CN115696329B - Zero trust authentication method and device, zero trust client device and storage medium - Google Patents
Publication number: CN115696329B (application CN202211330409.0A)
Authority: CN (China)
Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Description
Technical Field
This application relates to the field of computer technology, and in particular to a zero-trust authentication method and apparatus, a zero-trust client device, and a storage medium.
Background
Zero trust is a network security concept under which every person, device, and system inside or outside the user's network is "continuously verified, never trusted". Applying the zero-trust principle protects user terminals, communication links, and access control.
At present, during the zero-trust authentication performed when a user terminal logs in, the user is usually first authenticated with a user name and password, and the device is then authenticated with a device fingerprint generated from hardware information such as the device serial number and the network card's Media Access Control (MAC) address; login is allowed only after both authentications pass.
With this authentication scheme, however, security risks remain, such as the device fingerprint being maliciously tampered with or forged.
Summary of the Invention
This application provides a zero-trust authentication method and apparatus, a zero-trust client device, and a storage medium, to address the problem of device fingerprints being maliciously tampered with or forged.
In a first aspect, this application provides a zero-trust authentication method applied to a zero-trust client. The method includes:
sending a first login request to the zero-trust server, so that the zero-trust server verifies the login information in the first login request and generates a first authentication result;
receiving the first authentication result sent by the zero-trust server;
after the first authentication result indicates successful authentication, and when this is not the first login, sending an identification code request to the national cryptographic Subscriber Identity Module (SIM) card (a SIM card supporting the Chinese national cryptographic algorithms);
receiving the Integrated Circuit Card Identity (ICCID) sent by the national cryptographic SIM card;
obtaining the International Mobile Equipment Identity (IMEI) of the zero-trust client and a random number;
signing the ICCID, the IMEI, and the random number with a pre-stored digital certificate to generate a national cryptographic SIM card fingerprint;
sending the national cryptographic SIM card fingerprint to the zero-trust server, so that the zero-trust server authenticates the fingerprint and generates a second authentication result;
when the second authentication result indicates successful authentication, receiving a login response sent by the zero-trust server.
Optionally, after receiving the first authentication result sent by the zero-trust server, the method further includes:
after the first authentication result indicates successful authentication, and when this is not the first login, obtaining the Personal Identification Number (PIN) of the national cryptographic SIM card, generating a signature request from the PIN, and sending the signature request to the national cryptographic SIM card;
receiving the signature sent by the national cryptographic SIM card;
generating a signature authentication request from the signature and the user information, and sending the signature authentication request to the zero-trust server, so that the zero-trust server authenticates the signature and the user information in the request and generates a third authentication result;
correspondingly, receiving a login response sent by the zero-trust server when the second authentication result indicates successful authentication specifically includes:
receiving the login response sent by the zero-trust server when both the second authentication result and the third authentication result indicate successful authentication.
Optionally, before sending the first login request to the zero-trust server, the method further includes:
sending a second login request to the zero-trust server, so that the zero-trust server verifies the login information in the second login request and generates a fourth authentication result;
receiving the fourth authentication result sent by the zero-trust server;
after the fourth authentication result indicates successful authentication, and when this is the first login, sending a digital certificate request to the zero-trust server;
receiving the digital certificate sent by the zero-trust server;
forwarding the digital certificate to the national cryptographic SIM card so that the card stores it.
Optionally, before sending the digital certificate request to the zero-trust server, the method further includes:
sending a national cryptographic SIM card application request to the management server;
receiving the national cryptographic SIM card application program sent by the management server;
sending a real-name authentication request to the zero-trust server, so that the zero-trust server authenticates the real-name information in the request and generates a fifth authentication result;
correspondingly, sending a digital certificate request to the zero-trust server after the fourth authentication result indicates successful authentication and when this is the first login specifically includes:
sending the digital certificate request to the zero-trust server after both the fourth and fifth authentication results indicate successful authentication and when this is the first login;
correspondingly, forwarding the digital certificate to the national cryptographic SIM card so that the card stores it specifically includes:
forwarding the digital certificate to the national cryptographic SIM card by running the national cryptographic SIM card application program, so that the card stores it.
Optionally, sending a digital certificate request to the zero-trust server specifically includes:
sending a certificate signing request to the national cryptographic SIM card so that the card generates an asymmetric key pair;
receiving the asymmetric key sent by the national cryptographic SIM card and generating the digital certificate request from it;
sending the digital certificate request to the zero-trust server.
Optionally, after receiving the login response sent by the zero-trust server, the method further includes:
receiving risk warning information sent by the national cryptographic SIM card, where the risk warning information is generated by the card after it receives a pop-up authentication command from the management server; the pop-up authentication command is generated by the management server after it receives a secondary authentication command from the zero-trust server; and the zero-trust server generates the secondary authentication command after detecting a risk event;
generating a confirmation response from the risk warning information and sending it to the national cryptographic SIM card, so that the card forwards the confirmation response to the zero-trust server through the management server.
In a second aspect, this application provides a zero-trust authentication apparatus applied to a zero-trust client. The apparatus includes:
a sending module, configured to send a first login request to the zero-trust server, so that the zero-trust server verifies the login information in the first login request and generates a first authentication result;
a receiving module, configured to receive the first authentication result sent by the zero-trust server;
the sending module being further configured to send an identification code request to the national cryptographic SIM card after the first authentication result indicates successful authentication and when this is not the first login;
the receiving module being further configured to receive the ICCID sent by the national cryptographic SIM card and to obtain the IMEI of the zero-trust client and a random number;
a signature module, configured to sign the ICCID, the IMEI, and the random number with a pre-stored digital certificate to generate a national cryptographic SIM card fingerprint;
the sending module being further configured to send the national cryptographic SIM card fingerprint to the zero-trust server, so that the zero-trust server authenticates the fingerprint and generates a second authentication result;
the receiving module being further configured to receive a login response sent by the zero-trust server when the second authentication result indicates successful authentication.
In a third aspect, this application provides a zero-trust client device, including a memory and a processor;
the memory is configured to store a computer program, and the processor is configured to execute, according to the computer program stored in the memory, the zero-trust authentication method of the first aspect or of any possible design of the first aspect.
In a fourth aspect, this application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the zero-trust authentication method of the first aspect or of any possible design of the first aspect.
In a fifth aspect, this application provides a computer program product including a computer program which, when executed by a processor, implements the zero-trust authentication method of the first aspect or of any possible design of the first aspect.
In the zero-trust authentication method and apparatus, zero-trust client device, and storage medium provided by this application, after the zero-trust server has successfully authenticated the first login request, a digital certificate is used to sign the ICCID, the IMEI, and a random number to generate a national cryptographic SIM card fingerprint for fingerprint authentication. This addresses the problem of the device fingerprint used for fingerprint authentication being maliciously tampered with or forged, and so reduces the security risk.
Brief Description of the Drawings
To explain the technical solutions of this application or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of this application, and a person of ordinary skill in the art could derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a zero-trust authentication scenario provided by an embodiment of this application;
FIG. 2 is a signaling interaction diagram of a zero-trust authentication method provided by an embodiment of this application;
FIG. 3 is a signaling interaction diagram of digital certificate signing provided by an embodiment of this application;
FIG. 4 is a signaling interaction diagram of the first login of a zero-trust client provided by an embodiment of this application;
FIG. 5 is a signaling interaction diagram of secondary authentication of a zero-trust client provided by an embodiment of this application;
FIG. 6 is a schematic structural diagram of a zero-trust authentication apparatus provided by an embodiment of this application;
FIG. 7 is a schematic diagram of the hardware structure of a zero-trust client device provided by an embodiment of this application.
Detailed Description
To make the purpose, technical solutions, and advantages of this application clearer, the technical solutions in this application are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of this application. All other embodiments that a person of ordinary skill in the art obtains from these embodiments without creative effort fall within the scope of protection of this application.
The terms "first", "second", "third", "fourth", and so on in the specification, claims, and drawings are used to distinguish similar objects and do not necessarily describe a particular order or sequence. It should be understood that terms used in this way are interchangeable where appropriate. For example, without departing from the scope of this document, first information may also be called second information, and likewise second information may also be called first information.
To keep the client secure, a user generally has to be authenticated when logging in to the client. In the prior art, the client usually performs user name and password authentication at login; after that passes, the client generates a device fingerprint from hardware information such as the device serial number and the network card MAC address and sends it to the server, which verifies it; after that verification passes, the client is allowed to log in.
In the prior art, however, the device fingerprint used for authentication still carries security risks such as malicious tampering or forgery, so the authentication result cannot ensure that the client is secure.
To address these problems, this application proposes a zero-trust authentication method and apparatus, a zero-trust client device, and a storage medium. In the zero-trust authentication method of this application, when the client is not logging in for the first time it sends a first login request to the zero-trust server; after the zero-trust server has authenticated the login information in the first login request, the zero-trust client signs the ICCID, the IMEI, and a random number with a digital certificate to generate a national cryptographic SIM card fingerprint, which is sent to the zero-trust server for fingerprint authentication; once that authentication passes, the zero-trust client is allowed to log in. Compared with the prior art, the fingerprint used for fingerprint authentication in this method is produced by signing the ICCID, the IMEI, and a random number with a digital certificate: the ICCID and the IMEI guarantee the uniqueness of the zero-trust client, while the random number ensures that the fingerprint differs on every authentication, reducing the risk of the fingerprint being maliciously tampered with or forged.
The technical solution of this application is described in detail below with specific embodiments. The following embodiments can be combined with one another, and the same or similar concepts or processes may not be repeated in some embodiments.
FIG. 1 shows a schematic diagram of a zero-trust authentication scenario provided by an embodiment of this application. When a zero-trust client logs in, it usually has to be authenticated by the zero-trust server. The authentication method may be user name and password authentication, fingerprint authentication, or another method, or a combination of several methods. The zero-trust client can log in successfully only after at least two authentications have passed.
In this application, the zero-trust client is the execution subject that performs the zero-trust authentication method of the following embodiments. Specifically, the execution subject may be the hardware of the zero-trust client, a software application in the zero-trust client that implements the following embodiments, a computer-readable storage medium on which such a software application is installed, or the code of such a software application.
FIG. 2 shows a signaling interaction diagram of a zero-trust authentication method provided by an embodiment of this application, applied to a zero-trust client. As shown in FIG. 2, the method of this embodiment may include the following steps:
S201. Send a first login request to the zero-trust server, so that the zero-trust server verifies the login information in the first login request and generates a first authentication result.
The login information in the first login request may be a user name and password; the zero-trust server verifies the login information against the pre-stored user name and password and generates the first authentication result.
S202. Receive the first authentication result sent by the zero-trust server.
S203. After the first authentication result indicates successful authentication, and when this is not the first login, send an identification code request to the national cryptographic SIM card.
In this embodiment, when the first authentication result indicates successful authentication and this is not the first login, the client requests the ICCID from the national cryptographic SIM card; the ICCID can be used to look up the user information of the card. The first-login case is described in detail in later embodiments of this application.
S204. Receive the ICCID sent by the national cryptographic SIM card.
S205. Obtain the IMEI of the zero-trust client and a random number.
The IMEI is the International Mobile Equipment Identity of the zero-trust client. Each zero-trust client has a unique IMEI, which can be used to verify that the client is genuine.
S206. Sign the ICCID, the IMEI, and the random number with the pre-stored digital certificate to generate the national cryptographic SIM card fingerprint.
In this embodiment, the ICCID, the IMEI, and the random number are concatenated into a string; for example, if the ICCID is AAA, the IMEI is BBB, and the random number is CCC, the string is AAABBBCCC. The string is signed with the digital certificate, and the signature value is the national cryptographic SIM card fingerprint. The random number ensures that the fingerprint differs on every authentication, that is, the national cryptographic SIM card fingerprint is a dynamic fingerprint.
S207. Send the national cryptographic SIM card fingerprint to the zero-trust server, so that the zero-trust server authenticates the fingerprint and generates a second authentication result.
In this embodiment, after receiving the national cryptographic SIM card fingerprint, the zero-trust server uses the digital certificate to decrypt the fingerprint and recover the string formed from the ICCID, the IMEI, and the random number. It then cuts out the part of the string corresponding to the ICCID and the IMEI (for example, AAABBBCCC becomes AAABBB) and compares it with the pre-stored initial fingerprint; if they match, authentication passes. The initial fingerprint is the string formed from the ICCID and the IMEI; for example, if the ICCID is AAA and the IMEI is BBB, the initial fingerprint is AAABBB.
S208. When the second authentication result indicates successful authentication, receive the login response sent by the zero-trust server.
In this embodiment, authentication is successful when both the first and second authentication results indicate success; the client then receives the login response sent by the zero-trust server, and the zero-trust client is logged in.
In the zero-trust authentication method of this embodiment, on a login that is not the first, after the first login request has been authenticated, the national cryptographic SIM card fingerprint obtained by signing the string formed from the ICCID, the IMEI, and the random number with a digital certificate is verified by the zero-trust server. This reduces the risk of the fingerprint being tampered with or forged, and so reduces the security risk of the zero-trust client.
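As an added illustration that is not code from the patent, the following Go program models steps S203 to S208 together with the enrollment they rely on: the card signs ICCID || IMEI || random number, and the server cuts the ICCID || IMEI prefix off the signed string, compares it with the stored initial fingerprint, and checks the signature under the key enrolled at first login. ECDSA over P-256 stands in for the national cryptographic algorithm, and the fixed field widths, the sample ICCID and IMEI, and the server-side check that a random number is never accepted twice (which is what makes the dynamic fingerprint resist replay) are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Field widths are an assumption of this example (20-digit ICCID, 15-digit
// IMEI, 16-byte random number as 32 hex chars), so the server can cut the
// static ICCID||IMEI prefix off the signed string (AAABBBCCC -> AAABBB in S207).
const iccidLen, imeiLen, nonceLen = 20, 15, 32

// Fingerprint is what the client sends in S207. ECDSA is a signature with
// appendix, so the signed string travels with the signature value rather than
// being recovered from it.
type Fingerprint struct {
	Signed    string // ICCID || IMEI || random number
	Signature []byte // ASN.1 ECDSA signature over SHA-256(Signed)
}

// SimCard stands in for the national cryptographic SIM card: the private key
// is generated on the card and never leaves it; the card reports its ICCID.
type SimCard struct {
	ICCID string
	key   *ecdsa.PrivateKey
}

func NewSimCard(iccid string) (*SimCard, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &SimCard{ICCID: iccid, key: key}, err
}

// Public is the key the server learns from the certificate issued at first login.
func (s *SimCard) Public() *ecdsa.PublicKey { return &s.key.PublicKey }

// MakeFingerprint performs S205-S206: draw a fresh random number, concatenate
// ICCID, IMEI and random number, and sign the string with the card key.
func (s *SimCard) MakeFingerprint(imei string) (Fingerprint, error) {
	nonce := make([]byte, nonceLen/2)
	if _, err := rand.Read(nonce); err != nil {
		return Fingerprint{}, err
	}
	msg := fmt.Sprintf("%s%s%x", s.ICCID, imei, nonce)
	digest := sha256.Sum256([]byte(msg))
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest[:])
	return Fingerprint{Signed: msg, Signature: sig}, err
}

// Server keeps, per enrolled client, the initial fingerprint ICCID||IMEI
// stored at first login and the public key from the issued certificate.
type Server struct {
	initial map[string]*ecdsa.PublicKey // initial fingerprint -> card key
	seen    map[string]bool             // random numbers already accepted
}

func NewServer() *Server {
	return &Server{initial: map[string]*ecdsa.PublicKey{}, seen: map[string]bool{}}
}

// Enroll records the initial fingerprint and card key (the first-login path).
func (sv *Server) Enroll(iccid, imei string, pub *ecdsa.PublicKey) {
	sv.initial[iccid+imei] = pub
}

// Verify is the server side of S207: cut the static prefix, look up the enrolled
// key, check the signature, and (an added check) refuse a reused random number.
func (sv *Server) Verify(fp Fingerprint) error {
	if len(fp.Signed) != iccidLen+imeiLen+nonceLen {
		return errors.New("malformed fingerprint")
	}
	static, nonce := fp.Signed[:iccidLen+imeiLen], fp.Signed[iccidLen+imeiLen:]
	pub, ok := sv.initial[static]
	if !ok {
		return errors.New("ICCID||IMEI matches no initial fingerprint")
	}
	digest := sha256.Sum256([]byte(fp.Signed))
	if !ecdsa.VerifyASN1(pub, digest[:], fp.Signature) {
		return errors.New("signature does not verify under the enrolled key")
	}
	if sv.seen[nonce] {
		return errors.New("random number reused")
	}
	sv.seen[nonce] = true
	return nil
}

func main() {
	card, _ := NewSimCard("89860012345678901234") // constructed sample values
	sv := NewServer()
	sv.Enroll(card.ICCID, "356938035643809", card.Public())
	fp, _ := card.MakeFingerprint("356938035643809")
	fmt.Println("first use:", sv.Verify(fp), "| replayed:", sv.Verify(fp))
}
```

The second Verify call in main fails because the same random number is presented twice; without that check a captured fingerprint would verify as long as the enrolled key does, so a real server must track or challenge the random number rather than only confirm that it differs from the last one.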
FIG. 3 is a signaling interaction diagram of digital certificate signing provided by an embodiment of this application, applied to a zero-trust client. As shown in FIG. 3, in some embodiments the following steps are also included after step S202:
S301. After the first authentication result indicates successful authentication, and when this is not the first login, the zero-trust client obtains the PIN of the national cryptographic SIM card, generates a signature request from the PIN, and sends the signature request to the card.
In this embodiment, the PIN is used to verify the identity of the person using the zero-trust client. The signature request may also include a custom message defined by the zero-trust client, for example a message that identifies the user.
S302. The zero-trust client receives the signature sent by the national cryptographic SIM card.
In this embodiment, the signature sent by the national cryptographic SIM card is produced by the card signing the signature request, including the custom message, with the digital certificate.
S303. The zero-trust client generates a signature authentication request from the signature and the user information and sends it to the zero-trust server, so that the zero-trust server authenticates the signature and the user information in the request and generates a third authentication result.
The user information may be a user name and password, or only a user name. Verifying the signature and the user information verifies the identity of the person using the zero-trust client, and may also verify other custom information.
In this embodiment, step S208 specifically includes: when both the second and third authentication results indicate successful authentication, receiving the login response sent by the zero-trust server.
Building on the embodiment of FIG. 2, the zero-trust authentication method of this embodiment, after the first login request has been authenticated, signs with the digital certificate a signature request generated from the PIN of the national cryptographic SIM card, and the zero-trust server verifies that signature together with the user information. This reduces the risk that the current user of the zero-trust client is not the registered user, further reducing the security risk of the zero-trust client.
FIG. 4 is a signaling interaction diagram of the first login of a zero-trust client provided by an embodiment of the present application, applied to the zero-trust client. As shown in FIG. 4, in some embodiments the following steps precede step S201:
S401. The zero-trust client sends a second login request to the zero-trust server, so that the zero-trust server verifies the login information in the second login request and generates a fourth authentication result.
In this embodiment, the login information in the second login request may be a user name and password; the zero-trust server verifies it against the pre-stored user name and password and generates the fourth authentication result.
S402. The zero-trust client receives the fourth authentication result sent by the zero-trust server.
S403. When the fourth authentication result indicates successful authentication and this is the first login, the zero-trust client sends a national cryptographic SIM card application request to the management server.
In this embodiment, on first login the zero-trust client must complete activation of the national cryptographic SIM card authentication policy: it applies to the management server for the national cryptographic SIM card application program, completes real-name authentication through the zero-trust server, and applies to the zero-trust server for a digital certificate. The management server may be one or more business servers.
S404. The zero-trust client receives the national cryptographic SIM card application program sent by the management server.
S405. The zero-trust client sends a real-name authentication request to the zero-trust server, so that the zero-trust server authenticates the real-name authentication information in the request and generates a fifth authentication result.
Real-name authentication can only be performed once the national cryptographic SIM card application program has been obtained; the zero-trust client interacts with the national cryptographic SIM card through that application program.
S406. After the fifth authentication result indicates successful authentication, the zero-trust client sends a certificate signing request to the national cryptographic SIM card, so that the national cryptographic SIM card generates an asymmetric key.
In this embodiment, the signing request may be a certificate signing request (CSR) file, which the zero-trust client can generate by calling the application interface of the national cryptographic SIM card. The national cryptographic SIM card generates the asymmetric key according to the CSR.
S407. The zero-trust client receives the asymmetric key sent by the national cryptographic SIM card and generates a digital certificate request from it.
In this embodiment, the zero-trust client generates the digital certificate request from the asymmetric key; the digital certificate is used to identify the user.
S408. The zero-trust client sends the digital certificate request to the zero-trust server.
S409. The zero-trust client receives the digital certificate sent by the zero-trust server.
S410. The zero-trust client forwards the digital certificate to the national cryptographic SIM card, so that the national cryptographic SIM card stores the digital certificate.
In this embodiment, the zero-trust client can forward the digital certificate to the national cryptographic SIM card by running the national cryptographic SIM card application program, so that the national cryptographic SIM card stores the digital certificate.
In the zero-trust authentication method of this embodiment, on first login, once the login information of the second login request has been authenticated, the client applies to the management server for the national cryptographic SIM card application program, requests real-name authentication from the zero-trust server, and after that succeeds applies to the zero-trust server for a digital certificate. This completes activation of the national cryptographic SIM card authentication policy at the first login of the zero-trust client. On subsequent logins the zero-trust client can directly use the digital certificate stored in the national cryptographic SIM card to sign the string composed of the ICCID, the IMEI and a random number to generate the national cryptographic SIM card fingerprint, and use the digital certificate to sign the signature request generated from the national cryptographic SIM card PIN, which makes the zero-trust authentication process simpler and the zero-trust client more secure.
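The first-login registration and the later fingerprint check described above, as an added example in Go that is not part of the patent: a simulated card generates its own key pair, the server records the public key it certified at first login (certificate issuance itself is elided), and on a subsequent login the card signs the ICCID, IMEI and server-issued random number, which the server verifies against the registration and accepts only once. ECDSA P-256 stands in for the card's actual algorithm; the "|" separator and the single-use random-number table are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// SimCard stands in for the national cryptographic SIM card: the private key is
// generated on the card and never exported (ECDSA P-256 is an assumption here).
type SimCard struct {
	ICCID string
	key   *ecdsa.PrivateKey
}

// NewSimCard models the key generation of S406: the card creates its own key pair.
func NewSimCard(iccid string) (*SimCard, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SimCard{ICCID: iccid, key: k}, nil
}

// PublicKey is the only half that leaves the card (it travels in the request of S407).
func (s *SimCard) PublicKey() *ecdsa.PublicKey { return &s.key.PublicKey }

// Sign hashes msg and signs the digest with the on-card key.
func (s *SimCard) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, s.key, h[:])
}

// FingerprintMessage is the string signed on a non-first login; the separator
// keeps ICCID, IMEI and the random number from shifting into one another.
func FingerprintMessage(iccid, imei, nonce string) []byte {
	return []byte(iccid + "|" + imei + "|" + nonce)
}

// registration is what first login leaves on the server: the certified key
// (standing in for the issued digital certificate) bound to card and device.
type registration struct {
	pub         *ecdsa.PublicKey
	iccid, imei string
}

// ZeroTrustServer checks fingerprints against registrations and tracks the
// random numbers it issued so that each one is accepted only once.
type ZeroTrustServer struct {
	users  map[string]registration
	nonces map[string]bool
}

func NewServer() *ZeroTrustServer {
	return &ZeroTrustServer{users: map[string]registration{}, nonces: map[string]bool{}}
}

// Register records the outcome of S406-S410 (certificate issuance itself elided).
func (z *ZeroTrustServer) Register(user, iccid, imei string, pub *ecdsa.PublicKey) {
	z.users[user] = registration{pub: pub, iccid: iccid, imei: imei}
}

// NewNonce issues the random number the client must include in the fingerprint.
func (z *ZeroTrustServer) NewNonce() string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand does not fail on supported platforms
	n := hex.EncodeToString(b)
	z.nonces[n] = true
	return n
}

// VerifyFingerprint yields the second authentication result: the random number
// must be one the server issued and not yet used, ICCID and IMEI must match the
// registration, and the signature must verify under the registered key.
func (z *ZeroTrustServer) VerifyFingerprint(user, iccid, imei, nonce string, sig []byte) error {
	reg, ok := z.users[user]
	if !ok {
		return errors.New("user has no registered SIM card")
	}
	if !z.nonces[nonce] {
		return errors.New("unknown or already used random number")
	}
	delete(z.nonces, nonce) // single use: a captured fingerprint cannot be replayed
	if reg.iccid != iccid || reg.imei != imei {
		return errors.New("card or device does not match the registration")
	}
	h := sha256.Sum256(FingerprintMessage(iccid, imei, nonce))
	if !ecdsa.VerifyASN1(reg.pub, h[:], sig) {
		return errors.New("fingerprint signature invalid")
	}
	return nil
}
```

Register the card once, then for every later login issue NewNonce, have the card sign FingerprintMessage and call VerifyFingerprint; presenting the same fingerprint a second time, a different IMEI, or a signature from an unregistered card is rejected.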
FIG. 5 is a signaling interaction diagram of secondary authentication of a zero-trust client provided by an embodiment of the present application, applied to the zero-trust client. As shown in FIG. 5, in some embodiments the method further includes, after step S208:
S501. The zero-trust client receives risk prompt information sent by the national cryptographic SIM card. The risk prompt information is generated by the national cryptographic SIM card after it receives a pop-up authentication command sent by the management server; the pop-up authentication command is generated by the management server after it receives a secondary authentication command sent by the zero-trust server; and the zero-trust server generates the secondary authentication command after detecting a risk event.
In this embodiment, login has succeeded once the zero-trust client receives the login response sent by the zero-trust server. While the zero-trust client is in use, if the zero-trust server perceives a risk in the zero-trust client's access, it generates a secondary authentication command and sends it to the management server; the management server generates a pop-up authentication command from the secondary authentication command and sends it to the national cryptographic SIM card; and the national cryptographic SIM card generates the risk prompt information and sends it to the zero-trust client. The zero-trust server can perceive such risk through channels such as threat intelligence and environment sensing on the zero-trust client.
The zero-trust client may include multiple application programs, all of which communicate with the management server and the zero-trust server through the national cryptographic SIM card rather than directly.
S502. The zero-trust client generates a confirmation response from the risk prompt information and sends it to the national cryptographic SIM card, so that the national cryptographic SIM card forwards the confirmation response to the zero-trust server through the management server.
In this embodiment, the confirmation response may be the zero-trust client's confirmation that the current user is the user who performed the first login. The zero-trust client communicates with the management server and the zero-trust server through the national cryptographic SIM card; after the national cryptographic SIM card receives the confirmation response, it forwards it to the zero-trust server through the management server, and once the zero-trust server receives the confirmation response the zero-trust client has passed secondary authentication.
The zero-trust authentication method of this embodiment initiates secondary authentication when the zero-trust server perceives a risk in the zero-trust client's access, so that the zero-trust client confirms that the current user is the first-login user, reducing the security risk of the zero-trust client during use.
FIG. 6 is a schematic structural diagram of a zero-trust authentication device provided by an embodiment of the present application. As shown in FIG. 6, the present application further provides a zero-trust authentication device 60, applied to a zero-trust client, and the device 60 includes:
a sending module 601, configured to send a first login request to the zero-trust server, so that the zero-trust server verifies the login information in the first login request and generates a first authentication result;
a receiving module 602, configured to receive the first authentication result sent by the zero-trust server;
the sending module 601 is further configured to send an identification code request to the national cryptographic SIM card when the first authentication result indicates successful authentication and this is not the first login;
the receiving module 602 is further configured to receive the integrated circuit card identifier (ICCID) sent by the national cryptographic SIM card and to obtain the international mobile equipment identity (IMEI) of the zero-trust client and a random number;
a signing module 603, configured to sign the ICCID, the IMEI and the random number with the pre-stored digital certificate to generate the national cryptographic SIM card fingerprint;
the sending module 601 is further configured to send the national cryptographic SIM card fingerprint to the zero-trust server, so that the zero-trust server authenticates the fingerprint and generates a second authentication result;
the receiving module 602 is further configured to receive the login response sent by the zero-trust server when the second authentication result indicates successful authentication.
The zero-trust authentication device 60 provided in this embodiment can perform the method embodiments above; for its specific implementation principles and technical effects, refer to those method embodiments, which are not repeated here.
FIG. 7 is a schematic diagram of the hardware structure of a zero-trust client device 70 provided by an embodiment of the present application. As shown in FIG. 7, the zero-trust client device 70 may include a memory 701, a processor 702 and a communication interface 704.
The memory 701 is used to store a computer program. The memory 701 may include high-speed random access memory (RAM) and may also include non-volatile memory (NVM), such as at least one disk memory; it may also be a USB flash drive, a removable hard disk, a read-only memory, a magnetic disk or an optical disk.
The processor 702 is used to execute the computer program stored in the memory in order to implement the zero-trust authentication method of the embodiments above; for details, refer to the description in the method embodiments. The processor 702 may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or the like. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in connection with the invention may be embodied directly as being executed by a hardware processor, or executed by a combination of hardware and software modules in the processor.
Optionally, the memory 701 may be a separate component or may be integrated with the processor 702.
When the memory 701 is a component separate from the processor 702, the zero-trust client device 70 may further include a bus 703 connecting the memory 701 and the processor 702. The bus 703 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, the bus in the drawings of the present application is not limited to a single bus or a single type of bus.
The communication interface 704 may be connected to the processor 702 via the bus 703. The processor 702 may control the communication interface 704 to implement the zero-trust authentication function.
The zero-trust client device 70 provided in this embodiment can be used to perform the zero-trust authentication method above; its implementation and technical effects are similar and are not repeated here.
The present application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the methods provided by the various embodiments above.
The computer-readable storage medium may be a computer storage medium or a communication medium. A communication medium includes any medium that facilitates transfer of a computer program from one place to another. A computer storage medium may be any available medium that a general-purpose or special-purpose computer can access. For example, the computer-readable storage medium is coupled to the processor so that the processor can read information from, and write information to, the computer-readable storage medium. Of course, the computer-readable storage medium may also be an integral part of the processor. The processor and the computer-readable storage medium may reside in an application-specific integrated circuit (ASIC), and the ASIC may reside in user equipment. Of course, the processor and the computer-readable storage medium may also exist as discrete components in a communication device.
Specifically, the computer-readable storage medium may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random-access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disk. The storage medium may be any available medium that a general-purpose or special-purpose computer can access.
The present application further provides a computer program product comprising a computer program stored in a computer-readable storage medium. At least one processor of a device can read the computer program from the computer-readable storage medium, and the at least one processor executes the computer program so that the device implements the methods provided by the various embodiments above.
In the several embodiments provided in the present application, it should be understood that the disclosed devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into modules is only a division by logical function, and other divisions are possible in actual implementation; for instance, multiple modules may be combined or integrated into another system, or some features may be omitted or not performed.
The modules may be physically separate, for example installed at different locations of one device, installed on different devices, distributed over multiple network units, or distributed over multiple processors. The modules may also be integrated, for example installed in the same device or integrated into one body of code. Each module may exist in the form of hardware, in the form of software, or as a combination of software and hardware. The present application may select some or all of the modules according to actual needs to achieve the purpose of the embodiments.
When the modules are implemented as software function modules and integrated, the integrated module may be stored in a computer-readable storage medium. The software function module stored in the storage medium includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) or a processor to perform some of the steps of the methods of the embodiments of the present application.
It should be understood that although the steps in the flowcharts of the embodiments above are shown in sequence as indicated by the arrows, these steps are not necessarily executed in the order indicated. Unless explicitly stated herein, there is no strict ordering constraint on the execution of these steps, and they may be executed in other orders. Moreover, at least some of the steps in the figures may include multiple sub-steps or multiple stages, which are not necessarily completed at the same moment but may be executed at different times, and whose execution order is not necessarily sequential; they may be executed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
Finally, it should be noted that the embodiments above are only intended to illustrate the technical solutions of the present application, not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in those embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and that such modifications or replacements do not remove the essence of the corresponding technical solutions from the scope of the technical solutions of the embodiments of the present application.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211330409.0A CN115696329B (en) | 2022-10-27 | 2022-10-27 | Zero trust authentication method and device, zero trust client device and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115696329A CN115696329A (en) | 2023-02-03 |
CN115696329B true CN115696329B (en) | 2024-06-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |