CN113630405A

CN113630405A - Network access authentication method and device, electronic equipment and storage medium

Info

Publication number: CN113630405A
Application number: CN202110874471.5A
Authority: CN
Inventors: 闫帅
Original assignee: Beijing Dajia Internet Information Technology Co Ltd
Current assignee: Beijing Dajia Internet Information Technology Co Ltd
Priority date: 2021-07-30
Filing date: 2021-07-30
Publication date: 2021-11-09
Anticipated expiration: 2041-07-30
Also published as: CN113630405B

Abstract

The disclosure relates to a network access authentication method, a network access authentication device, a network access authentication terminal and a storage medium, and belongs to the technical field of network security. The network access authentication method comprises the following steps: receiving a network access request of a terminal, wherein the network access request comprises a target identity certificate and a terminal identifier, and the target identity certificate is used for reflecting whether a user corresponding to the terminal has a network access authority of accessing a target network; according to the corresponding relation between the identity certificate and the granted terminal identification, determining a target granted terminal identification corresponding to the target identity certificate, wherein the terminal indicated by the granted terminal identification is the terminal granted with the corresponding identity certificate; carrying out consistency verification on the terminal identification and the target granted terminal identification; when the terminal identification is different from the target granted terminal identification, prohibiting the terminal from accessing the target network; and when the terminal identification is the same as the target granted terminal identification, allowing the terminal to access the target network. The network access authentication method and the network access authentication device can improve the security of network access authentication.

Description

Network access authentication method and device, electronic equipment and storage medium

Technical Field

The present disclosure relates to the field of network security technologies, and in particular, to a network access authentication method and apparatus, an electronic device, and a storage medium.

Background

With the wide application of various wired networks and wireless networks, how to implement effective access authentication for network users to ensure that terminals accessing the network are compliant terminals is becoming a more and more concern of people. For example, for an enterprise wireless network, it is important to ensure that a terminal accessing a network is a terminal corresponding to an enterprise employee by effectively accessing and authenticating a network user, so as to ensure the security of the enterprise network.

At present, when a terminal accesses a network, the terminal can access the network only after network access authentication in an authentication server. When the terminal initiates network access authentication to the authentication server, the authentication server only authenticates the account name and the password of the user logged in by the terminal. And account names and passwords of users are easy to forget, leak, be stolen and the like, so that the security of the current terminal access authentication mode is low.

Disclosure of Invention

The disclosure provides a network access authentication method, a network access authentication device, a terminal and a storage medium, which can solve the problem of low security of the existing network access authentication method of the terminal to a certain extent.

According to a first aspect of the embodiments of the present disclosure, there is provided a network access authentication method, applied to a server, the method including:

receiving a network access request of a terminal, wherein the network access request comprises a target identity certificate and a terminal identifier, and the target identity certificate is used for reflecting whether a user corresponding to the terminal has a network access authority of accessing a target network;

determining a target authorization terminal identifier corresponding to the target identity certificate according to the corresponding relation between the identity certificate and the authorization terminal identifier, wherein the terminal indicated by the authorization terminal identifier is the terminal authorized with the corresponding identity certificate;

carrying out consistency verification on the terminal identification and the target granted terminal identification;

when the terminal identification is different from the target granted terminal identification, prohibiting the terminal from accessing the target network;

and when the terminal identification is the same as the target granted terminal identification, allowing the terminal to access the target network.

In one possible implementation, before the allowing the terminal to access the target network, the method further includes:

verifying the validity of the target identity certificate by using at least one type of verification data, wherein the verification data records the validity state of the identity certificate, and the at least one type of verification data comprises: the first check data are updated in real time, and the second check data are updated periodically;

when the target identity certificate is determined to be in an invalid state by adopting any one of the verification data, the terminal is forbidden to access the target network;

the allowing the terminal to access the target network includes: and when the target identity certificate is determined to be in a valid state by adopting all the verification data, allowing the terminal to access the target network.

In one possible implementation manner, the first verification data includes data stored in an identity certificate repository, and verifying the validity of the target identity certificate using the first verification data includes:

calling an identity card library according to an online certificate state protocol, and inquiring the validity state of the target identity certificate recorded in the identity card library, wherein the validity state at least comprises a valid state or an invalid state, and the validity state of each identity certificate stored in the identity card library is updated in real time.

In one possible implementation manner, the second verification data includes data recorded in a certificate revocation list, and the verifying the validity of the target identity certificate using the second verification data includes:

acquiring a periodically updated certificate revocation list, wherein the certificate revocation list records identity certificates in an invalid state;

querying whether the certificate revocation list includes the target identity certificate;

upon determining that the certificate revocation list does not include the target identity certificate, determining that the target identity certificate is in a valid state;

determining that the target identity certificate is in an invalid state upon determining that the certificate revocation list includes the target identity certificate.

