CN111901290A - Identity authentication method and device - Google Patents

Identity authentication method and device

Info

Publication number: CN111901290A
Authority: CN (China)
Prior art keywords: permission information, management interface, access request, authorization permission, authentication
Legal status: Granted
Application number: CN202010494072.1A
Other languages: Chinese (zh)
Other versions: CN111901290B (en)
Inventors: 郑霖, 林育民
Current Assignee: Ruishu Information Technology Shanghai Co ltd
Original Assignee: Ruishu Information Technology Shanghai Co ltd

Events
Application filed by Ruishu Information Technology Shanghai Co ltd
Priority to CN202010494072.1A
Publication of CN111901290A
Application granted
Publication of CN111901290B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

The application provides an identity authentication method and device, wherein the method comprises the following steps: a proxy gateway built into an Internet of Things device receives an access request sent to a management interface of that device; if the access request does not contain authorization permission information, the access request is sent to the authentication entry of the management interface, and the authorization permission information issued by the management interface is cached and forwarded to the visitor; if the access request contains authorization permission information and that information matches the authorization permission information cached by the proxy gateway, the access request is sent to the requested management interface address.

Description

Identity authentication method and device
[ technical field ]
The present application relates to the field of computer application technologies, and in particular, to a method and an apparatus for identity authentication.
[ background of the invention ]
This section is intended to provide a background or context to the embodiments of the application that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
The Internet of Things (IoT) is an information carrier based on the Internet, traditional telecommunication networks, etc., which allows all ordinary physical objects that can be addressed independently to form an interworking network. With the development of IoT technology, a large number of IoT terminals have been connected to the Internet, but because security has not kept pace with market growth, the protection of IoT terminals still has many weak points. In the newly published IoT vulnerability ranking of the international organization OWASP (Open Web Application Security Project), insecure network services and insecure ecosystem interfaces caused by imprecise identity authentication occupy the second and third places of the ranking list. Therefore, innovating on IoT identity authentication can more effectively reduce the attack surface of IoT devices and reduce IoT security threats.
[ summary of the invention ]
In view of the above, the present application provides a method and an apparatus for identity authentication, so as to reduce IoT security threats.
The specific technical scheme is as follows:
In a first aspect, the present application provides a method for identity authentication, including:
a proxy gateway built into an Internet of Things device receives an access request sent to a management interface of that device;
if the access request does not contain authorization permission information, the access request is sent to the authentication entry of the management interface, and the authorization permission information issued by the management interface is cached and forwarded to the visitor;
and if the access request contains authorization permission information and that information matches the authorization permission information cached by the proxy gateway, the access request is sent to the requested management interface address.
According to a preferred embodiment of the present application, the proxy gateway is built in the internet of things device in the form of an executable file.
According to a preferred embodiment of the present application, the access request includes:
an access request to a management interface of the Internet of Things device that the visitor triggers on another device; or,
an access request to a management interface of the Internet of Things device that the visitor triggers on the Internet of Things device itself.
According to a preferred embodiment of the present application, before caching and forwarding the authorization permission information issued by the management interface to the visitor, the method further includes:
forwarding an identity authentication interface provided by the authentication entry of the management interface to the visitor;
and forwarding the identity information input by the visitor on the identity authentication interface to the management interface so that the management interface authenticates the identity authentication information and sends authorization permission information.
According to a preferred embodiment of the present application, the method further comprises:
and if the access request contains authorization permission information and that information does not match the authorization permission information cached by the proxy gateway, sending the access request to the authentication entry of the management interface, or returning an authentication failure response.
According to a preferred embodiment of the present application, the method further comprises:
and the authorization permission information cached by the proxy gateway is deleted after the validity period is reached.
In a second aspect, the present application further provides an identity authentication apparatus, where the apparatus is built in an internet of things device, and the apparatus includes: the system comprises a first interaction unit, a cooperative authentication unit and a second interaction unit;
the first interaction unit is used for receiving and sending an access request sent to a management interface of the Internet of things equipment;
the cooperative authentication unit is configured to trigger the second interaction unit to send the access request to the authentication entry of the management interface if it is determined that the access request does not include authorization permission information; if the access request contains authorization permission information and the authorization permission information is matched with the cached authorization permission information, triggering the second interaction unit to send the access request to the requested management interface address;
the second interaction unit is configured to send the access request to an authentication entry of the management interface under the trigger of the cooperative authentication unit; receiving authorization permission information issued by the management interface and providing the authorization permission information to the cooperative authentication unit; sending the access request to the requested management interface address under the trigger of the cooperative authentication unit;
the cooperative authentication unit is further configured to cache authorization permission information issued by the management interface and trigger the first interaction unit to forward the authorization permission information to an accessor;
the first interaction unit is further configured to forward the authorization permission information to the visitor under the trigger of the cooperative authentication unit.
According to a preferred embodiment of the present application, the apparatus is built in the internet of things device in the form of an executable file.
According to a preferred embodiment of the present application, before caching the authorization permission information issued by the management interface, the cooperative authentication unit is further configured to trigger the first interaction unit to forward an identity authentication interface provided by an authentication entry of the management interface to the visitor;
the first interaction unit is further configured to forward the identity authentication interface to the visitor under the trigger of the cooperative authentication unit; receiving identity information input by the visitor on the identity authentication interface;
the second interaction unit is further configured to forward the identity information input by the visitor on the identity authentication interface to the management interface, so that the management interface authenticates the identity authentication information and sends authorization permission information.
According to a preferred embodiment of the present application, the cooperative authentication unit is further configured to trigger the second interaction unit to send the access request to the authentication entry of the management interface, or trigger the first interaction unit to return an authentication failure response, if the access request includes authorization permission information and the authorization permission information does not match with the authorization permission information cached by the proxy gateway.
In a third aspect, the present application further provides an apparatus, comprising:
one or more processors;
a storage device for storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the method as described above.
In a fourth aspect, the present application also provides a storage medium containing computer-executable instructions for performing the method as described above when executed by a computer processor.
According to the technical scheme, the proxy gateway built into the IoT device intercepts the access request sent to the management interface of the IoT device, and an access request that does not contain authorization permission information is sent to the authentication entry of the management interface, so that the management interface authenticates the visitor's identity and issues authorization permission information; access to the requested management interface address is allowed only for access requests containing the correct authorization permission information. Through the cooperative authentication of the proxy gateway, a malicious visitor is prevented from bypassing the identity authentication of the management interface and accessing the management interface directly, and the IoT security threat is reduced.
[ description of the drawings ]
FIG. 1 is a diagram of a system architecture provided by an embodiment of the present application;
FIG. 2 is a flow chart of a method provided by an embodiment of the present application;
FIG. 3 is a block diagram of an apparatus according to an embodiment of the present disclosure;
FIG. 4 illustrates a block diagram of an exemplary computer system/server suitable for use in implementing embodiments of the present invention.
[ detailed description ]
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in detail below with reference to the accompanying drawings and specific embodiments.
At present, when the management interface of some types of IoT device is accessed, identity authentication must first be performed through an identity authentication interface provided by the management interface, and only requests from a visitor who has passed identity authentication can reach the management interface. However, some malicious visitors may find a vulnerability of the management interface and thereby access the management interface directly, bypassing identity authentication. In view of the above, a core idea of the present application is to embed a proxy gateway in the IoT device, positioned between the visitor and the management interface, which acquires every access request the visitor sends to the management interface and performs cooperative identity authentication to determine whether the access request is allowed to reach the management interface. The corresponding system architecture is shown in fig. 1, and the method provided in the present application is described in detail below with reference to the embodiments.
Fig. 2 is a flowchart of a method provided in an embodiment of the present application, where the method is performed by a proxy gateway built in an IoT device. The IoT devices referred to in this application may be various IoT terminal class devices, IoT network connection devices, IoT server devices, and so on. The IoT terminal class devices may include, but are not limited to, various smart home devices, smart transportation devices, smart wearable class devices, smart medical devices, smart security devices, and the like. The network connection devices of the IoT may include, but are not limited to, intelligent relay devices, switching devices, routers, and the like. As shown in fig. 2, the method includes:
in 201, a proxy gateway built into an IoT device receives an access request sent to a management interface of the IoT device.
The method and the device have the advantages that the proxy gateway is additionally arranged in front of the management interface in the IoT device, and the proxy gateway can be arranged in the IoT device in an executable file mode. The proxy gateway is responsible for monitoring and intercepting the access request sent to the management interface and executing the processing of the subsequent steps.
The management interface of the IoT device in this application may include a portal responsible for registering a visitor, a portal responsible for authenticating a visitor's identity, an interface responsible for forwarding access requests to other devices or websites, and so on. That is, in the present application, the interfaces responsible for the functional management of the IoT device are collectively referred to as the management interface. When a visitor needs to use a specific function of the IoT device, the visitor accesses the management interface address corresponding to that function and sends the corresponding access request to that address. For example, when a visitor needs to register, the visitor accesses the registration entry of the management interface and performs identity registration on the registration interface it provides. For another example, when the visitor needs to perform identity authentication, the visitor accesses the authentication entry of the management interface and performs identity authentication on the identity authentication interface it provides. For another example, when the visitor needs to access a specific web page through the IoT device, the visitor accesses the forwarding interface address of the management interface, and the forwarding interface forwards the url request. These examples are not intended to be an exhaustive list of the specific functions.
In addition, the above-described visitor may trigger on other devices to send a request to the IoT device to access the management interface of the IoT device. For example, when a visitor is to use a smart tv access router, the visitor triggers on the smart tv to send an access request to the management interface of the router.
The visitor may also trigger on the IoT device to send an access request to the management interface of the IoT device. For example, when a visitor wants to view a privacy space on a smart television, the visitor triggers sending an access request to a management interface of the smart television on an interface provided by the smart television.
In 202, it is judged whether the access request contains authorization permission information; if not, 203 is executed; otherwise 205 is executed.
For the case that the visitor first accesses the management interface of the IoT device, the authorization permission information is not included in its access request. In the case where the visitor accesses the management interface of the IoT device again after performing the subsequent steps 203 and 204, the authorization permission information is included in the access request.
That is, for an accessor, if authorization permission information issued by a management interface of an IoT device is locally stored, the authorization permission information may be carried in an access request sent to the management interface. If the authorization permission information issued by the management interface of the IoT device is not stored locally, the authorization permission information is not carried in the access request sent to the management interface.
At 203, the access request is sent to the authentication portal of the management interface.
Access requests that do not contain authorization permission information are redirected by the proxy gateway to the authentication entry of the management interface. After the access request reaches the authentication entry, the authentication entry of the management interface provides an identity authentication interface for the visitor. The proxy gateway forwards the identity authentication interface provided by the authentication entry to the visitor, and forwards the identity information the visitor enters on that interface to the management interface, so that the management interface can authenticate it. For a visitor who passes authentication, the management interface issues authorization permission information; for a visitor who fails authentication, an authentication failure response can be returned.
The identity information entered by the visitor on the identity authentication interface may be identity information that the visitor previously registered on the IoT device. For example, the identity information may be a user name, a password, etc.
The authorization permission information issued by the management interface may be signature information, a token, a password, a character string, etc.; the specific form of the authorization permission information is not limited in the present application.
In 204, the authorization permission information issued by the management interface is cached and forwarded to the visitor; the proxy gateway then waits for the visitor to send a request to the management interface of the IoT device again, at which point the process returns to step 201.
After receiving the authorization permission information issued to the visitor by the management interface of the IoT device, the proxy gateway caches the authorization permission information in the authentication cache in the system shown in fig. 1. And the authorization permission information is forwarded to the visitor, so that the authorization permission information can be carried in the access request sent again by the visitor.
In addition, the authorization permission information cached by the proxy gateway can have a certain validity period and is deleted after the authorization permission information reaches the validity period.
In 205, it is judged whether the authorization permission information contained in the access request matches the authorization permission information cached by the proxy gateway; if so, 206 is executed; otherwise 207 is executed.
In 206, the access request is allowed to access the management interface address requested by the access request, and the current process is ended.
After receiving the access request, the management interface may itself also verify the authorization permission information included in the access request; if it is consistent with the issued authorization permission information, verification passes and the management interface performs the corresponding function according to the access request. For example, if the visitor wants to access a specific url, the corresponding forwarding interface forwards the url request after verification passes. For another example, if the visitor wants to access the private space of the smart television, the visitor is allowed to access the private space after verification passes.
At 207, an authentication failure response is returned.
If the access request contains authorization permission information, that information can be further compared with the authorization permission information cached by the proxy gateway; if they are consistent, the access request is sent to the requested management interface address so that the requested function can be performed. If they are not consistent, the authorization permission information may be considered spoofed, and an authentication failure response may be returned directly to the visitor. Alternatively, if they are not consistent, the authorization permission information may be considered to have expired, so that the access request is redirected to the authentication entry of the management interface again for identity authentication in order to obtain new authorization permission information, that is, step 203 is performed again (this case is not shown in fig. 2).
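The following simulation is an added example written for this page, not code from the patent or from Ruishu: it implements the gateway decision flow of steps 201 to 207 above (redirect to the authentication entry, cache and forward the issued permission information, match against the cache, treat a mismatch as either spoofed or expired, delete cached entries after their validity period), and the same cache and matching logic stands for the cooperative authentication unit of the apparatus described next. The `AUTH_ENTRY` path, the status strings, the dataclasses, the sample user and the `on_mismatch` switch are assumptions of the example; the page leaves the form of the permission information open, so a random token is used.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

AUTH_ENTRY = "/auth"  # assumed path of the management interface's authentication entry


@dataclass
class Request:
    visitor: str                                 # constructed label for who sent it
    path: str                                    # requested management interface address
    token: Optional[str] = None                  # authorization permission information
    identity: Optional[Tuple[str, str]] = None   # (username, password) typed on the auth page


@dataclass
class Response:
    status: str        # "auth_interface", "token_issued", "ok" or "auth_failed"
    token: Optional[str] = None
    detail: str = ""


class ManagementInterface:
    """Stand-in for the device's management interface: checks registered identities,
    issues tokens, and re-verifies a token itself before serving a request."""

    def __init__(self, registered: Dict[str, str]):
        self.registered = registered      # username -> password (constructed sample data)
        self.issued: Dict[str, str] = {}  # token -> username

    def authenticate(self, identity: Tuple[str, str]) -> Optional[str]:
        user, password = identity
        if self.registered.get(user) != password:
            return None
        token = secrets.token_urlsafe(24)  # the page leaves the token's form open
        self.issued[token] = user
        return token

    def handle(self, req: Request) -> Response:
        if req.token not in self.issued:
            return Response("auth_failed", detail="interface rejected the token")
        return Response("ok", detail=f"{self.issued[req.token]} reached {req.path}")


class ProxyGateway:
    """Built into the device, in front of the management interface (steps 201-207)."""

    def __init__(self, mgmt: ManagementInterface, ttl: float, on_mismatch: str = "fail",
                 clock: Callable[[], float] = time.monotonic):
        self.mgmt = mgmt
        self.ttl = ttl                    # validity period of cached permission info
        self.on_mismatch = on_mismatch    # "fail" -> step 207; "reauth" -> back to 203
        self.clock = clock
        self.cache: Dict[str, float] = {}  # authentication cache: token -> expiry time

    def _purge_expired(self) -> None:
        now = self.clock()
        for token in [t for t, exp in self.cache.items() if exp <= now]:
            del self.cache[token]   # cached permission info is deleted once it expires

    def _auth_entry(self, req: Request) -> Response:
        # Step 203: redirect to the authentication entry. The first round trip hands the
        # identity authentication interface to the visitor; the second carries the identity.
        if req.identity is None:
            return Response("auth_interface", detail=f"redirect to {AUTH_ENTRY}")
        token = self.mgmt.authenticate(req.identity)
        if token is None:
            return Response("auth_failed", detail="identity not recognised")
        self.cache[token] = self.clock() + self.ttl   # step 204: cache, then forward
        return Response("token_issued", token=token)

    def handle(self, req: Request) -> Response:
        """Step 201: every request to the management interface passes through here."""
        self._purge_expired()
        if req.token is None:                           # step 202 -> 203
            return self._auth_entry(req)
        if req.token in self.cache:                     # step 205 -> 206
            return self.mgmt.handle(req)
        if self.on_mismatch == "reauth":                # 207 variant: treat as expired
            return self._auth_entry(Request(req.visitor, req.path, None, req.identity))
        return Response("auth_failed", detail="not in gateway cache")  # step 207


def demo() -> Tuple[str, str, str, str]:
    """One visitor walked through the flow with a fake clock; returns the four statuses."""
    now = [0.0]
    mgmt = ManagementInterface({"admin": "constructed-sample-password"})
    gw = ProxyGateway(mgmt, ttl=60.0, clock=lambda: now[0])
    path = "/forward?url=example"
    first = gw.handle(Request("tv", path))                          # no token -> auth page
    issued = gw.handle(Request("tv", path, identity=("admin", "constructed-sample-password")))
    again = gw.handle(Request("tv", path, token=issued.token))     # matches cache -> allowed
    now[0] += 61.0                                                  # validity period passes
    expired = gw.handle(Request("tv", path, token=issued.token))   # purged -> failure
    return first.status, issued.status, again.status, expired.status
```

Running `demo()` walks one visitor from the first unauthenticated request through token issuance, an allowed request, and rejection once the cached entry has expired.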
The above is a detailed description of the method provided in the present application, and the following is a detailed description of the apparatus provided in the present application with reference to the embodiments.
Fig. 3 is a structural diagram of an apparatus provided in an embodiment of the present application, where the apparatus is built in an IoT device, and the apparatus is built in the IoT device in the form of an executable file to implement the function of a proxy gateway in the method. As shown in fig. 3, the apparatus may include: a first interaction unit 01, a cooperative authentication unit 02 and a second interaction unit 03. The main functions of each constituent unit are as follows:
the first interaction unit 01 receives an access request sent by a visitor to a management interface of an IoT device.
The visitor described above may trigger on the other device to send a request to the IoT device to access the management interface of the IoT device. The visitor may also trigger on the IoT device to send an access request to the management interface of the IoT device.
If the cooperative authentication unit 02 judges that the access request does not contain the authorization permission information, the second interaction unit 03 is triggered to send the access request to the authentication entry of the management interface; if the access request includes the authorization permission information and the authorization permission information matches with the cached authorization permission information, the second interaction unit 03 is triggered to send the access request to the requested management interface address.
The second interaction unit 03 sends the access request to the authentication entry of the management interface under the trigger of the cooperative authentication unit 02; receiving authorization permission information issued by the management interface and providing the authorization permission information to the cooperative authentication unit 02; the access request is sent to the requested management interface address under the trigger of the cooperative authentication unit 02.
The cooperative authentication unit 02 caches the authorization permission information issued by the management interface and triggers the first interaction unit 01 to forward the authorization permission information to the visitor.
The first interaction unit 01 forwards the authorization permission information to the visitor under the trigger of the cooperative authentication unit 02.
Further, the cooperative authentication unit 02 triggers the first interaction unit 01 to forward the identity authentication interface provided by the authentication entry of the management interface to the visitor before caching the authorization permission information issued by the management interface.
The first interaction unit 01 forwards the identity authentication interface to the visitor under the trigger of the cooperative authentication unit 02; and receiving identity information input by the visitor on the identity authentication interface.
The identity information entered by the visitor on the identity authentication interface may be identity information that the visitor previously registered on the IoT device. For example, the identity information may be a user name, a password, etc.
The second interaction unit 03 forwards the identity information input by the visitor on the identity authentication interface to the management interface, so that the management interface authenticates the identity authentication information and sends authorization permission information.
The authorization permission information issued by the management interface may be signature information, a token, a password, a character string, etc.; the specific form of the authorization permission information is not limited in the present application.
The cooperative authentication unit 02 is further configured to trigger the second interaction unit 03 to send the access request to the authentication entry of the management interface, or trigger the first interaction unit 01 to return an authentication failure response, if the access request includes the authorization permission information and the authorization permission information does not match the authorization permission information cached by the proxy gateway.
In addition, the authorization permission information cached by the proxy gateway may have a certain validity period, and is deleted by the cooperative authentication unit 02 after the authorization permission information reaches the validity period.
According to the technical scheme, through the cooperative authentication of the proxy gateway, malicious visitors can be prevented from bypassing the identity authentication of the management interface and directly accessing the management interface, and the IoT security threat is reduced. The method is easy to implement, and can effectively prevent the vulnerability of unauthorized access to the management interface.
Fig. 4 illustrates a block diagram of an exemplary computer system/server 012 suitable for use in implementing embodiments of the invention. The computer system/server 012 shown in fig. 4 is only an example, and should not bring any limitation to the function and the scope of use of the embodiment of the present invention.
As shown in fig. 4, the computer system/server 012 is embodied as a general purpose computing device. The components of computer system/server 012 may include, but are not limited to: one or more processors or processing units 016, a system memory 028, and a bus 018 that couples various system components including the system memory 028 and the processing unit 016.
Bus 018 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, micro-channel architecture (MAC) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Computer system/server 012 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer system/server 012 and includes both volatile and nonvolatile media, removable and non-removable media.
System memory 028 can include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM)030 and/or cache memory 032. The computer system/server 012 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 034 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 4, commonly referred to as a "hard drive"). Although not shown in FIG. 4, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In such cases, each drive may be connected to bus 018 via one or more data media interfaces. Memory 028 can include at least one program product having a set (e.g., at least one) of program modules configured to carry out the functions of embodiments of the present invention.
Program/utility 040 having a set (at least one) of program modules 042 can be stored, for example, in memory 028, such program modules 042 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof might include an implementation of a network environment. Program modules 042 generally perform the functions and/or methodologies of embodiments of the present invention as described herein.
The computer system/server 012 may also communicate with one or more external devices 014 (e.g., keyboard, pointing device, display 024, etc.); in the present invention, the computer system/server 012 communicates with an external radar device, and it may also communicate with one or more devices that enable a user to interact with the computer system/server 012, and/or with any device (e.g., network card, modem, etc.) that enables the computer system/server 012 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 022. Also, the computer system/server 012 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet) via the network adapter 020. As shown, the network adapter 020 communicates with the other modules of the computer system/server 012 via bus 018. It should be appreciated that although not shown in fig. 4, other hardware and/or software modules may be used in conjunction with the computer system/server 012, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 016 executes programs stored in the system memory 028, thereby executing various functional applications and data processing, such as implementing the method flow provided by the embodiment of the present invention.
The computer program described above may be provided in a computer storage medium encoded with a computer program that, when executed by one or more computers, causes the one or more computers to perform the method flows and/or apparatus operations shown in the above-described embodiments of the invention. For example, the method flows provided by the embodiments of the invention are executed by one or more processors described above.
As time and technology advance, the meaning of "media" has broadened, and computer programs are no longer propagated only through tangible media; they can also be downloaded directly from a network, among other channels. Any combination of one or more computer-readable media may be employed. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (12)

1. A method of identity authentication, the method comprising:
receiving, by a proxy gateway built into the Internet of things device, an access request sent to a management interface of the Internet of things device;
if the access request does not contain authorization permission information, sending the access request to an authentication entry of the management interface, and caching the authorization permission information issued by the management interface and forwarding it to the visitor;
and if the access request contains authorization permission information and the authorization permission information matches the authorization permission information cached by the proxy gateway, sending the access request to the requested management interface address.
2. The method of claim 1, wherein the proxy gateway is built into the internet of things device in the form of an executable file.
3. The method of claim 1, wherein the access request comprises:
an access request that the visitor triggers on another device and that is sent to the management interface of the Internet of things device; or,
an access request that the visitor triggers on the Internet of things device itself and that is sent to its management interface.
4. The method of claim 1, wherein prior to caching and forwarding the authorization permission information issued by the management interface to the visitor, the method further comprises:
forwarding an identity authentication interface provided by the authentication entry of the management interface to the visitor;
and forwarding the identity information entered by the visitor on the identity authentication interface to the management interface, so that the management interface authenticates the identity information and issues authorization permission information.
5. The method of claim 1, further comprising:
and if the access request contains authorization permission information and the authorization permission information does not match the authorization permission information cached by the proxy gateway, sending the access request to the authentication entry of the management interface, or returning an authentication failure response.
6. The method of claim 1, further comprising:
and deleting the authorization permission information cached by the proxy gateway once its validity period has expired.
7. An identity authentication device, characterized in that the device is built into an Internet of things device, and the device comprises: a first interaction unit, a cooperative authentication unit and a second interaction unit;
the first interaction unit is used for receiving and sending an access request sent to a management interface of the Internet of things equipment;
the cooperative authentication unit is configured to trigger the second interaction unit to send the access request to the authentication entry of the management interface if it is determined that the access request does not include authorization permission information; if the access request contains authorization permission information and the authorization permission information is matched with the cached authorization permission information, triggering the second interaction unit to send the access request to the requested management interface address;
the second interaction unit is configured to send the access request to an authentication entry of the management interface under the trigger of the cooperative authentication unit; receiving authorization permission information issued by the management interface and providing the authorization permission information to the cooperative authentication unit; sending the access request to the requested management interface address under the trigger of the cooperative authentication unit;
the cooperative authentication unit is further configured to cache authorization permission information issued by the management interface and trigger the first interaction unit to forward the authorization permission information to the visitor;
the first interaction unit is further configured to forward the authorization permission information to the visitor under the trigger of the cooperative authentication unit.
8. The apparatus of claim 7, wherein the apparatus is built into an internet of things device in the form of an executable file.
9. The apparatus according to claim 7, wherein the cooperative authentication unit, before caching the authorization permission information issued by the management interface, is further configured to trigger the first interaction unit to forward an identity authentication interface provided by an authentication entry of the management interface to the visitor;
the first interaction unit is further configured to forward the identity authentication interface to the visitor under the trigger of the cooperative authentication unit; receiving identity information input by the visitor on the identity authentication interface;
the second interaction unit is further configured to forward the identity information input by the visitor on the identity authentication interface to the management interface, so that the management interface authenticates the identity authentication information and sends authorization permission information.
10. The apparatus according to claim 7, wherein the cooperative authentication unit is further configured to trigger the second interaction unit to send the access request to the authentication entry of the management interface, or trigger the first interaction unit to return an authentication failure response, if the access request includes authorization permission information and the authorization permission information does not match the authorization permission information cached by the proxy gateway.
11. An apparatus, characterized in that the apparatus comprises:
one or more processors;
a storage device for storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-6.
12. A storage medium containing computer-executable instructions for performing the method of any one of claims 1-6 when executed by a computer processor.
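The proxy-gateway decision logic of claims 1, 4, 5 and 6 (and of the apparatus claims 7 to 10, which mirror it), as an added example that is not part of the patent: the gateway never authenticates on its own, it only routes to the authentication entry, caches the permission information the management interface issues, and forwards requests whose permission information matches a live cache entry. The class and field names, the token format and the stand-in management interface are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class AccessRequest:
    path: str                                     # requested management interface address
    token: Optional[str] = None                   # authorization permission information, if present
    credentials: Optional[Dict[str, str]] = None  # identity information entered at the auth interface


class ManagementInterface:
    """Stand-in for the device's management interface and its authentication entry (assumption)."""

    def __init__(self, users: Dict[str, str], token_ttl: float = 300.0):
        self.users = users          # constructed user table: name -> password
        self.token_ttl = token_ttl  # validity period attached to issued permission information

    def authenticate(self, credentials: Dict[str, str]) -> Optional[Tuple[str, float]]:
        # Issue (token, validity period) when the identity information checks out, else None.
        expected = self.users.get(credentials.get("user", ""))
        supplied = credentials.get("password", "")
        if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
            return None
        return secrets.token_urlsafe(32), self.token_ttl


class ProxyGateway:
    """Proxy in front of the management interface; it never performs authentication itself."""

    def __init__(self, mgmt: ManagementInterface, clock: Callable[[], float] = time.monotonic):
        self.mgmt = mgmt
        self.clock = clock
        self._cache: Dict[str, float] = {}  # cached permission information -> expiry time (claim 6)

    def _cached_match(self, token: str) -> bool:
        now = self.clock()
        # Drop expired entries first, so a stale token can never match (claim 6).
        for stale in [t for t, exp in self._cache.items() if exp <= now]:
            del self._cache[stale]
        # Constant-time comparison against every live cached token.
        return any(hmac.compare_digest(token.encode(), t.encode()) for t in self._cache)

    def handle(self, req: AccessRequest) -> Tuple[str, Optional[str]]:
        if req.token is None:
            if req.credentials is None:
                # Claim 1: no permission information -> hand the request to the authentication entry.
                return ("auth_entry", None)
            # Claim 4: identity information is forwarded; the management interface decides.
            granted = self.mgmt.authenticate(req.credentials)
            if granted is None:
                return ("auth_failed", None)
            token, ttl = granted
            self._cache[token] = self.clock() + ttl  # cache, then forward to the visitor
            return ("token_issued", token)
        if self._cached_match(req.token):
            # Claim 1: permission information matches the cache -> forward to the requested address.
            return ("forwarded", req.path)
        # Claim 5: permission information present but not matching -> authentication failure response.
        return ("auth_failed", None)
```

The injectable clock lets the expiry behaviour of claim 6 be exercised deterministically; in a real deployment the cache would also be bounded and the token bound to the visitor's session.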
CN202010494072.1A 2020-06-03 2020-06-03 Identity authentication method and device Active CN111901290B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010494072.1A CN111901290B (en) 2020-06-03 2020-06-03 Identity authentication method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010494072.1A CN111901290B (en) 2020-06-03 2020-06-03 Identity authentication method and device

Publications (2)

Publication Number Publication Date
CN111901290A true CN111901290A (en) 2020-11-06
CN111901290B CN111901290B (en) 2022-10-11

Family

ID=73207283

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010494072.1A Active CN111901290B (en) 2020-06-03 2020-06-03 Identity authentication method and device

Country Status (1)

Country Link
CN (1) CN111901290B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113556349A (en) * 2021-07-23 2021-10-26 海信集团控股股份有限公司 Gateway authentication method and device and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108924154A (en) * 2018-07-24 2018-11-30 华数传媒网络有限公司 Identity identifying method and device
CN109617907A (en) * 2019-01-04 2019-04-12 平安科技(深圳)有限公司 Authentication method, electronic device and computer readable storage medium
CN109726025A (en) * 2018-12-29 2019-05-07 北京神舟航天软件技术有限公司 A kind of api interface access method based on API gateway
US20210319132A1 (en) * 2018-09-03 2021-10-14 VeChain Global Technology, S.AR.L Methods and Devices For Managing User Identity Authentication Data

Also Published As

Publication number Publication date
CN111901290B (en) 2022-10-11


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant