
CN117118606B - Token-based access verification method, system and storage medium - Google Patents


Info

Publication number
CN117118606B
Authority
CN
China
Prior art keywords
key
authentication
token
node
distributed
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311012466.9A
Other languages
Chinese (zh)
Other versions
CN117118606A (en)
Inventor
雷景皓
龙裕朝
王文凯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianyi IoT Technology Co Ltd
Original Assignee
Tianyi IoT Technology Co Ltd
Application filed by Tianyi IoT Technology Co Ltd
Priority to CN202311012466.9A
Publication of CN117118606A
Application granted
Publication of CN117118606B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 ... involving a third party or a trusted authority
    • H04L9/3213 ... using tickets or tokens, e.g. Kerberos
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 ... for supporting key management in a packet data network
    • H04L63/062 ... for key distribution, e.g. centrally by trusted party
    • H04L63/08 ... for authentication of entities
    • H04L63/0807 ... using tickets, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the present invention discloses a Token-based access verification method, system and storage medium in the field of access verification technology. The method includes: the authentication center module assigns a node identification ID to, and generates a key for, each of a plurality of registered distributed nodes, and sends a key mapping table containing the node identification IDs and keys to every distributed node; any distributed node that receives user information submitted by a client forwards the user information together with its own node identification ID to the authentication center module; the authentication center module checks the user information and, if the check passes, generates authentication information from the node identification ID and the key mapping table and sends it to the client; the client generates an authentication Token from the request content and the authentication information, and sends the authentication Token and the request content to any distributed node; if the distributed node verifies that the authentication Token is legal, it processes the request content. The embodiment of the present application improves the security of access verification.

Description

Token-based access verification method, token-based access verification system and storage medium
Technical Field
The present invention relates to the field of access verification technologies, and in particular, to a Token-based access verification method, system, and storage medium.
Background
A distributed server cluster is a set of servers that jointly run the same service. Once the cluster service is installed, a server can be added to the cluster, and the servers compute in parallel to provide efficient, highly available computation. In practice clusters are also used to accelerate and distribute requests between clients and servers, smoothing the load peaks of any single server. At the same time, establishing a legitimate request link between a client or third-party system and the many servers in the system, and securely checking login and single sign-on, becomes a problem. The three access verification methods in wide use today are Session, Cookie+Redis and Token. The Session approach wastes resources: a user may use only one function, yet every server has to store that user's Session. Cookie+Redis only works for distributed servers under the same domain name that share a Redis instance, so it cannot serve single sign-on jumps between several different systems. The Token approach has the weakness that the Token stays unchanged for its whole validity period, so if it leaks or is stolen any illegal user can access resources with it until it expires; even a symmetrically encrypted Token can be decrypted and used. The security of access verification is therefore poor.
Disclosure of Invention
The embodiment of the invention provides a Token-based access verification method, a Token-based access verification system and a storage medium, aiming at improving the security of the existing access verification.
In a first aspect, an embodiment of the present invention provides a Token-based access authentication method, which is applied to an access authentication system, where the access authentication system includes a client, a server, and a plurality of distributed nodes, and the server includes an authentication center module, and the method includes:
The authentication center module distributes node identification IDs and generates keys to a plurality of registered distributed nodes and sends a key mapping table containing the node identification IDs and the keys to each distributed node;
any distributed node sends the user information and the node identification ID to an authentication center module if receiving the user information submitted by the client;
the authentication center module checks the user information, and if the user information passes the check, authentication information is generated according to the node identification ID and the key mapping table, and the authentication information is sent to the client;
The client generates an authentication Token according to the request content and the authentication information, and sends the authentication Token and the request content to any one of the distributed nodes;
And if the distributed node verifies that the authentication Token is legal, processing the request content.
In a second aspect, the embodiment of the invention also provides a Token-based access verification system, which comprises a sending unit and a verification unit which are configured in an authentication center module of a server, a receiving and sending unit and a verification processing unit which are configured in all distributed nodes, and a generating unit which is configured in a client,
The sending unit is used for the authentication center module to assign node identification IDs to, and generate keys for, a plurality of registered distributed nodes, and to send a key mapping table containing the node identification IDs and keys to each distributed node;
The receiving and sending unit is used for sending the user information and the node identification ID to the authentication center module if any distributed node receives the user information submitted by the client;
The verification unit is used for verifying the user information by the authentication center module, generating authentication information according to the node identification ID and the key mapping table if the verification is passed, and sending the authentication information to the client;
The generating unit is used for generating an authentication Token according to the request content and the authentication information by the client and sending the authentication Token and the request content to any one of the distributed nodes;
and the verification processing unit is used for processing the request content if the distributed node verifies that the authentication Token is legal.
In a third aspect, an embodiment of the present invention further provides a Token-based access verification system, where the Token-based access verification system includes a client, a server, and a plurality of distributed nodes, where each of the client, the server, and the plurality of distributed nodes includes a memory and a processor, where a computer program is stored in the memory, and the client, the server, and the processors of the plurality of distributed nodes implement the above method when executing the computer program.
In a fourth aspect, embodiments of the present invention also provide a computer readable storage medium storing a computer program which, when executed by a processor, implements the above method.
The embodiment of the invention provides a Token-based access verification method, a Token-based access verification system and a storage medium. In the method, the authentication center module assigns node identification IDs to, and generates keys for, a plurality of registered distributed nodes and sends a key mapping table containing the node identification IDs and keys to each distributed node; any distributed node that receives user information submitted by a client sends the user information and its node identification ID to the authentication center module; the authentication center module verifies the user information and, if verification passes, generates authentication information from the node identification ID and the key mapping table and sends it to the client; the client generates an authentication Token from the request content and the authentication information and sends the Token and the request content to any distributed node; and if the distributed node verifies that the authentication Token is legal, the request content is processed. The access verification system of this embodiment comprises a client, a server and a plurality of distributed nodes. The user information is authenticated by an authentication center module newly added to the server, the client then generates an authentication Token dynamically and in real time from the request content and the authentication information, and the distributed nodes verify that Token. Because each Token is bound to one request, resource access with a leaked or stolen authentication Token is avoided, and the security of access verification is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a Token-based access authentication system according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a Token-based access verification method according to an embodiment of the present invention;
FIG. 3 is a schematic sub-flowchart of a Token-based access authentication method according to an embodiment of the present invention;
FIG. 4 is a schematic sub-flowchart of a Token-based access authentication method according to an embodiment of the present invention;
FIG. 5 is a schematic sub-flowchart of a Token-based access authentication method according to an embodiment of the present invention;
FIG. 6 is a schematic block diagram of a Token-based access verification system according to an embodiment of the present invention;
Fig. 7 is a schematic block diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be understood that the terms "comprises" and "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
As used in this specification and the appended claims, the term "if" may be interpreted as "when", "once", "in response to a determination" or "in response to detection" depending on the context. Similarly, the phrase "if it is determined" or "if a [described condition or event] is detected" may be interpreted, depending on the context, as "upon determination", "in response to determination", "upon detection of a [described condition or event]" or "in response to detection of a [described condition or event]".
Referring to fig. 1, fig. 1 is a schematic diagram of a Token-based access authentication system according to an embodiment of the present invention. The Token-based access verification system comprises a client, a server and a plurality of distributed nodes, wherein the server comprises an authentication center module and a health management module. It should be noted that in this embodiment, the client communicates with the server to receive the authentication information sent by the authentication center module, the client communicates with the distributed node to submit the user information to the distributed node, and the distributed node communicates with the server to send the user information and the node identifier to the authentication center module. In this embodiment, the authentication center module newly added on the server authenticates the user information, and then generates the authentication Token dynamically in real time according to the request content and the authentication information in the client, and verifies the authentication Token through the distributed nodes, so that the resource access performed when the authentication Token is leaked and stolen is avoided, the security of access verification is improved, and the problem that the server is maliciously accessed is solved.
Fig. 2 is a schematic flow chart of a Token-based access verification method according to an embodiment of the present invention. The Token-based access verification method of the embodiment of the invention can be applied to a Token-based access verification system, for example, the Token-based access verification method can be realized through a software program configured on the Token-based access verification system, so as to improve the security of access verification. As shown in fig. 2, the method includes the following steps S100 to S140.
And S100, the authentication center module distributes node identification IDs and generates keys to the registered distributed nodes and sends a key mapping table containing the node identification IDs and the keys to each distributed node.
In the embodiment of the invention, when the server starts and initialises, the authentication center module performs automatic service registration for the plurality of distributed nodes, connects them to the health management module, assigns a unique node identification ID to each distributed node, generates a key S1_i for every distributed node (each S1_i being unique), and sends a key mapping table containing the node identification IDs and keys S1_i to each distributed node. Specifically, assuming the total number of distributed nodes is N, the node identification ID assigned to each distributed node is denoted A_i, the key mapping table is denoted Table, and each A_i with its corresponding S1_i is recorded in Table. It should be noted that, in this embodiment, an API interface is provided for subsequent updating of the key S1_i, to support single sign-on from third-party system platforms. It should further be noted that, after each distributed node receives Table, it must return receipt-success information (for example "ok") to the authentication center module, and each distributed node stores Table.
The server further comprises a health management module. When a preset update time T is reached, the authentication center module re-issues the keys, obtaining an updated key S1_i for each node, and sends update messages to all distributed nodes; the authentication center module updates the key mapping table with the updated keys to obtain an updated key mapping table Table_new. The health management module queries the health of every distributed node and determines the target distributed nodes by whether that health is in the available state: a node whose health is available is a target distributed node, while a node whose health is unavailable is shielded from the key mapping table update and is not a target distributed node. The authentication center module then sends the updated key mapping table to each target distributed node. If a target distributed node does not return success, the health management module retries the send up to a preset number of retries; if the node still has not received the table successfully after the preset retries, the authentication center module returns information that the update of that node failed within the preset retry count, and the health management module records that the node was not successfully updated. It should be noted that reconnection up to the preset retry count is needed to check whether the distributed node has failed or has a network problem; the preset retry count is understandably set according to actual requirements.
It should be noted that, in this embodiment, the key mapping table of a distributed node is updated only when the node's health is in the available state. The preset update time T may be defined by the user but must not be less than twice the preset allowed expiration time T1 (T ≥ T1 × 2); its default value is 30 minutes.
Further, after the authentication center module sends the updated key mapping table to the target distributed nodes, each such distributed node deletes its second key mapping table and takes the updated key mapping table as its first key mapping table and the previous first key mapping table as its second key mapping table; the initial value of the first key mapping table is the key mapping table Table and the initial value of the second key mapping table is null. It is understood that the first key mapping table is Table_new and the second key mapping table is Table_old, that is, each distributed node A_i holds two key mapping tables, Table_old and Table_new.
And S110, if any distributed node receives the user information submitted by the client, the user information and the node identification ID are sent to an authentication center module.
In the embodiment of the invention, the user information comprises a user name and a password. The client submits the user name and password to any distributed node A_i; that distributed node redirects the request to the unified authentication center module, attaching its own unique node identification ID, so that the user information and the node identification ID are sent to the authentication center module.
And S120, the authentication center module checks the user information, and if the user information passes the check, authentication information is generated according to the node identification ID and the key mapping table, and the authentication information is sent to the client.
In the embodiment of the present invention, as shown in fig. 3, step S120 may include steps S121 to S122. S121: the authentication center module checks the user name and password against a preset user information table and, if they pass the check, generates a user ID and looks up the key in the key mapping table by the node identification ID. S122: the authentication center module generates an access key from the node identification ID, the key and the user ID with a preset encryption algorithm, and sends the access key, the node identification ID and the user ID to the client as the authentication information. It should be noted that the preset encryption algorithm is SHA256 (a one-way hash, which the patent describes as irreversible encryption). The authentication center module checks the user name and password; if either is wrong, an error prompt is returned to the client so that it can resubmit. If both are verified, login to the access verification system succeeds and the authentication center module generates a unique user ID, userid, for the user. Meanwhile, after the corresponding S1_i has been found in the key mapping Table by the node identification A_i, the authentication center module computes the irreversible SHA256 value of A_i, S1_i and userid to obtain the access key S2_i, as shown in formula (1).
S2_i = SHA256(A_i, S1_i, userid)    (1)
Finally, the authentication center module sends A_i, S2_i and userid to the client, which uses them to generate an authentication Token automatically in each subsequent request. Understandably, the client saves A_i, S2_i and userid.
S130, the client generates an authentication Token according to the request content and the authentication information, and sends the authentication Token and the request content to any distributed node.
In the embodiment of the present invention, the client also obtains the current Timestamp before sending the request content to any distributed node. As shown in fig. 4, step S130 may include steps S131 to S132. S131: the client generates a target access key from the current Timestamp, the request content, a random encryption parameter, the access key and the user ID with the preset encryption algorithm. S132: the client generates the authentication Token from the target access key, the user ID, the current Timestamp, the random encryption parameter and the node identification ID. Specifically, after logging in successfully the client must generate a target access key S3_T for every request, computed as in formula (2), where C is the request content and R is the random encryption parameter.
S3_T = SHA256(C, S2_i, Timestamp, userid, R)    (2)
Once the target access key S3_T is generated, there are two main ways to produce the authentication Token from A_i, R, Timestamp, userid and S3_T. In the first, the five values are spliced together to form an unencrypted Token, as in formula (3). In the second, the spliced value is further encrypted with a reversible algorithm, symmetric or asymmetric, to obtain an encrypted Token.
Token = A_i + R + Timestamp + userid + S3_T    (3)
It should be noted that, according to the actual security requirement, the spliced components A_i, R, Timestamp, userid and S3_T may be left unencrypted or encrypted. The only purpose of the symmetric or asymmetric encryption is that the server can decrypt the Token to recover the parameters A_i, R, Timestamp, userid and S3_T; the integrity of the request rests on S3_T, which already binds the request content. In this embodiment the client must send the authentication Token together with the request content.
And S140, if the distributed node verifies that the authentication Token is legal, the request content is processed.
In the embodiment of the present invention, as shown in fig. 5, step S140 specifically includes the following steps S141 to S148:
S141, the distributed node processes the authentication Token to obtain the target access key, the user ID, the current Timestamp, the random encryption parameter and the node identification ID;
S142, the distributed node obtains a first key from the first key mapping table by the node identification ID;
S143, the distributed node computes a first verification key from the first key, the node identification ID and the user ID with the preset encryption algorithm, and generates a first target verification key from the first verification key, the current Timestamp, the request content, the random encryption parameter and the user ID;
S144, the distributed node compares the first target verification key with the target access key;
S145, if they are the same and the difference between the current Timestamp and the Timestamp of the previous request is within the preset allowed expiration time range, the authentication Token is judged legal and the request content is processed;
S146, if they differ but the difference between the current Timestamp and the Timestamp of the previous request is within the preset allowed expiration time range, the distributed node obtains a second key from the second key mapping table by the node identification ID;
S147, the distributed node computes a second verification key from the second key, the node identification ID and the user ID, and generates a second target verification key from the second verification key, the current Timestamp, the request content, the random encryption parameter and the user ID;
S148, if the second target verification key is the same as the target access key and the difference between the current Timestamp and the Timestamp of the previous request is within the preset allowed expiration time range, the authentication Token is judged legal, the request content is processed, and the access key is re-issued to the client.
Specifically, after receiving the request content and the authentication Token, the distributed node first disassembles the parameters A_i, R, Timestamp, userid and S3_T from the Token. If the Token is the encrypted version, it is decrypted with the pre-agreed symmetric or asymmetric algorithm. The node then looks up A_i in the key table Table_new to obtain the corresponding first key S1_i, and computes the first verification key S2_i from A_i, S1_i and userid with SHA256:
S2_i = SHA256(A_i, S1_i, userid)
Next, the distributed node computes the first target verification key S3_T from the request content C, S2_i, Timestamp, R and userid with SHA256:
S3_T = SHA256(C, S2_i, Timestamp, userid, R)
At this point the distributed node holds two values of S3_T: one disassembled from the user's Token and one it has recomputed from the disassembled parameters and the request content. The node compares the two. If they are equal and the elapsed time T1 between the current Timestamp and the Timestamp of the last request is within the preset allowed expiration time T2, the authentication Token is judged legal, the request authentication succeeds and the node starts processing the request content. If any of A_i, userid, C, Timestamp or R has been tampered with, the recomputed S3_T will not match. The allowed expiration time defaults to 15 minutes and can be changed for different scenarios. Meanwhile, S1_i is updated periodically by the authentication center. So if the two S3_T values differ but T1 is within T2, distributed node A_i considers it possible either that S1_i has been updated or that the request content C has been tampered with. To tell the two apart, the node takes the second key (the old S1_i) from the old key table Table_old, recomputes the old S2_i (second verification key) and from it the old S3_T (second target verification key). If the old S3_T equals the user's S3_T, the request is valid as it stands, i.e. the Token is accepted, and the earlier mismatch is attributed to the update of S1_i rather than to tampering. The client is then redirected to the authentication center module, which issues the updated S2_i directly to the client.
If the old S3_T also differs from the user's S3_T, the request content has been tampered with, the request is illegal and the user must log in again. If the two S3_T values are equal but the elapsed time T1 exceeds the allowed expiration time T2, the user is considered to have been idle for too long and must log in again; understandably, if the two S3_T values differ and T1 exceeds T2, the user must also log in again.
For ease of understanding, the Token-based access verification method is now described through the following specific example:
S1, start the server;
S2, assume there are 3 distributed nodes. The authentication center module performs service registration and discovery for each registered distributed node and assigns each one a unique node identification ID; for example, distributed node A gets node ID a, distributed node B gets node ID b, and distributed node C gets node ID c;
S3, the authentication center module generates the key mapping Table for the first time, with one key value S1 per node. As shown in Table 1, a has key S1A, b has key S1B and c has key S1C;
TABLE 1
Node identification ID    Key
a                         S1A
b                         S1B
c                         S1C
After generating the key mapping Table, the authentication center module sends it to all distributed nodes; each distributed node returns a success message once it has received the Table, after which the distributed nodes formally start providing services externally;
S4, the client logs in, entering a correct user name and password;
S5, the first time distributed node A receives the user name and password, it redirects the information to the authentication center module. After the authentication center module has verified the account and password, it generates a user ID userid for the client, for example 01, looks up the key of distributed node A in the key mapping Table, namely S1A, calculates the access key S2A through formula (1), and sends a, 01 and S2A to the client for storage; the access key S2A is a character string;
S6, the client makes a request, such as sending a JSON request or accessing a page. When submitting the request content, the client generates a current Timestamp and a random number R and produces a real-time authentication Token. Assuming the request content is C, the client calculates the target access key S3T through formula (2) and then generates the authentication Token according to formula (3); symmetric or asymmetric encryption may be layered on top of formula (3) when generating the authentication Token, according to actual requirements. After computing the authentication Token, the client submits the request content C together with the authentication Token to the server, and the server's load balancer may hand the request to any distributed node for processing, for example distributed node B;
S7, when distributed node B receives the request content with userid 01 and the authentication Token, it verifies the authentication Token. First the authentication Token is parsed according to the preset format (the fields may be delimited by a separator or occupy preset character positions) to recover the node identification ID, the random number R, the Timestamp, userid and S3T;
S8, distributed node B queries the key mapping Table and, through the node identification ID a, retrieves the key value S1A. It then calculates S2A through formula (1) and S3T through formula (2), and compares the calculated S3T with the S3T parsed from the authentication Token. If they match and the difference between the current request Timestamp and the previous request Timestamp does not exceed 15 minutes (the default), the request is considered legal, the authentication Token is verified and the request content C is processed;
Assume that 30 minutes (the default key mapping Table update interval) have elapsed during use; the authentication center module then updates and distributes a new key Table, Table(new), as shown in Table 2; Table(new) is the first key mapping Table;
TABLE 2
Node identification ID    Key value
a                         s1a
b                         s1b
c                         s1c
The previous key Table becomes the old key Table, Table(old), as shown in Table 3; Table(old) is the second key mapping Table.
TABLE 3
Node identification ID    Key value
a                         S1A
b                         S1B
c                         S1C
At this point, if the client's S2A has not been updated, a distributed node judging the authentication Token against the key values of Table(new) finds it illegal. The distributed node then takes the key value from Table(old) and verifies again, so that the request can still pass verification.
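The verification rule above (two S3T values, the T1/T2 window and the Table(old) fallback) and the walk-through in steps S1 to S8 are modelled below in Python. This is an added example, not code from the patent. The page prints only formula (2); the forms used here for formula (1) (S2 = SHA256(node ID, S1, userid)), for formula (3) (fields joined by "|" with no extra cipher layer), for how SHA256 inputs are joined, and for where the previous-request Timestamp is kept (per user on each node) are assumptions, as are the user record and request contents.

```python
import hashlib
import secrets

SEP = "|"      # assumed field separator for formulas (1)-(3); the page leaves the joining open
T2 = 15 * 60   # allowed expiration window T2 in seconds; 15 minutes is the page's default


def sha256_join(*parts):
    """The page's 'SHA256 encryption algorithm': a SHA256 hash over the SEP-joined fields."""
    return hashlib.sha256(SEP.join(parts).encode()).hexdigest()


def _eq(a, b):
    return secrets.compare_digest(a.encode(), b.encode())   # constant-time string compare


def access_key(node_id, s1, userid):
    """Formula (1), assumed form: S2 = SHA256(node ID, S1, userid)."""
    return sha256_join(node_id, s1, userid)


def target_key(content, s2, ts, userid, r):
    """Formula (2) as printed on the page: S3T = SHA256(C, S2, Timestamp, userid, R)."""
    return sha256_join(content, s2, str(ts), userid, r)


def make_token(node_id, userid, s2, content, ts, r=""):
    """Formula (3), assumed form: Token = nodeID|R|Timestamp|userid|S3T, no extra cipher layer."""
    r = r or secrets.token_hex(8)
    return SEP.join([node_id, r, str(ts), userid, target_key(content, s2, ts, userid, r)])


class AuthCenter:
    """Authentication center: owns the key mapping table; handles login, rotation and S2 re-issue."""
    def __init__(self, node_ids, users):
        self.users = users                                              # constructed: name -> (pw, userid)
        self.table = {nid: secrets.token_hex(16) for nid in node_ids}   # node ID -> S1

    def login(self, node_id, username, password):
        pw, userid = self.users.get(username, (None, None))
        if pw is None or not _eq(pw, password):
            return None
        return node_id, userid, self.reissue(node_id, userid)          # (a, 01, S2A) is stored by the client

    def reissue(self, node_id, userid):
        return access_key(node_id, self.table[node_id], userid)

    def rotate(self):
        """Re-issue every S1 (the page's 30-minute default) and return Table(new)."""
        self.table = {nid: secrets.token_hex(16) for nid in self.table}
        return dict(self.table)


class Node:
    """Distributed node: holds Table(new) and Table(old) and verifies Tokens against both."""
    def __init__(self, table):
        self.table_new, self.table_old = dict(table), None   # the second table starts out null
        self.last_ts = {}   # userid -> Timestamp of the last accepted request (assumed: kept per node)

    def update_table(self, table):
        self.table_old, self.table_new = self.table_new, dict(table)

    def _expected(self, table, node_id, userid, content, ts, r):
        s1 = table.get(node_id)
        return "" if s1 is None else target_key(content, access_key(node_id, s1, userid), ts, userid, r)

    def verify(self, token, content):
        """'ok', 'ok_reissue' (valid only under Table(old): client needs a new S2), 'tampered' or 'relogin'."""
        try:
            node_id, r, ts_s, userid, s3t = token.split(SEP)
            ts = int(ts_s)
        except ValueError:
            return "relogin"
        t1 = ts - self.last_ts.get(userid, ts)   # T1: idle time since the previous request (first request: 0)
        if not 0 <= t1 <= T2:
            return "relogin"                      # both of the page's T1 > T2 cases end in a new login
        if _eq(self._expected(self.table_new, node_id, userid, content, ts, r), s3t):
            self.last_ts[userid] = ts
            return "ok"
        if self.table_old and _eq(self._expected(self.table_old, node_id, userid, content, ts, r), s3t):
            self.last_ts[userid] = ts
            return "ok_reissue"                   # S1 was rotated, not tampered with
        return "tampered"                         # C, R, Timestamp, userid or node ID was changed


def demo():
    """The page's walk-through: 3 nodes, login via a, requests served by b and c, rotation, tampering, idling."""
    auth = AuthCenter(["a", "b", "c"], {"alice": ("pw", "01")})   # constructed user record
    nodes = {nid: Node(auth.table) for nid in auth.table}
    node_id, userid, s2 = auth.login("a", "alice", "pw")
    out = {}
    tok = make_token(node_id, userid, s2, '{"op":"read"}', ts=1000)
    out["fresh"] = nodes["b"].verify(tok, '{"op":"read"}')
    out["tampered"] = nodes["b"].verify(tok, '{"op":"delete"}')      # C altered in transit
    new_table = auth.rotate()
    for n in nodes.values():
        n.update_table(new_table)
    tok = make_token(node_id, userid, s2, "page", ts=1300)           # client still holds the old S2A
    out["after_rotation"] = nodes["c"].verify(tok, "page")
    s2 = auth.reissue(node_id, userid)                               # authentication center re-issues S2A
    out["new_s2"] = nodes["c"].verify(make_token(node_id, userid, s2, "page", ts=1400), "page")
    out["idle"] = nodes["c"].verify(make_token(node_id, userid, s2, "page", ts=1400 + T2 + 1), "page")
    return out
```

Calling demo() walks the five cases in order: a fresh Token accepted by node b, the same Token rejected once C is altered, the old S2A still accepted by node c through Table(old) after rotation (with the re-issue signalled), the re-issued S2A accepted, and a Token arriving more than T2 after the previous one forcing a new login. Two points of the design are worth noting. The S3T comparison uses a constant-time compare, which the page does not mention but which any implementation of such a check should do. And T1 is derived from two client-supplied Timestamps, exactly as the page states; the example keeps that rule as written, and a deployment would normally also bound the Timestamp against the node's own clock.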
It should be noted that this embodiment adds distributed multi-node support on top of the JWT (JSON Web Token) verification mechanism, so that sign-on can be carried across different platforms. Because each authentication Token is bound to the request content, the Timestamp and a random number, it addresses the problem of other personnel using a leaked authentication Token to bypass verification and access the server illegally, which improves the security of access verification. Keeping the previous key table avoids forcing every user to log in again after the key table is updated, strengthens security and reduces the risk of key parameters leaking. The access verification system is highly extensible and decoupled, and distributed nodes can be added.
Fig. 6 is a schematic block diagram of a Token-based access authentication system 200 provided in an embodiment of the present invention. As shown in fig. 6, the Token-based access authentication system 200 includes means for performing the Token-based access authentication method described above, corresponding to the Token-based access authentication method applied to the client, the server, and the plurality of distributed nodes above. Specifically, referring to fig. 6, the Token-based access verification system 200 includes a transmitting unit 101 and a verification unit 102 configured in an authentication center module of a server, a receiving and transmitting unit 201 and a verification processing unit 202 configured in all distributed nodes, and a generating unit 301 configured in a client.
The sending unit 101 is used for the authentication center module to distribute node identification IDs and generate keys for a plurality of registered distributed nodes, and to send a key mapping table containing the node identification IDs and the keys to each distributed node. The receiving and sending unit 201 is used, if any distributed node receives user information submitted by the client, to send the user information and the node identification ID to the authentication center module. The verification unit 102 is used for the authentication center module to verify the user information and, if the verification passes, to generate authentication information from the node identification ID and the key mapping table and send it to the client. The generating unit 301 is used for the client to generate an authentication Token from the request content and the authentication information and to send the authentication Token and the request content to any of the distributed nodes. The verification processing unit 202 processes the request content if the distributed node verifies that the authentication Token is legal.
In some embodiments, for example, the verification unit 102 includes a verification generation unit and a first generation subunit.
The verification generating unit is used for the authentication center module to verify the user name and password against a preset user information table, to generate a user ID if they pass, and to query the key from the key mapping table through the node identification ID; the first generation subunit is used for the authentication center module to generate an access key from the node identification ID, the key and the user ID through a preset encryption algorithm, and to send the access key, the node identification ID and the user ID to the client as the authentication information.
In some embodiments, for example, the generating unit 301 includes a second generating subunit and a third generating subunit.
The second generation subunit is configured to generate a target access key according to a current timestamp, the request content, a random encryption parameter, the access key and the user ID by using the preset encryption algorithm, and the third generation subunit is configured to generate the authentication Token according to the target access key, the user ID, the current timestamp, the random encryption parameter and the node identifier ID by using the client.
In some embodiments, for example in this embodiment, the Token-based access verification system 200 further includes an issuing unit, an updating unit, a sending subunit and a setting unit configured in the authentication center module of the server, a query unit configured in the health management module, and a deletion update unit configured in each distributed node.
When the preset update time is reached, the issuing unit is used for the authentication center module to re-issue the keys, obtaining updated keys, and to send an update message to all distributed nodes; the updating unit is used for the authentication center module to update the key mapping table with the updated keys, obtaining an updated key mapping table; the query unit is used for the health management module to query the health of all distributed nodes and to select the target distributed nodes according to whether their health is in the available state; the sending subunit is used for the authentication center module to send the updated key mapping table to the target distributed nodes; the setting unit is used, for any target distributed node from which the preset reply message is not received within the preset number of retries, to set that node's health to the unavailable state and hand the node over to the health management module; and the deletion update unit is used for the distributed node to delete its second key mapping table and to take the updated key mapping table and its previous first key mapping table as the new first and second key mapping tables respectively, the first key mapping table initially being the key mapping table and the second initially being null.
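The rotation path of the issuing, query, sending and setting units, as an added example that is not the patent's own code. The retry count, the node stubs and the "success" reply string are constructed; the page gives no values for them. What the example shows is the bookkeeping: only nodes currently marked available receive Table(new), a node that never replies within the retries is handed to health management, and it is skipped on the next rotation.

```python
import secrets

MAX_RETRIES = 3   # preset retry count; assumed value, the page leaves it configurable


class NodeStub:
    """Constructed stand-in for a distributed node: acknowledges a new table unless it is down."""
    def __init__(self, node_id, down=False):
        self.node_id, self.down, self.table = node_id, down, None

    def receive_table(self, table):
        if self.down:
            return None           # no "success" reply comes back
        self.table = dict(table)
        return "success"


class HealthManager:
    """Health management module: tracks each node's availability."""
    def __init__(self):
        self.health = {}

    def mark(self, node_id, available):
        self.health[node_id] = available

    def available(self):
        return [nid for nid, ok in self.health.items() if ok]


class KeyIssuer:
    """Authentication center side: re-issue S1 for every node and push Table(new) to healthy nodes."""
    def __init__(self, nodes, health):
        self.nodes = {n.node_id: n for n in nodes}
        self.health = health
        self.table = {nid: secrets.token_hex(16) for nid in self.nodes}   # initial key mapping table
        for nid in self.nodes:
            health.mark(nid, True)

    def rotate_and_push(self):
        """Returns (nodes that acknowledged Table(new), nodes handed to health management)."""
        self.table = {nid: secrets.token_hex(16) for nid in self.nodes}   # updated keys
        delivered, quarantined = [], []
        for nid in self.health.available():                               # target distributed nodes only
            for _ in range(MAX_RETRIES):
                if self.nodes[nid].receive_table(self.table) == "success":
                    delivered.append(nid)
                    break
            else:                                                          # no reply within the retries
                self.health.mark(nid, False)
                quarantined.append(nid)
        return delivered, quarantined


def demo():
    """Node b never replies: it is quarantined on the first rotation and skipped on the next."""
    health = HealthManager()
    issuer = KeyIssuer([NodeStub("a"), NodeStub("b", down=True), NodeStub("c")], health)
    first = issuer.rotate_and_push()
    second = issuer.rotate_and_push()
    return first, second, health.available()
```

A node that is quarantined keeps whatever table it last acknowledged, which is why the page pairs this path with the Table(old) fallback on the verification side: requests reaching a stale node can still be checked against the previous keys until it is brought back and re-synchronised.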
In some embodiments, for example in this embodiment, the verification processing unit 202 includes a first processing unit, a first acquisition unit, a first calculation generation unit, a comparison unit, a second processing unit, a second acquisition unit, a second calculation generation unit and a processing transmission unit.
The first processing unit is used for the distributed node to parse the authentication Token to obtain the target access key, the user ID, the current timestamp, the random encryption parameter and the node identification ID. The first acquisition unit is used for the distributed node to obtain a first key from the first key mapping table through the node identification ID. The first calculation generation unit is used for the distributed node to calculate a first check key from the first key, the node identification ID and the user ID through the preset encryption algorithm, and to generate a first target check key from the first check key, the current timestamp, the request content, the random encryption parameter and the user ID. The comparison unit is used for the distributed node to compare the first target check key with the target access key. The second processing unit is used to judge the authentication Token legal and process the request content if the first target check key is identical to the target access key and the difference between the current timestamp and the timestamp of the last transmitted request is within the preset allowable expiration time range. The second acquisition unit is used, if the first target check key differs from the target access key, for the distributed node to obtain a second key from the second key mapping table through the node identification ID. The second calculation generation unit is used for the distributed node to calculate a second check key from the second key, the node identification ID and the user ID through the preset encryption algorithm, and to generate a second target check key from the second check key, the current timestamp, the request content, the random encryption parameter and the user ID. The processing transmission unit is used to judge the authentication Token legal, process the request content and re-send the access key to the client if the second target check key is identical to the target access key and the difference between the current timestamp and the timestamp of the last transmitted request is within the preset allowable expiration time range.
It should be noted that, as will be clearly understood by those skilled in the art, the specific implementation process of the Token-based access authentication system 200 and each unit may refer to the corresponding description in the foregoing method embodiments, and for convenience and brevity of description, the description is omitted here.
The Token-based access verification system described above may be implemented in the form of a computer program that is executable on a computer device as shown in fig. 7.
Referring to fig. 7, fig. 7 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device 900 is a device built with a Token-based access authentication system.
With reference to fig. 7, the computer device 900 includes a processor 902, a memory and an interface 905 connected by a system bus 901, wherein the memory may include a storage medium 903 and an internal memory 904.
The storage medium 903 may store an operating system 9031 and a computer program 9032. The computer program 9032, when executed, may cause the processor 902 to perform a Token-based access authentication method.
The processor 902 is operable to provide computing and control capabilities to support the operation of the overall computer device 900.
The internal memory 904 provides an environment for the execution of a computer program 9032 in a storage medium 903, which computer program 9032, when executed by the processor 902, causes the processor 902 to perform a Token-based access authentication method.
The interface 905 is used to communicate with other devices. It will be appreciated by those skilled in the art that the architecture shown in fig. 7 is merely a block diagram of some of the architecture relevant to the present inventive arrangements and is not limiting of the computer device 900 to which the present inventive arrangements may be implemented, and that a particular computer device 900 may include more or less components than those shown, or may combine some components, or have a different arrangement of components.
Wherein the processor 902 of each of the client, server, and plurality of distributed nodes is configured to execute the computer program 9032 stored in the memory to implement any of the embodiments of Token-based access authentication methods described above.
It should be appreciated that in an embodiment of the application, the processor 902 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. The general-purpose processor may be a microprocessor or any conventional processor.
Those skilled in the art will appreciate that all or part of the flow of the methods in the above embodiments may be accomplished by a computer program instructing the relevant hardware. The computer program may be stored in a storage medium that is a computer-readable storage medium. The computer program is executed by at least one processor in the computer system to implement the flow steps of the method embodiments described above.
Accordingly, the present invention also provides a storage medium. The storage medium may be a computer readable storage medium. The storage medium stores a computer program. The computer program, when executed by a processor, causes the processor to perform any of the embodiments of the Token-based access authentication method described above.
The storage medium may be a U-disk, a removable hard disk, a Read-Only Memory (ROM), a magnetic disk, or an optical disk, or other various computer-readable storage media that can store program codes.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or a combination of both, and that the various illustrative elements and steps have been described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and the design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the several embodiments provided by the present invention, it should be understood that the disclosed systems and methods may be implemented in other ways. For example, the system embodiments described above are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed.
The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs. The units in the system of the embodiment of the invention can be combined, divided and deleted according to actual needs. In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The integrated unit may be stored in a storage medium if implemented in the form of a software functional unit and sold or used as a stand-alone product. Based on such understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a terminal, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention.
In the foregoing embodiments, the descriptions of the embodiments are focused on, and for those portions of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
While the invention has been described with reference to certain preferred embodiments, it will be understood by those skilled in the art that various changes and substitutions of equivalents may be made and equivalents will be apparent to those skilled in the art without departing from the scope of the invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (10)

1. A Token-based access verification method applied to an access verification system, characterized in that the access verification system comprises a client, a server and a plurality of distributed nodes, the server comprises an authentication center module, and the method comprises the following steps:
The authentication center module distributes node identification IDs and generates keys to a plurality of registered distributed nodes and sends a key mapping table containing the node identification IDs and the keys to each distributed node;
any distributed node sends the user information and the node identification ID to an authentication center module if receiving the user information submitted by the client;
the authentication center module checks the user information, and if the user information passes the check, authentication information is generated according to the node identification ID and the key mapping table, and the authentication information is sent to the client;
The client generates an authentication Token according to the request content and the authentication information, and sends the authentication Token and the request content to any one of the distributed nodes;
And if the distributed node verifies that the authentication Token is legal, processing the request content.
2. The Token-based access verification method according to claim 1, wherein the user information includes a user name and a password, and the authentication center module verifying the user information and, if the verification passes, generating authentication information according to the node identification ID and the key mapping table and sending the authentication information to the client comprises:
The authentication center module checks the user name and the password according to a preset user information table, if the user name and the password pass the check, a user ID is generated, and the key is queried from the key mapping table through the node identification ID;
the authentication center module generates an access key through a preset encryption algorithm according to the node identification ID, the key and the user ID, and sends the access key, the node identification ID and the user ID to the client as authentication information.
3. The Token-based access verification method according to claim 2, wherein the client generates an authentication Token according to the request content and the authentication information, comprising:
the client generates a target access key through the preset encryption algorithm according to the current timestamp, the request content, the random encryption parameter, the access key and the user ID;
the client generates the authentication Token according to the target access key, the user ID, the current timestamp, the random encryption parameter and the node identification ID.
4. The Token-based access verification method of claim 3, wherein the server further comprises a health management module, the method further comprising:
if the preset updating time is reached, the authentication center module re-issues the secret key to obtain an updating secret key, and sends updating messages to all the distributed nodes;
the authentication center module updates the key mapping table according to the updated key to obtain an updated key mapping table;
The health management module inquires the health degree of all the distributed nodes and determines a target distributed node according to whether the health degree is in an available state or not;
the authentication center module sends the updated key mapping table to the target distributed node;
for any distributed node in the target distributed nodes, if the authentication center module does not receive the preset message information replied by the distributed nodes within the preset retry times, setting the health degree of the distributed nodes to be in an unavailable state, and forwarding the distributed nodes to the health management module for management.
5. The Token-based access verification method according to claim 4, wherein after the step of the authentication center module transmitting the updated key mapping table to the target distributed node, further comprising:
The distributed node deletes its second key mapping table and takes the updated key mapping table and its previous first key mapping table as the first key mapping table and the second key mapping table respectively, wherein the initial value of the first key mapping table is the key mapping table and the initial value of the second key mapping table is null.
6. The Token-based access verification method according to claim 5, wherein the processing the request content if the distributed node verifies that the authenticated Token is valid comprises:
the distributed node processes the authentication Token to obtain the target access key, the user ID, the current timestamp, the random encryption parameter and the node identification ID;
the distributed node obtains a first key from the first key mapping table through the node identification ID;
The distributed node calculates a first check key through a preset encryption algorithm according to the first key, the node identification ID and the user ID, and generates a first target check key according to the first check key, the current timestamp, the request content, the random encryption parameter and the user ID;
The distributed node compares the first target verification key with the target access key;
and if the first target verification key is the same as the target access key and the difference between the current timestamp and the timestamp of the last transmitted request is within a preset allowable expiration time range, judging that the authentication Token is legal and processing the request content.
7. The Token-based access authentication method of claim 6, wherein after the step of the distributed node comparing the first target verification key with the target access key, further comprising:
if the first target verification key is different from the target access key, the distributed node acquires a second key from the second key mapping table through the node identification ID;
The distributed node calculates a second verification key through a preset encryption algorithm according to the second key, the node identification ID and the user ID, and generates a second target verification key according to the second verification key, the current timestamp, the request content, the random encryption parameter and the user ID;
If the second target verification key is the same as the target access key and the difference between the current timestamp and the timestamp of the last transmitted request is within the preset allowable expiration time range, the authentication Token is judged to be legal, the request content is processed, and the access key is retransmitted to the client.
8. The Token-based access verification system is characterized by comprising a sending unit and a verification unit which are configured in an authentication center module of a server, a receiving and sending unit and a verification processing unit which are configured in all distributed nodes, and a generating unit which is configured in a client side,
The sending unit is used for distributing node Identification (ID) and generating a key to a plurality of registered distributed nodes by the authentication center module, and sending a key mapping table containing the node Identification (ID) and the key to each distributed node;
The receiving and sending unit is used for sending the user information and the node identification ID to the authentication center module if any distributed node receives the user information submitted by the client;
The verification unit is used for verifying the user information by the authentication center module, generating authentication information according to the node identification ID and the key mapping table if the verification is passed, and sending the authentication information to the client;
The generating unit is used for generating an authentication Token according to the request content and the authentication information by the client and sending the authentication Token and the request content to any one of the distributed nodes;
and the verification processing unit is used for processing the request content if the distributed node verifies that the authentication Token is legal.
9. A Token-based access verification system comprising a client, a server and a plurality of distributed nodes, each comprising a memory and a processor, the memory storing a computer program, wherein the processors of the client, the server and the plurality of distributed nodes implement the method of any of claims 1-7 when executing the computer program.
10. A computer readable storage medium, characterized in that the storage medium stores a computer program which, when executed by a processor, implements the method according to any of claims 1-7.
CN202311012466.9A 2023-08-10 2023-08-10 Token-based access verification method, system and storage medium Active CN117118606B (en)

Publications (2)

Publication Number Publication Date
CN117118606A CN117118606A (en) 2023-11-24
CN117118606B true CN117118606B (en) 2025-03-28

US9270771B2 (en) System and method for performing a delegation operation
CN117118606B (en) Token-based access verification method, system and storage medium
JP6848275B2 (en) Program, authentication system and authentication cooperation system
JP7099198B2 (en) Management equipment, management systems and programs
CN115001707A (en) Blockchain-based device authentication method and related devices
CN113051035A (en) Remote control method, device and system and host machine
CN116112215B (en) Remote certification method, device, electronic device and storage medium based on alliance chain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant