, the Internet of View is divided into two parts: the access network and the metropolitan area network (MAN).
The devices of the access network fall into three categories: node servers, access switches and terminals (set-top boxes, encoding boards, storage devices and so on). A node server is connected to access switches; an access switch may be connected to multiple terminals and may also connect to Ethernet.
The node server is the node of the access network that exercises central control; it controls the access switches and the terminals. A node server may connect directly to an access switch or directly to a terminal.
Similarly, the devices of the MAN fall into three categories: metropolitan area servers, node switches and node servers. A metropolitan area server is connected to node switches, and a node switch may be connected to multiple node servers.
The node server here is the same node server as in the access network, i.e. the node server belongs to both the access network and the MAN.
The metropolitan area server is the node of the MAN that exercises central control; it controls the node switches and the node servers. A metropolitan area server may connect directly to a node switch or directly to a node server.
The Internet of View as a whole is thus a hierarchically and centrally controlled network structure, while the networks under a node server or a metropolitan area server may be of tree, star, ring or other topology.
Figuratively, the access network part forms a unified video platform (the part inside the dotted circle), and multiple unified video platforms form the Internet of View; each unified video platform can interconnect with the others over the metropolitan and wide-area Internet of View.
Classification of Internet of View devices
1.1 The devices in the Internet of View of the embodiments of the present invention fall into three categories: servers, switches (including Ethernet protocol conversion gateways) and terminals (set-top boxes, encoding boards, storage devices and so on). The Internet of View as a whole can be divided into a metropolitan area network (or national network, global network, etc.) and an access network.
1.2 The devices of the access network fall into three categories: node servers, access switches (including Ethernet protocol conversion gateways) and terminals (set-top boxes, encoding boards, storage devices and so on).
The specific hardware structure of each access network device is as follows.
Node server:
As shown in Figure 2, the node server mainly comprises a network interface module 201, a switching engine module 202, a CPU module 203 and a disk array module 204.
Packets arriving from the network interface module 201, the CPU module 203 and the disk array module 204 all enter the switching engine module 202. The switching engine module 202 looks each incoming packet up in the address table 205 to obtain the packet's steering information and, according to that information, places the packet in the queue of the corresponding packet buffer 206; if that queue is nearly full, the packet is discarded. The switching engine module 202 polls all packet buffer queues and forwards from a queue when both of the following conditions hold: 1) the send buffer of the port is not full; 2) the packet counter of the queue is greater than zero. The disk array module 204 mainly controls the hard disks, including initialisation, reads and writes. The CPU module 203 mainly handles protocol processing with the access switches and terminals (not shown), the configuration of the address table 205 (which comprises a downstream protocol packet address table, an upstream protocol packet address table and a data packet address table), and the configuration of the disk array module 204.
Access switch:
As shown in Figure 3, the access switch mainly comprises network interface modules (a downlink network interface module 301 and an uplink network interface module 302), a switching engine module 303 and a CPU module 304.
Packets arriving from the downlink network interface module 301 (upstream data) enter the packet detection module 305. The packet detection module 305 checks whether the packet's destination address (DA), source address (SA), packet type and packet length meet the requirements; if they do, it assigns the corresponding stream identifier (stream-id) and passes the packet to the switching engine module 303, otherwise the packet is discarded. Packets arriving from the uplink network interface module 302 (downstream data) enter the switching engine module 303 directly, as do packets from the CPU module 304. The switching engine module 303 looks each incoming packet up in the address table 306 to obtain its steering information. If the packet is travelling from the downlink network interface to the uplink network interface, it is placed, according to its stream-id, in the queue of the corresponding packet buffer 307; otherwise it is placed in the queue of the corresponding packet buffer 307 according to its steering information. In either case, if that queue is nearly full the packet is discarded.
The switching engine module 303 polls all packet buffer queues, and two cases arise:
If the queue runs from the downlink network interface to the uplink network interface, forwarding takes place when the following conditions hold: 1) the send buffer of the port is not full; 2) the packet counter of the queue is greater than zero; 3) a token generated by the rate control module has been obtained.
If the queue does not run from the downlink network interface to the uplink network interface, forwarding takes place when the following conditions hold: 1) the send buffer of the port is not full; 2) the packet counter of the queue is greater than zero.
The rate control module 308 is configured by the CPU module 304. At a programmable interval it generates tokens for every packet buffer queue that runs from the downlink network interface to the uplink network interface, thereby controlling the upstream forwarding rate.
The CPU module 304 mainly handles protocol processing with the node server, the configuration of the address table 306 and the configuration of the rate control module 308.
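The polling and token-gated forwarding described above, modelled in Go as an added example that is not code from the patent. It shows the point of the third condition: traffic from terminals towards the node server (upstream) can only leave as fast as the rate control module hands out tokens, while downstream traffic is limited only by the send buffer, so a terminal cannot flood the controlling node. Packets are reduced to byte slices, one Port stands in for an interface's send buffer, and Simulate with its queue sizes and token count is a constructed scenario; the patent gives no sizes, intervals or token rates.

```go
package main

import "fmt"

// Queue direction through the access switch of Figure 3.
const (
	Downstream = iota // uplink interface -> downlink interface (towards terminals)
	Upstream          // downlink interface -> uplink interface (towards the node server)
)

// Port is the egress side of a network interface with a bounded send buffer.
type Port struct {
	Sent    [][]byte
	SendCap int
}

// Queue models one packet-buffer queue; Cap is the "nearly full" threshold
// beyond which the switching engine discards arriving packets.
type Queue struct {
	Dir     int
	Cap     int
	Port    *Port
	Packets [][]byte
	Dropped int
}

// Enqueue stores a packet unless the queue is nearly full, in which case it is discarded.
func (q *Queue) Enqueue(p []byte) bool {
	if len(q.Packets) >= q.Cap {
		q.Dropped++
		return false
	}
	q.Packets = append(q.Packets, p)
	return true
}

// Engine is the polling switching engine; Tokens is filled by the rate control module.
type Engine struct {
	Queues []*Queue
	Tokens int
}

// Refill is what the CPU-configured rate control module does at each programmable interval.
func (e *Engine) Refill(tokens int) { e.Tokens += tokens }

// Poll keeps cycling through the queues until a full round forwards nothing.
// A queue is served when its port's send buffer is not full and its packet
// counter is above zero; an Upstream queue must additionally obtain a token.
func (e *Engine) Poll() (forwarded int) {
	for progress := true; progress; {
		progress = false
		for _, q := range e.Queues {
			if len(q.Packets) == 0 || len(q.Port.Sent) >= q.Port.SendCap {
				continue
			}
			if q.Dir == Upstream {
				if e.Tokens == 0 {
					continue
				}
				e.Tokens--
			}
			q.Port.Sent = append(q.Port.Sent, q.Packets[0])
			q.Packets = q.Packets[1:]
			forwarded++
			progress = true
		}
	}
	return forwarded
}

// Simulate (constructed scenario) offers upN upstream and downN downstream packets to
// queues of the given capacity, grants the tokens once, and reports what each direction
// forwarded and how many packets were discarded on arrival.
func Simulate(upN, downN, tokens, queueCap int) (up, down, dropped int) {
	uplink, downlink := &Port{SendCap: 1 << 16}, &Port{SendCap: 1 << 16}
	upQ := &Queue{Dir: Upstream, Cap: queueCap, Port: uplink}
	downQ := &Queue{Dir: Downstream, Cap: queueCap, Port: downlink}
	for i := 0; i < upN; i++ {
		upQ.Enqueue([]byte{byte(i)})
	}
	for i := 0; i < downN; i++ {
		downQ.Enqueue([]byte{byte(i)})
	}
	e := &Engine{Queues: []*Queue{upQ, downQ}}
	e.Refill(tokens)
	e.Poll()
	return len(uplink.Sent), len(downlink.Sent), upQ.Dropped + downQ.Dropped
}

func main() {
	up, down, dropped := Simulate(10, 10, 3, 8)
	fmt.Printf("upstream forwarded %d, downstream forwarded %d, dropped on arrival %d\n", up, down, dropped)
}
```

With ten packets offered in each direction, a queue threshold of eight and three tokens, two packets per direction are dropped on arrival, the downstream queue drains completely and the upstream queue releases exactly three packets; the remaining five wait for the next token refill.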
Ethernet protocol conversion gateway:
As shown in Figure 4, the Ethernet protocol conversion gateway mainly comprises network interface modules (a downlink network interface module 401 and an uplink network interface module 402), a switching engine module 403, a CPU module 404, a packet detection module 405, a rate control module 408, an address table 406, a packet buffer 407, a MAC addition module 409 and a MAC removal module 410.
Packets arriving from the downlink network interface module 401 enter the packet detection module 405, which checks whether the packet's Ethernet MAC DA, Ethernet MAC SA, Ethernet length/frame type, Internet of View destination address DA, Internet of View source address SA, Internet of View packet type and packet length meet the requirements. If they do, the corresponding stream identifier (stream-id) is assigned, the MAC removal module 410 strips the MAC DA, MAC SA and the 2-byte length/frame type field, and the packet enters the corresponding receive buffer; otherwise the packet is discarded.
The downlink network interface module 401 monitors the send buffer of its port. When a packet is present, it determines the Ethernet MAC DA of the destination terminal from the packet's Internet of View destination address DA, prepends the terminal's Ethernet MAC DA, the Ethernet MAC SA of the gateway and the Ethernet length/frame type field, and transmits the frame.
The other modules of the Ethernet protocol conversion gateway function like those of the access switch.
Terminal:
A terminal mainly comprises a network interface module, a service processing module and a CPU module. For example, a set-top box mainly comprises a network interface module, a video/audio codec engine module and a CPU module; an encoding board mainly comprises a network interface module, a video/audio encoding engine module and a CPU module; a storage device mainly comprises a network interface module, a CPU module and a disk array module.
1.3 The devices of the metropolitan area network fall into three categories: node servers, node switches and metropolitan area servers. A node switch mainly comprises a network interface module, a switching engine module and a CPU module; a metropolitan area server likewise mainly comprises a network interface module, a switching engine module and a CPU module.
2. Definition of Internet of View data packets
2.1 Definition of access network data packets
An access network data packet mainly comprises the following parts: destination address (DA), source address (SA), reserved bytes, payload (PDU) and CRC, laid out as shown in the table below.
Here:
The destination address (DA) consists of 8 bytes. The first byte indicates the packet type (protocol packets of various kinds, multicast data packets, unicast data packets, etc.), giving at most 256 types; the second to sixth bytes are the metropolitan area network address; the seventh and eighth bytes are the access network address.
The source address (SA) likewise consists of 8 bytes and is defined in the same way as the destination address (DA).
The reserved field consists of 2 bytes.
The payload has a length that depends on the packet type: 64 bytes for the various protocol packets and 32 + 1024 = 1056 bytes for unicast and multicast data packets; these two are not the only possibilities.
The CRC consists of 4 bytes and is computed with the standard Ethernet CRC algorithm.
2.2 Definition of MAN data packets
The topology of the metropolitan area network is a graph, and two devices may have two or more connections between them: there may be more than two connections between a node switch and a node server, or between two node switches. The MAN address of a MAN device, however, is unique. To describe the connection relationships between MAN devices precisely, the embodiments of the present invention introduce a parameter, the label, which uniquely describes a MAN device.
The label defined in this specification resembles the label of MPLS (Multi-Protocol Label Switching). Suppose devices A and B have two connections between them; then packets from A to B have 2 labels, and packets from B to A also have 2 labels. Labels are divided into incoming and outgoing labels: if the label with which a packet enters device A (the incoming label) is 0x0000, the label with which it leaves device A (the outgoing label) may become 0x0001. Joining the MAN is a centrally controlled process, which means that MAN address allocation and label allocation are both driven by the metropolitan area server, with node switches and node servers merely executing passively. This differs from MPLS, where label allocation is the result of negotiation between switches and servers.
As shown in the table below, a MAN data packet mainly comprises the following parts: destination address (DA), source address (SA), reserved bytes (Reserved), label, payload (PDU) and CRC. The label format is as follows: the label is 32 bits, of which the high 16 bits are reserved and only the low 16 bits are used, and it sits between the reserved bytes and the payload of the packet.
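An added example, not code from the patent, that parses and validates the access network packet of section 2.1 and the MAN packet of section 2.2 in Go and applies the packet detection module's type and length checks from the access switch description above, returning an error wherever that module would discard the packet. The type-byte values, the big-endian byte order of the address and CRC fields, and the Build helper used to construct test frames are assumptions; the patent gives only the field sizes, the payload lengths and that the CRC follows the standard Ethernet algorithm (CRC-32, IEEE polynomial).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Address is the 8-byte DA/SA of section 2.1: type byte, 5-byte MAN address, 2-byte access-network address.
type Address struct{ Type byte; MAN [5]byte; Access uint16 }

// Packet is a parsed access-network packet (Label == nil) or MAN packet (Label != nil);
// Label holds the low 16 bits of the 32-bit MAN label, the high 16 bits being reserved.
type Packet struct{ DA, SA Address; Reserved [2]byte; Label *uint16; Payload []byte }

// Hypothetical type-byte values: the patent says the first DA byte distinguishes
// protocol, unicast and multicast packets but does not give the numbers.
const TypeProtocol, TypeUnicast, TypeMulticast byte = 0x01, 0x02, 0x03

const hdrLen = 8 + 8 + 2 // DA + SA + reserved bytes

// expectedPDULen is the packet detection module's length rule:
// 64-byte protocol packets, 32+1024-byte unicast/multicast data packets.
func expectedPDULen(t byte) (int, error) {
	switch t {
	case TypeProtocol:
		return 64, nil
	case TypeUnicast, TypeMulticast:
		return 32 + 1024, nil
	}
	return 0, fmt.Errorf("unknown packet type 0x%02x", t)
}

func parseAddress(b []byte) Address {
	a := Address{Type: b[0], Access: binary.BigEndian.Uint16(b[6:8])}
	copy(a.MAN[:], b[1:6])
	return a
}

// Parse validates a raw frame and returns it, or an error meaning "discard".
// The CRC is the standard Ethernet CRC-32 (crc32.IEEE), assumed stored big-endian after the payload.
func Parse(raw []byte, man bool) (*Packet, error) {
	fixed := hdrLen + 4 // plus the trailing CRC
	if man { fixed += 4 } // plus the label
	if len(raw) < fixed {
		return nil, errors.New("frame shorter than its fixed fields")
	}
	body, fcs := raw[:len(raw)-4], raw[len(raw)-4:]
	if crc32.ChecksumIEEE(body) != binary.BigEndian.Uint32(fcs) {
		return nil, errors.New("CRC mismatch")
	}
	p := &Packet{DA: parseAddress(body[0:8]), SA: parseAddress(body[8:16])}
	copy(p.Reserved[:], body[16:18])
	off := hdrLen
	if man {
		l := uint16(binary.BigEndian.Uint32(body[off:off+4]) & 0xFFFF)
		p.Label, off = &l, off+4
	}
	p.Payload = body[off:]
	want, err := expectedPDULen(p.DA.Type)
	if err != nil { return nil, err }
	if len(p.Payload) != want {
		return nil, fmt.Errorf("payload is %d bytes but type 0x%02x requires %d", len(p.Payload), p.DA.Type, want)
	}
	return p, nil
}

// Build is the inverse of Parse; a nil label builds an access-network frame.
func Build(da, sa Address, label *uint16, payload []byte) []byte {
	var tmp [4]byte
	b := make([]byte, 0, hdrLen+4+len(payload)+4)
	for _, a := range []Address{da, sa} {
		b = append(b, a.Type)
		b = append(b, a.MAN[:]...)
		binary.BigEndian.PutUint16(tmp[:2], a.Access)
		b = append(b, tmp[:2]...)
	}
	b = append(b, 0, 0) // reserved bytes
	if label != nil {
		binary.BigEndian.PutUint32(tmp[:], uint32(*label))
		b = append(b, tmp[:]...)
	}
	b = append(b, payload...)
	binary.BigEndian.PutUint32(tmp[:], crc32.ChecksumIEEE(b))
	return append(b, tmp[:]...)
}

func main() {
	da := Address{Type: TypeProtocol, MAN: [5]byte{1, 2, 3, 4, 5}, Access: 0x0102}
	sa := Address{Type: TypeProtocol, MAN: [5]byte{1, 2, 3, 4, 5}, Access: 0x0203}
	frame := Build(da, sa, nil, make([]byte, 64)) // constructed 64-byte protocol packet
	_, err := Parse(frame, false)
	fmt.Println("constructed protocol packet accepted:", err == nil)
}
```

Parse has to know from the port it serves whether it is looking at an access-network or a MAN frame; the label is not self-describing, so a MAN frame handed to an access-network parser is not misread as a longer payload but fails the length rule, which is the behaviour the detection module's checks give you for free.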
Referring to Figure 5, which shows a flow chart of the steps of an authentication method according to an embodiment of the present invention. The method can be applied to the Internet of View, which may comprise a terminal and a node server; the terminal is provided with a first U-Key and is communicatively connected to the node server. The authentication method may comprise the following steps:
Step 501: the node server receives first authentication request information from the terminal.
In the embodiments of the present invention a video conference client application may be pre-installed on the terminal, so that the terminal acts as the video conference client. The terminal generates the first authentication request information and sends it to the node server over the Internet of View. A video conference server application may be pre-installed on the node server, so that the node server acts as the video conference server.
To improve the security of the video conference, the terminal may be provided with a first U-Key; that is, only a terminal provided with the first U-Key can log in to the node server. The identification information of the first U-Key is its identity information and uniquely identifies the first U-Key. U-Key is short for USB Key, a hardware storage device with a USB interface. A USB Key looks much like an ordinary USB flash drive, but it contains a microcontroller or smart-card chip. It has a certain amount of storage, can hold the user's private key and digital certificate, and can authenticate the user's identity with its built-in public-key algorithm.
In the embodiments of the present invention the first authentication request information may comprise the user name entered by the user on the terminal and the identification information of the first U-Key. In addition it may comprise first random data generated by the terminal, the identification information of the terminal and encryption certificate data; the encryption certificate data may contain a public key.
Step 502: the node server queries the user name against the preset binding between user names and U-Keys and obtains the identification information of the second U-Key that corresponds to the user name.
In the embodiments of the present invention a binding between user names and U-Keys may be preset on the node server, expressed as a one-to-one correspondence between a user name and the identification information of a U-Key. After receiving the first authentication request information, the node server looks up, in that binding, the identification information of the second U-Key that corresponds one-to-one to the user name in the request. The node server then compares the identification information of the second U-Key found in this way with the identification information of the first U-Key in the first authentication request information: if the two are identical, the second U-Key and the first U-Key are the same U-Key, i.e. the first U-Key provided on the terminal is the U-Key that corresponds one-to-one to the user name used on the terminal.
In a preferred embodiment of the present invention, after receiving the first authentication request information the node server, besides querying the identification information of the second U-Key that corresponds to the user name, also queries the user name against the preset binding between user names and passwords and obtains the password information that corresponds to the user name. Besides the binding between user names and U-Keys, the node server may thus also be preset with a binding between user names and passwords; after receiving the first authentication request information it looks up, in that binding, the password information that corresponds one-to-one to the user name in the request.
Step 503: when the identification information of the first U-Key is identical to that of the second U-Key, the node server generates first authentication response information and sends it to the terminal.
In the embodiments of the present invention, when the first U-Key provided on the terminal is the U-Key that corresponds one-to-one to the user name, the node server may generate first authentication response information and send it to the terminal.
In practice, to generate the first authentication response information the node server generates second random data and a symmetric key, extracts the public key from the encryption certificate data in the first authentication request information and encrypts the generated symmetric key with that public key. It then signs the first random data, the second random data, the encrypted symmetric key, the identification information of the node server and the identification information of the terminal with the private key of a preset first signature certificate to obtain first signature information, and takes the first random data, the second random data, the encrypted symmetric key, the identification information of the terminal, the identification information of the node server, the first signature information and the first signature certificate as the first authentication response information.
In the embodiments of the present invention, after receiving the first authentication response information the terminal processes it to generate second authentication request information, which it sends to the node server. In doing so the terminal uses the public key of the first signature certificate in the first authentication response information to verify the signature over the first random data and the terminal's identification information contained in that response, confirming that they have not been tampered with and that the first authentication response information originates from the node server. If the signature verifies, the terminal decrypts the encrypted symmetric key with a preset private key to obtain the symmetric key. The preset private key is the private key paired with the public key in the encryption certificate data, so only that private key can decrypt the encrypted symmetric key. Having recovered the symmetric key, the terminal encrypts the password information for the user name with it to obtain encrypted password information. The terminal then signs the first random data, the second random data and the identification information of the node server with the private key of a preset second signature certificate to obtain second signature information, and takes the first random data, the second random data, the encrypted password information, the identification information of the terminal, the identification information of the node server, the second signature information and the second signature certificate as the second authentication request information.
Step 504: the node server authenticates the second authentication request information and returns the authentication result to the terminal.
In the embodiments of the present invention, after receiving the second authentication request information the node server uses the public key of the second signature certificate to verify the signature over the node server's identification information and the second random data contained in the request, confirming that they have not been tampered with and that the second authentication request information originates from the terminal. If the signature verifies, the node server decrypts the encrypted password information with the symmetric key to obtain the password information for the user name, and compares it with the password information found in the lookup described above. If they agree, the node server has authenticated the second authentication request information: the terminal is allowed to log in to the node server with the user name and password entered, and the node server sends the terminal an authentication result indicating success. If they do not agree, the node server has not authenticated the second authentication request information: the terminal is prohibited from logging in with that user name and password, and the node server sends the terminal an authentication result indicating failure.
Building on the authentication method described above, a user login authentication method for video conferencing over the Internet of View is described next. As shown in Figure 6, the video conference client has an application program, Pamir, installed on it, which controls the video conference. Pamir generates a random number RB and sends the ID of the U-Key on the client, the user name, the random number RB, the client's identifier IDB and the encryption certificate data to the server. On receiving these, the server uses the user name to find the U-Key ID and the password information bound to that user name. If the U-Key ID bound to the user name matches the U-Key ID on the client, the server generates a random number RA and a symmetric key S1. The server extracts the public key PKB from the encryption certificate data and encrypts S1 with PKB, obtaining E(PKB+S1) (S1 encrypted under PKB). The server then signs RA, RB, E(PKB+S1), the client's IDB and the server's IDA with the server-side signature certificate, obtaining sign(RA+RB+E(PKB+S1)+IDA+IDB), and sends RA, RB, E(PKB+S1), IDB, IDA, sign(RA+RB+E(PKB+S1)+IDA+IDB) and the server-side signature certificate to the client. The client verifies the signature over RB and IDB with the server-side signature certificate, decrypts E(PKB+S1) with its local private key to obtain S1, encrypts the login password with S1 to obtain E(S1+login password), signs RB, RA and the server's IDA with the client's signature certificate to obtain sign(RB+RA+IDA), and sends RB, RA, E(S1+login password), IDA, sign(RB+RA+IDA) and the client's signature certificate to the server. After the server has verified the signature over RA and IDA, it checks whether the submitted password matches the stored password information and returns a verification result, passed or failed, to the client.
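The exchange of steps 501 to 504 and Figure 6 carried through in Go, as an added example that is not the patent's own code. The patent names no algorithms, so Ed25519 stands in for the two signature certificates (reduced to bare public keys, with no certificate chain validation), RSA-OAEP for the encryption certificate that carries PKB, and AES-256-GCM for the symmetric cipher keyed by S1; the binding table, the identifiers IDA-node-server-1 and IDB-terminal-7, the user alice, the U-Key ID UKEY-0001 and the password are all constructed. Beyond what the patent describes, each side also checks that the RA and RB it receives are the ones it generated or sent, which ties the three messages to one session and rejects replays, and the server compares the password in constant time.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Constructed binding table of step 502: user name -> (U-Key ID, password). Not from the patent.
var bindings = map[string]struct{ ukey, pw string }{"alice": {"UKEY-0001", "s3cret"}}

// digest length-prefixes each field so a signed tuple such as (RA, RB, E(PKB+S1), IDA, IDB)
// cannot be re-split by moving bytes between fields; the patent leaves the encoding open.
func digest(fields ...[]byte) []byte {
	h := sha256.New()
	for _, f := range fields {
		fmt.Fprintf(h, "%d:", len(f))
		h.Write(f)
	}
	return h.Sum(nil)
}

// Stand-ins (assumptions): Ed25519 for the signature certificates, RSA-OAEP for the encryption certificate.
func sign(k ed25519.PrivateKey, f ...[]byte) []byte { return ed25519.Sign(k, digest(f...)) }
func verify(p ed25519.PublicKey, sig []byte, f ...[]byte) bool { return ed25519.Verify(p, digest(f...), sig) }
func random(n int) []byte { b := make([]byte, n); rand.Read(b); return b } // crypto/rand.Read cannot fail since Go 1.24

// AES-256-GCM stands in for the symmetric cipher keyed by S1, which the patent does not name.
func gcm(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(b)
}

// The three messages of Figure 6 (certificates reduced to bare public keys) and the two parties.
type Req1 struct { User, UKey string; RB, IDB []byte; PKB *rsa.PublicKey }
type Resp1 struct { RA, RB, EncS1, IDB, IDA, Sig []byte; SrvPub ed25519.PublicKey }
type Req2 struct { RB, RA, EncPw, IDB, IDA, Sig []byte; CliPub ed25519.PublicKey }
type Server struct { ID []byte; SignKey ed25519.PrivateKey; pw string; ra, rb, s1 []byte }
type Terminal struct { ID []byte; UKey string; EncKey *rsa.PrivateKey; SignKey ed25519.PrivateKey; rb []byte }

// Step 501: user name, U-Key ID, fresh RB, IDB and the encryption public key PKB.
func (t *Terminal) Request1(user string) Req1 {
	t.rb = random(16)
	return Req1{user, t.UKey, t.rb, t.ID, &t.EncKey.PublicKey}
}

// Steps 502-503: only a user name whose bound U-Key matches releases RA and E(PKB+S1).
func (s *Server) Respond1(r Req1) (*Resp1, error) {
	b, ok := bindings[r.User]
	if !ok || subtle.ConstantTimeCompare([]byte(b.ukey), []byte(r.UKey)) == 0 {
		return nil, fmt.Errorf("U-Key %q is not bound to user %q", r.UKey, r.User)
	}
	s.pw, s.rb, s.ra, s.s1 = b.pw, r.RB, random(16), random(32)
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, r.PKB, s.s1, nil)
	if err != nil { return nil, err }
	sig := sign(s.SignKey, s.ra, s.rb, enc, s.ID, r.IDB)
	return &Resp1{s.ra, s.rb, enc, r.IDB, s.ID, sig, s.SignKey.Public().(ed25519.PublicKey)}, nil
}

// Terminal side: verify the server signature, check RB/IDB are its own, recover S1, encrypt the password.
func (t *Terminal) Request2(r *Resp1, password string) (*Req2, error) {
	if !verify(r.SrvPub, r.Sig, r.RA, r.RB, r.EncS1, r.IDA, r.IDB) { return nil, fmt.Errorf("bad server signature") }
	if subtle.ConstantTimeCompare(r.RB, t.rb)&subtle.ConstantTimeCompare(r.IDB, t.ID) == 0 {
		return nil, fmt.Errorf("response is not for this terminal's session")
	}
	s1, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, t.EncKey, r.EncS1, nil)
	if err != nil { return nil, err }
	g, err := gcm(s1)
	if err != nil { return nil, err }
	n := random(g.NonceSize())
	encPw := append(n, g.Seal(nil, n, []byte(password), nil)...) // E(S1+login password) = nonce || ciphertext
	sig := sign(t.SignKey, r.RB, r.RA, r.IDA)
	return &Req2{r.RB, r.RA, encPw, t.ID, r.IDA, sig, t.SignKey.Public().(ed25519.PublicKey)}, nil
}

// Step 504: verify the terminal signature, tie the message to this session via RA/RB, decrypt, compare.
func (s *Server) Authenticate(r *Req2) (bool, error) {
	if !verify(r.CliPub, r.Sig, r.RB, r.RA, r.IDA) { return false, fmt.Errorf("bad terminal signature") }
	if subtle.ConstantTimeCompare(r.RA, s.ra)&subtle.ConstantTimeCompare(r.RB, s.rb) == 0 {
		return false, fmt.Errorf("nonce mismatch: replayed or foreign message")
	}
	g, err := gcm(s.s1)
	if err != nil { return false, err }
	n := g.NonceSize()
	if len(r.EncPw) < n { return false, fmt.Errorf("ciphertext too short") }
	pw, err := g.Open(nil, r.EncPw[:n], r.EncPw[n:], nil)
	if err != nil { return false, err }
	return subtle.ConstantTimeCompare(pw, []byte(s.pw)) == 1, nil // constant-time password check
}

// Run drives one complete exchange with freshly generated keys and constructed identifiers.
func Run(user, ukey, password string) (bool, error) {
	_, srvSign, _ := ed25519.GenerateKey(rand.Reader)
	_, cliSign, _ := ed25519.GenerateKey(rand.Reader)
	encKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return false, err }
	srv := &Server{ID: []byte("IDA-node-server-1"), SignKey: srvSign}
	term := &Terminal{ID: []byte("IDB-terminal-7"), UKey: ukey, EncKey: encKey, SignKey: cliSign}
	resp, err := srv.Respond1(term.Request1(user))
	if err != nil { return false, err }
	req2, err := term.Request2(resp, password)
	if err != nil { return false, err }
	return srv.Authenticate(req2)
}

func main() { fmt.Println(Run("alice", "UKEY-0001", "s3cret")) }
```

Run returns true for the constructed user, false for a wrong password, and an error before any password is sent when the U-Key ID is not the one bound to the user name. Two points a deployment would still have to settle: the patent compares the submitted password with stored password information, so the server should hold a salted hash rather than the password itself; and the terminal's signature covers only RB, RA and IDA, so the integrity of E(S1+login password) rests entirely on the symmetric cipher, which is why an authenticated (AEAD) mode is used here.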
The authentication scheme provided by the embodiments of the present invention is applied to the Internet of View, which may comprise a terminal and a node server. The terminal may act as the video conference client and is provided with a first U-Key; the node server may act as the video conference server; the terminal and the node server communicate over the Internet of View.
In the embodiments of the present invention the terminal sends first authentication request information to the node server, which may comprise a user name and the identification information of the first U-Key. The node server finds, in the preset binding between user names and U-Keys, the identification information of the second U-Key that corresponds to the user name in the first authentication request information, and compares it with the identification information of the first U-Key; if the two are identical, it generates first authentication response information and sends it to the terminal. The terminal generates, from the first authentication response information, second authentication request information that contains the password information and sends it to the node server. The node server authenticates the second authentication request information and returns the authentication result to the terminal.
In the embodiments of the present invention, first, the terminal sends the password information in encrypted form when it sends authentication request information to the node server, which improves the security of the password information. Second, the terminal sends the user name to the node server in the first authentication request information and the password information in the second authentication request information; sending the user name and the password separately reduces the probability that both are intercepted together. Third, after the terminal sends the first authentication request information, the node server checks whether the U-Key identification information in that request is identical to the U-Key identification information bound to the user name, and returns the first authentication response information only if it is. That is, only when the U-Key identification information in the first authentication request information matches that of the U-Key bound to the user name does the terminal, on the basis of the first authentication response information, send the node server the second authentication request information containing the password information. This verification of the U-Key identification information by the node server improves the security of the password information.
It should be noted that, for the sake of brevity, the method embodiment is described as a series of action combinations, but those skilled in the art should know that the embodiment of the present invention is not limited by the described order of actions, because according to the embodiment of the present invention certain steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the embodiment of the present invention.
Referring to FIG. 7, an authentication system according to an embodiment of the present invention is shown. The system is applied to a video network, which includes a terminal and a node server; a first U-Key is provided on the terminal, and the terminal is communicatively connected to the node server. The node server may include the following modules:
A receiving module 701, configured to receive first authentication request information from the terminal, the first authentication request information including a user name and the identification information of the first U-Key;
a query module 702, configured to query, according to the user name and a preset binding relationship between user names and U-Keys, the identification information of a second U-Key corresponding to the user name;
a response module 703, configured to generate first authentication response information and send it to the terminal when the identification information of the first U-Key is the same as the identification information of the second U-Key; the terminal is configured to generate second authentication request information according to the first authentication response information and send the second authentication request information to the node server, the second authentication request information including encrypted password information;
an authentication module 704, configured to authenticate the second authentication request information and return the authentication result to the terminal.
Optionally, the first authentication request information further includes first random data, encryption certificate data and the identification information of the terminal; the response module 703 includes: a generation module 7031, configured to generate second random data and a symmetric key; an encryption module 7032, configured to extract a public key from the encryption certificate data and encrypt the symmetric key with the public key; a signature module 7033, configured to sign the first random data, the second random data, the encrypted symmetric key, the identification information of the node server and the identification information of the terminal with a preset first signature certificate to obtain first signature information; and a determination module 7034, configured to determine the first random data, the second random data, the encrypted symmetric key, the identification information of the terminal, the identification information of the node server, the first signature information and the first signature certificate as the first authentication response information.
Optionally, the terminal is configured to verify, with the first signature certificate, the signature over the first random data and the identification information of the terminal in the first authentication response information; when the signature verification passes, to decrypt the encrypted symmetric key with a preset private key to obtain the symmetric key, encrypt the password information with the symmetric key, sign the first random data, the second random data and the identification information of the node server with a preset second signature certificate to obtain second signature information, and determine the first random data, the second random data, the encrypted password information, the identification information of the terminal, the identification information of the node server, the second signature information and the second signature certificate as the second authentication request information.
The query module 702 is further configured to, after the receiving module receives the first authentication request information from the terminal, query, according to the user name and a preset binding relationship between user names and passphrases, the passphrase information corresponding to the user name;
the authentication module 704 includes: a signature verification module 7041, configured to verify, with the second signature certificate, the signature over the identification information of the node server and the second random data in the second authentication request information; and a comparison module 7042, configured to, when the signature verification passes, decrypt the encrypted password information with the symmetric key to obtain the password information, and compare the passphrase information with the password information.
As for the authentication system embodiment, since it is basically similar to the authentication method embodiment, its description is relatively simple; for the relevant parts, refer to the corresponding description of the authentication method embodiment.
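The two rounds described in the method embodiment above, and the module division of the system embodiment (receiving module 701 through comparison module 7042), as an added worked example in Go. This is not code from the patent or from its applicant; it is an illustration written for this page. It assumes the following, none of which the patent fixes: the first and second signature certificates and the encryption certificate are reduced to bare ECDSA P-256 and RSA-2048 public keys, so validation of those certificates against a trusted CA is taken to happen elsewhere; the signed fields are hashed with SHA-256 over a length-prefixed encoding; the symmetric key is wrapped with RSA-OAEP and the password information is encrypted with AES-256-GCM; the preset bindings user name to U-Key identifier and user name to passphrase are in-memory maps filled by the caller with constructed sample values. The node server additionally remembers the first and second random data per terminal and discards them after one use, so that a captured second authentication request cannot be replayed; the patent's field lists make that check possible but do not state it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

// Messages carry the fields listed in the system embodiment. Certificates are reduced to bare public keys
// (assumption): a signature checked with a key that arrived in the same message says nothing about the sender
// unless that key has been validated against a trusted CA, which is taken to happen elsewhere.
type AuthReq1 struct { User, UKeyID, TermID string; R1 []byte; EncPub *rsa.PublicKey }
type AuthResp1 struct { R1, R2, WrappedKey, Sig []byte; TermID, ServerID string; SignPub *ecdsa.PublicKey }
type AuthReq2 struct { R1, R2, EncPw, Sig []byte; TermID, ServerID string; SignPub *ecdsa.PublicKey }
type session struct { user string; r1, r2, key []byte } // round-1 state the node server keeps per terminal id

// digest hashes the signed fields with length prefixes, so fields cannot be re-split to forge an input.
func digest(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		binary.Write(h, binary.BigEndian, uint32(len(p)))
		h.Write(p)
	}
	return h.Sum(nil)
}
func random(n int) []byte { b := make([]byte, n); rand.Read(b); return b } // CSPRNG bytes
// gcm wraps the 32-byte round-1 key in AES-256-GCM; the key size is fixed, so the error paths are unreachable.
func gcm(key []byte) cipher.AEAD { blk, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(blk); return g }

// NodeServer holds the preset bindings user name -> U-Key id and user name -> passphrase (demo: plaintext).
type NodeServer struct { ID string; ukeyOf, pwOf map[string]string; signKey *ecdsa.PrivateKey; sessions map[string]session }
func NewNodeServer(id string, ukeyOf, pwOf map[string]string) *NodeServer {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // private half of the first signature certificate
	return &NodeServer{id, ukeyOf, pwOf, k, map[string]session{}}
}
// HandleReq1 (modules 701-703): only if the presented U-Key id equals the bound one does the server
// generate R2 and a symmetric key, wrap the key to the terminal's public key and sign the response.
func (s *NodeServer) HandleReq1(q AuthReq1) (*AuthResp1, error) {
	bound, ok := s.ukeyOf[q.User]
	if !ok || subtle.ConstantTimeCompare([]byte(bound), []byte(q.UKeyID)) != 1 {
		return nil, errors.New("U-Key id does not match the one bound to the user name")
	}
	r2, key := random(32), random(32)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, q.EncPub, key, nil)
	if err != nil { return nil, err }
	sig, err := ecdsa.SignASN1(rand.Reader, s.signKey, digest(q.R1, r2, wrapped, []byte(s.ID), []byte(q.TermID)))
	if err != nil { return nil, err }
	s.sessions[q.TermID] = session{q.User, q.R1, r2, key}
	return &AuthResp1{q.R1, r2, wrapped, sig, q.TermID, s.ID, &s.signKey.PublicKey}, nil
}
// HandleReq2 (modules 7041-7042): the echoed R1/R2 must match the one-shot round-1 session (so a captured
// request cannot be replayed); then verify the terminal's signature, decrypt the password and compare it.
func (s *NodeServer) HandleReq2(q AuthReq2) (bool, error) {
	sess, ok := s.sessions[q.TermID]
	delete(s.sessions, q.TermID)
	if !ok || subtle.ConstantTimeCompare(sess.r1, q.R1) != 1 || subtle.ConstantTimeCompare(sess.r2, q.R2) != 1 {
		return false, errors.New("no matching round-1 session for this terminal")
	}
	if q.ServerID != s.ID || !ecdsa.VerifyASN1(q.SignPub, digest(q.R1, q.R2, []byte(q.ServerID)), q.Sig) {
		return false, errors.New("terminal signature verification failed")
	}
	g := gcm(sess.key)
	if len(q.EncPw) < g.NonceSize() { return false, errors.New("encrypted password too short") }
	pw, err := g.Open(nil, q.EncPw[:g.NonceSize()], q.EncPw[g.NonceSize():], nil)
	if err != nil { return false, err }
	return subtle.ConstantTimeCompare([]byte(s.pwOf[sess.user]), pw) == 1, nil
}

// Terminal: UKeyID is read from the first U-Key attached to it; the private keys belong to its encryption
// certificate and its second signature certificate.
type Terminal struct { ID, User, UKeyID string; encKey *rsa.PrivateKey; signKey *ecdsa.PrivateKey }
func NewTerminal(id, user, ukeyID string) *Terminal {
	ek, _ := rsa.GenerateKey(rand.Reader, 2048)
	sk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Terminal{id, user, ukeyID, ek, sk}
}
func (t *Terminal) BuildReq1(r1 []byte) AuthReq1 { return AuthReq1{t.User, t.UKeyID, t.ID, r1, &t.encKey.PublicKey} }
// BuildReq2: the server's signature covers R1 and the terminal id, so the response is fresh and meant for
// this terminal; only then is the key unwrapped and the password encrypted (it is never sent in clear).
func (t *Terminal) BuildReq2(r1 []byte, r *AuthResp1, password string) (*AuthReq2, error) {
	msg := digest(r.R1, r.R2, r.WrappedKey, []byte(r.ServerID), []byte(r.TermID))
	if subtle.ConstantTimeCompare(r.R1, r1) != 1 || r.TermID != t.ID || !ecdsa.VerifyASN1(r.SignPub, msg, r.Sig) {
		return nil, errors.New("node server response failed verification")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, t.encKey, r.WrappedKey, nil)
	if err != nil { return nil, err }
	g, iv := gcm(key), random(12) // 12-byte GCM nonce, prepended to the ciphertext
	sig, err := ecdsa.SignASN1(rand.Reader, t.signKey, digest(r.R1, r.R2, []byte(r.ServerID)))
	if err != nil { return nil, err }
	return &AuthReq2{r.R1, r.R2, g.Seal(iv, iv, []byte(password), nil), sig, t.ID, r.ServerID, &t.signKey.PublicKey}, nil
}

// Authenticate runs both rounds: user name and U-Key id first; the encrypted password is built only after
// the node server has accepted the U-Key and returned a signed, fresh response.
func Authenticate(t *Terminal, s *NodeServer, password string) (bool, error) {
	r1 := random(32)
	resp, err := s.HandleReq1(t.BuildReq1(r1))
	if err != nil { return false, err }
	q2, err := t.BuildReq2(r1, resp, password)
	if err != nil { return false, err }
	return s.HandleReq2(*q2)
}
```

To run it, build a NodeServer with constructed bindings (for instance user "alice" bound to U-Key id "UKEY-0001" and to a passphrase), a Terminal carrying the same user name and U-Key id, and call Authenticate. A terminal whose U-Key id is not the bound one is refused in round 1, before any password material is created; a wrong password yields a false result from the comparison module; and handing the same second request to HandleReq2 twice fails the second time because its random data were consumed. The stored passphrase is kept in plaintext here only to mirror the comparison module 7042; because the node server decrypts the password before comparing, a deployment can equally store a salted hash and compare the hash of the decrypted value.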
The embodiment of the present invention also provides a device, including:
one or more processors; and
one or more machine-readable media having instructions stored thereon which, when executed by the one or more processors, cause the device to perform one or more of the authentication methods described in the embodiments of the present invention.
The embodiment of the present invention also provides a computer-readable storage medium storing a computer program that causes a processor to perform the authentication method described in the embodiment of the present invention.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the same or similar parts of the embodiments, reference may be made to one another.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a device, or a computer program product. Therefore, the embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the embodiments of the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) that contain computer-usable program code.
The embodiments of the present invention are described with reference to flowcharts and/or block diagrams of methods, terminal devices (systems), and computer program products according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing terminal device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing terminal device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal device, so that a series of operational steps are performed on the computer or other programmable terminal device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable terminal device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present invention.
Finally, it should also be noted that in this text, relational terms such as first and second are only used to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or terminal device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or terminal device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or terminal device comprising said element.
The authentication method, system, device and computer-readable storage medium provided by the present invention have been described above in detail. Specific examples have been used herein to explain the principles and implementation of the present invention; the description of the above embodiments is only intended to help in understanding the method of the present invention and its core idea. At the same time, for those of ordinary skill in the art, there will be changes in the specific implementation and scope of application according to the idea of the present invention. In summary, the content of this specification should not be construed as limiting the present invention.
Claims (8)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910606236.2A CN110430043B (en) | 2019-07-05 | 2019-07-05 | An authentication method, system and device, and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910606236.2A CN110430043B (en) | 2019-07-05 | 2019-07-05 | An authentication method, system and device, and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110430043A CN110430043A (en) | 2019-11-08 |
CN110430043B true CN110430043B (en) | 2022-11-08 |
Family
ID=68410315
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910606236.2A Active CN110430043B (en) | 2019-07-05 | 2019-07-05 | An authentication method, system and device, and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110430043B (en) |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111147471B (en) * | 2019-12-20 | 2023-02-28 | 视联动力信息技术股份有限公司 | Terminal network access authentication method, device, system and storage medium |
CN111131912B (en) * | 2019-12-30 | 2023-04-18 | 视联动力信息技术股份有限公司 | Communication method, broadcasting method, communication device and broadcasting device |
CN111291043A (en) * | 2020-01-09 | 2020-06-16 | 中国信息通信研究院 | Identification value query method, identification resolution server and storage medium |
CN111404680B (en) * | 2020-03-11 | 2021-01-26 | 杭州海康威视数字技术股份有限公司 | Password management method and device |
CN111556376B (en) * | 2020-03-23 | 2022-06-14 | 视联动力信息技术股份有限公司 | Digital certificate signing and issuing method and device and computer readable storage medium |
CN111835716B (en) * | 2020-06-04 | 2023-05-30 | 视联动力信息技术股份有限公司 | Authentication communication method, server, device and storage medium |
CN111737679B (en) * | 2020-06-29 | 2022-07-08 | 苏州浪潮智能科技有限公司 | A security authentication method, device, electronic device and storage medium |
CN114257387A (en) * | 2020-09-11 | 2022-03-29 | 中移物联网有限公司 | Login authentication method and device |
CN112134881B (en) * | 2020-09-22 | 2023-03-21 | 宏图智能物流股份有限公司 | Network request tamper-proof method based on serial number |
CN114390242A (en) * | 2022-01-19 | 2022-04-22 | 京东方科技集团股份有限公司 | Conference management method, video terminal, external storage device and conference system |
CN114760500B (en) * | 2022-03-24 | 2024-09-13 | 海南乾唐视联信息技术有限公司 | Audio and video data encryption method and device |
CN114745115A (en) * | 2022-04-25 | 2022-07-12 | 北京市商汤科技开发有限公司 | Information transmission method and device, computer equipment and storage medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007121490A2 (en) * | 2006-04-19 | 2007-10-25 | Deepdive Technologies, Inc. | System and method of identifying shared resources on a network |
CN103581184A (en) * | 2013-10-31 | 2014-02-12 | 中国电子科技集团公司第十五研究所 | Method and system for mobile terminal to get access to intranet server |
CN103929307A (en) * | 2014-04-02 | 2014-07-16 | 天地融科技股份有限公司 | Password input method, intelligent secret key device and client device |
CN105262594A (en) * | 2015-10-10 | 2016-01-20 | 山东超越数控电子有限公司 | Method and device for identity authentication |
CN108259407A (en) * | 2016-12-28 | 2018-07-06 | 航天信息股份有限公司 | A kind of symmetric encryption method and system based on timestamp |
CN109672664A (en) * | 2018-11-13 | 2019-04-23 | 视联动力信息技术股份有限公司 | A kind of authentication method and system regarding networked terminals |
CN109698966A (en) * | 2018-11-30 | 2019-04-30 | 视联动力信息技术股份有限公司 | A kind of method and apparatus logging in Streaming Media and data interaction encryption |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CA2622625A1 (en) * | 2005-09-14 | 2007-03-22 | O-Ya!, Inc. | Networked information indexing and search apparatus and method |
CA2742705C (en) * | 2008-11-10 | 2017-09-12 | Sms Passcode A/S | Method and system protecting against identity theft or replication abuse |
CN102811203B (en) * | 2011-06-01 | 2016-04-27 | 北京唯致动力网络信息科技有限公司 | Method for identifying ID, system and user terminal in the Internet |
CN106936760A (en) * | 2015-12-30 | 2017-07-07 | 航天信息股份有限公司 | A kind of apparatus and method of login Openstack cloud system virtual machines |
- 2019-07-05 CN CN201910606236.2A patent/CN110430043B/en active Active
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007121490A2 (en) * | 2006-04-19 | 2007-10-25 | Deepdive Technologies, Inc. | System and method of identifying shared resources on a network |
CN103581184A (en) * | 2013-10-31 | 2014-02-12 | 中国电子科技集团公司第十五研究所 | Method and system for mobile terminal to get access to intranet server |
CN103929307A (en) * | 2014-04-02 | 2014-07-16 | 天地融科技股份有限公司 | Password input method, intelligent secret key device and client device |
CN105262594A (en) * | 2015-10-10 | 2016-01-20 | 山东超越数控电子有限公司 | Method and device for identity authentication |
CN108259407A (en) * | 2016-12-28 | 2018-07-06 | 航天信息股份有限公司 | A kind of symmetric encryption method and system based on timestamp |
CN109672664A (en) * | 2018-11-13 | 2019-04-23 | 视联动力信息技术股份有限公司 | A kind of authentication method and system regarding networked terminals |
CN109698966A (en) * | 2018-11-30 | 2019-04-30 | 视联动力信息技术股份有限公司 | A kind of method and apparatus logging in Streaming Media and data interaction encryption |
Non-Patent Citations (1)
Title |
---|
Design of an online authentication system based on USBKey; Liao Yun et al.; 《信息安全与通信保密》 (Information Security and Communications Privacy); 2013-09-10 (No. 09); full text * |
Also Published As
Publication number | Publication date |
---|---|
CN110430043A (en) | 2019-11-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110430043B (en) | An authentication method, system and device, and storage medium | |
CN111083425B (en) | Video stream processing method, device, server, electronic device and storage medium | |
CN111107060B (en) | Login request processing method, server, electronic equipment and storage medium | |
CN110661784B (en) | User authentication method, device and storage medium | |
CN110809026B (en) | File processing method and device, electronic equipment and storage medium | |
CN111431966B (en) | Service request processing method and device, electronic equipment and storage medium | |
CN110061962B (en) | Method and device for transmitting video stream data | |
CN110602266A (en) | Domain name resolution method and system | |
CN111786778B (en) | A method and device for updating a key | |
CN110224988B (en) | Image data processing method, system and device and storage medium | |
CN110719247B (en) | Terminal network access method and device | |
CN110535856B (en) | User authentication method, device and storage medium | |
CN111556376B (en) | Digital certificate signing and issuing method and device and computer readable storage medium | |
CN112291072B (en) | Secure video communication method, device, equipment and medium based on management plane protocol | |
CN110445759A (en) | A kind of electronic whiteboard sharing method and device | |
CN112203149B (en) | Video networking software updating method and device based on domestic password | |
CN111478880B (en) | A method and device for data processing | |
CN110636044A (en) | Network access method, system, device and storage medium of a virtual terminal | |
CN109376507B (en) | Data security management method and system | |
CN110661783B (en) | A terminal registration method, device and storage medium | |
CN111565294B (en) | A method, system, electronic device and storage medium for front-end device authentication | |
CN112291592B (en) | Control plane protocol-based secure video communication method, device, equipment and medium | |
CN113162910B (en) | Resource transmission method, device, electronic device and storage medium | |
CN111654728B (en) | Certificate updating method and device | |
CN110620936B (en) | A kind of backup method and device, electronic device and storage medium of video network video |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
CP03 | Change of name, title or address | ||
CP03 | Change of name, title or address |
Address after: 33rd Floor, No.1 Huasheng Road, Yuzhong District, Chongqing 400013; Patentee after: VISIONVERA INFORMATION TECHNOLOGY Co.,Ltd.; Country or region after: China; Address before: 100000 Beijing Dongcheng District Qinglong Hutong 1 Song Hua Building A1103-1113; Patentee before: VISIONVERA INFORMATION TECHNOLOGY Co.,Ltd.; Country or region before: China |