In one possible implementation, the certificate revocation list further includes: the moment of failure of the identity certificate; the determining that the target identity certificate is in an invalid state when it is determined that the certificate revocation list includes the target identity certificate comprises:

and when the certificate revocation list is determined to comprise the target identity certificate and the current moment of the server is greater than the failure moment of the target identity certificate, determining that the target identity certificate is in an invalid state.

In one possible implementation manner, before the receiving the network entry request of the terminal, the method further includes:

receiving a network access request sent by the terminal for the first time, wherein the network access request sent for the first time comprises account information of the user and a terminal identifier of the terminal;

when determining that the account corresponding to the account information belongs to the accessible account corresponding to the target network, generating a target identity certificate in a valid state corresponding to the account information, wherein the target identity certificate in the valid state is used for reflecting that the user has a network access authority for accessing the target network;

the terminal identification is used as a target granted terminal identification of the target identity certificate, and the corresponding relation between the target identity certificate and the target granted terminal identification is recorded;

and sending a target identity certificate corresponding to the account information to the terminal, wherein the target identity certificate is used for the terminal to install.

In a possible implementation manner, before receiving the network entry request sent by the terminal for the first time, the method further includes: when receiving an identity authentication request sent by the terminal, sending an authentication message to the terminal;

the network access request sent for the first time further comprises: and generating a target identity certificate in a valid state corresponding to the account information when determining that the account information belongs to an accessible account corresponding to the target network, wherein the information to be verified comprises:

and when the account information is determined to belong to the accessible account corresponding to the target network and the verification message is consistent with the message to be verified, generating a target identity certificate in a valid state corresponding to the account information.

In one possible implementation manner, the first sent network entry request further includes: the generating of the target identity certificate in the valid state corresponding to the account information according to the operating system type of the terminal includes:

and generating a target identity certificate of a target file type, wherein the target file type corresponds to the operating system type.

In a possible implementation manner, the identity card library further records the time of failure of the target identity certificate and a user valid state corresponding to the target identity certificate; the method further comprises the following steps:

when a set event is detected, updating the validity state of the target identity certificate in the identity certificate library to an invalid state, wherein the set event comprises at least one of the following items:

the terminal identity is different from the target granted terminal identity,

the current time of the server is greater than the failure time of the target identity certificate recorded in the identity card library,

and updating the user valid state corresponding to the target identity certificate recorded in the identity certificate library to be an invalid user state.

In one possible implementation, the identity certificate includes at least one of: country code, geographical position of the target network, enterprise name, domain name of the target network, and valid days of the identity certificate.

According to a second aspect of the embodiments of the present disclosure, there is provided a network access authentication apparatus, applied to a server, the apparatus including:

the system comprises a receiving module, a sending module and a receiving module, wherein the receiving module is used for receiving a network access request of a terminal, the network access request comprises a target identity certificate and a terminal identifier, and the target identity certificate is used for reflecting whether a user corresponding to the terminal has a network access authority of accessing a target network;

the determining module is used for determining a target authorization terminal identifier corresponding to the target identity certificate according to the corresponding relation between the identity certificate and the authorization terminal identifier, wherein the terminal indicated by the authorization terminal identifier is the terminal authorized with the corresponding identity certificate;

the verification module is used for carrying out consistency verification on the terminal identification and the target granted terminal identification;

the access module is used for forbidding the terminal to access the target network when the terminal identification is different from the target granted terminal identification; and the terminal is also used for allowing the terminal to access the target network when the terminal identification is the same as the target granted terminal identification.

In a possible implementation manner, the verifying module is further configured to verify the validity of the target identity certificate by using at least one type of verification data, where the verification data records the validity status of the identity certificate, and the at least one type of verification data includes: the first check data are updated in real time, and the second check data are updated periodically;

the access module is further configured to prohibit the terminal from accessing the target network when it is determined that the target identity certificate is in an invalid state by using any one of the verification data;

the access module is further configured to allow the terminal to access the target network when it is determined that the target identity certificate is in a valid state by using all the verification data.

In one possible implementation manner, the first verification data includes data stored in an identity card library, and the verification module is further configured to:

In one possible implementation, the second verification data includes data recorded in a certificate revocation list, and the verification module is further configured to:

In one possible implementation, the certificate revocation list further includes: the moment of failure of the identity certificate; the verification module is further configured to determine that the target identity certificate is in an invalid state when it is determined that the certificate revocation list includes the target identity certificate and the current time of the server is greater than the time of failure of the target identity certificate.

In a possible implementation manner, the receiving module is further configured to receive a network access request sent by the terminal for the first time, where the network access request sent for the first time includes account information of the user and a terminal identifier of the terminal;

the device further comprises:

the generating module is used for generating a target identity certificate in a valid state corresponding to the account information when the account corresponding to the account information is determined to belong to an accessible account corresponding to the target network, wherein the target identity certificate in the valid state is used for reflecting that the user has a network access authority of accessing the target network;

the recording module is used for taking the terminal identification as a target granted terminal identification of the target identity certificate and recording the corresponding relation between the target identity certificate and the target granted terminal identification;

and the sending module is used for sending a target identity certificate corresponding to the account information to the terminal, wherein the target identity certificate is used for the terminal to install.

In a possible implementation manner, the sending module is further configured to send an authentication message to the terminal when receiving an authentication request sent by the terminal;

the network access request sent for the first time further comprises: and the generating module is further configured to generate a target identity certificate in a valid state corresponding to the account information when it is determined that the account information belongs to an accessible account corresponding to the target network and the verification message is consistent with the to-be-verified message.

In one possible implementation manner, the first sent network entry request further includes: the generation module is further configured to generate a target identity certificate of a target file type, where the target file type corresponds to the operating system type.

In a possible implementation manner, the identity card library further records the time of failure of the target identity certificate and a user valid state corresponding to the target identity certificate; the device further comprises:

a detection module, configured to update a validity state of the target identity certificate in the identity certificate repository to an invalid state when a set event is detected, where the set event includes at least one of:

the terminal identity is different from the target granted terminal identity,

According to a third aspect of the embodiments of the present disclosure, there is provided an electronic apparatus including:

one or more processors;

one or more memories for storing the one or more processor-executable instructions;

wherein the one or more processors are configured to perform the network entry authentication method of any one of the above aspects or any one of the possible implementations of any one of the above aspects.

According to a fourth aspect of embodiments of the present disclosure, there is provided a computer-readable storage medium, where instructions of the computer-readable storage medium, when executed by a processor of an electronic device, enable the electronic device to perform the network access authentication method according to the first aspect or any one of the possible implementations of the first aspect.

According to a fifth aspect of embodiments of the present disclosure, there is provided a computer program product, including computer program instructions, which when executed by a processor, implement the network access authentication method according to the first aspect or any one of the possible implementation manners of the first aspect.

According to a sixth aspect of the embodiments of the present disclosure, there is provided an application program product, where instructions of the application program product, when executed by a processor of a terminal, enable the terminal to perform the network access authentication method according to the first aspect or any one of the possible implementations of the first aspect.

The technical scheme provided by the embodiment of the disclosure can have the following beneficial effects:

after receiving a network access request from a terminal, the network access authentication method, the network access authentication device, the electronic device, and the storage medium according to the embodiments of the present disclosure may determine a target authorized terminal identifier corresponding to a target identity certificate included in the network access request through a correspondence between the identity certificate and the authorized terminal identifier. Therefore, whether the terminal is allowed to access the target network is judged according to the consistency check result of the terminal identification included in the network access request and the target granted terminal identification. Compared with the mode of carrying out network access authentication on the terminal in the related technology, the technical scheme does not relate to the verification of the account name and the password of the user, avoids the problem of low safety of the network access authentication mode caused by forgetting, revealing, stealing and the like of the account name and the password, reduces the risk of network access authentication of the terminal, and improves the network completeness. And because the terminal granted with the terminal identification indication is the terminal granted with the corresponding identity certificate, whether the terminal is allowed to access the target network is judged according to the consistency check result of the terminal identification included in the network access request and the target granted terminal identification, so that the identity check of the network access terminal is realized, the influence of the stolen identity certificate and other conditions on the security of the network access authentication mode is further avoided, and the network completeness is improved.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.

Fig. 1 is a schematic diagram illustrating an implementation environment of a network access authentication method according to an exemplary embodiment.

Fig. 2 is a schematic diagram illustrating an implementation environment of another network access authentication method according to an exemplary embodiment.

Fig. 3 is a flow chart illustrating a method of network entry authentication according to an example embodiment.

FIG. 4 is a schematic diagram illustrating a network entry interface in accordance with an exemplary embodiment.

Fig. 5 is a flowchart illustrating another network entry authentication method according to an example embodiment.

Fig. 6 is a block diagram illustrating a network access authentication apparatus according to an example embodiment.

FIG. 7 is a block diagram illustrating an electronic device in accordance with an example embodiment.

Detailed Description

Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.

It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the disclosure described herein are capable of operation in sequences other than those illustrated or otherwise described herein. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.

Fig. 1 is a schematic diagram illustrating an implementation environment of a network access authentication method according to an exemplary embodiment. As shown in fig. 1, the implementation environment includes: a terminal 101 and a server 102. The terminal 101 may be connected with the server 102 through a wired network or a wireless network.

