CN111859406B - Method, device and system for remote authentication - Google Patents

Info

Publication number: CN111859406B
Authority: CN (China)
Prior art keywords: random number, user, access request, response information, authentication server
Legal status: Active
Application number: CN201910364666.8A
Other languages: Chinese (zh)
Other versions: CN111859406A
Inventors: 姚亦峰, 刘蜀宁
Current Assignee: Nokia Shanghai Bell Co Ltd; Nokia Solutions and Networks Oy
Original Assignee: Nokia Shanghai Bell Co Ltd; Nokia Solutions and Networks Oy

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/60 Protecting data > G06F21/604 Tools and structures for managing or administering access control systems
        • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication
        • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/44 Program or device authentication
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/2103 Challenge-response

Abstract

The application provides a method, a device and a system for remote authentication, in which a first random number is generated for a first device and a second random number is generated for a second user, so that the second user can remotely access the first device using a temporary login password (namely a one-time-use password). During the remote authentication process, the first password information of the first device and the second password information of the second user are never transmitted or exchanged over the network in any form, so the security of remote access is ensured.

Description

Method, device and system for remote authentication
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, an apparatus, and a system for performing remote authentication.
Background
In the prior art, when performing remote access, a user typically needs to enter a fixed password (e.g., entering the fixed password over telnet) to remotely access a device, and an authentication server determines whether to grant the user permission to remotely access the device by verifying that fixed password. However, because the password must be exchanged over the network, it is easily sniffed (telnet passwords, for example), and even when SSH (Secure Shell protocol) encryption is used, weak passwords may be attacked by means such as dictionary attacks, which makes remote access a great security risk.
Disclosure of Invention
The invention aims to provide a method, a device and a system for remote authentication.
According to one aspect of the present invention, there is provided a first apparatus for remote authentication in a first device, wherein the first apparatus is configured to:
receive a second random number corresponding to a second user;
receive a first access request from a second device used by the second user, wherein the first access request comprises second response information corresponding to the second user;
calculate first response information corresponding to the first device according to the second random number and first password information corresponding to the first device;
and generate a second access request according to the first access request and the first response information, and send the second access request to an authentication server.
According to another aspect of the present invention, there is provided a second apparatus for performing remote authentication in a second device, wherein the second apparatus includes:
means for receiving input information input by a second user for remotely accessing a first device, wherein the input information includes second response information corresponding to the second user, the second response information being calculated based on a first random number corresponding to the first device and second password information corresponding to the second user;
and means for generating a first access request for the first device based on the input information and transmitting the first access request to the first device.
According to another aspect of the present invention, there is provided a third apparatus for remote authentication in an authentication server, wherein the third apparatus includes:
means for receiving a second access request from a first device, wherein the second access request includes first response information corresponding to the first device and second response information corresponding to a second user;
means for determining, according to the second access request, whether the first response information and the second response information are correct by combining first password information corresponding to the first device and second password information corresponding to a second user;
and means for generating feedback information corresponding to the second access request according to the judgment result and sending the feedback information to the first device.
According to another aspect of the present invention, there is provided a fourth apparatus for performing remote authentication in a network device, wherein the fourth apparatus includes:
means for obtaining a first random number corresponding to a first device and providing the first random number to the second user;
means for obtaining a second random number corresponding to a second user and providing the second random number to the first device.
According to another aspect of the present invention, there is provided a system for performing remote authentication, wherein the system comprises a first device comprising a first apparatus as described herein, a second device comprising a second apparatus as described herein, and an authentication server comprising a third apparatus as described herein. In some embodiments, the system further comprises other network devices comprising the fourth apparatus described herein.
According to another aspect of the present invention, there is provided a method for remote authentication in a first device, wherein the method comprises the steps of:
receiving a second random number corresponding to a second user;
receiving a first access request from a second device used by the second user, wherein the first access request comprises second response information corresponding to the second user;
calculating first response information corresponding to the first device according to the second random number and first password information corresponding to the first device;
and generating a second access request according to the first access request and the first response information, and sending the second access request to an authentication server.
According to another aspect of the present invention, there is provided a method for remote authentication in a second device, wherein the method comprises the steps of:
receiving input information input by a second user and used for remotely accessing a first device, wherein the input information comprises second response information corresponding to the second user, and the second response information is calculated based on a first random number corresponding to the first device and second password information corresponding to the second user;
and generating a first access request for the first device according to the input information, and sending the first access request to the first device.
According to another aspect of the present invention, there is provided a method for remote authentication in an authentication server, wherein the method comprises the steps of:
receiving a second access request from a first device, wherein the second access request comprises first response information corresponding to the first device and second response information corresponding to a second user;
judging whether the first response information and the second response information are correct according to the second access request, in combination with the first password information corresponding to the first device and the second password information corresponding to the second user;
and generating feedback information corresponding to the second access request according to the judgment result, and sending the feedback information to the first device.
According to another aspect of the present invention, there is provided a method for remote authentication in a network device, wherein the method comprises the steps of:
obtaining a first random number corresponding to a first device and providing the first random number to the second user;
and obtaining a second random number corresponding to a second user and providing the second random number to the first device.
According to another aspect of the present invention, there is provided a method for performing remote authentication, wherein the method comprises the steps of: the first device receives a second random number corresponding to a second user; a second device receives input information input by the second user for remotely accessing the first device, wherein the input information comprises second response information corresponding to the second user, the second response information being calculated based on a first random number corresponding to the first device and second password information corresponding to the second user; the second device generates a first access request for the first device according to the input information and sends the first access request to the first device; the first device receives the first access request; the first device calculates first response information corresponding to the first device according to the second random number and first password information corresponding to the first device; the first device generates a second access request according to the first access request and the first response information and sends the second access request to an authentication server; the authentication server receives the second access request; the authentication server judges whether the first response information and the second response information are correct according to the second access request, in combination with the first password information corresponding to the first device and the second password information corresponding to the second user; and the authentication server generates feedback information corresponding to the second access request according to the judgment result and sends the feedback information to the first device.
In some embodiments, the method further comprises the following steps performed before the step of the first device receiving a second random number corresponding to a second user: the authentication server or other network equipment obtains a first random number corresponding to first equipment and provides the first random number for the second user; the authentication server or other network device obtains a second random number corresponding to a second user and provides the second random number to the first device.
Compared with the prior art, the present application has the following advantages: by generating a first random number for the first device and a second random number for the second user, the second user can remotely access the first device using a temporary login password (namely, a password that can be used only once), and during the remote authentication process the first password information of the first device and the second password information of the second user are never transmitted or exchanged over the network in any form, so the security of remote access is ensured; the authentication server must judge the correctness of both the first response information and the second response information in the second access request, and grants the second device remote access only when both are correct, so that double authentication is realized in the authentication server and it is ensured that a correct second user remotely accesses a first device having a correct association relation with it; further, by centrally managing the passwords of the second user and the first device in the authentication server, the security of the remote authentication process is enhanced.
Drawings
Other features, objects and advantages of the present invention will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the accompanying drawings in which:
FIG. 1 is a block diagram of a system for remote authentication in accordance with one embodiment of the present invention;
FIG. 2 is a block diagram of a system for remote authentication in accordance with another embodiment of the present invention;
FIG. 3 is a flow chart of a method for remote authentication according to one embodiment of the present invention;
FIG. 4 is a flow chart of a method for providing a first random number and a second random number in an authentication server or other network device according to one embodiment of the present invention;
FIG. 5 is a schematic diagram of a system for remote authentication according to one embodiment of the present invention;
FIG. 6 is a schematic diagram of a system for remote authentication according to another embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a system for remote authentication according to another embodiment of the present invention.
The same or similar reference numbers in the drawings refer to the same or similar parts.
Detailed Description
Before discussing exemplary embodiments in more detail, it should be mentioned that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart depicts operations as a sequential process, many of the operations can be performed in parallel, concurrently, or at the same time. Furthermore, the order of the operations may be rearranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figures. The processes may correspond to methods, functions, procedures, subroutines, and the like.
In this context, the term "computer device" refers to an intelligent electronic device that can execute predetermined processing procedures such as numerical computation and/or logic computation by executing predetermined programs or instructions, and may include a processor and a memory, where the predetermined processing procedures are executed by the processor executing program instructions pre-stored in the memory, or by hardware such as an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), or by a combination of the two.
The computer equipment includes network equipment and user equipment. The network device includes, but is not limited to, a single network server, a server group of multiple network servers, or a cloud based on cloud computing and consisting of a large number of computers or network servers, where cloud computing is a form of distributed computing, namely a super virtual computer made up of a group of loosely coupled computers. The user equipment includes, but is not limited to, a PC, a tablet computer, a smart phone, an IPTV, a PDA, a wearable device and the like; preferably, the user device is a head-mounted device, such as a VR (Virtual Reality) device, an AR (Augmented Reality) device, or an MR (Mixed Reality) device. The computer device can realize the invention by running alone, or can be connected to a network and realize it through interaction with other computer devices in the network. The network in which the computer device is located includes, but is not limited to, the internet, a wide area network, a metropolitan area network, a local area network, a VPN network, a wireless ad hoc network, and the like.
It should be noted that the above network devices and user devices are merely examples, and other computer devices that may be present in the present invention or may appear in the future are applicable to the present invention, and are also included in the scope of the present invention and are incorporated herein by reference.
The methods discussed later herein (some of which are illustrated by flowcharts) may be implemented by hardware, software, firmware, middleware, microcode, hardware description languages, or any combination thereof. When implemented in software, firmware, middleware or microcode, the program code or code segments to perform the necessary tasks may be stored in a machine or computer readable medium such as a storage medium. The processor(s) may perform the necessary tasks.
Specific structural and functional details disclosed herein are merely representative and are for purposes of describing exemplary embodiments of the invention. The invention may be embodied in many alternate forms and should not be construed as limited to only the embodiments set forth herein.
It will be understood that, although the terms "first," "second," etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another element. For example, a first element could be termed a second element, and, similarly, a second element could be termed a first element, without departing from the scope of example embodiments. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used herein, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be noted that, in some alternative implementations, the functions/acts noted may occur out of the order noted in the figures. For example, two figures shown in succession may in fact be executed substantially concurrently or the figures may sometimes be executed in the reverse order, depending upon the functionality/acts involved.
The invention is described in further detail below with reference to the accompanying drawings.
Fig. 1 is a block diagram of a system for remote authentication according to one embodiment of the present invention. The system for performing remote authentication includes a first device 100, a second device 200, and an authentication server 300. The first device 100 is the device that is remotely accessed in the remote access process; it may be any terminal device connected to a network, such as a smart home device or a mobile terminal device, and its owner (also referred to herein as the "first user") may be an individual user or an enterprise user (e.g., a dealer). The second device 200 is the device used to remotely access the first device 100, that is, the second user uses the second device 200 to remotely access the first device 100; the second device 200 may be any user device or network device connected to the network, and its owner (also referred to herein as the "second user") may be an individual user or an enterprise user (e.g., a service provider of a smart home device). The authentication server 300 performs the authentication operation for the remote access; it may be any network device implementing a remote access authentication function, and in some embodiments it is an AAA (Authentication, Authorization, Accounting) server. The authentication server 300 maintains the first password information corresponding to each first device and the second password information corresponding to each second user.
In some embodiments, the association between the first device and the second user is also maintained in the authentication server 300, for example, identification information of a plurality of operators and device information corresponding to each operator are stored in the authentication server 300, so that when a first device needs to be remotely tracked and debugged, the authentication server 300 can determine the operator associated with the first device based on the correspondence between the operators and the device information, that is, determine the second user that needs to remotely access the first device; in other embodiments, the authentication server 300 may determine that a second user needs to remotely access the first device directly based on information provided by the first user.
Fig. 2 is a block diagram of a system for remote authentication according to another embodiment of the present invention. The system for performing remote authentication includes a first device 100, a second device 200, an authentication server 300, and a network device 400. The first device 100, the second device 200, and the authentication server 300 are described in detail in the embodiment shown in fig. 1, and are not described herein. Preferably, the network device 400 is a cloud server. In some embodiments, an association between the first device and the second user is maintained in the network device 400, for example, identification information of a plurality of operators and device information corresponding to each operator are stored in the network device 400, so that when remote tracking and debugging is required for one first device, the network device 400 can determine the operator associated with the first device, that is, determine the second user that needs to remotely access the first device, based on the correspondence between the operators and the device information. In other embodiments, the network device 400 may determine that a second user needs to remotely access the first device directly based on information provided by the first user. It should be noted that, in some embodiments, the authentication server 300 and the network device 400 may be integrated into one device.
It should be noted that, the connection between the network device 400 and the first device 100 in fig. 2 is shown by a dashed line, which indicates that direct data transmission may or may not be performed between the network device 400 and the first device 100 in the remote authentication process (e.g., the network device 400 may send information to the third device used by the first user, and then the third device sends the information to the first device 100, where no direct data transmission is performed between the network device 400 and the first device 100). Likewise, the connection between the network device 400 and the authentication server 300 in fig. 2 is also indicated by a dashed line, which means that during the remote authentication process, direct data transmission may or may not be performed between the network device 400 and the authentication server 300.
It should be noted that, for simplicity, the system shown in fig. 1 and 2 is only for one remote access process, and thus only one first device 100 and one second device 200 are shown.
It should be noted that the remote authentication scheme of the present application is applicable to any application scenario of remote authentication, such as a remote debugging scenario, a remote teaching or demonstration scenario, etc. of a service provider for a terminal product produced by the service provider.
The remote authentication process of the present application is described in detail below based on fig. 3 to 7.
Before describing the remote authentication process of the present application in detail, it should first be noted that the remote authentication process described herein may be initiated in a variety of scenarios. In some example scenarios, the first user directly sends an instruction to the authentication server or other network device to initiate a remote connection to the first device, and the authentication server or other network device directly initiates the remote authentication process upon receiving it. In other example scenarios, the first user first negotiates with the authentication server or other network device through the third device that he uses (preferably through a specific mobile application in the third device), and the remote authentication process is initiated when the negotiation result is that remote access is required. For example, when the first user finds that a first device he purchased has failed, he reports the fault of the first device to the cloud server by mail, short message, chat (in the specific mobile application) or the like, and receives feedback from the cloud server; when the cloud server determines by preliminary judgment that remote tracking and debugging is required to resolve the fault, and the first user agrees to the remote tracking and debugging (i.e., the negotiation result is that remote access is required), the remote authentication process is started. It should be noted that the above scenarios for starting the remote authentication process are merely exemplary and do not limit the present application; those skilled in the art should understand that any implementation for starting the remote authentication process is included within the scope of protection of the present application.
Fig. 3 is a flow chart of a method for performing remote authentication according to an embodiment of the present invention. The method includes step S101, step S102, step S103, step S104, step S105, step S106, step S107, step S108, and step S109.
In step S101, the first device receives a second random number corresponding to a second user.
The second random number is random data generated for the second user. The present application does not limit the manner in which the second random number is generated; in some embodiments, the second random number is randomly generated by the authentication server or other network device. The manner in which the first device receives the second random number corresponding to the second user is also not limited. In some embodiments, after randomly generating the second random number corresponding to the second user, the authentication server or other network device sends it directly to the first device, and the first device receives the second random number from the authentication server or other network device. In other embodiments, the first device receives the second random number corresponding to the second user from a third device, where the third device receives the second random number from the authentication server or other network device and sends it to the first device; for example, after randomly generating the second random number corresponding to the second user, the authentication server or other network device provides it to the first user by short message, mail, an instant message received in a particular mobile application, or the like, and the first user then sends it to the first device using the particular mobile application in the third device (the "particular mobile application" referred to herein can be used to connect to and control the first device; for example, the first user may control a plurality of smart home devices arranged in a home through the particular mobile application).
In some embodiments, after the first device receives the second random number, if the first access request from the other device is not received for a predetermined time, the second random number is discarded or disabled.
Before step S102, the second user has received a first random number corresponding to the first device, where the first random number is random data generated for the first device. The generation manner of the first random number is not limited, for example, the first random number may be randomly generated by an authentication server or other network devices, may be randomly generated by the first device or a third device used by the first user, or may be manually randomly specified by the first user. The present application is also not limited to the manner in which the second user receives the first random number corresponding to the first device, for example, the second user may obtain the first random number by short messages, mail, receiving instant messages in a particular mobile application, or any other feasible manner. It should be noted that the first random number and the second random number may be generated simultaneously or not simultaneously, may be generated in the same device, or may be generated in different devices, and the application is not limited in this respect.
The implementation manner of providing the second random number to the first device and providing the first random number to the second user by the authentication server or other network devices will be described in detail below with reference to fig. 2, and will not be described herein.
In step S102, the second device receives input information input by the second user and used for remotely accessing the first device, where the input information includes second response information corresponding to the second user, and the second response information is calculated based on the first random number corresponding to the first device and the second password information corresponding to the second user.
The second password information refers to a fixed password corresponding to the second user; apart from being known to the second user, it is maintained only in the authentication server, and it is not transmitted or exchanged in the network at any point in the remote authentication process of the present application.
The algorithm for calculating the second response information (hereinafter referred to as the "first algorithm") may be any one-way encryption algorithm, such as SHA (Secure Hash Algorithm), SHA-1, SHA-2, SHA-3, or the domestic hash algorithm SM3 defined by GM/T 0004-2012. The operation of calculating the second response information may be performed in the second device, may be performed in another device, or may be performed manually by the second user. In some embodiments, the second user manually calculates the second response information corresponding to the second user from the second password information and the received second random number using a predetermined one-way encryption algorithm (e.g., SHA-3). In some embodiments, the second user inputs the second password information and the received second random number into the second device or another device, so that the second device or other device calculates the second response information corresponding to the second user using a predetermined one-way encryption algorithm (such as SHA-3).
The input information comprises any information that the second user inputs for logging in to the first device when accessing it remotely, such as telnet password information or account and password information. In some embodiments, the second user directly inputs the second response information to the second device as the temporary login password for the present remote authentication process; in other embodiments, the input information further includes the first random number corresponding to the first device, and the second user combines the second response information and the first random number into the temporary login password for the present remote authentication process and inputs it to the second device; for example, when entering the temporary login password, the second user first inputs the second response information and then inputs the first random number.
In step S103, the second device generates a first access request for the first device according to the input information, and sends the first access request to the first device.
The first access request is used for indicating to initiate remote access to the first device, and the first access request comprises the second response information. In some embodiments, when the input information further includes a first random number corresponding to the first device, the first access request further includes the first random number.
In step S104, the first device receives the first access request.
In step S105, the first device calculates first response information corresponding to the first device according to the second random number and first password information corresponding to the first device.
Specifically, the first device calculates first response information corresponding to the first device according to the second random number and first password information corresponding to the first device, and based on a predetermined algorithm.
The first password information refers to a fixed password corresponding to the first device, the first password information is only stored in the first device and the authentication server, and the first password information is not transmitted or exchanged in the network in the whole remote authentication process of the application.
The algorithm for calculating the first response information (hereinafter referred to as the "second algorithm") may be any one-way encryption algorithm, such as SHA, SHA-1, SHA-2, SHA-3, or the domestic hash algorithm SM3 defined by GM/T 0004-2012. It should be noted that the second algorithm may be the same algorithm as the first algorithm, or may be a different algorithm.
In step S106, the first device generates a second access request according to the first access request and the first response information, and sends the second access request to an authentication server.
Specifically, the first device generates the second access request according to the first access request and the first response information and a predetermined data format, and sends the second access request to the authentication server, so that the authentication server analyzes the second access request according to the predetermined data format. In some embodiments, the second access request includes: the first response information and the second response information extracted from the first access request.
In some embodiments, the first access request includes a first random number corresponding to the first device and second response information corresponding to the second user, and generating a second access request according to the first access request and the first response information and transmitting the second access request to the authentication server includes: generating the second access request according to the first access request, the first response information and the second random number, and sending the second access request to the authentication server. In this case the second access request includes: the second random number, the first response information, the first random number extracted from the first access request, and the second response information extracted from the first access request.
In some embodiments, the first device generates the second access request by reusing a data format of an existing authentication protocol and sends the second access request to an authentication server.
For example, the first device generates the second access request by reusing the attributes field of an existing RADIUS (Remote Authentication Dial In User Service) protocol packet, where the reused attributes field includes the values shown in the first column of table 1; the second column indicates the data type (type) (where string indicates a string and integer indicates an integer), the third column indicates the length (length) (where octets indicates bytes and bits indicates bits), and the fourth column indicates the corresponding data (data).
TABLE 1
For another example, the first device generates the second access request based on an existing EAP (Extensible Authentication Protocol) data format, where the Identity field is used to carry the identification information of the first device and the identification information of the second user at the same time, Type=254 (that is, Expanded Types, which allow a vendor to define its own extension type) is used, Vendor-Id is used to carry the identification information of the vendor, Vendor-Type is used to carry a vendor type value (for example, the vendor type value is defined as 1), and Vendor data is used to carry authentication-related data (for example, the type, length and value corresponding to the first random number, the second random number, the first response information and the second response information, respectively).
In some embodiments, a new data format may be defined by which the first device generates the second access request and sends the second access request to the authentication server.
It should be noted that the foregoing examples are only for better illustrating the technical solution of the present invention, and not for limiting the present invention, and those skilled in the art should understand that any implementation manner of generating the second access request according to the first access request and the first response information, and sending the second access request to the authentication server is included in the scope of the present application.
In step S107, the authentication server receives the second access request.
In step S108, the authentication server determines, according to the second access request, whether the first response information and the second response information are correct by combining the first password information corresponding to the first device and the second password information corresponding to the second user.
In some embodiments, the authentication server obtains a first random number corresponding to the first device and a second random number corresponding to the second user before the step S101, and then in the step S108, the authentication server parses the second access request according to a predetermined data format, and extracts second response information corresponding to the second user and first response information corresponding to the first device from the second access request; the authentication server calculates a first result according to the first random number and the second password information of the second user and based on the first algorithm, when the first result is the same as the second response information extracted from the second access request, the extracted second response information is determined to be correct, otherwise, the extracted second response information is considered to be incorrect; and the authentication server calculates a second result according to the second random number and the first password information of the first device and based on the second algorithm, when the second result is the same as the first response information extracted from the second access request, the extracted first response information is determined to be correct, otherwise, the extracted first response information is considered to be incorrect.
In other embodiments, the authentication server parses the second access request according to a predetermined data format, and extracts the following information from the second access request: second response information corresponding to the second user, first response information corresponding to the first device, a second random number corresponding to the second user, a first random number corresponding to the first device; the authentication server calculates a first result according to the first random number and the second password information of the second user and based on the first algorithm, when the first result is the same as the second response information extracted from the second access request, the extracted second response information is determined to be correct, otherwise, the extracted second response information is considered to be incorrect; and the authentication server calculates a second result according to the second random number and the first password information of the first device and based on the second algorithm, when the second result is the same as the first response information extracted from the second access request, the extracted first response information is determined to be correct, otherwise, the extracted first response information is considered to be incorrect.
In step S109, the authentication server generates feedback information corresponding to the second access request according to the determination result, and sends the feedback information to the first device.
Specifically, when the first response information and the second response information are both correct, the authentication server generates feedback information (such as an access-success message) indicating that authentication succeeded; when either of them is incorrect, that is, when at most one of the first response information and the second response information is correct, it generates feedback information (such as an access-failure message) indicating that authentication failed.
When the feedback information indicates authentication failure, the first device feeds back an authentication failure message to the second device, i.e., it refuses the second device remote access.
According to this scheme, a first random number is generated for the first device and a second random number is generated for the second user, so that the second user can remotely access the first device with a temporary login password (that is, a one-time password), and throughout the remote authentication process neither the first password information of the first device nor the second password information of the second user is transmitted or exchanged in the network in any form, which ensures the security of remote access. The authentication server must judge the correctness of both the first response information and the second response information in the second access request, and the second device is granted remote access only when both are correct, so that double authentication is realized in the authentication server and it is ensured that the correct second user remotely accesses a first device that has the correct association relationship with the second device. Further, by centrally managing the passwords of the second user and the first device in the authentication server, the security of the remote authentication process can be enhanced.
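The exchange of steps S101 to S109, as an added example in Python that is not part of the patent: the second user derives the temporary login password from the first random number and the fixed second password, the first device derives the first response from the second random number and the fixed first password, and the authentication server, which alone stores both passwords, recomputes and checks both responses (the embodiment of step S108 in which the server already holds the random numbers it issued). Assumed here: SHA3-256 as both the first and the second algorithm, hashing random number || password, a 300 s lifetime for the second random number, and the constructed identifiers and passwords.

```python
import hashlib
import hmac
import secrets

# The page allows any one-way algorithm (SHA-1/2/3, SM3); SHA3-256 is assumed for both.
FIRST_ALGORITHM = "sha3_256"   # "first algorithm": the second user's response (S102)
SECOND_ALGORITHM = "sha3_256"  # "second algorithm": the first device's response (S105)
RANDOM_NUMBER_TTL = 300.0      # the page's "predetermined time"; 300 s is an assumed value


def compute_response(random_number, password, algorithm):
    """One-way function of a random number and a fixed password. Hashing
    random_number || password and hex-encoding the digest are assumptions."""
    h = hashlib.new(algorithm)
    h.update(random_number.encode())
    h.update(password.encode())
    return h.hexdigest()


class AuthenticationServer:
    """Holds the first password information (per first device) and the second
    password information (per second user); neither is ever put on the wire."""

    def __init__(self, device_passwords, user_passwords):
        self.device_passwords = dict(device_passwords)
        self.user_passwords = dict(user_passwords)
        self.issued = {}  # (device_id, user_id) -> (first_rn, second_rn)

    def start_remote_connection(self, device_id, user_id):
        """S201/S202: first random number for the first device (delivered to the
        second user), second random number for the second user (delivered to the first device)."""
        first_rn, second_rn = secrets.token_hex(8), secrets.token_hex(8)
        self.issued[(device_id, user_id)] = (first_rn, second_rn)
        return first_rn, second_rn

    def handle_second_access_request(self, request):
        """S107-S109: recompute both responses from the stored passwords and the
        issued random numbers; access-success only when both match."""
        key = (request.get("device_id"), request.get("user_id"))
        if (key not in self.issued or key[0] not in self.device_passwords
                or key[1] not in self.user_passwords):
            return "access-failure"
        first_rn, second_rn = self.issued.pop(key)  # random numbers are single-use
        first_result = compute_response(first_rn, self.user_passwords[key[1]], FIRST_ALGORITHM)
        second_result = compute_response(second_rn, self.device_passwords[key[0]], SECOND_ALGORITHM)
        user_ok = hmac.compare_digest(first_result, request.get("second_response", ""))
        device_ok = hmac.compare_digest(second_result, request.get("first_response", ""))
        return "access-success" if user_ok and device_ok else "access-failure"


class FirstDevice:
    """The device being accessed remotely (e.g. a smart-home device)."""

    def __init__(self, device_id, password, server):
        self.device_id = device_id
        self.password = password  # first password information: kept here and on the server only
        self.server = server
        self.second_rn = None
        self.received_at = 0.0

    def receive_second_random_number(self, second_rn, now):
        """S101: keep the second random number and note when it arrived."""
        self.second_rn, self.received_at = second_rn, now

    def handle_first_access_request(self, request, now):
        """S104-S106 plus feedback: drop a stale random number, otherwise compute the
        first response, build the second access request and relay the server's verdict."""
        if self.second_rn is None or now - self.received_at > RANDOM_NUMBER_TTL:
            self.second_rn = None  # discarded / disabled
            return "authentication failure"
        first_response = compute_response(self.second_rn, self.password, SECOND_ALGORITHM)
        self.second_rn = None  # single-use
        second_access_request = {
            "device_id": self.device_id,
            "user_id": request["user_id"],
            "first_response": first_response,
            "second_response": request["second_response"],  # taken from the first access request
        }
        feedback = self.server.handle_second_access_request(second_access_request)
        return "authentication success" if feedback == "access-success" else "authentication failure"


def second_device_first_access_request(user_id, temporary_password):
    """S102/S103: the temporary login password typed by the second user is the second response."""
    return {"user_id": user_id, "second_response": temporary_password}


def run_remote_access(user_password_entered, device_password="device-fixed-pw", elapsed=0.0):
    """Whole exchange with constructed identifiers and passwords; the caller chooses what
    the second user types, what password the first device really holds, and how late it is."""
    server = AuthenticationServer({"camera-01": "device-fixed-pw"}, {"alice": "alice-fixed-pw"})
    device = FirstDevice("camera-01", device_password, server)
    t0 = 1_000_000.0  # constructed clock value (seconds)
    first_rn, second_rn = server.start_remote_connection("camera-01", "alice")
    device.receive_second_random_number(second_rn, t0)                              # S101
    temp_pw = compute_response(first_rn, user_password_entered, FIRST_ALGORITHM)    # S102, by the second user
    request = second_device_first_access_request("alice", temp_pw)                  # S103
    return device.handle_first_access_request(request, t0 + elapsed)                # S104-S109
```

The three failure cases exercised by `run_remote_access` (wrong user password, a first device holding a password that does not match the server's record, and a first access request arriving after the predetermined time) each end in an authentication failure message, while only the fully matching case succeeds.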
Fig. 4 is a flow chart of a method for providing a first random number and a second random number in an authentication server or other network device according to an embodiment of the present invention. The method comprises steps S201 and S202 in an authentication server or other network device. The authentication server or other network device may perform the step S201 and the step S202 before the step S101 shown in fig. 3.
In the step S201, the authentication server or other network device obtains a first random number corresponding to a first device, and provides the first random number to the second user.
Implementations of the operation in which the authentication server obtains the first random number corresponding to the first device include, but are not limited to:
1) When an instruction for starting remote connection is received from other network equipment or a first user to which the first equipment belongs, a first random number corresponding to the first equipment is randomly generated.
2) A first random number corresponding to the first device is received from the third device.
3) A first random number corresponding to the first device from the other network device is obtained.
Implementations of the operation in which the network device obtains the first random number corresponding to the first device include, but are not limited to:
1) When receiving an instruction for starting a remote connection from the first user to which the first device belongs, the network device randomly generates a first random number corresponding to the first device.
2) A first random number corresponding to a first device is received from a third device, wherein the third device belongs to the first user. For example, the first user inputs an input number as a first random number in the third device, or the first user performs an operation in a specific mobile application of the third device to cause the third device to randomly generate a first random number; the third device then transmits the obtained first random number to the network device, which receives the first random number from the third device.
3) A first random number corresponding to the first device from the authentication server is obtained.
It should be noted that, the authentication server or the network device may provide the first random number to the second user in any feasible manner, which is not limited in this application, for example, the authentication server or the network device may provide the first random number to the second user by means of mail, a short message, sending an instant message in an instant messaging application, sending a reminder message to a designated device belonging to the second user, or the like.
In step S202, the authentication server or other network device obtains a second random number corresponding to a second user and provides the second random number to the first device.
Implementations of the operation of the authentication server to obtain the second random number corresponding to the second user include, but are not limited to:
1) When receiving an instruction for starting a remote connection from another network device or from the first user to which the first device belongs, the authentication server randomly generates a second random number corresponding to the second user.
2) When a first random number corresponding to the first device is received, a second random number corresponding to the second user is randomly generated.
3) A second random number corresponding to the second user from the other network device is obtained.
Implementations of the operation of the network device to obtain the second random number corresponding to the second user include, but are not limited to:
1) When receiving an instruction for starting a remote connection from the first user to which the first device belongs, the network device randomly generates a second random number corresponding to the second user.
2) When a first random number corresponding to the first device is received, a second random number corresponding to the second user is randomly generated.
3) A second random number corresponding to the second user from the authentication server is obtained.
It should be noted that the authentication server or the network device may provide the second random number to the first device in any feasible manner, which is not limited in this application. For example, the authentication server or network device directly sends the second random number to the first device; for another example, the authentication server or network device provides the second random number to the first user in a predetermined manner (e.g., mail, short message, instant message sent in a particular mobile application, etc.), and the first user sends the second random number to the first device via the third device.
It should be noted that, in some embodiments, the first random number is not randomly generated by the authentication server, and the network device may send the first random number to the authentication server while the first random number is provided to the second user, so that the authentication server verifies the second response information based on the first random number in a subsequent operation; in some embodiments, the second random number is not randomly generated by the authentication server, and the network device may send the second random number to the authentication server at the same time as the second random number is provided to the first device, so that the authentication server verifies the first response information based on the second random number in a subsequent operation.
It should be noted that, there is no strict sequence relationship between the step S201 and the step S202. For example, the authentication server may randomly generate the first random number and the second random number at the same time upon receiving an instruction for starting a remote connection from another network device or a first user to which the first device belongs, and thereafter provide the first random number to the second user and the second random number to the first device. For another example, after receiving a first random number corresponding to a first device, the network device provides the first random number to a second user, then randomly generates a second random number corresponding to the second user, and provides the second random number to the first device.
Fig. 5 is a schematic structural diagram of a system for performing remote authentication according to an embodiment of the present invention. The system includes a first device 100, a second device 200 and an authentication server 300. The first device 100 comprises a first apparatus 1, which further comprises apparatus 110, apparatus 120, apparatus 130 and apparatus 140; the second device 200 comprises a second apparatus 2, which further comprises apparatus 210 and apparatus 220; the authentication server 300 comprises a third apparatus 3, which further comprises apparatus 310, apparatus 320 and apparatus 330.
First, the apparatus 110 in the first device 100 receives a second random number corresponding to a second user.
The second random number is random data generated for a second user. It should be noted that, the present application does not limit the generation manner of the second random number; in some embodiments, the second random number is randomly generated by the authentication server 300 or other network device. The manner in which the device 110 receives the second random number corresponding to the second user is also not limited in the present application; in some embodiments, the authentication server 300 or other network device, after randomly generating a second random number corresponding to the second user, directly transmits the second random number to the first device 100, and the apparatus 110 receives the second random number from the authentication server 300 or other network device; in other embodiments, the apparatus 110 receives a second random number corresponding to a second user from a third device, where the third device receives the second random number corresponding to the second user from the authentication server 300 or other network device and sends the second random number to the first device 100; for example, after randomly generating a second random number corresponding to the second user, the authentication server 300 or other network device provides the second random number to the first user by means of a short message, mail, receiving an instant message in a specific mobile application, etc., which the first user may use in a third device (the "specific mobile application" described in the context can be used to connect to and control the first device, e.g. the first user may control a plurality of smart home devices arranged in the home by means of the specific mobile application) to send the second random number to the first device 100, which the apparatus 110 receives from the third device.
In some embodiments, after the apparatus 110 receives the second random number, if the first access request from the other device is not received for a predetermined time, the second random number is discarded or disabled.
It should be noted that, before the apparatus 210 in the second device performs the operation, the second user has received the first random number corresponding to the first device, where the first random number is the random data generated for the first device. The generation manner of the first random number is not limited, for example, the first random number may be randomly generated by an authentication server or other network devices, may be randomly generated by the first device or a third device used by the first user, or may be manually randomly specified by the first user. The present application is also not limited to the manner in which the second user receives the first random number corresponding to the first device, for example, the second user may obtain the first random number by short messages, mail, receiving instant messages in a particular mobile application, or any other feasible manner. It should be noted that the first random number and the second random number may be generated simultaneously or not simultaneously, may be generated in the same device, or may be generated in different devices, and the application is not limited in this respect.
The implementation manner of providing the second random number to the first device and providing the first random number to the second user by the authentication server or other network devices will be described in detail below with reference to fig. 2, and will not be described herein.
The apparatus 210 receives input information input by the second user for remotely accessing the first device, where the input information includes second response information corresponding to the second user, and the second response information is calculated based on the first random number corresponding to the first device and the second password information corresponding to the second user.
The second password information refers to a fixed password corresponding to the second user; apart from being known to the second user, it is maintained only in the authentication server, and it is not transmitted or exchanged in the network at any point in the remote authentication process of the present application.
The algorithm for calculating the second response information (hereinafter referred to as the "first algorithm") may be any one-way encryption algorithm, such as SHA (Secure Hash Algorithm), SHA-1, SHA-2, SHA-3, or the domestic hash algorithm SM3 defined by GM/T 0004-2012. The operation of calculating the second response information may be performed in the second device, may be performed in another device, or may be performed manually by the second user. In some embodiments, the second user manually calculates the second response information corresponding to the second user from the second password information and the received second random number using a predetermined one-way encryption algorithm (e.g., SHA-3). In some embodiments, the second user inputs the second password information and the received second random number into the second device or another device, so that the second device or other device calculates the second response information corresponding to the second user using a predetermined one-way encryption algorithm (such as SHA-3).
The input information comprises any information that the second user inputs for logging in to the first device when accessing it remotely, such as telnet password information or account and password information. In some embodiments, the second user directly inputs the second response information to the second device as the temporary login password for the present remote authentication process; in other embodiments, the input information further includes the first random number corresponding to the first device, and the second user combines the second response information and the first random number into the temporary login password for the present remote authentication process and inputs it to the second device; for example, when entering the temporary login password, the second user first inputs the second response information and then inputs the first random number.
Next, the apparatus 220 generates a first access request for the first device according to the input information, and sends the first access request to the first device.
The first access request is used for indicating to initiate remote access to the first device, and the first access request comprises the second response information. In some embodiments, when the input information further includes a first random number corresponding to the first device, the first access request further includes the first random number.
Thereafter, the means 120 of the first device receives the first access request.
Next, the apparatus 130 calculates first response information corresponding to the first device according to the second random number and the first password information corresponding to the first device.
Specifically, the apparatus 130 calculates the first response information corresponding to the first device according to the second random number and the first password information corresponding to the first device, and based on a predetermined algorithm.
The first password information refers to a fixed password corresponding to the first device, the first password information is only stored in the first device and the authentication server, and the first password information is not transmitted or exchanged in the network in the whole remote authentication process of the application.
The algorithm for calculating the first response information (hereinafter referred to as the "second algorithm") may be any one-way encryption algorithm, such as SHA, SHA-1, SHA-2, SHA-3, or the domestic hash algorithm SM3 defined by GM/T 0004-2012. It should be noted that the second algorithm may be the same algorithm as the first algorithm, or may be a different algorithm.
Next, the device 140 generates a second access request according to the first access request and the first response information, and sends the second access request to an authentication server.
Specifically, the device 140 generates the second access request according to the first access request and the first response information and according to a predetermined data format, and sends the second access request to the authentication server, so that the authentication server parses the second access request according to the predetermined data format. In some embodiments, the second access request includes: the first response information and the second response information extracted from the first access request.
In some embodiments, the first access request includes a first random number corresponding to the first device and second response information corresponding to the second user, and the apparatus 140 is configured to: generate the second access request according to the first access request, the first response information and the second random number, and send the second access request to the authentication server. In this case the second access request includes: the second random number, the first response information, the first random number extracted from the first access request, and the second response information extracted from the first access request.
In some embodiments, the device 140 generates the second access request by reusing the data format of the existing authentication protocol and sends the second access request to the authentication server.
For example, the device 140 generates the second access request by reusing the attributes field of an existing RADIUS (Remote Authentication Dial In User Service) protocol packet, where the reused attributes field includes the values shown in the first column of table 1; the second column indicates the data type (type) (where string indicates a string and integer indicates an integer), the third column indicates the length (length) (where octets indicates bytes and bits indicates bits), and the fourth column indicates the corresponding data (data).
For another example, the apparatus 140 generates the second access request based on an existing EAP (Extensible Authentication Protocol) data format, where the Identity field is used to carry the identification information of the first device and the identification information of the second user at the same time, Type=254 (that is, Expanded Types, which allow a vendor to define its own extension type) is used, Vendor-Id is used to carry the identification information of the vendor, Vendor-Type is used to carry a vendor type value (for example, the vendor type value is defined as 1), and Vendor data is used to carry authentication-related data (for example, the type, length and value corresponding to the first random number, the second random number, the first response information and the second response information, respectively).
In some embodiments, a new data format may be defined by which the device 140 generates the second access request and sends the second access request to the authentication server.
It should be noted that the foregoing examples are only for better illustrating the technical solution of the present invention, and not for limiting the present invention, and those skilled in the art should understand that any implementation manner of generating the second access request according to the first access request and the first response information, and sending the second access request to the authentication server is included in the scope of the present application.
Thereafter, the device 310 in the authentication server receives the second access request.
Next, the device 320 determines whether the first response information and the second response information are correct according to the second access request by combining the first password information corresponding to the first device and the second password information corresponding to the second user.
In some embodiments, the authentication server has already obtained the first random number corresponding to the first device and the second random number corresponding to the second user before the apparatus 110 performs its operation. The apparatus 320 then parses the second access request according to the predetermined data format and extracts from it the second response information corresponding to the second user and the first response information corresponding to the first device. The apparatus 320 computes a first result from the first random number and the second password information of the second user using the foregoing first algorithm; the extracted second response information is determined to be correct when the first result equals it, and incorrect otherwise. Likewise, the apparatus 320 computes a second result from the second random number and the first password information of the first device using the foregoing second algorithm; the extracted first response information is determined to be correct when the second result equals it, and incorrect otherwise.
In other embodiments, the apparatus 320 parses the second access request according to the predetermined data format and extracts the following from it: the second response information corresponding to the second user, the first response information corresponding to the first device, the second random number corresponding to the second user, and the first random number corresponding to the first device. The apparatus 320 computes a first result from the first random number and the second password information of the second user using the foregoing first algorithm; the extracted second response information is determined to be correct when the first result equals it, and incorrect otherwise. Likewise, the apparatus 320 computes a second result from the second random number and the first password information of the first device using the foregoing second algorithm; the extracted first response information is determined to be correct when the second result equals it, and incorrect otherwise.
Then, the apparatus 330 generates feedback information corresponding to the second access request according to the determination result and sends the feedback information to the first device.
Specifically, when the first response information and the second response information are both correct, the apparatus 330 generates feedback information indicating that authentication succeeded (such as an access-success message); when either of them is incorrect, the apparatus 330 generates feedback information indicating that authentication failed (such as an access-failure message).
After that, the first device 100 receives the feedback information from the authentication server 300. When the feedback information indicates that authentication succeeded, a remote access connection is established between the first device 100 and the second device 200, that is, remote access authority is granted to the second device 200. When the feedback information indicates that authentication failed, the first device 100 returns an authentication-failure message to the second device 200, that is, remote access is denied to the second device 200.
According to this scheme, a first random number is generated for the first device and a second random number is generated for the second user, so that the second user remotely accesses the first device with a temporary login password (that is, a one-time password), and during the remote authentication process neither the first password information of the first device nor the second password information of the second user is transmitted or exchanged over the network in any form, which protects the security of remote access. The authentication server must determine the correctness of both the first response information and the second response information in the second access request, and grants remote access to the second device only when both are correct; this realizes double authentication in the authentication server and ensures that the correct second user remotely accesses the first device that has the correct association relation with the second device. Further, by centrally managing the passwords of the second user and the first device in the authentication server, the security of the remote authentication process is enhanced.
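The double verification described above, as an added example written for this page (not code from the patent or from Nokia). It follows the embodiment in which the authentication server itself issues both random numbers before the login attempt and so verifies the two responses against its own copies of them, consuming the pair on the first use. The page leaves the "first algorithm" and "second algorithm" unspecified; this example assumes HMAC-SHA256 keyed with the respective password over the random number, which keeps both passwords off the wire as the text requires. The device and user identifiers, passwords and the `Access-Accept` / `Access-Reject` feedback strings are constructed for the example.

```python
import hashlib
import hmac
import secrets


def compute_response(password: bytes, random_number: bytes) -> bytes:
    """Assumed instantiation of the page's first and second algorithm:
    HMAC-SHA256 keyed with the password over the random number. Only this
    tag is transmitted; the password stays with the party that knows it."""
    return hmac.new(password, random_number, hashlib.sha256).digest()


class AuthenticationServer:
    """Plays the third apparatus: devices 340/350 issue the random numbers,
    devices 310/320/330 receive, verify and answer the second access request."""

    def __init__(self, device_passwords, user_passwords, bindings):
        self._device_passwords = device_passwords  # first password information, by device id
        self._user_passwords = user_passwords      # second password information, by user id
        self._bindings = bindings                  # device id -> set of user ids associated with it
        self._pending = {}                         # (device id, user id) -> (first_random, second_random)

    def start_remote_session(self, device_id, user_id):
        """Devices 340/350: generate both random numbers for one login attempt.
        Returns (first_random, second_random), or None if the user is not
        associated with the device. The first random number is handed to the
        second user out of band, the second to the first device."""
        if user_id not in self._bindings.get(device_id, ()):
            return None
        nonces = (secrets.token_bytes(16), secrets.token_bytes(16))
        self._pending[(device_id, user_id)] = nonces
        return nonces

    def handle_second_access_request(self, device_id, user_id, first_response, second_response):
        """Devices 320/330: verify both responses against the random numbers the
        server itself issued, then produce the feedback. The stored pair is
        consumed whatever the outcome, so each pair works exactly once."""
        nonces = self._pending.pop((device_id, user_id), None)
        device_password = self._device_passwords.get(device_id)
        user_password = self._user_passwords.get(user_id)
        if nonces is None or device_password is None or user_password is None:
            return "Access-Reject"
        first_random, second_random = nonces
        first_result = compute_response(user_password, first_random)      # expected second response
        second_result = compute_response(device_password, second_random)  # expected first response
        # Constant-time comparison; both checks are evaluated before combining.
        user_ok = hmac.compare_digest(first_result, second_response)
        device_ok = hmac.compare_digest(second_result, first_response)
        return "Access-Accept" if (user_ok and device_ok) else "Access-Reject"


def run_exchange(server, device_id, user_id, device_password, user_password):
    """One login attempt following the message flow of the description;
    returns the feedback the first device would receive."""
    nonces = server.start_remote_session(device_id, user_id)
    if nonces is None:
        return "Access-Reject"
    first_random, second_random = nonces
    # Second device side (apparatus 210/220): the second user received
    # first_random out of band, derived the second response with their own
    # password, and enters both; the first access request carries them.
    first_access_request = {
        "first_random": first_random,
        "second_response": compute_response(user_password, first_random),
    }
    # First device side (apparatus 110-140): it received second_random, adds its
    # own response and forwards everything as the second access request.
    second_access_request = dict(first_access_request,
                                 second_random=second_random,
                                 first_response=compute_response(device_password, second_random))
    return server.handle_second_access_request(device_id, user_id,
                                               second_access_request["first_response"],
                                               second_access_request["second_response"])
```

Two design points matter for the one-time property the text claims. The server verifies against the random numbers it recorded when the session was started, even though the second access request also carries them: if it trusted the values in the request instead, a captured request could be replayed with its original random numbers. And the recorded pair is removed before the comparison, so a second request for the same pair is rejected regardless of whether the first one succeeded.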
Fig. 6 is a schematic structural diagram of a system for performing remote authentication according to another embodiment of the present application. The system includes a first device 100, a second device 200, and an authentication server 300. Wherein the first apparatus 100 comprises a first device 1, the first device 1 further comprising a device 110, a device 120, a device 130 and a device 140; the second apparatus 200 comprises a second device 2, the second device 2 further comprising a device 210 and a device 220; the authentication server 300 comprises a third device 3, the third device 3 further comprising a device 310, a device 320, a device 330, a device 340 and a device 350. Only the device 340 and the device 350 will be described in detail below, and other devices in the system are described in detail in the foregoing embodiment shown in fig. 5, which is not described herein.
The apparatus 340 and the apparatus 350 may perform their operations before the apparatus 110 does.
The means 340 is configured to obtain a first random number corresponding to a first device and provide the first random number to the second user.
Wherein the implementation of the operation of obtaining the first random number corresponding to the first device by the apparatus 340 includes, but is not limited to:
1) When an instruction for starting remote connection is received from other network equipment or a first user to which the first equipment belongs, a first random number corresponding to the first equipment is randomly generated.
2) A first random number corresponding to the first device is received from the third device.
3) A first random number corresponding to the first device from the other network device is obtained.
It should be noted that, the device 340 may provide the first random number to the second user in any feasible manner, which is not limited in this application, for example, the device 340 may provide the first random number to the second user by mail, short message, sending an instant message in an instant messaging application, sending a reminder message to a designated device belonging to the second user, and so on.
Means 350 is for obtaining a second random number corresponding to a second user and providing the second random number to the first device.
Implementations of the operation in which the device 350 obtains the second random number corresponding to the second user include, but are not limited to:
1) When an instruction for starting a remote connection is received from another network device or from the first user to which the first device belongs, a second random number corresponding to the second user is randomly generated.
2) When a first random number corresponding to the first device is received, a second random number corresponding to the second user is randomly generated.
3) A second random number corresponding to the second user from the other network device is obtained.
It should be noted that the apparatus 350 may provide the second random number to the first device in any feasible manner, which is not limited in this application. For example, the apparatus 350 directly transmits the second random number to the first device; for another example, the apparatus 350 provides the second random number to the first user in a predetermined manner (e.g., mail, text message, instant message sent in a particular mobile application, etc.), and the first user sends the second random number to the first device via the third device.
It should be noted that there is no strict sequence of operations performed by the device 340 and the device 350. The apparatus 340 and the apparatus 350 may or may not perform the operations at the same time.
Fig. 7 is a schematic structural diagram of a system for performing remote authentication according to another embodiment of the present application. The system includes a first device 100, a second device 200, an authentication server 300, and a network device 400. Wherein the first apparatus 100 comprises a first device 1, the first device 1 further comprising a device 110, a device 120, a device 130 and a device 140; the second apparatus 200 comprises a second device 2, the second device 2 further comprising a device 210 and a device 220; the authentication server 300 comprises a third device 3, the third device 3 further comprising a device 310, a device 320 and a device 330; wherein the network device 400 comprises a fourth means 4, said fourth means 4 further comprising means 410 and means 420. Only the device 410 and the device 420 will be described in detail below, and other devices in the system are described in detail in the embodiment shown in fig. 5, which is not described herein. Wherein the dashed lines in fig. 7 indicate that there may or may not be direct data transmission.
Means 410 is for obtaining a first random number corresponding to a first device and providing the first random number to the second user.
Wherein the implementation of obtaining the first random number corresponding to the first device by the apparatus 410 includes, but is not limited to:
1) When an instruction for starting a remote connection is received from the first user to which the first device belongs, a first random number corresponding to the first device is randomly generated.
2) A first random number corresponding to the first device is received from a third device, where the third device belongs to the first user. For example, the first user enters a number in the third device as the first random number, or the first user performs an operation in a specific mobile application of the third device that causes the third device to randomly generate the first random number; the third device then transmits the obtained first random number to the network device, which receives it from the third device.
3) A first random number corresponding to the first device from the authentication server is obtained.
It should be noted that, the apparatus 410 may provide the first random number to the second user in any feasible manner, which is not limited in this application, for example, the apparatus 410 provides the first random number to the second user by means of mail, a short message, sending an instant message in an instant messaging application, sending a reminder message to a designated device belonging to the second user, or the like.
It should be noted that, in some embodiments, the first random number is not randomly generated by the authentication server, and the apparatus 410 may send the first random number to the authentication server at the same time when the first random number is provided to the second user, so that the authentication server verifies the second response information based on the first random number in a subsequent operation.
Means 420 is for obtaining a second random number corresponding to a second user and providing the second random number to the first device.
Implementations of the operation of the device 420 to obtain the second random number corresponding to the second user include, but are not limited to:
1) When an instruction for starting a remote connection is received from the first user to which the first device belongs, a second random number corresponding to the second user is randomly generated.
2) When a first random number corresponding to the first device is received, a second random number corresponding to the second user is randomly generated.
3) A second random number corresponding to the second user from the authentication server is obtained.
It should be noted that the apparatus 420 may provide the second random number to the first device in any feasible manner, which is not limited in this application. For example, the apparatus 420 directly transmits the second random number to the first device; for another example, the apparatus 420 provides the second random number to the first user in a predetermined manner (e.g., mail, text message, instant message sent in a particular mobile application, etc.), and the first user sends the second random number to the first device via the third device.
It should be noted that, in some embodiments, the second random number is not randomly generated by the authentication server, and the apparatus 420 may send the second random number to the authentication server at the same time when the second random number is provided to the first device, so that the authentication server verifies the first response information based on the second random number in a subsequent operation.
It should be noted that there is no strict sequence of operations performed by the apparatus 410 and the apparatus 420. The apparatus 340 and the apparatus 350 may or may not perform the operations at the same time.
The present application also provides a computer readable medium having stored thereon computer program code executable by a processor for performing the method for remote authentication described herein.
The present application also provides a first device for performing remote authentication, the first device comprising: at least one processor; and
at least one memory for storing computer program code,
the at least one memory and the computer program code are configured to, with the at least one processor, cause the first device to perform the method for remote authentication described herein.
The present application also provides a second device for performing remote authentication, the second device comprising: at least one processor; and
at least one memory for storing computer program code,
the at least one memory and the computer program code are configured to, with the at least one processor, cause the second device to perform the method for remote authentication described herein.
The present application also provides an authentication server for performing remote authentication, the authentication server comprising: at least one processor; and
at least one memory for storing computer program code,
the at least one memory and the computer program code are configured to, with the at least one processor, cause the authentication server to perform a method for remote authentication as described herein.
The present application also provides a network device for performing remote authentication, the network device comprising: at least one processor; and
at least one memory for storing computer program code,
the at least one memory and the computer program code are configured to, with the at least one processor, cause the network device to perform a method for remote authentication as described herein.
The present application also provides a computer program product which, when executed by a device, causes the device to perform the method for remote authentication described herein.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is evident that the word "comprising" does not exclude other elements or steps, and that the singular does not exclude a plurality. A plurality of units or means recited in the system claims can also be implemented by means of software or hardware by means of one unit or means. The terms first, second, etc. are used to denote a name, but not any particular order.
While the foregoing particularly illustrates and describes exemplary embodiments, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the claims. The protection sought herein is as set forth in the claims below. These and other aspects of the various embodiments are specified in the following numbered clauses:
1. A first apparatus for remote authentication in a first device, wherein the first apparatus comprises:
means for receiving a second random number corresponding to a second user;
means for receiving a first access request from a second device used by the second user, wherein the first access request includes second response information corresponding to the second user;
means for calculating first response information corresponding to the first device based on the second random number and first password information corresponding to the first device;
and means for generating a second access request from the first access request and the first response information, and transmitting the second access request to an authentication service.
2. The first apparatus of clause 1, wherein the first access request further comprises a first random number corresponding to the first device, the means for generating a second access request from the first access request and the first response information, and sending the second access request to an authentication server is configured to:
generating a second access request according to the first access request, the first response information and the second random number, and sending the second access request to an authentication server.
3. The first apparatus of clause 1 or 2, wherein the means for receiving the second random number corresponding to the second user is for:
a second random number corresponding to a second user is received from the authentication server or other network device.
4. The first apparatus of clause 1 or 2, wherein the means for receiving the second random number corresponding to the second user is for:
and receiving a second random number corresponding to the second user from a third device, wherein the third device receives the second random number corresponding to the second user from the authentication server or other network devices and sends the second random number to the first device.
5. A second apparatus for remote authentication in a second device, wherein the second apparatus comprises:
means for receiving input information input by a second user for remotely accessing a first device, wherein the input information includes second response information corresponding to the second user, the second response information being calculated based on a first random number corresponding to the first device and second password information corresponding to the second user;
and means for generating a first access request for the first device based on the input information and transmitting the first access request to the first device.
6. The second apparatus of clause 5, wherein the input information further comprises a first random number corresponding to the first device.
7. A third apparatus for remote authentication in an authentication server, wherein the third apparatus comprises:
means for receiving a second access request from a first device, wherein the second access request includes first response information corresponding to the first device and second response information corresponding to a second user;
means for determining, according to the second access request, whether the first response information and the second response information are correct by combining first password information corresponding to the first device and second password information corresponding to a second user;
and means for generating feedback information corresponding to the second access request according to the determination result and sending the feedback information to the first device.
8. The third apparatus of clause 7, wherein the second access request further comprises the first random number and a second random number corresponding to the second user.
9. The third apparatus of clause 7 or 8, wherein the third apparatus further comprises means for, prior to the means for receiving the second access request from the first device:
obtaining a first random number corresponding to a first device and providing the first random number to the second user;
a second random number corresponding to a second user is obtained and provided to the first device.
10. The third apparatus of clause 9, wherein the operation of obtaining the first random number corresponding to the first device comprises any one of the following implementations:
-upon receiving an instruction for initiating a remote connection from the other network device or a first user to which the first device belongs, randomly generating a first random number corresponding to the first device;
-receiving a first random number from a third device corresponding to the first device;
-obtaining a first random number from the other network device corresponding to the first device.
11. The third apparatus of clause 9, wherein the operation of obtaining the second random number corresponding to the second user comprises any one of the following implementations:
-upon receiving an instruction for initiating a remote connection from the other network device or a first user to which the first device belongs, randomly generating a second random number corresponding to a second user;
-upon receiving a first random number corresponding to the first device, randomly generating a second random number corresponding to the second user;
-obtaining a second random number from the other network device corresponding to the second user.
12. A fourth apparatus for remote authentication in a network device, wherein the fourth apparatus comprises:
means for obtaining a first random number corresponding to a first device and providing the first random number to the second user;
means for obtaining a second random number corresponding to a second user and providing the second random number to the first device.
13. The fourth apparatus of clause 12, wherein the operation of obtaining the first random number corresponding to the first device comprises any one of the following implementations:
-upon receiving an instruction for initiating a remote connection from a first user to which the first device belongs, randomly generating a first random number corresponding to the first device;
-receiving a first random number from a third device corresponding to a first device, wherein the third device belongs to the first user;
-obtaining a first random number corresponding to the first device from the authentication server.
14. The fourth apparatus of clause 12, wherein the operation of obtaining the second random number corresponding to the second user comprises any one of the following implementations:
-upon receiving an instruction for initiating a remote connection from a first user to which the first device belongs, randomly generating a second random number corresponding to a second user;
-upon receiving a first random number corresponding to the first device, randomly generating a second random number corresponding to the second user;
-obtaining a second random number from the authentication server corresponding to the second user.
15. A system for remote authentication, wherein the system comprises a first device comprising a first apparatus as set forth in any one of clauses 1 to 4, a second device comprising a second apparatus as set forth in clauses 5 or 6, and an authentication server comprising a third apparatus as set forth in any one of clauses 7 to 11.
16. The system of clause 15, wherein the system further comprises other network equipment comprising a fourth apparatus as recited in any of clauses 12 to 14.
17. A method in a first device for remote authentication, wherein the method comprises the steps of:
receiving a second random number corresponding to a second user;
receiving a first access request from a second device used by the second user, wherein the first access request comprises second response information corresponding to the second user;
calculating first response information corresponding to the first device according to the second random number and the first password information corresponding to the first device;
and generating a second access request according to the first access request and the first response information, and sending the second access request to an authentication server.
18. The method of clause 17, wherein the first access request further comprises a first random number corresponding to the first device, and the steps of generating a second access request from the first access request and the first response information, and sending the second access request to an authentication server comprise:
and generating a second access request according to the first access request, the first response information and the second random number, and sending the second access request to an authentication server.
19. The method of clause 17 or 18, wherein the step of receiving the second random number corresponding to the second user comprises:
A second random number corresponding to a second user is received from the authentication server or other network device.
20. The method of clause 17 or 18, wherein the step of receiving the second random number corresponding to the second user comprises:
and receiving a second random number corresponding to the second user from a third device, wherein the third device receives the second random number corresponding to the second user from the authentication server or other network devices and sends the second random number to the first device.
21. A method in a second device for remote authentication, wherein the method comprises the steps of:
receiving input information input by a second user and used for remotely accessing a first device, wherein the input information comprises second response information corresponding to the second user, and the second response information is calculated based on a first random number corresponding to the first device and second password information corresponding to the second user;
and generating a first access request for the first device according to the input information, and sending the first access request to the first device.
22. The method of clause 21, wherein the input information further comprises a first random number corresponding to the first device.
23. A method in an authentication server for remote authentication, wherein the method comprises the steps of:
receiving a second access request from a first device, wherein the second access request comprises first response information corresponding to the first device and second response information corresponding to a second user;
determining whether the first response information and the second response information are correct according to the second access request and by combining the first password information corresponding to the first device and the second password information corresponding to the second user;
and generating feedback information corresponding to the second access request according to the determination result, and sending the feedback information to the first device.
24. The method of clause 23, wherein the second access request further comprises the first random number and a second random number corresponding to the second user.
25. The method of clause 23 or 24, wherein the method further comprises the following steps performed before the step of obtaining the second access request from the first device:
obtaining a first random number corresponding to a first device and providing the first random number to the second user;
a second random number corresponding to a second user is obtained and provided to the first device.
26. The method of clause 25, wherein the operation of obtaining the first random number corresponding to the first device comprises any one of the following implementations:
-upon receiving an instruction for initiating a remote connection from the other network device or a first user to which the first device belongs, randomly generating a first random number corresponding to the first device;
-receiving a first random number from a third device corresponding to the first device;
-obtaining a first random number from the other network device corresponding to the first device.
27. The method of clause 25, wherein the operation of obtaining the second random number corresponding to the second user comprises any one of the following implementations:
-upon receiving an instruction for initiating a remote connection from the other network device or a first user to which the first device belongs, randomly generating a second random number corresponding to a second user;
-upon receiving a first random number corresponding to the first device, randomly generating a second random number corresponding to the second user;
-obtaining a second random number from the other network device corresponding to the second user.
28. A method in a network device for remote authentication, wherein the method comprises the steps of:
obtaining a first random number corresponding to a first device and providing the first random number to the second user;
a second random number corresponding to a second user is obtained and provided to the first device.
29. The method of clause 28, wherein the operation of obtaining the first random number corresponding to the first device comprises any one of the following implementations:
-upon receiving an instruction for initiating a remote connection from a first user to which the first device belongs, randomly generating a first random number corresponding to the first device;
-receiving, from a third device belonging to the first user, a first random number corresponding to the first device;
-obtaining, from the authentication server, a first random number corresponding to the first device.
30. The method of clause 28, wherein the operation of obtaining the second random number corresponding to the second user comprises any one of the following implementations:
-upon receiving an instruction for initiating a remote connection from a first user to which the first device belongs, randomly generating a second random number corresponding to the second user;
-upon receiving a first random number corresponding to the first device, randomly generating a second random number corresponding to the second user;
-obtaining, from the authentication server, a second random number corresponding to the second user.
31. A method for remote authentication, wherein the method comprises the steps of:
the first device receives a second random number corresponding to a second user;
a second device receives input information input by a second user and used for remotely accessing the first device, wherein the input information comprises second response information corresponding to the second user, and the second response information is calculated based on a first random number corresponding to the first device and second password information corresponding to the second user;
the second device generates a first access request for the first device according to the input information, and sends the first access request to the first device;
the first device receives the first access request;
the first device calculates first response information corresponding to the first device according to the second random number and first password information corresponding to the first device;
the first device generates a second access request according to the first access request and the first response information, and sends the second access request to an authentication server;
the authentication server receives the second access request;
the authentication server determines, from the second access request together with the first password information corresponding to the first device and the second password information corresponding to the second user, whether the first response information and the second response information are correct;
and the authentication server generates feedback information corresponding to the second access request according to the determination result and sends the feedback information to the first device.
32. The method of clause 31, wherein the method comprises the following steps performed before the step of the first device receiving a second random number corresponding to a second user:
the authentication server or another network device obtains a first random number corresponding to the first device and provides the first random number to the second user;
the authentication server or the other network device obtains a second random number corresponding to the second user and provides the second random number to the first device.
33. A computer readable medium having stored thereon computer program code executable by a processor to:
receiving a second random number corresponding to a second user;
receiving a first access request from a second device used by the second user, wherein the first access request comprises second response information corresponding to the second user;
calculating first response information corresponding to the first device according to the second random number and the first password information corresponding to the first device;
and generating a second access request according to the first access request and the first response information, and sending the second access request to an authentication server.
34. A computer readable medium having stored thereon computer program code executable by a processor to:
receiving input information input by a second user and used for remotely accessing a first device, wherein the input information comprises second response information corresponding to the second user, and the second response information is calculated based on a first random number corresponding to the first device and second password information corresponding to the second user;
and generating a first access request for the first device according to the input information, and sending the first access request to the first device.
35. A computer readable medium having stored thereon computer program code executable by a processor to:
receiving a second access request from a first device, wherein the second access request comprises first response information corresponding to the first device and second response information corresponding to a second user;
determining, from the second access request together with the first password information corresponding to the first device and the second password information corresponding to the second user, whether the first response information and the second response information are correct;
and generating feedback information corresponding to the second access request according to the determination result, and sending the feedback information to the first device.
36. A computer readable medium having stored thereon computer program code executable by a processor to:
obtaining a first random number corresponding to a first device and providing the first random number to the second user;
and obtaining a second random number corresponding to a second user and providing the second random number to the first device.
37. A first device, the first device comprising:
at least one processor; and
at least one memory for storing computer program code,
the at least one memory and the computer program code are configured to, with the at least one processor, cause the first device to:
receiving a second random number corresponding to a second user;
receiving a first access request from a second device used by the second user, wherein the first access request comprises second response information corresponding to the second user;
calculating first response information corresponding to the first device according to the second random number and the first password information corresponding to the first device;
and generating a second access request according to the first access request and the first response information, and sending the second access request to an authentication server.
38. A second device, the second device comprising:
at least one processor; and
at least one memory for storing computer program code,
the at least one memory and the computer program code are configured to, with the at least one processor, cause the second device to:
receiving input information input by a second user and used for remotely accessing a first device, wherein the input information comprises second response information corresponding to the second user, and the second response information is calculated based on a first random number corresponding to the first device and second password information corresponding to the second user;
and generating a first access request for the first device according to the input information, and sending the first access request to the first device.
39. A third device, the third device comprising:
at least one processor; and
at least one memory for storing computer program code,
the at least one memory and the computer program code are configured to, with the at least one processor, cause the third device to:
receiving a second access request from a first device, wherein the second access request comprises first response information corresponding to the first device and second response information corresponding to a second user;
determining, from the second access request together with the first password information corresponding to the first device and the second password information corresponding to the second user, whether the first response information and the second response information are correct;
and generating feedback information corresponding to the second access request according to the determination result, and sending the feedback information to the first device.
40. A fourth device, the fourth device comprising:
at least one processor; and
at least one memory for storing computer program code,
the at least one memory and the computer program code are configured to, with the at least one processor, cause the fourth device to:
obtaining a first random number corresponding to a first device and providing the first random number to the second user;
a second random number corresponding to a second user is obtained and provided to the first device.
41. A computer program product which, when executed by an apparatus, causes the apparatus to:
receiving a second random number corresponding to a second user;
receiving a first access request from a second device used by the second user, wherein the first access request comprises second response information corresponding to the second user;
calculating first response information corresponding to the first device according to the second random number and the first password information corresponding to the first device;
and generating a second access request according to the first access request and the first response information, and sending the second access request to an authentication server.
42. A computer program product which, when executed by an apparatus, causes the apparatus to:
receiving input information input by a second user and used for remotely accessing a first device, wherein the input information comprises second response information corresponding to the second user, and the second response information is calculated based on a first random number corresponding to the first device and second password information corresponding to the second user;
and generating a first access request for the first device according to the input information, and sending the first access request to the first device.
43. A computer program product which, when executed by an apparatus, causes the apparatus to:
receiving a second access request from a first device, wherein the second access request comprises first response information corresponding to the first device and second response information corresponding to a second user;
determining, from the second access request together with the first password information corresponding to the first device and the second password information corresponding to the second user, whether the first response information and the second response information are correct;
and generating feedback information corresponding to the second access request according to the determination result, and sending the feedback information to the first device.
44. A computer program product which, when executed by an apparatus, causes the apparatus to:
obtaining a first random number corresponding to a first device and providing the first random number to the second user;
a second random number corresponding to a second user is obtained and provided to the first device.

Claims (7)

1. A system for remote authentication, the system comprising a first device, a second device, a third device, and a fourth device, the first device comprising a first apparatus, the second device comprising a second apparatus, the third device comprising an authentication server, and the fourth device comprising a network device, the system characterized by:
the first device receives a second random number corresponding to a second user;
the second device receives input information input by the second user and used for remotely accessing the first device, wherein the input information comprises second response information corresponding to the second user, and the second response information is calculated based on a first random number corresponding to the first device and second password information corresponding to the second user;
the second device generates a first access request for the first device according to the input information and sends the first access request to the first device;
the first device receives the first access request;
the first device calculates first response information corresponding to the first device according to the second random number and the first password information corresponding to the first device;
the first device generates a second access request according to the first access request and the first response information, and sends the second access request to an authentication server;
the authentication server receives the second access request;
the authentication server determines, from the second access request together with the first password information corresponding to the first device and the second password information corresponding to the second user, whether the first response information and the second response information are correct;
and the authentication server generates feedback information corresponding to the second access request according to the determination result and sends the feedback information to the first device.
2. The system of claim 1, wherein the first access request further comprises a first random number corresponding to the first device, and the step in which the first device generates a second access request according to the first access request and the first response information and sends the second access request to an authentication server comprises:
generating the second access request according to the first access request, the first response information and the second random number, and sending the second access request to the authentication server.
3. The system of claim 1, wherein the second access request further comprises the first random number and a second random number corresponding to the second user.
4. The system of claim 3, wherein the third device is further configured to, before receiving the second access request from the first device:
obtaining a first random number corresponding to a first device and providing the first random number to the second user;
a second random number corresponding to a second user is obtained and provided to the first device.
5. A method for remote authentication, wherein the method comprises the steps of:
the first device receives a second random number corresponding to a second user;
a second device receives input information input by a second user and used for remotely accessing the first device, wherein the input information comprises second response information corresponding to the second user, and the second response information is calculated based on a first random number corresponding to the first device and second password information corresponding to the second user;
the second device generates a first access request for the first device according to the input information, and sends the first access request to the first device;
the first device receives the first access request;
the first device calculates first response information corresponding to the first device according to the second random number and first password information corresponding to the first device;
the first device generates a second access request according to the first access request and the first response information, and sends the second access request to an authentication server;
the authentication server receives the second access request;
the authentication server determines, from the second access request together with the first password information corresponding to the first device and the second password information corresponding to the second user, whether the first response information and the second response information are correct;
and the authentication server generates feedback information corresponding to the second access request according to the determination result and sends the feedback information to the first device.
6. The method of claim 5, wherein the method comprises the following steps performed before the step of the first device receiving a second random number corresponding to a second user:
the authentication server or another network device obtains a first random number corresponding to the first device and provides the first random number to the second user;
the authentication server or the other network device obtains a second random number corresponding to the second user and provides the second random number to the first device.
7. A computer readable medium having stored thereon computer program code executable by a processor to perform the method of claim 5.
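The following is an added simulation of the flow recited in clauses 31-32 and claims 1-6 above; it is example code written for this page, not code from the patent or its assignee. It assumes that each "response information" is an HMAC-SHA256 keyed by the password over the random number (the claims only say the response is "calculated based on" the two), that the authentication server also plays the role of the network device that issues the random numbers (clause 32 allows either), and that the first access request carries the first random number while the second access request adds the second one (claims 2 and 3). The single-use treatment of each issued challenge pair is a defensive detail added here, not something the claims recite. Identifiers such as `dev-1` and `alice` are constructed sample values.

```python
"""Simulation of the two-sided challenge-response flow of claims 1-6 (constructed example)."""
import hashlib
import hmac
import secrets


def compute_response(password: bytes, random_number: bytes) -> bytes:
    # Assumed construction: response = HMAC-SHA256(password, random_number).
    return hmac.new(password, random_number, hashlib.sha256).digest()


class AuthenticationServer:
    """Holds both password tables, issues the random numbers, verifies the second access request."""

    def __init__(self, device_passwords: dict, user_passwords: dict):
        self._device_pw = dict(device_passwords)
        self._user_pw = dict(user_passwords)
        self._issued = {}  # (device_id, user_id) -> (r1, r2) still outstanding

    def issue_random_numbers(self, device_id: str, user_id: str):
        # Clause 32 / claim 6: r1 corresponds to the first device and goes to the
        # second user; r2 corresponds to the second user and goes to the first device.
        r1 = secrets.token_bytes(16)
        r2 = secrets.token_bytes(16)
        self._issued[(device_id, user_id)] = (r1, r2)
        return r1, r2

    def handle_second_access_request(self, req: dict) -> dict:
        """Last three steps of claim 1: check both responses and return feedback."""
        key = (req.get("device_id"), req.get("user_id"))
        # Added defensive detail: a challenge pair is consumed on first use, so a
        # replayed second access request finds no outstanding challenge.
        pending = self._issued.pop(key, None)
        if pending is None:
            return {"granted": False, "reason": "no outstanding challenge"}
        r1, r2 = pending
        if req.get("first_random_number") != r1 or req.get("second_random_number") != r2:
            return {"granted": False, "reason": "random numbers differ from those issued"}
        pw1 = self._device_pw.get(key[0])
        pw2 = self._user_pw.get(key[1])
        if pw1 is None or pw2 is None:
            return {"granted": False, "reason": "unknown device or user"}
        # First response binds the device password to r2; second binds the user password to r1.
        device_ok = hmac.compare_digest(compute_response(pw1, r2), req.get("first_response", b""))
        user_ok = hmac.compare_digest(compute_response(pw2, r1), req.get("second_response", b""))
        if not (device_ok and user_ok):
            return {"granted": False, "reason": "response check failed"}
        return {"granted": True, "reason": "both responses verified"}


class FirstDevice:
    """The device being accessed remotely (the 'first device' of claim 1)."""

    def __init__(self, device_id: str, password: bytes):
        self.device_id = device_id
        self._password = password
        self._r2 = None

    def receive_second_random_number(self, r2: bytes) -> None:
        self._r2 = r2

    def handle_first_access_request(self, first_req: dict) -> dict:
        """Compute the first response from r2 and build the second access request (claims 2-3)."""
        if self._r2 is None:
            raise RuntimeError("no second random number received yet")
        first_response = compute_response(self._password, self._r2)
        return {**first_req, "device_id": self.device_id,
                "first_response": first_response, "second_random_number": self._r2}


def second_device_build_first_access_request(user_id: str, device_id: str,
                                             r1: bytes, second_response: bytes) -> dict:
    """The second device packages what the user typed (claim 2: includes r1) for the first device."""
    return {"user_id": user_id, "device_id": device_id,
            "first_random_number": r1, "second_response": second_response}


def run_flow(server: AuthenticationServer, first_device: FirstDevice,
             user_id: str, user_password_entered: bytes):
    """Drive one complete access attempt; returns (feedback, second access request)."""
    r1, r2 = server.issue_random_numbers(first_device.device_id, user_id)
    first_device.receive_second_random_number(r2)
    # The second user computes the second response from r1 and the password they hold,
    # then enters it (together with r1) into the second device.
    second_response = compute_response(user_password_entered, r1)
    first_req = second_device_build_first_access_request(user_id, first_device.device_id, r1, second_response)
    second_req = first_device.handle_first_access_request(first_req)
    return server.handle_second_access_request(second_req), second_req


def demo() -> dict:
    """Constructed scenario: a correct login, a wrong user password, and a replayed request."""
    server = AuthenticationServer({"dev-1": b"device-secret"}, {"alice": b"alice-pw"})
    dev = FirstDevice("dev-1", b"device-secret")
    good, good_req = run_flow(server, dev, "alice", b"alice-pw")
    bad, _ = run_flow(server, dev, "alice", b"wrong-pw")
    replay = server.handle_second_access_request(good_req)
    return {"good": good, "bad_password": bad, "replay": replay}


if __name__ == "__main__":
    for name, feedback in demo().items():
        print(f"{name}: {feedback}")
```

Because the server alone holds both password tables, neither device ever learns the other party's password, and a first device whose own password is wrong fails the check just as a user with a wrong password does; the feedback sent back to the first device deliberately does not say which of the two responses failed.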
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910364666.8A CN111859406B (en) 2019-04-30 2019-04-30 Method, device and system for remote authentication

Publications (2)

Publication Number Publication Date
CN111859406A CN111859406A (en) 2020-10-30
CN111859406B true CN111859406B (en) 2024-03-15

Family

ID=72965865

Country Status (1)

Country Link
CN (1) CN111859406B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20010070026A (en) * 2000-01-12 2001-07-25 백종우 Method for establishing communication channel using information storage media
CN104185844A (en) * 2011-09-09 2014-12-03 石器公司 Method and apparatus for key sharing over remote desktop protocol
CN106416123A (en) * 2014-05-23 2017-02-15 国际商业机器公司 Password-based authentication
WO2017031859A1 (en) * 2015-08-26 2017-03-02 百度在线网络技术(北京)有限公司 Method and apparatus for verifying access security
CN109150907A (en) * 2018-09-30 2019-01-04 百度在线网络技术(北京)有限公司 Vehicle-mounted industrial personal computer login method, device, system, computer equipment and medium
CN109286933A (en) * 2018-10-18 2019-01-29 世纪龙信息网络有限责任公司 Authentication method, device, system, computer equipment and storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7434050B2 (en) * 2003-12-11 2008-10-07 International Business Machines Corporation Efficient method for providing secure remote access
US9608981B2 (en) * 2013-12-11 2017-03-28 Red Hat, Inc. Strong user authentication for accessing protected network
US9369282B2 (en) * 2014-01-29 2016-06-14 Red Hat, Inc. Mobile device user authentication for accessing protected network resources

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Smart-card remote two-way secure authentication scheme combining hash functions with mutual authentication; 周扬; 龚畅; 徐平平; 王伟; Computer Measurement & Control (No. 6); full text *
Design and implementation of a PDA-based communication equipment fault diagnosis ***; 张然; 刘健伟; 常青; Information Security and Communications Privacy (No. 9); full text *
Design and analysis of a secure authentication scheme for remote access; 白跃彬, 刘轶, 郑守淇, 侯宗浩; Journal of Xi'an Jiaotong University (No. 8); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant