
CN207442908U - A network identity authentication device and a login device - Google Patents


Info

Publication number
CN207442908U
Authority
CN
China
Prior art keywords
server
website
authentication
information
user
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201721536607.7U
Other languages
Chinese (zh)
Inventor
刘文印
李昕
沈治恒
张加龙
凡帅
张启翔
巫家宏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong University of Technology
Original Assignee
Guangdong University of Technology
Landscapes

  • Computer And Data Communications (AREA)

Abstract

The utility model discloses a network identity authentication device comprising an Internet access terminal and a website server, and further comprising: a first server, connected to the Internet access terminal, for generating registration information for a target website and sending it to a second server; and the second server, connected to the first server and the website server, for sending an authentication request to the website server using the registration information to complete the authentication operation. In the network identity authentication device of the utility model, the first server can automatically generate a different username and password for the user on every target website that needs to be registered, and the second server can send the registration information carrying the username and password directly to the website server to complete the authentication operation, which improves the security of network identity authentication while avoiding password fatigue. The utility model also discloses a login device that achieves the same technical effect.

Description

A network identity authentication device and a login device

Technical field

The utility model relates to the technical field of information security control technology, and more specifically to a network identity authentication device and a login device.

Background

With the expansion of the Internet and the growth in user demand, the development of cyberspace has brought us convenience and speed, but has also brought new challenges to personal and national security and to social stability. The traditional character-based "username-password" network identity authentication management mechanism has become the current mainstream mechanism because it is simple to use, highly reliable, easy to deploy and low in cost.

However, a single user now has to register network identities on multiple websites and manage multiple network identities at the same time, and may therefore be exposed to a series of serious network security threats such as password fatigue, phishing scams and credential stuffing attacks.

For example, a user has registered network identities on multiple websites. To improve security, each network identity needs a different username and password. The user therefore has to memorise many usernames and passwords at once, which easily leads to confusion between them and a very poor user experience. This is the so-called "password fatigue" problem.

For convenience, most users choose the same or similar usernames and share one password. This is easy to remember but less secure: once one account is compromised, all accounts are at risk of exposure. Attackers can illegally obtain large amounts of users' network identity information by attempting to log in with already leaked identity information or commonly used passwords. This is the so-called "credential stuffing" attack.

Therefore, how to improve the security of network identity authentication while avoiding password fatigue is a problem that those skilled in the art need to solve.

Summary of the utility model

The purpose of the utility model is to provide a network identity authentication device and a login device that improve the security of network identity authentication while avoiding password fatigue.

To achieve the above purpose, an embodiment of the utility model provides a network identity authentication device comprising an Internet access terminal and a website server connected to the Internet access terminal, and further comprising:

a first server, connected to the Internet access terminal, for generating registration information for a target website and sending it to a second server;

the second server, connected to the first server and the website server, for sending an authentication request to the website server using the registration information to complete the authentication operation.

Wherein the second server is directly connected to the website server and is used to send the identity information of the target website and the registration information directly to the website server to complete the authentication operation.

Wherein the second server is connected to the website server through the Internet access terminal and is used to forward the identity information of the target website and the registration information to the Internet access terminal, so that the Internet access terminal completes the authentication operation with the website server.

Wherein the second server comprises an Internet access terminal extension and an extension server;

the Internet access terminal extension connects the Internet access terminal and the first server;

the extension server connects the first server and the Internet access terminal extension.

To achieve the above purpose, an embodiment of the utility model provides a login device comprising the above network identity authentication device, for logging in to a terminal device.

It can be seen from the above solution that the network identity authentication device provided by the embodiment of the utility model comprises an Internet access terminal and a website server connected to the Internet access terminal, and further comprises: a first server, connected to the Internet access terminal, for generating registration information for a target website and sending it to a second server; and the second server, connected to the first server and the website server, for sending an authentication request to the website server using the registration information to complete the authentication operation.

In the network identity authentication device provided by the embodiment of the utility model, the first server can automatically generate a different username and password for the user on every target website that needs to be registered. The user does not need to remember these usernames and passwords, and when registering on or logging in to a target website does not need to download any application from that website; the second server can send the registration information carrying the username and password directly to the website server to complete the authentication operation, which avoids credential stuffing attacks caused by usernames and passwords that are too similar. It can thus be seen that the network identity authentication device provided by the embodiment of the utility model improves the security of network identity authentication while avoiding password fatigue. The utility model also discloses a login device that achieves the same technical effect.

Description of the drawings

In order to explain more clearly the technical solutions in the embodiments of the utility model or in the prior art, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the utility model, and those of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic structural diagram of a network identity authentication device disclosed in an embodiment of the utility model;

FIG. 2 is a schematic structural diagram of another network identity authentication device disclosed in an embodiment of the utility model.

Detailed description

The technical solutions in the embodiments of the utility model are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the utility model, not all of them. Based on the embodiments of the utility model, all other embodiments obtained by those of ordinary skill in the art without creative effort fall within the scope of protection of the utility model.

An embodiment of the utility model discloses a network identity authentication device that improves the security of network identity authentication while avoiding password fatigue.

Referring to FIG. 1, which is a schematic structural diagram of a network identity authentication device disclosed in an embodiment of the utility model, the device comprises an Internet access terminal 101 and a website server 102 connected to the Internet access terminal 101, and further comprises:

a first server 103, connected to the Internet access terminal, for generating registration information for a target website and sending it to a second server;

the second server 104, connected to the first server and the website server, for sending an authentication request to the website server using the registration information to complete the authentication operation.

In this embodiment, the specific workflow of the network identity authentication device is as follows:

S1: the first server obtains the identity information and registration rules of the target website through the Internet access terminal;

The purpose of this step is to obtain the identity information and registration rules of the target website so that subsequent steps can automatically generate the registration information of the target website according to the registration rules. The registration information may include the username and password for logging in to the target website, and the target website is accessed using the identity information and the registration information.

In a specific implementation, the Internet access terminal obtains the identity information and registration rules of the target website from the website server and sends them to the first server. The identity information includes the URL and session information of the target website.

It will be understood that there are many ways for the first server to obtain the identity information and registration rules of the target website; they are not specifically limited here, and those skilled in the art can choose flexibly according to the actual situation. For example, the second server obtains the identity information and registration rules of the target website according to the target website that the Internet access terminal has requested to display and, either automatically or when the user clicks on the input box, generates a corresponding QR code and returns it to the Internet access terminal for display; the first server scans the QR code, establishes a secure connection with the second server, and obtains the identity information and registration rules of the target website from the second server over that secure connection.

As another example, the first server first establishes a secure connection with the second server; after the second server obtains the identity information and registration rules of the target website according to the target website that the Internet access terminal has requested to display, it sends them to the first server over the secure connection when the user clicks on the corresponding input box on the page shown on the Internet access terminal.

It should be noted that there are many ways to establish the secure connection in the above examples, and they are not specifically limited here. For example, the first server may establish a secure connection with the second server by logging in to the second server. As another example, the second server obtains the identity information of the target website that the Internet access terminal has requested to display, generates a unique session identifier (sessionID), and generates a QR code containing that unique session identifier; the first server obtains the unique session identifier by scanning the QR code and sends it to the second server; the second server verifies the received unique session identifier, and if the verification succeeds, the operation of establishing a secure connection between the first server and the second server is complete.
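The sessionID pairing described above leaves open what "verification" on the second server must check. The following is an added example, not code from the patent or from Guangdong University of Technology, showing the second server's side of that exchange with a constructed clock and constructed identity data: the sessionID is generated from the OS CSPRNG, accepted only once, and only within an assumed 120-second lifetime, so a replayed, expired or guessed identifier does not open a connection. The class and field names are assumptions.

```python
import secrets
import time

SESSION_TTL_SECONDS = 120  # assumed lifetime of a QR pairing code


class SecondServerPairing:
    """The second server's side of the QR-code pairing: it issues a unique
    sessionID tied to the target website's identity information, embeds it in
    a QR code (rendering not shown), and later verifies the sessionID a first
    server sends back after scanning."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}      # sessionID -> (site identity, issue time)
        self._connections = {}  # sessionID -> first-server id, once verified

    def issue_session(self, site_identity: dict) -> str:
        # 32 random bytes from the OS CSPRNG: unguessable, so only the device
        # that actually scanned the QR code can present this value.
        session_id = secrets.token_urlsafe(32)
        self._pending[session_id] = (site_identity, self._clock())
        return session_id

    def verify_session(self, session_id: str, first_server_id: str):
        """Return the site identity if the sessionID is valid, else None.
        A sessionID is accepted at most once and only within its TTL."""
        entry = self._pending.pop(session_id, None)   # single use
        if entry is None:
            return None
        site_identity, issued_at = entry
        if self._clock() - issued_at > SESSION_TTL_SECONDS:
            return None
        self._connections[session_id] = first_server_id
        return site_identity

    def is_connected(self, session_id: str) -> bool:
        return session_id in self._connections


def run_pairing_exchange() -> dict:
    """Walk through the exchange with a controllable clock (constructed data)."""
    now = [1000.0]
    server = SecondServerPairing(clock=lambda: now[0])
    site = {"url": "https://example.test/login", "session": "constructed-web-session"}

    sid = server.issue_session(site)                       # embedded in the QR code
    first = server.verify_session(sid, "first-server-A")   # scanned and sent back
    replay = server.verify_session(sid, "first-server-B")  # same code presented again
    stale = server.issue_session(site)
    now[0] += SESSION_TTL_SECONDS + 1                      # code left unscanned too long
    expired = server.verify_session(stale, "first-server-A")
    forged = server.verify_session("not-a-real-session-id", "first-server-C")
    return {"first": first, "replay": replay, "expired": expired,
            "forged": forged, "connected": server.is_connected(sid)}


if __name__ == "__main__":
    print(run_pairing_exchange())
```

The single-use rule matters more than it looks: a QR code is displayed on the terminal's screen, so anyone who can see that screen can also scan it, and the first presentation must win while later ones are refused.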

The first server is a computer system that the user can trust and that helps the user generate account information automatically. It should be noted that each user can authorise multiple first servers, but one first server can only serve one user.

This step assumes that the first server has already been authorised and activated by the user. There may be many ways for the user to activate the first server, which are not specifically limited here. For example, the user can set a master password for the first server and activate it by entering the master password. As another example, the user can activate the first server by presenting previously authorised biometric characteristics, which may include the user's iris, fingerprint or voice information, and are not specifically limited here.

After the first server obtains the identity information and registration rules of the target website through the Internet access terminal, a step of judging from the identity information whether the target website is a phishing website may also be included. Of course, those skilled in the art can choose any method to judge whether the target website is a phishing website, and all such methods fall within the scope of protection of the embodiments of the utility model. For example, a feature extractor can extract a feature vector for the target website, and the feature vector can be fed to a trained classifier to determine whether the target website is a phishing website. When the target website is a phishing website, a warning can be sent to the user through the Internet access terminal; it will be understood that the warning can take many forms, such as a pop-up dialog or audio, and is not specifically limited here.

S2: obtain the registration information of the target website according to the identity information, or generate the registration information according to the registration rules;

In a specific implementation, the first server can generate the account information (i.e. the username and password) automatically on the user's behalf. The website server needs to tell the first server, in an agreed format (such as JSON), what information is required at registration (such as an e-mail address or mobile phone number) and what rules the username and password must satisfy. If necessary, the first server can obtain the required information from other sources according to the server-side requirements (this can include the serial numbers of the first server's software and hardware), use this information to generate a username and password according to the rules required by the server, and combine them with the other information provided by the user (which can of course also include other information obtained automatically by the first server) to produce the registration information required by the target website.

It should be noted that the first server can also manage the network identities the user has already registered. The user's registered network identity information, that is, the usernames and passwords of websites already registered, can be stored in the first server; the user can add newly registered accounts or delete old ones at any time, and back them up and synchronise them in the cloud and between multiple first servers.

Before generating the registration information, the first server can look up, according to the identity information, the network identity information the user has already registered for the target website and proceed directly to S3 to complete the login authentication operation. Of course, even if the first server has found one or more historical registrations for the target website, the user can still choose to generate a new registration for the target website according to the registration rules and then execute S3 to complete the registration authentication operation.
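Step S2 as described in the preceding paragraphs (rules received in JSON, per-site credential generation, and the lookup of already registered identities before generating new ones) is shown below as an added example, not code from the patent or from Guangdong University of Technology. The JSON field names, the length and character-class rules, and the identity table are all constructed assumptions; the patent only says the rules arrive in an agreed format such as JSON. Credentials come from the `secrets` module so that the usernames are not correlatable across sites.

```python
import json
import secrets
import string

# Constructed sample of the registration-rules message a website server might
# send to the first server. Field names are assumptions, not from the patent.
SAMPLE_RULES_JSON = json.dumps({
    "site": "https://example.test/register",
    "required_fields": ["email"],
    "username": {"min_length": 6, "max_length": 16, "charset": "alnum"},
    "password": {"min_length": 12, "max_length": 32,
                 "require_upper": True, "require_digit": True,
                 "require_symbol": True},
})

CHARSETS = {
    "alnum": string.ascii_letters + string.digits,
    "lower": string.ascii_lowercase + string.digits,
}
SYMBOLS = "!@#$%^&*()-_=+"


def parse_rules(rules_json: str) -> dict:
    """Parse and sanity-check the registration rules; reject malformed input."""
    rules = json.loads(rules_json)
    for key in ("site", "username", "password"):
        if key not in rules:
            raise ValueError(f"registration rules missing '{key}'")
    for spec in (rules["username"], rules["password"]):
        if spec["min_length"] < 1 or spec["min_length"] > spec["max_length"]:
            raise ValueError("inconsistent length bounds in registration rules")
    return rules


def password_satisfies(pw: str, spec: dict) -> bool:
    """Check a password against the site's rules."""
    if not spec["min_length"] <= len(pw) <= spec["max_length"]:
        return False
    if spec.get("require_upper") and not any(c.isupper() for c in pw):
        return False
    if spec.get("require_digit") and not any(c.isdigit() for c in pw):
        return False
    if spec.get("require_symbol") and not any(c in SYMBOLS for c in pw):
        return False
    return True


def generate_username(spec: dict) -> str:
    # OS CSPRNG rather than random(): a predictable username generator would
    # let the user's identities on different sites be linked to each other.
    alphabet = CHARSETS[spec.get("charset", "alnum")]
    length = max(spec["min_length"], min(spec["max_length"], 12))
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_password(spec: dict) -> str:
    length = max(spec["min_length"], min(spec["max_length"], 20))
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:  # rejection sampling keeps the distribution uniform
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if password_satisfies(pw, spec):
            return pw


def build_registration(identity_table: dict, site_id: str, rules_json: str,
                       user_fields: dict, force_new: bool = False) -> dict:
    """S2: reuse the identity already stored for this site (a login), or
    generate fresh credentials that satisfy the site's rules and record them
    (a registration). Returns the message handed to the second server."""
    rules = parse_rules(rules_json)
    missing = [f for f in rules.get("required_fields", []) if f not in user_fields]
    if missing:
        raise ValueError(f"user must supply: {missing}")
    if site_id in identity_table and not force_new:
        return {"site": site_id, "action": "login", **identity_table[site_id]}
    creds = {"username": generate_username(rules["username"]),
             "password": generate_password(rules["password"])}
    identity_table[site_id] = creds  # the user's identity table on the first server
    return {"site": site_id, "action": "register", **creds, **user_fields}


if __name__ == "__main__":
    table = {}
    print(build_registration(table, "https://example.test", SAMPLE_RULES_JSON,
                             {"email": "user@example.test"}))
```

`force_new` corresponds to the user's choice in the text to register a fresh identity even though an old one exists; a real first server would also persist `identity_table` encrypted under the master password or biometric unlock described earlier.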

S3: send the identity information and the registration information to the second server, so that the second server uses the identity information and the registration information to send an authentication request to the website server to complete the authentication operation.

In a specific implementation, the role of the second server is to send an authentication request to the website server; the authentication request may be a registration request or a login request. Therefore, before the above step of generating the registration information of the target website according to the registration rules, there is also a step of querying, according to the identity information, whether the identity information table contains historical registration information for the target website. If so, the historical registration information is used as the login information for the target website, and the identity information and the historical registration information are sent to the second server so that it can use them to send a login request to the website server to complete the authentication operation; if not, the step of generating the registration information of the target website according to the registration rules is executed.

It will be understood that the user can have the historical registration information in the identity information table modified automatically at any time through the first server. The first server first establishes a secure connection with the second server and obtains the identity information of the website to be modified over that connection; the first server looks up the historical registration information of that website according to the identity information, automatically modifies it according to the registration rules, and sends the identity information and the modified registration information to the website server through the second server; after completing the modification, the website server notifies the Internet access terminal whether the modification succeeded. It should be noted that the way the secure connection is established here is similar to that described above and is not repeated.

Before the second server uses the identity information and the registration information to send an authentication request to the website server to complete the authentication operation, a step of judging whether any request, including the authentication request, is illegal or malicious may also be included. When the registration request is illegal or malicious, a warning can be sent to the administrator; it will be understood that the warning can take many forms, such as a pop-up dialog or audio, and is not specifically limited here. If the registration request is not illegal or malicious, the step in which the second server sends the registration request to the website server using the identity information and the registration information to complete the authentication operation is executed.

It will be understood that there are many ways to detect malicious requests, which are not specifically limited here. For example, requests can be checked against a rule set summarised in advance, or by a classifier trained with a machine learning algorithm. The second server first checks and filters the registration and login requests coming from the first server, thereby improving the efficiency of the website server and reducing its load. On websites that receive a high concentration of login requests (such as "12306"), some users may log in frequently and register multiple accounts to engage in improper activities (such as "scalpers" grabbing tickets). In addition, frequent login attempts are a common means by which attackers carry out credential stuffing attacks. In these situations the second server receives a large number of registration and login requests from the first server within a short time. By analysing the information-source parameters carried in these requests, it can tell whether they come from the same first server. If the second server finds that the same first server has requested to log in to or create a new account on the website server many times within a certain period, it automatically filters out all requests from that first server and temporarily blocks it. Registration and login requests passed on by the second server are all treated as legitimate and valid by the website server and are responded to and processed in full. The results of the processed requests are returned to the first server and to the user's Internet access terminal for the user's next operation.
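The rule-based filter described above (count authentication requests per source first server within a time window, then block that source for a while and alert the administrator) is shown below as an added example, not code from the patent or from Guangdong University of Technology. The window size, threshold and block duration are assumed values, the `source` parameter is the request's information-source field under an assumed name, and the request log is constructed; it interleaves one well-behaved first server with one that bursts, so the output shows that the block is per source and expires.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60    # assumed "certain period" from the text
MAX_REQUESTS = 5       # assumed requests allowed per first server per window
BLOCK_SECONDS = 600    # assumed length of the temporary block


class RequestFilter:
    """Sliding-window rate check on the second server, keyed on the request's
    information-source parameter (the first server that sent it)."""

    def __init__(self):
        self._recent = defaultdict(deque)  # source -> timestamps inside the window
        self._blocked_until = {}           # source -> time at which the block ends
        self.alerts = []                   # messages for the website administrator

    def check(self, req: dict) -> str:
        """Return 'forward' (pass to the website server) or 'blocked'."""
        src, ts = req["source"], req["ts"]
        until = self._blocked_until.get(src)
        if until is not None:
            if ts < until:
                return "blocked"          # still inside the temporary block
            del self._blocked_until[src]  # block has expired
        window = self._recent[src]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()              # drop timestamps older than the window
        if len(window) > MAX_REQUESTS:
            self._blocked_until[src] = ts + BLOCK_SECONDS
            window.clear()
            self.alerts.append(
                f"t={ts}: source {src} sent more than {MAX_REQUESTS} auth requests "
                f"in {WINDOW_SECONDS}s; blocked for {BLOCK_SECONDS}s")
            return "blocked"
        return "forward"


# Constructed request log: timestamps in seconds, one normal first server
# (fs-001) and one bursting first server (fs-002).
SAMPLE_REQUESTS = (
    [{"ts": 0, "source": "fs-001", "action": "login"},
     {"ts": 30, "source": "fs-001", "action": "login"},
     {"ts": 90, "source": "fs-001", "action": "register"}]
    + [{"ts": 100 + i, "source": "fs-002", "action": "register"} for i in range(6)]
    + [{"ts": 110, "source": "fs-001", "action": "login"},
       {"ts": 200, "source": "fs-002", "action": "login"},    # still blocked
       {"ts": 800, "source": "fs-002", "action": "login"}]    # block expired
)


def run_filter(requests):
    """Apply the filter to a request log; return (decisions, admin alerts)."""
    flt = RequestFilter()
    decisions = [(r["ts"], r["source"], flt.check(r)) for r in requests]
    return decisions, flt.alerts


if __name__ == "__main__":
    for ts, src, decision in run_filter(SAMPLE_REQUESTS)[0]:
        print(f"t={ts:4d} {src} -> {decision}")
```

Because the key is the first server rather than the end user's IP address, a single compromised or misbehaving first server is cut off without affecting other users, which is the property the text relies on when it says the website server can treat everything the second server forwards as legitimate.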

It can thus be seen that when the second server implements the monitoring and filtering of malicious registration and login requests, the verification code (CAPTCHA) no longer needs to exist, and the user experience of registration and login is further improved. When the website server is under attack, the second server can automatically apply a protection plan (such as temporarily disabling login for the affected or all network identities, or requiring additional authentication information) and notify the website administrator and users to take appropriate measures (such as changing passwords).

It should be noted that the second server can be deployed on the website server side or on the Internet access terminal side. Specifically, when the second server is deployed on the website server side, it is tightly connected to the website server and can transmit the identity information and registration information of the target website directly to the website server to complete the authentication operation. When the second server is deployed on the Internet access terminal side, it must first establish a secure connection with the first server; the first server sends the identity information and registration information of the target website to the second server over the secure connection, the second server forwards them to the Internet access terminal, and finally the Internet access terminal sends the authentication request to the website server to complete the authentication operation.

In the network identity authentication device provided by the embodiment of the utility model, the first server can automatically generate a different username and password for the user on every target website that needs to be registered. The user does not need to remember these usernames and passwords, and when registering on or logging in to a target website does not need to download any application from that website; the second server can send the registration information carrying the username and password directly to the website server to complete the authentication operation, which avoids credential stuffing attacks caused by usernames and passwords that are too similar. It can thus be seen that the network identity authentication device provided by the embodiment of the utility model improves the security of network identity authentication while avoiding password fatigue.

An embodiment of the utility model discloses a network identity authentication method. Compared with the previous embodiment, this embodiment further explains and optimises the technical solution. Specifically:

Referring to FIG. 2, which is a schematic structural diagram of another network identity authentication device disclosed in an embodiment of the utility model, the device comprises an Internet access terminal 201 and a website server 202, and further comprises:

a first server 203, connected to the Internet access terminal, for generating registration information for a target website and sending it to a second server;

the second server 204, connected to the first server and connected to the website server through the Internet access terminal, for forwarding the identity information of the target website and the registration information to the Internet access terminal, so that the Internet access terminal completes the authentication operation with the website server.

On the basis of the above embodiments, as a preferred implementation, the second server comprises an Internet access terminal extension and an extension server;

the Internet access terminal extension connects the Internet access terminal and the first server;

the extension server connects the first server and the Internet access terminal extension.
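The following is an added example and not code from the patent or its applicant: it models the four parties of the FIG. 2 variant (first server, second server, Internet access terminal, website server) in Python, with the second server forwarding the target website's identity information together with the registration information to the terminal, which then completes the authentication with the website server. Everything beyond the four roles is an assumption made for the illustration: the class and method names, representing the website's "identity information" as a public-key fingerprint that the terminal checks before releasing credentials, and PBKDF2 storage on the website side. The `demo` function registers one user at two sites, then replays site A's credentials at site B, which is the credential stuffing scenario the text says the design avoids.

```python
"""Added example modelling the FIG. 2 embodiment; not the patent's own code.
Names, the fingerprint-based site identity and the PBKDF2 storage are assumptions."""
import hashlib
import hmac
import secrets
import string


class WebsiteServer:
    """Website server: stores salted PBKDF2 hashes and checks login attempts."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        # Assumption: the site's identity information is a SHA-256 fingerprint
        # of its public key; modelled here as a hash of random bytes.
        self.identity = hashlib.sha256(secrets.token_bytes(32)).hexdigest()
        self._users: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> bool:
        if username in self._users:
            return False
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(salt, password))
        return True

    def authenticate(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._hash(salt, password))


class FirstServer:
    """First server: generates a distinct random username/password per (user, site)."""

    _ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"

    def __init__(self) -> None:
        self._vault: dict[tuple[str, str], tuple[str, str]] = {}

    def registration_info(self, user_id: str, origin: str) -> tuple[str, str]:
        key = (user_id, origin)
        if key not in self._vault:
            username = "u" + secrets.token_hex(8)
            password = "".join(secrets.choice(self._ALPHABET) for _ in range(24))
            self._vault[key] = (username, password)
        return self._vault[key]


class SecondServer:
    """Second server (extension server): forwards site identity and registration info."""

    def __init__(self, first: FirstServer, directory: dict[str, str]) -> None:
        self._first = first
        self._directory = directory  # origin -> expected identity (assumption)

    def fetch(self, user_id: str, origin: str) -> tuple[str, tuple[str, str]]:
        return self._directory[origin], self._first.registration_info(user_id, origin)


class Terminal:
    """Internet access terminal with its extension: completes authentication with the site,
    but only after the site's identity matches what the second server forwarded."""

    def __init__(self, second: SecondServer) -> None:
        self._second = second

    def register_and_login(self, user_id: str, site: WebsiteServer) -> bool:
        expected_identity, (username, password) = self._second.fetch(user_id, site.origin)
        if not hmac.compare_digest(expected_identity, site.identity):
            return False  # identity mismatch: credentials are never released
        site.register(username, password)
        return site.authenticate(username, password)


def demo(user_id: str = "alice") -> dict:
    """Registers one user at two sites, then replays site A's credentials at site B."""
    site_a = WebsiteServer("https://a.example")
    site_b = WebsiteServer("https://b.example")
    first = FirstServer()
    second = SecondServer(first, {s.origin: s.identity for s in (site_a, site_b)})
    terminal = Terminal(second)
    login_a = terminal.register_and_login(user_id, site_a)
    login_b = terminal.register_and_login(user_id, site_b)
    user_a, pw_a = first.registration_info(user_id, site_a.origin)
    user_b, pw_b = first.registration_info(user_id, site_b.origin)
    # Credential stuffing: an attacker holding (user_a, pw_a) from a breach of A tries B.
    stuffing = site_b.authenticate(user_a, pw_a)
    # Look-alike site: same origin string, different key, so the terminal withholds credentials.
    lookalike = WebsiteServer("https://a.example")
    lookalike_login = terminal.register_and_login(user_id, lookalike)
    return {
        "login_a": login_a,
        "login_b": login_b,
        "distinct": (user_a, pw_a) != (user_b, pw_b),
        "stuffing_succeeds": stuffing,
        "lookalike_gets_credentials": lookalike_login,
    }


if __name__ == "__main__":
    print(demo())
```

Because the first server issues an independent random pair per site, a breach of one website server yields nothing usable at another; the identity check in `Terminal.register_and_login` is the piece the text attributes to forwarding the "identity information of the target website", and here it also stops a look-alike site from collecting the generated credentials.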

The present application also provides a login device, which comprises the network identity authentication device provided in the above embodiments and is used for logging in to terminal equipment.

In the login device provided by this embodiment of the utility model, the first server can automatically generate a different username and password for the user on each target website that requires registration. The user does not need to remember these usernames and passwords, and when registering with or logging in to a target website does not need to download an application from that website. The second server can send the registration information carrying the username and password directly to the website server to complete the authentication operation, which avoids the credential stuffing attacks that arise when a user's usernames and passwords are too similar across websites. The network identity authentication device contained in the login device of this embodiment therefore improves the security of network identity authentication while avoiding password fatigue.

The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the parts the embodiments have in common, reference may be made between them.

The above description of the disclosed embodiments enables a person skilled in the art to make or use the utility model. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the utility model. Therefore, the utility model is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Because the system disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for the relevant details, refer to the description of the method. It should be noted that a person of ordinary skill in the art can make several improvements and modifications to the present application without departing from its principles, and such improvements and modifications also fall within the scope of protection of the claims of the present application.

It should also be noted that in this specification, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device comprising that element.

Claims (5)

1. A network identity authentication device, comprising an Internet access terminal and a website server connected to the Internet access terminal, characterized in that it further comprises:
a first server, connected to the Internet access terminal, for generating registration information for a target website and sending it to a second server; and
the second server, connected to the first server and to the website server, for sending an authentication request to the website server using the registration information so as to complete the authentication operation.
2. The network identity authentication device according to claim 1, characterized in that the second server is connected directly to the website server, and sends the identity information of the target website and the registration information directly to the website server to complete the authentication operation.
3. The network identity authentication device according to claim 1, characterized in that the second server is connected to the website server through the Internet access terminal, and forwards the identity information of the target website and the registration information to the Internet access terminal so that the Internet access terminal completes the authentication operation with the website server.
4. The network identity authentication device according to claim 3, characterized in that the second server comprises an Internet access terminal extension and an extension server;
the Internet access terminal extension connects the Internet access terminal and the first server; and
the extension server connects the first server and the Internet access terminal extension.
5. A login device, characterized in that it comprises the network identity authentication device according to any one of claims 1 to 4, for logging in to terminal equipment.
CN201721536607.7U 2017-11-16 2017-11-16 A network identity authentication device and a login device Active CN207442908U (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201721536607.7U CN207442908U (en) 2017-11-16 2017-11-16 A network identity authentication device and a login device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201721536607.7U CN207442908U (en) 2017-11-16 2017-11-16 A network identity authentication device and a login device

Publications (1)

Publication Number Publication Date
CN207442908U true CN207442908U (en) 2018-06-01

Family

ID=62290027

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201721536607.7U Active CN207442908U (en) 2017-11-16 2017-11-16 A network identity authentication device and a login device

Country Status (1)

Country Link
CN (1) CN207442908U (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111371762A (en) * 2020-02-26 2020-07-03 广东工业大学 Identity authentication method and device, electronic equipment and storage medium
CN111371762B (en) * 2020-02-26 2021-03-16 广东工业大学 Identity authentication method and device, electronic equipment and storage medium
CN112929388A (en) * 2021-03-10 2021-06-08 广东工业大学 Network identity cross-device application rapid authentication method and system, and user agent device

Similar Documents

Publication Publication Date Title
WO2019095856A1 (en) Network identity authentication method and system, and user agent device used thereby
CN105897782B (en) A kind of processing method and processing device of the call request for interface
TWI633775B (en) Terminal identification method, machine identification code registration method, corresponding system and equipment
TWI519992B (en) Method and system of login authentication, and computer storage medium
CN108880822B (en) An identity authentication method, device, system, and an intelligent wireless device
CN105357186B (en) A kind of secondary authentication method based on out-of-band authentication and enhancing OTP mechanism
CN107046544B (en) Method and device for identifying illegal access request to website
JP2017535877A (en) Conditional login promotion
WO2018064881A1 (en) Method and system for saving user login state for use in ios client terminal
TW201405459A (en) Login verification method, client, server and system
US8881273B2 (en) Device reputation management
CN106302332B (en) User data access control method, device and system
CN107733838A (en) A kind of mobile terminal client terminal identity identifying method, device and system
CN102624687A (en) Networking program user authentication method based on mobile terminal
CN104539604A (en) Website protection method and device
CN109302397B (en) Network security management method, platform and computer readable storage medium
CN105282166A (en) Identity authentication method and system for linux operating system
CN103716316B (en) A kind of authenticating user identification system
CN207442908U (en) A network identity authentication device and a login device
CN108259436B (en) User identity authentication processing method, application server and authentication system server
CN104506518B (en) The identity identifying method of MIPS platform network system access controls
JP5743822B2 (en) Information leakage prevention device and restriction information generation device
CN109639695A (en) Dynamic identity authentication method, electronic equipment and storage medium based on mutual trust framework
CN107682371A (en) A kind of malice AP detection method and device
CN104717177B (en) A kind of mobile application security management-control method and equipment

Legal Events

Date Code Title Description
GR01 Patent grant