The server 102 belongs to a target network, and may be configured to implement a network access authentication function of the target network, so as to ensure security of the target network. By way of example, the server 102 may be any device that can provide computing services and can respond to service requests and perform processing, and may be, for example, a conventional server, a cloud host, a virtual center, or the like. The terminal 101 can access the target network after the network access authentication through the server 102. By way of example, the terminal 101 may be a smartphone, a tablet, a personal computer, a wearable device, or the like. In an implementation scenario, the target network to which the server 102 belongs may be an enterprise network belonging to a certain enterprise, and the network access authentication method provided by the embodiment of the present disclosure may be applied to network access authentication for the enterprise network.

Optionally, the network access authentication function that the server 102 may perform may include: an authentication function in the device dimension and an authentication function in the user identity dimension. The network access request sent by the terminal 101 to the server 102 may include: a target identity certificate and a terminal identification. The target identity certificate is used for reflecting whether a user corresponding to the terminal has the network access authority of accessing the target network. The authentication function of the device dimension may refer to the terminal identifier carried in the network access request and the consistency authentication of the granted terminal identifier granted with the target identity certificate. The authentication function of the user identity dimension may refer to authentication for the validity of the target identity certificate.

In an alternative implementation, as shown in fig. 2, based on the implementation environment shown in fig. 1, the server 102 may include: a first server 102A and at least one second server. The first server 102A may be configured to receive a network access request sent by the terminal 101, and perform an authentication function of a device dimension for an originating terminal of the network access request. The at least one second server may be configured to perform an authentication function of the user identity dimension for the terminal initiating the network access request. In an optional implementation manner, the first service end 102A may be a Remote authentication in user service (Radius) end. The interactive data between the terminal 101 and the server needs to be encapsulated as a Radius protocol packet. The Radius server can be used for performing Radius protocol message encapsulation and decapsulation on data to be transmitted between the terminal and the server, so as to realize data interaction.

Optionally, the authentication of the user identity dimension performed by the terminal initiating the network access request may have a plurality of authentication modes. The number of the second servers may be multiple, and one second server may be configured to implement an authentication function of the user identity dimension based on one authentication manner. Fig. 2 illustrates an example that the implementation environment may include two second servers (102B1 and 102B2) when the user identity dimension authentication function is implemented by two authentication methods.

In the network access authentication system according to the embodiment of the present disclosure, the terminal 101 may authenticate a target network to which the access server 102 belongs through network access. Among other things, the terminal 101 may be configured to initiate a network entry request to the server 102 based on its installed identity certificate. The server 102 may be configured to perform a verification process on the network access right of the user according to the network access request. And when the verification of the network access authority passes, allowing the terminal to access the target network.

Fig. 3 is a flow chart illustrating a method of network entry authentication according to an example embodiment. The network access authentication method may be applied to the implementation environment shown in fig. 1 or fig. 2, and is executed by the server 102 in the implementation environment. As shown in fig. 3, the network entry request includes:

in step 301, a network access request of the terminal is received, where the network access request includes a target identity certificate and a terminal identifier, and the target identity certificate is used to reflect whether a user corresponding to the terminal has a network access right to access a target network.

In the embodiment of the present disclosure, the terminal identifier may be a Media Access Control Address (MAC) and/or an Internet Protocol Address (IP) of the terminal. The target identity certificate can be a digital certificate generated and issued to the terminal by the service terminal. The validity of the target identity certificate can be used for reflecting whether a user corresponding to the terminal has a network access right for accessing the target network. Under the condition that the terminal of the user is provided with the target identity certificate, if the user wants to enable the terminal of the user to access a target network to which the server belongs, the user can execute network access operation, so that the terminal generates a network access request and sends the network access request to the server. The server can receive the network access request of the terminal, so that the subsequent network access authentication operation is executed according to the network access request.

For example, if the terminal of the user wants to access the target network of the enterprise, the terminal of the user already installs the target identity certificate. The user may input the network name sectest-1-sec of the target network, select Extensible Authentication Protocol (EAP) as the identity certificate, select the security type WPA2 enterprise AES, and click the save button on the network login interface as shown in fig. 4. After receiving the click operation for the save button, the terminal may generate a network access request in response to the click operation, where the network access request includes a target identity certificate and a terminal identifier installed on the terminal. And sending the network access request to the server so that the server receives the network access request. The WPA2 enterprise AES is selected as the security type, namely the encryption mode of network transmission is selected as WPA2 enterprise AES, and the WPA2 enterprise AES is an encryption mode based on Wi-Fi protected access II (WPA2) and Advanced Encryption Standard (AES).

In step 302, a target authorized terminal identifier corresponding to the target identity certificate is determined according to a corresponding relationship between the identity certificate and the authorized terminal identifier. And the terminal granted with the terminal identification indication is the terminal granted with the corresponding identity certificate.

