CN112966286A - Method, system, device and computer readable medium for user login - Google Patents


Info

Publication number: CN112966286A
Application number: CN202110338727.0A
Authority: CN (China)
Prior art keywords: key, server, user name, client, access
Legal status: Granted; currently Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN112966286B (en)
Inventors: 何伟明, 刘丽娟, 廖敏飞, 许腾, 成楚天, 赖敷君, 郭敏鸿
Current assignee: China Construction Bank Corp (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: CCB Finetech Co Ltd
Events: application filed by CCB Finetech Co Ltd; priority to CN202110338727.0A; publication of CN112966286A; application granted; publication of CN112966286B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method, a system, a device and a computer readable medium for user login, and relates to the technical field of data security. In one embodiment the method comprises: the client sends a user name, a device key and an access key to the server, where the device key is derived from the client's device identifier and the access key is derived using a salt key sent by the server; the server decrypts the database original key stored for the user name, using the user name, the device key and the salt key it holds, to obtain a verification access key; and the server decides whether the client's login succeeds by comparing the verification access key with the access key. This scheme protects the security of user login.

Description

Method, system, device and computer readable medium for user login
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a method, a system, a device, and a computer readable medium for user login.
Background
In many business scenarios a user password must be verified at login. During verification the client typically sends the verification elements of the password to the server, and the server compares them against the password-related information stored in its database, completing the login when the comparison passes.
In implementing the invention, the inventors found at least the following problem in the prior art: during verification the user's login password has a high probability of being leaked, so the security of user login is hard to guarantee.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, a system, a device and a computer readable medium for user login that protect the security of user login.
To achieve this, according to a first aspect of the embodiments of the present invention, a method for user login is provided, comprising:
the client sends a user name, a device key and an access key to the server, where the device key is derived from the client's device identifier and the access key is derived using a salt key sent by the server;
the server decrypts the database original key of the user name, using the user name, the device key and the salt key it stores, to obtain a verification access key;
and the server decides whether the client's login succeeds according to the verification access key and the access key.
Before the client sends the user name, the device key and the access key to the server, the method further comprises:
the client generates the device key by applying a hash algorithm to the client device identifier.
Before the client sends the user name, the device key and the access key to the server, the method further comprises:
the client generates the access key from the login password corresponding to the user name and the salt key sent by the server.
The salt key sent by the server is a random salt key.
The salt key is sent after the server receives the user name.
The server decrypting the database original key of the user name, using the user name, the device key and the salt key it stores, to obtain the verification access key comprises:
the server generates a verification key from the user name, the device key and the salt key;
and the server decrypts the database original key of the user name with the verification key to obtain the verification access key.
The server generating the verification key from the user name, the device key and the salt key comprises:
the server generates the verification key from the user name, the device key and the salt key using a key algorithm.
The key algorithm comprises the HKDF key derivation algorithm.
The server decrypting the database original key of the user name with the verification key to obtain the verification access key comprises:
the server looks up the database original key of the user name by the user name;
and the server decrypts the database original key of the user name with the verification key to obtain the verification access key.
The server deciding whether the client's login succeeds according to the verification access key and the access key comprises:
the server decides that the login succeeds if and only if the verification access key is identical to the access key.
The method further comprises:
generating the database original key at the server from the user name, the device key and the salt key.
Generating the database original key at the server from the user name, the device key and the salt key comprises:
the client sends the user name, the device key and a newly created access key to the server;
and the server generates and stores the database original key of the user name from the user name, the device key and the newly created access key.
The client sending the user name, the device key and the newly created access key to the server comprises:
the client generates the newly created access key from the login password corresponding to the user name and the salt key, where the salt key is sent by the server after the client submits an application;
the client generates the device key by applying a hash algorithm to the client device identifier;
and the client sends the user name, the device key and the newly created access key to the server.
The server generating and storing the database original key of the user name from the user name, the device key and the newly created access key comprises:
the server generates a verification key from the user name, the device key and the salt key using a key algorithm;
and the server encrypts the newly created access key with the verification key, producing the database original key of the user name, which it stores.
The key algorithm comprises the HKDF key derivation algorithm.
The method further comprises:
the server stores the user name and the salt key.
The server storing the user name and the salt key comprises:
the server stores the salt key and the database original key indexed by the user name.
According to a second aspect of the embodiments of the present invention, a system for user login is provided, the system comprising a client and a server, wherein
the client sends a user name, a device key and an access key to the server, where the device key is derived from the client's device identifier and the access key is derived using a salt key sent by the server;
the server decrypts the database original key of the user name, using the user name, the device key and the salt key it stores, to obtain a verification access key;
and the server decides whether the client's login succeeds according to the verification access key and the access key.
According to a third aspect of the embodiments of the present invention, an electronic device for user login is provided, comprising:
one or more processors;
a storage device storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the method described above.
According to a fourth aspect of the embodiments of the present invention, a computer readable medium is provided, on which a computer program is stored that, when executed by a processor, implements the method described above.
One embodiment of the above invention has the following advantages or benefits: the client sends a user name, a device key and an access key to the server, where the device key is derived from the client's device identifier and the access key is derived using a salt key sent by the server; the server decrypts the database original key of the user name, using the user name, the device key and the salt key it stores, to obtain a verification access key; and the server decides whether the client's login succeeds according to the verification access key and the access key. Because the login verification involves both the user's device identifier and the salt key, login security is protected from the client side and the server side together.
Further effects of the above embodiments are described below in connection with the detailed description.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
fig. 1 is a schematic diagram of a main flow of a method of user login according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a client generating a device key and a newly created access key according to an embodiment of the present invention;
FIG. 3 is a schematic flow chart of generating a database raw key for a user name according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart illustrating a process for decrypting a database original key of a user name to obtain a verified access key according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the main structure of a system for user login according to an embodiment of the present invention;
FIG. 6 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
fig. 7 is a schematic block diagram of a computer system suitable for use in implementing a terminal device or server of an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
When a user's password is verified at login, an attacker who compromises the database obtains the stored password information. If the login password can then be recovered by collision or with a rainbow table, the password is leaked; the probability of leakage is therefore high and the security of user login is hard to ensure.
To ensure the security of user login, the following technical scheme of the embodiments of the invention can be adopted.
Referring to fig. 1, fig. 1 is a schematic diagram of the main flow of a user login method according to an embodiment of the present invention, which protects user login from both the client and the server by combining a client device identifier with a salt key sent by the server. As shown in fig. 1, the method comprises the following steps:
S101, the client sends a user name, a device key and an access key to the server, where the device key is derived from the client's device identifier and the access key is derived using a salt key sent by the server.
In the embodiment of the invention, a user login involves two parties, a client and a server; the user accesses the server through the client.
As an example, the client may be an application (app) on the user's mobile terminal. As another example, the client may be a browser on the user's mobile terminal or PC.
As an example, the server may be deployed in the cloud. As another example, it may be deployed on a dedicated server machine.
The user logs in to the server through the client, which must send information to the server. If the server verifies that information successfully, the login succeeds; if verification fails, the login fails.
In the embodiment of the present invention, the server's verification involves not only the information sent by the client but also information pre-stored at the server, namely the database original key.
The following describes, by way of example, how the database original key is pre-stored at the server.
In the embodiment of the invention, the user first applies through the client to set a password. On receiving the password-setting application from the client, the server generates a salt key and sends it to the client; that is, the salt key is sent by the server after the client submits the application. As an example, the server generates the salt key for the user name, so that the user name and the salt key correspond to each other.
Referring to fig. 2, fig. 2 is a schematic flowchart of the client generating a device key and a newly created access key according to an embodiment of the present invention, comprising the following steps:
S201, the client generates a newly created access key from the login password corresponding to the user name and the salt key, where the salt key is sent by the server after the client submits an application.
The user enters the user name and login password at the client, and the client generates the newly created access key by hashing the login password together with the salt key.
As an example, P = Hash(passwd, salt), where P is the newly created access key, passwd is the login password and salt is the salt key.
S202, the client generates the device key by applying the hash algorithm to the client device identifier.
The client generates the device key, denoted R, by hashing its device identifier: R = Hash(device identifier). As an example, the client device identifier may be the identifier of the mobile terminal.
S203, the client sends the user name, the device key and the newly created access key to the server.
The client sends the user name, the device key and the newly created access key to the server so that the server can generate the database original key.
In the embodiment of fig. 2, the client sends the user name, the device key (not the raw device identifier) and the newly created access key to the server, so the generation of the database original key is bound to the device identifier.
Referring to fig. 3, fig. 3 is a schematic flowchart of generating the database original key of a user name according to an embodiment of the present invention, comprising the following steps:
S301, the server generates a verification key from the user name, the device key and the salt key using a key algorithm.
The server generates the verification key from the user name, the device key and the salt key using a key algorithm. As an example, the key algorithm may be the HKDF key derivation algorithm.
Specifically, K = HKDF(R, salt, username), where K is the verification key, R is the device key, salt is the salt key and username is the user name.
S302, the server encrypts the newly created access key with the verification key, producing the database original key of the user name, which it stores.
The server encrypts the newly created access key with the verification key to produce the database original key of the user name. Specifically, the server computes M = E(K, P), encrypting P under K, where M is the database original key. The database original key corresponds to the user name, so different user names have different database original keys.
In one embodiment of the invention, the user name, the salt key and the database original key are stored at the server. For example, the server stores the salt key and the database original key indexed by the user name, so that the salt key and/or the database original key can be looked up from the user name. The stored record therefore consists of the user name, the salt key and the database original key; the device key itself is not part of it.
By the computations of figs. 2 and 3 above, the database original key is stored at the server.
The key verification performed at user login is described below with reference to the figures.
The user applies for password verification through the client; the server looks up the salt key by the user name and returns it to the client. That is, the salt key is sent after the server receives the user name. As an example, the salt key sent by the server is a random salt key. Because what the server stores is derived from the login password hashed with a random salt key, a precomputed rainbow table cannot be reused across users; the random salt key thus improves login security.
The client generates the access key from the login password corresponding to the user name and the salt key sent by the server. As an example, the client computes P = Hash(passwd, salt).
In addition, the client generates the device key by applying the hash algorithm to the client device identifier.
Finally, the client sends the user name, the device key and the access key to the server.
S102, the server decrypts the database original key of the user name, using the user name, the device key and the salt key it stores, to obtain the verification access key.
When the server receives the user name, the device key and the access key from the client, indicating a login attempt, it decrypts the database original key of that user name, using the user name, the device key and the stored salt key, to obtain the verification access key.
Referring to fig. 4, fig. 4 is a schematic flowchart of decrypting the database original key of a user name to obtain the verification access key according to an embodiment of the present invention, comprising the following steps:
S401, the server generates the verification key from the user name, the device key and the salt key.
Decrypting the database original key requires the verification key; that is, the database original key is decrypted under the verification key.
The server generates the verification key from the user name, the device key and the salt key using a key algorithm. As an example, the key algorithm is the HKDF key derivation algorithm.
Specifically, the server computes K = HKDF(R, salt, username) with the HKDF key derivation algorithm, where R is the device key received from the client, salt is the salt key stored for the user name and username is the user name.
S402, the server decrypts the database original key of the user name with the verification key to obtain the verification access key.
The database original key is stored at the server, so it must first be retrieved and then decrypted.
Specifically, the server looks up the database original key of the user name by the user name and decrypts it with the verification key to obtain the verification access key.
For example, the server queries M from the database by the user name, decrypts M with K as P1 = D(K, M), and obtains the verification access key P1.
S103, the server decides whether the client's login succeeds according to the verification access key and the access key.
The server decides whether the client's login succeeds by checking whether the verification access key equals the access key. The verification access key P1 is recovered at the server by decryption; the access key P is the value received from the client. If P1 equals P, the login succeeds; otherwise it fails.
In the embodiment of the present invention, the client sends the user name, the device key and the access key to the server, where the device key is derived from the client's device identifier and the access key is derived using the salt key sent by the server; the server decrypts the database original key of the user name, using the user name, the device key and the stored salt key, to obtain the verification access key; and the server decides whether the login succeeds according to the verification access key and the access key. Because the login verification involves both the user's device identifier and the salt key, login security is protected from the client side and the server side together.
With a conventional hash scheme, the hash of the login password and the salt key are stored in the database; if the database is compromised, an attacker can crack the hash with common passwords or user information, causing a leak.
In embodiments of the present invention, by contrast, the generation of the database original key involves the client device identifier, which an attacker cannot obtain by attacking the database. Without the device key the attacker cannot derive the verification key, so the stored database original key cannot be decrypted to recover the access key, and password guesses cannot be checked offline against the leaked record. Even if the login password itself is leaked, an attacker cannot log in from another device, which effectively limits the impact of a password leak on the customer's sensitive information and funds.
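The registration flow of figs. 2 and 3 and the login flow of fig. 4, written out end to end as an added example; it is not part of the patent and not code from CCB Finetech. The primitives are concrete choices of this example, not of the patent: Hash is SHA-256, HKDF is RFC 5869 with HMAC-SHA-256 written inline so the script has no dependencies, and E/D is a stand-in authenticated cipher (an HKDF-derived keystream under a random nonce plus an HMAC tag) in place of a real AEAD such as AES-GCM. The user name, password and device identifiers are constructed sample values, and the in-memory dict stands in for the server database.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size   # 32 bytes
NONCE_LEN = 16

# HKDF (RFC 5869, HMAC-SHA-256), written out so the example has no dependencies
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = HASH_LEN) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)

# client-side computations (fig. 2)
def access_key(password: str, salt: bytes) -> bytes:
    # P = Hash(passwd, salt). Plain SHA-256 stands in for the page's unspecified Hash;
    # a deployment would use a slow password hash here.
    return HASH(salt + password.encode()).digest()

def device_key(device_id: str) -> bytes:
    # R = Hash(device identifier); the identifier itself never leaves the client
    return HASH(device_id.encode()).digest()

# server-side primitives (figs. 3 and 4)
def verification_key(username: str, R: bytes, salt: bytes) -> bytes:
    # K = HKDF(R, salt, username): R is the input keying material, username the info
    return hkdf(R, salt, username.encode())

def encrypt(K: bytes, P: bytes) -> bytes:
    # M = E(K, P). Stand-in AEAD: HKDF keystream under a fresh nonce, then an HMAC tag.
    nonce = os.urandom(NONCE_LEN)
    keystream = hkdf(K, nonce, b"stream", len(P))
    ct = bytes(a ^ b for a, b in zip(P, keystream))
    tag = hmac.new(K, nonce + ct, HASH).digest()
    return nonce + ct + tag

def decrypt(K: bytes, M: bytes) -> Optional[bytes]:
    # P1 = D(K, M); None when the tag does not verify (wrong K or tampered M)
    nonce, ct, tag = M[:NONCE_LEN], M[NONCE_LEN:-HASH_LEN], M[-HASH_LEN:]
    if not hmac.compare_digest(hmac.new(K, nonce + ct, HASH).digest(), tag):
        return None
    keystream = hkdf(K, nonce, b"stream", len(ct))
    return bytes(a ^ b for a, b in zip(ct, keystream))

class Server:
    def __init__(self) -> None:
        # database: user name -> {salt key, database original key M}; R, K and P are never stored
        self.db: Dict[str, dict] = {}

    def begin_registration(self, username: str) -> bytes:
        salt = os.urandom(16)                       # random salt key, one per user name
        self.db[username] = {"salt": salt, "M": None}
        return salt

    def complete_registration(self, username: str, R: bytes, P: bytes) -> None:
        rec = self.db[username]
        K = verification_key(username, R, rec["salt"])
        rec["M"] = encrypt(K, P)                    # only the encrypted access key is kept

    def salt_for(self, username: str) -> bytes:
        # a login starts with the user name; unknown names get a throwaway salt
        rec = self.db.get(username)
        return rec["salt"] if rec else os.urandom(16)

    def login(self, username: str, R: bytes, P: bytes) -> bool:
        rec = self.db.get(username)
        if rec is None or rec["M"] is None:
            return False
        K = verification_key(username, R, rec["salt"])
        P1 = decrypt(K, rec["M"])
        return P1 is not None and hmac.compare_digest(P1, P)

class Client:
    def __init__(self, device_id: str) -> None:
        self.R = device_key(device_id)

    def register(self, server: Server, username: str, password: str) -> None:
        salt = server.begin_registration(username)
        server.complete_registration(username, self.R, access_key(password, salt))

    def login(self, server: Server, username: str, password: str) -> bool:
        salt = server.salt_for(username)
        return server.login(username, self.R, access_key(password, salt))

def demo() -> Dict[str, bool]:
    # constructed sample user, password and device identifiers
    server = Server()
    phone, laptop = Client("device-id-phone-0001"), Client("device-id-laptop-0002")
    phone.register(server, "alice", "correct horse battery")
    leaked = server.db["alice"]                     # what a database compromise yields
    return {
        "same_device": phone.login(server, "alice", "correct horse battery"),
        "wrong_password": phone.login(server, "alice", "wrong"),
        "other_device": laptop.login(server, "alice", "correct horse battery"),
        "unknown_user": phone.login(server, "mallory", "anything"),
        # attacker holds salt and M and even guesses the right password, but has no R
        "offline_guess_without_R": decrypt(
            verification_key("alice", device_key("guessed-device"), leaked["salt"]),
            leaked["M"]) == access_key("correct horse battery", leaked["salt"]),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running demo() exercises the properties the description claims: the registered device with the correct password logs in; a wrong password, a different device (a different R, hence a different K, hence a failed decryption) and an unknown user do not; and a record leaked from the database contains only the salt key and M, so even a correct password guess cannot be confirmed without R. Two caveats a deployment would have to address: R is only as unguessable as the device identifier it is hashed from (a hash of an enumerable serial number is enumerable too), and P = Hash(passwd, salt) is a fixed per-user value sent on every login, so it must travel over an authenticated channel and a slow password hash should replace the plain SHA-256 used here.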
Referring to fig. 5, fig. 5 is a schematic diagram of the main structure of a system for user login according to an embodiment of the present invention; the system can carry out the user login method described above. As shown in fig. 5, the system comprises:
a client 501 and a server 502, wherein
the client 501 sends a user name, a device key and an access key to the server 502, the device key being derived from the client device identifier and the access key being derived using a salt key sent by the server 502;
the server 502 decrypts the database original key of the user name, using the user name, the device key and the salt key it stores, to obtain a verification access key;
and the server 502 decides whether the client 501 logs in successfully according to the verification access key and the access key.
In one embodiment of the present invention, the client 501 generates the device key by applying a hash algorithm to the client device identifier.
In one embodiment of the present invention, the client 501 generates the access key from the login password corresponding to the user name and the salt key sent by the server 502.
In one embodiment of the present invention, the salt key sent by the server 502 is a random salt key.
In one embodiment of the present invention, the salt key is sent after the server 502 receives the user name.
In one embodiment of the present invention, the server 502 generates a verification key from the user name, the device key and the salt key;
the server 502 decrypts the database original key of the user name with the verification key to obtain the verification access key.
In one embodiment of the present invention, the server 502 generates the verification key from the user name, the device key and the salt key using a key algorithm.
In one embodiment of the invention, the key algorithm comprises the HKDF key derivation algorithm.
In one embodiment of the present invention, the server 502 looks up the database original key of the user name by the user name;
the server 502 decrypts the database original key of the user name with the verification key to obtain the verification access key.
In one embodiment of the present invention, the server 502 decides that the client 501 logs in successfully if and only if the verification access key is identical to the access key.
In one embodiment of the invention, the database original key is generated at the server 502 from the user name, the device key and the salt key.
In one embodiment of the present invention, the client 501 sends the user name, the device key and a newly created access key to the server 502;
the server 502 generates and stores the database original key of the user name from the user name, the device key and the newly created access key.
In one embodiment of the present invention, the client 501 generates the newly created access key from the login password corresponding to the user name and the salt key, where the salt key is sent by the server 502 after the client 501 submits an application;
the client 501 generates the device key by applying a hash algorithm to the client device identifier;
the client 501 sends the user name, the device key and the newly created access key to the server 502.
In one embodiment of the present invention, the server 502 generates a verification key from the user name, the device key and the salt key using a key algorithm;
the server 502 encrypts the newly created access key with the verification key, producing the database original key of the user name, which it stores.
In one embodiment of the invention, the key algorithm comprises the HKDF key derivation algorithm.
In one embodiment of the invention, the server 502 stores the user name and the salt key.
In one embodiment of the present invention, the server 502 stores the salt key and the database original key indexed by the user name.
Fig. 6 illustrates an exemplary system architecture 600 of a user login method or system to which embodiments of the present invention may be applied.
As shown in fig. 6, the system architecture 600 may include terminal devices 601, 602, 603, a network 604, and a server 605. The network 604 serves to provide a medium for communication links between the terminal devices 601, 602, 603 and the server 605. Network 604 may include various types of connections, such as wire, wireless communication links, or fiber optic cables, to name a few.
A user may use the terminal devices 601, 602, 603 to interact with the server 605 via the network 604 to receive or send messages or the like. The terminal devices 601, 602, 603 may have installed thereon various communication client applications, such as shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 601, 602, 603 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 605 may be a server providing various services, such as a background management server (for example only) providing support for shopping websites browsed by users using the terminal devices 601, 602, 603. The backend management server may analyze and perform other processing on the received data such as the product information query request, and feed back a processing result (for example, target push information, product information — just an example) to the terminal device.
It should be noted that the method for user login provided by the embodiment of the present invention is generally executed by the server 605, and accordingly, the system for user login is generally disposed in the server 605.
It should be understood that the number of terminal devices, networks, and servers in fig. 6 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 7, shown is a block diagram of a computer system 700 suitable for use with a terminal device implementing an embodiment of the present invention. The terminal device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 7, the computer system 700 includes a Central Processing Unit (CPU)701, which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data necessary for the operation of the system 700 are also stored. The CPU 701, the ROM 702, and the RAM 703 are connected to each other via a bus 704. An input/output (I/O) interface 705 is also connected to bus 704.
The following components are connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is mounted into the storage section 708 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 701.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor comprising a client and a server. The names of these modules do not in some cases constitute a limitation on the modules themselves; for example, the client may also be described as a module that sends to the server a user name, a device key generated from the client device identifier, and an access key generated from a salt key sent by the server.
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform the following:
the client sends a user name, a device key and an access key to the server, wherein the device key is generated according to the device identifier of the client, and the access key is generated from a salt key sent by the server;
the server decrypts the database original key of the user name according to the user name, the device key and the salt key stored by the server, to obtain a verification access key;
and the server judges whether the client has logged in successfully according to the verification access key and the access key.
According to the technical solution of the embodiments of the present invention, the client sends a user name, a device key and an access key to the server, wherein the device key is generated according to the device identifier of the client and the access key is generated from a salt key sent by the server; the server decrypts the database original key of the user name according to the user name, the device key and the salt key stored by the server to obtain a verification access key; and the server judges whether the client has logged in successfully according to the verification access key and the access key. When a user logs in through the client, the login verification process involves not only the user device identifier but also the salt key, so that login security is ensured on both the client side and the server side.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (20)

1. A method for user login, characterized in that it comprises the following steps:
the client sends a user name, a device key and an access key to the server, wherein the device key is generated according to the device identifier of the client, and the access key is generated from a salt key sent by the server;
the server decrypts the database original key of the user name according to the user name, the device key and the salt key stored by the server, to obtain a verification access key;
and the server judges whether the client has logged in successfully according to the verification access key and the access key.
2. The method of claim 1, wherein before the client sends the user name, the device key and the access key to the server, the method further comprises:
the client generates the device key by applying a hash algorithm to the client device identifier.
3. The method of claim 1, wherein before the client sends the user name, the device key and the access key to the server, the method further comprises:
the client generates the access key according to the login password corresponding to the user name and the salt key sent by the server.
4. The method of claim 3, wherein the salt key sent by the server is a random salt key.
5. The method of claim 1, wherein the salt key is sent by the server after receiving the user name.
6. The method for user login of claim 1, wherein the server decrypting the database original key of the user name according to the user name, the device key and the salt key stored by the server to obtain a verification access key comprises:
the server generates a verification key according to the user name, the device key and the salt key;
and the server decrypts the database original key of the user name with the verification key to obtain the verification access key.
7. The method of claim 6, wherein the step of the server generating a verification key according to the user name, the device key and the salt key comprises:
the server generates the verification key from the user name, the device key and the salt key using a key algorithm.
8. The method of claim 7, wherein said key algorithm comprises an HKDF key derivation algorithm.
9. The method of claim 6, wherein the step of the server decrypting the database original key of the user name with the verification key to obtain the verification access key comprises:
the server queries the database original key of the user name according to the user name;
and the server decrypts the database original key of the user name with the verification key to obtain the verification access key.
10. The method of claim 1, wherein the step of the server judging whether the client has logged in successfully according to the verification access key and the access key comprises:
the server judges whether the client has logged in successfully according to whether the verification access key is identical to the access key.
11. The method for user login of claim 1, wherein the method further comprises:
generating the database original key at the server based on the user name, the device key and the salt key.
12. The method of claim 11, wherein generating the database original key at the server based on the user name, the device key and the salt key comprises:
the client sends the user name, the device key and a newly created access key to the server;
and the server generates and stores the database original key of the user name according to the user name, the device key and the newly created access key.
13. The method of claim 12, wherein the step of the client sending the user name, the device key and the newly created access key to the server comprises:
the client generates the newly created access key based on the login password corresponding to the user name and the salt key, wherein the salt key is sent by the server after the client sends a request;
the client generates the device key by applying a hash algorithm to the client device identifier;
and the client sends the user name, the device key and the newly created access key to the server.
14. The method of claim 12, wherein the step of the server generating and storing the database original key of the user name according to the user name, the device key and the newly created access key comprises:
the server generates a verification key from the user name, the device key and the salt key using a key algorithm;
and the server encrypts the newly created access key with the verification key to generate and store the database original key of the user name.
15. The method for user login of claim 14, wherein said key algorithm comprises an HKDF key derivation algorithm.
16. The method for user login of claim 14, wherein the method further comprises:
the server stores the user name and the salt key.
17. The method of claim 16, wherein the server storing the user name and the salt key comprises:
the server stores the salt key and the database original key indexed by the user name.
18. A system for user login, characterized in that it comprises a client and a server, wherein
the client sends a user name, a device key and an access key to the server, wherein the device key is generated according to the device identifier of the client, and the access key is generated from a salt key sent by the server;
the server decrypts the database original key of the user name according to the user name, the device key and the salt key stored by the server, to obtain a verification access key;
and the server judges whether the client has logged in successfully according to the verification access key and the access key.
19. An electronic device for a user to log in, comprising:
one or more processors;
a storage device for storing one or more programs,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-17.
20. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-17.
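The registration flow of claims 11-17 and the login flow of claims 1-10, carried through end to end as an added Python example; this is not the patent's code. The patent names only HKDF and "a hash algorithm", so SHA-256 for the device key, PBKDF2-HMAC-SHA256 for the access key, RFC 5869 HKDF for the verification key, and an HKDF-derived XOR keystream standing in for the unnamed cipher of claim 14 are all assumptions made here.

```python
"""Registration and login of claims 1-17 (added illustration, not the patent's code)."""
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (Extract, then Expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]

# Client side (claims 2, 3, 13). SHA-256 and PBKDF2 are assumptions: the
# patent says only "a hash algorithm" and "the login password and the salt key".
def device_key(device_id: str) -> bytes:
    return HASH(device_id.encode()).digest()

def access_key(password: str, salt_key: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt_key, 100_000)

# Server side (claims 6-10, 14-17).
def verification_key(username: str, dev_key: bytes, salt_key: bytes) -> bytes:
    """Verification key: HKDF over user name, device key and salt key (claim 8)."""
    return hkdf(salt_key, dev_key, username.encode(), HASH_LEN)

def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the unnamed cipher of claim 14: XOR with an
    HKDF-expanded keystream. A real deployment would use an AEAD such as AES-GCM."""
    stream = hkdf(nonce, key, b"db-original-key", len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class Server:
    def __init__(self):
        self.records = {}  # user name -> (salt key, nonce, database original key)

    def salt_for(self, username: str) -> bytes:
        """Salt key returned once the client has sent its user name (claim 5)."""
        return self.records[username][0]

    def register(self, username, dev_key, salt_key, new_access_key):
        """Encrypt the new access key under the verification key and store the
        result as the database original key, with the salt key (claims 12-17)."""
        vk = verification_key(username, dev_key, salt_key)
        nonce = os.urandom(16)  # keeps the keystream fresh if the user re-registers
        db_original_key = xor_keystream(vk, nonce, new_access_key)
        self.records[username] = (salt_key, nonce, db_original_key)

    def login(self, username, dev_key, acc_key) -> bool:
        """Decrypt the database original key to the verification access key and
        compare it with the received access key in constant time (claims 1, 6-10)."""
        record = self.records.get(username)
        if record is None:
            return False
        salt_key, nonce, db_original_key = record
        vk = verification_key(username, dev_key, salt_key)
        verify_access_key = xor_keystream(vk, nonce, db_original_key)
        return hmac.compare_digest(verify_access_key, acc_key)

def demo(username="alice", password="correct horse", device_id="dev-01"):
    """Register, then attempt a good login, a wrong password and a wrong device."""
    server = Server()
    salt = os.urandom(16)  # random salt key issued at registration (claims 4, 13)
    server.register(username, device_key(device_id), salt, access_key(password, salt))
    salt = server.salt_for(username)  # claim 5: salt sent after the user name
    good = server.login(username, device_key(device_id), access_key(password, salt))
    wrong_pw = server.login(username, device_key(device_id), access_key("wrong", salt))
    wrong_dev = server.login(username, device_key("dev-02"), access_key(password, salt))
    return good, wrong_pw, wrong_dev
```

demo() returns (True, False, False): the registered device with the right password logs in, while a wrong password or a different device identifier fails because the decrypted verification access key no longer matches what the client sent.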

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110338727.0A CN112966286B (en) 2021-03-30 2021-03-30 Method, system, device and computer readable medium for user login

Publications (2)

Publication Number Publication Date
CN112966286A true CN112966286A (en) 2021-06-15
CN112966286B CN112966286B (en) 2023-01-24

Family

ID=76279685

Country Status (1)

Country Link
CN (1) CN112966286B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220923

Address after: 25 Financial Street, Xicheng District, Beijing 100033

Applicant after: CHINA CONSTRUCTION BANK Corp.

Address before: 12 / F, 15 / F, No. 99, Yincheng Road, Shanghai pilot Free Trade Zone, 200120

Applicant before: Jianxin Financial Science and Technology Co.,Ltd.

GR01 Patent grant