In the embodiment of the present disclosure, the server may store the identity certificate and an authorization terminal identifier of the terminal to which the identity certificate is authorized in an association manner, so as to represent a corresponding relationship between the identity certificate and the authorization terminal identifier based on an association relationship. Alternatively, the server may store the identity certificate document. The identity certificate document records the corresponding relation between the identity certificate and the granted terminal identification. The server can inquire the corresponding relation between the certificate and the authorized terminal identification, and inquire the target authorized terminal identification corresponding to the target identity certificate from the comparison relation. The format of the identity certificate document can be a table or text, etc.

Optionally, the granted terminal identifier may be a Media Access Control Address (MAC) and/or an Internet Protocol Address (IP) of the terminal. For example, the type of the granted terminal identifier may be the same as the type of the terminal identifier carried in the network access request. Or, the type of the granted terminal identifier may be different from the type of the terminal identifier carried in the network access request. If the type of the granted terminal identifier can be different from the type of the terminal identifier carried in the network access request, the server stores the corresponding relation between the type of the granted terminal identifier and the type of the terminal identifier carried in the network access request.

In step 303, the consistency between the terminal identifier and the target granted terminal identifier is verified.

In the embodiment of the present disclosure, the server may compare the target granted terminal identifier corresponding to the determined target identity certificate with the terminal identifier carried in the network access request, so as to determine whether the two identifiers are consistent.

In step 304, when the terminal identification is different from the target granted terminal identification, the terminal is prohibited from accessing the target network.

In the embodiment of the disclosure, when the server determines that the terminal identifier is different from the target granted terminal identifier, it indicates that the terminal currently sending the network access request including the target identity certificate is not the same terminal as the terminal to which the target identity certificate is granted. And further indicating that the target identity certificate is possibly stolen, and the terminal which requests to access the target network at present possibly belongs to an abnormal terminal, the server prohibits the terminal from accessing the target network.

In step 305, the terminal is allowed to access the target network when the terminal identification is the same as the target granted terminal identification.

In the embodiment of the disclosure, when it is determined that the terminal identifier is the same as the identifier of the target granted terminal, the server indicates that the terminal currently sending the network access request including the target identity certificate is the same terminal as the terminal to which the target identity certificate is granted. And further indicating that the terminal currently requesting to access the target network may belong to the accessible terminal, the server allows the terminal to access the target network.

To sum up, in the network access authentication method provided in the embodiment of the present disclosure, after receiving a network access request from a terminal, a target authorized terminal identifier corresponding to a target identity certificate included in the network access request may be determined according to a correspondence between an identity certificate and an authorized terminal identifier. Therefore, whether the terminal is allowed to access the target network is judged according to the consistency check result of the terminal identification included in the network access request and the target granted terminal identification. Compared with the mode of carrying out network access authentication on the terminal in the related technology, the technical scheme does not relate to the verification of the account name and the password of the user, avoids the problem of low safety of the network access authentication mode caused by forgetting, revealing, stealing and the like of the account name and the password, reduces the risk of network access authentication of the terminal, and improves the network completeness. And because the terminal granted with the terminal identification indication is the terminal granted with the corresponding identity certificate, whether the terminal is allowed to access the target network is judged according to the consistency check result of the terminal identification included in the network access request and the target granted terminal identification, so that the identity check of the network access terminal is realized, the influence of the stolen identity certificate and other conditions on the security of the network access authentication mode is further avoided, and the network completeness is improved.

Referring to fig. 5, fig. 5 is a flowchart illustrating another network access authentication method according to an embodiment of the present disclosure. The network access authentication method can be applied to the implementation environment shown in fig. 1. As shown in fig. 5, the network entry request includes:

in step 501, the terminal sends a network access request to the server for the first time, where the network access request includes account information of the user and a terminal identifier of the terminal.

In the embodiment of the disclosure, if a user wants to enable a terminal of the user to access a target network for the first time, the user can execute a network access operation, so that the terminal sends a network access request to a server for the first time. The network access request may include account information of the user and a terminal identifier of the terminal. The account information of the user may include an account name and a password corresponding to the user. The terminal identifier may be a Media Access Control Address (MAC) and/or an Internet Protocol Address (IP) of the terminal.

For example, the terminal may generate a network access request according to a data transmission protocol between the terminal and the server, where the network access request includes a format parameter for carrying an account name, a format parameter for carrying a password corresponding to the account name, and a format parameter for carrying a terminal identifier of the terminal.

In step 502, when determining that the account information belongs to the accessible account corresponding to the target network, the server generates a target identity certificate in a valid state corresponding to the account information.

In the embodiment of the disclosure, the target identity certificate is used for reflecting whether a user corresponding to the terminal has a network access right to access the target network. The target identity certificate in the valid state is used for reflecting that the user has the network access authority of accessing the target network. Correspondingly, the target identity certificate in the invalid state is used for reflecting that the user does not have the network access authority of accessing the target network. After receiving a network access request sent by the terminal for the first time, the server can analyze the network access request to obtain account information included in the network access request. And judging whether the account information belongs to an accessible account corresponding to a target network which the terminal wants to access. The accessible account corresponding to the target network may be determined by an administrator of the target network.

Optionally, the server may communicate with a database storing accessible accounts and passwords corresponding to the accounts. The database may be integrated with the server or the database may be separate from the server. The server can traverse all the accessible accounts in the database, and sequentially judges whether the accessible accounts obtained by traversal are the same as the accounts corresponding to the account information. If the password is the same as the password of the account corresponding to the account information, the server can judge whether the password of the same accessible account is the same as the password of the account corresponding to the account information. If the account information is the same as the accessible account corresponding to the target network, the server side determines that the account information belongs to the accessible account corresponding to the target network. And if the accessible account obtained by traversing is different from the account corresponding to the account information, the server side determines that the account information does not belong to the accessible account corresponding to the target network, and the server side prohibits the terminal from accessing the target network. And if the accessed account obtained by traversing is the same as the account corresponding to the account information, but the password of the same accessible account is different from the password of the account corresponding to the account information, the server side determines that the account information does not belong to the accessible account corresponding to the target network.

As an example, a scenario in which the target network is an enterprise network is taken as an example. After the enterprise staff transacts the job, the enterprise manager generates account names and passwords for logging in the enterprise network for the enterprise staff, wherein the account belongs to accessible accounts of the enterprise network. The enterprise manager synchronizes and persists the account name and password assigned to the employee to a Lightweight Directory Access Protocol (LDAP) database. The LDAP database is used for storing account names and corresponding passwords of accessible accounts corresponding to the enterprise network, and is located on the LDAP server. And after the server acquires the account information included in the network access request, transmitting the account name and the password included in the account information to the LDAP server according to a transmission protocol between the server and the LDAP server. And after receiving the account name and the password included by the network access request, the LDAP server executes account naming and password verification. And determining that the account name included in the network access request exists in the LDAP database, and the password corresponding to the same account name in the LDAP database is the same as the password included in the network access request, and determining that the account name and the password pass the verification. And the LDAP server sends a verification result for indicating that the account name and the password are verified to pass to the server. And when receiving the verification result, the server determines that account information included in the network access request belongs to an accessible account corresponding to the target network, and further generates a target identity certificate in a valid state corresponding to the account information.

In the embodiment of the disclosure, the server can verify the identity of the user by judging whether the account information belongs to the accessible account corresponding to the target network. And generating a target identity certificate in a valid state corresponding to the account information when the account information is determined to belong to the accessible account corresponding to the target network. The server may verify the identity of the user by verifying other factors. The security of the network access authentication is improved.

Optionally, before performing step 501, the method further comprises: and the terminal sends an authentication request to the server. And the server side sends an authentication message to the terminal when receiving the identity authentication request sent by the terminal. Correspondingly, in step 501, the network access request sent by the terminal for the first time may further include: a message to be authenticated. The message to be authenticated may be entered by the user based on the received authentication message.

Correspondingly, when the server determines that the account information belongs to the accessible account corresponding to the target network, the process of generating the target identity certificate in the valid state corresponding to the account information may include: and when the server side determines that the account information belongs to the accessible account corresponding to the target network and the verification message is consistent with the message to be verified, generating the target identity certificate in a valid state corresponding to the account information.

For example, the service end may also verify the user identity through short message authentication, mailbox authentication, and the like. Under the condition that the user identity is verified in a short message authentication mode, before the terminal sends a network access request to the server, an authentication request can be sent to the server, wherein the authentication request comprises a telephone contact mode of the terminal. And the server side sends an authentication message to the terminal through a telephone contact way when receiving an identity authentication request sent by the terminal. The terminal sends a network access request to the server, where the network access request may further include: a message to be authenticated. The message to be authenticated may be entered by the user based on the received authentication message. And when the account information is determined to belong to the accessible account corresponding to the target network and the verification message is consistent with the message to be verified, generating the target identity certificate in a valid state corresponding to the account information. Therefore, by introducing an identity verification mechanism with multiple modes, the checking function of the user identity can be further enhanced, the security of the network access authentication mode is further improved, and the network completeness is improved.

In this embodiment of the present disclosure, the process of the server generating the target identity certificate in the valid state corresponding to the account information may include: and the server generates a target identity certificate with a unique serial number according to the account name included in the account information, wherein the target identity certificate corresponds to the account information. The format of the target identity certificate may be an X509 format, an X500 format, and the like.

Optionally, the identity certificate may comprise at least one of: certificate subject data, certificate extension data, and certificate authority data. The certificate topic data comprises at least one of: the method comprises the following steps of country code, geographical position of a target network, enterprise name, domain name of the target network, valid days of an identity certificate, relevant information of an identity certificate encryption algorithm and public key password.

For example, the target identity certificate generated by the server may include: country code: CN (CN represents China), province of address position of target network: beijing, the city of the address location where the target network is located: beijing, the organization where the target network is located: beijingks, name of business to which the target network belongs: ks, domain name of target network: root, the number of valid days of the identity certificate 365, the information related to the encryption algorithm of the identity certificate, the number of bits of RSA (an encryption algorithm) is 2048, and the public key password: xxx. Public Key Cryptography may refer to the certificate Public Key Cryptography Standards (PCKS) 12 cipher.

Optionally, the network entry request sent by the terminal may further include: the operating system type of the terminal. The process of generating the target identity certificate in the valid state corresponding to the account information by the server may further include: the server generates a target identity certificate of a target file type, wherein the target file type corresponds to the operating system type. For example, the operating system type may be mac, windows, Android (Android), or the like. Therefore, the server side can generate the target identity certificate matched with the file type corresponding to the operating system type according to the operating system type of the terminal, so that the problem that the target identity certificate and the terminal operating system are not matched possibly is solved, the usability of the target identity certificate is improved, and the network access authentication efficiency is further ensured.

In step 503, the server takes the terminal identifier in the network access request sent by the terminal for the first time as the target granted terminal identifier of the target identity certificate, and records the corresponding relationship between the target identity certificate and the target granted terminal identifier.

Optionally, the server may store the target identity certificate in association with a target-granted terminal identifier of the terminal to which the target identity certificate is granted, so as to characterize a correspondence between the target identity certificate and the target-granted terminal identifier based on the association relationship. Alternatively, the server may store the identity certificate document. The identity certificate document records the corresponding relation between the target identity certificate and the target grant terminal identification.

In step 504, the server sends a target identity certificate corresponding to the account information to the terminal, and the target identity certificate is provided for the terminal to install.

In the embodiment of the present disclosure, the server may encrypt the target identity certificate to obtain an encrypted target identity certificate. And the server side sends the encrypted target identity certificate to the terminal. After the terminal receives the encrypted target identity certificate, the encrypted target identity certificate is decrypted to obtain the decrypted target identity certificate. And the user executes the target operation and installs the decrypted target identity certificate to the terminal. Optionally, the server may encrypt the target identity certificate by using a public key password in the target identity certificate. Correspondingly, the terminal can decrypt the encrypted target identity certificate by using a private key corresponding to the public key.

In step 505, the terminal sends a network access request to the server, where the network access request includes a target identity certificate and a terminal identifier.

In the embodiment of the disclosure, after the target identity certificate is installed on the terminal of the user, if the user wants to access the terminal of the user to the target network, the user can execute the network access operation, and the verification of the network access authority of the terminal is realized by using the target identity certificate installed on the terminal. The terminal can generate a network access request based on the target identity certificate and send the network access request to the server, so that the terminal generates the network access request and sends the network access request to the server. The server can receive the network access request of the terminal, so that the subsequent network access authentication operation is executed according to the network access request.

In step 506, the server determines a target authorized terminal identifier corresponding to the target identity certificate according to a correspondence between the identity certificate and the authorized terminal identifier.

In the embodiment of the disclosure, in the case that the server stores the identity certificate and the granted terminal identifier of the terminal to which the identity certificate is granted in an associated manner, so as to represent the corresponding relationship between the identity certificate and the granted terminal identifier based on the associated relationship, the server may read the target granted terminal identifier corresponding to the target identity certificate from the storage address of the target granted terminal identifier according to the associated relationship between the storage address of the target identity certificate and the storage address of the target granted terminal identifier corresponding thereto.

Alternatively, the server may store the identity certificate document. The identity certificate document records the corresponding relation between the identity certificate and the granted terminal identification. The server can obtain the target grant terminal identification corresponding to the target identity certificate from the identity certificate document. The format of the identity certificate document can be a table or text, etc.

In step 507, the server performs consistency verification on the terminal identifier and the target granted terminal identifier.

In step 508, the server prohibits the terminal from accessing the target network when the terminal identifier is different from the target granted terminal identifier.

In step 509, the server verifies the validity of the target identity certificate by using at least one verification data when the terminal identifier is the same as the target granted terminal identifier, and the verification data records the validity status of the identity certificate.

In the embodiment of the disclosure, when it is determined that the terminal identifier is the same as the identifier of the target granted terminal, the server indicates that the terminal currently sending the network access request including the target identity certificate is the same terminal as the terminal to which the target identity certificate is granted. And further indicates that the terminal currently requesting to access the target network may belong to the accessible terminal, the server may further verify the identity certificate. The server side can adopt at least one kind of verification data to verify the validity of the target identity certificate. The at least one verification data may include: the first check data updated in real time and the second check data updated periodically. Therefore, under the condition that the number of the verification data is multiple, the server side can realize multiple verification of various target identity certificates based on different verification data, and the verification accuracy of the identity certificates is improved. And the security of the network access authentication mode is further improved.

Based on this, the embodiment of the present disclosure exemplarily illustrates a process in which the server side verifies the validity of the target identity certificate by using different verification data.

In a first optional implementation manner, in the case that the verification data is the first verification data updated in real time, the verification data may include data stored in the identity card library. The process of verifying the validity of the target identity certificate by the server side using the first verification data includes:

calling an identity card library according to an Online Certificate Status Protocol (OCSP), and querying validity statuses of a target identity Certificate recorded in the identity card library, wherein the validity statuses at least include a valid Status or an invalid Status. And the validity states of the identity certificates stored in the identity certificate library are updated in real time.

In the disclosed embodiments, the authentication criteria are specified based on a data certificate. If the server needs to call the identity certificate library to verify the target identity certificate, the network access request received by the server is a request encoded by adopting an OCSP protocol. The request includes an identification of the target identity certificate, which may be a serial number, formatted as specified by the OCSP protocol. Correspondingly, the server side can adopt an OCSP protocol to analyze the received network access request to obtain the identification of the target identity certificate.

The identity card library records the identification of the full amount of identity certificates issued by the target network and the validity state corresponding to each identity certificate. The validity state of the identity certificate includes at least a valid state or an invalid state. The valid state may be referred to as an un-revoke state, and the identity certificate in the valid state may reflect that the terminal corresponding to the certificate may have a network access permission to access the target network. The invalid state is also called as an revoking state, and the identity certificate in the invalid state can reflect that the terminal corresponding to the certificate does not have the network access permission of accessing the target network. The server side can determine the valid state corresponding to the target identity certificate from the identity certificate library based on the identification of the target identity certificate. The validity of the target identity certificate is verified by adopting the data in the identity certificate library.

In this way, since the identity card repository is usually maintained by an issuing authority of the identity certificate, the validity status of each identity certificate stored in the identity card repository needs to be updated in real time to ensure the accuracy of the validity status of each identity certificate. Therefore, on the basis that the validity state of each identity certificate in the identity card library is higher in accuracy, the accuracy of verifying the validity state of the target identity certificate by adopting the identity card library is higher, and the safety of the network access authentication mode is effectively improved.

Optionally, the server may detect the set event by executing an information detection policy, so as to ensure accuracy of validity states of the identity certificates in the identity certificate repository. The setting event is used for reflecting the failure of the identity certificate. For example, the identity document library further records a time when the target identity document fails and a user valid state corresponding to the target identity document. The method further comprises the following steps: and when the server side detects a set event, the validity state of the target identity certificate in the identity certificate library is updated to be an invalid state. Wherein the setting event comprises at least one of: the terminal identification is different from the target granting terminal identification, the current time of the server is greater than the failure time of the target identity certificate recorded in the identity card library, and the user valid state corresponding to the target identity certificate recorded in the identity card library is updated to be an invalid user state.

In a scenario where the target network is an enterprise network, the valid state of the user in the identity card repository may be an invalid user state under any of the following conditions. The conditions may include: the employee leaves the job, and the network access authority is limited due to the personal behavior of the employee.

In this embodiment of the disclosure, in the aforementioned optional implementation environment as shown in fig. 2, one second server may be a server that verifies the validity of the target identity certificate by using the first verification data, and the server may be an OCSP server. The Radius server may analyze the received network access request to obtain the target identity card. And sending a certificate verification request to the OCSP server according to the OCSP protocol. The certificate verification request includes an identification of the target identity certificate formatted according to the OCSP. After receiving the certificate verification request, the OCSP server may parse the certificate verification request according to the OCSP protocol to obtain an identifier of the target identity certificate. And the OCSP server side determines the valid state corresponding to the target identity certificate from the identity certificate database. And sending a certificate verification response aiming at the certificate verification request to the Radius server. The certificate verification response is used to indicate whether the validity status of the target identity certificate is an invalid status. The Radius server can determine whether the terminal is operated to access the target network according to the certificate verification response.

In a second alternative implementation, in the case that the verification data is second verification data that is periodically updated, the verification data may include data recorded in a certificate revocation list. The process of verifying the validity of the target identity certificate by the server side using the second verification data includes:

a periodically updated Certificate Revocation List (CRL) is obtained, and the Certificate Revocation List records the identity Certificate in an invalid state. Querying whether the certificate revocation list includes a target identity certificate. Determining that the target identity certificate is in a valid state when it is determined that the certificate revocation list does not include the target identity certificate. When it is determined that the certificate revocation list includes the target identity certificate, it is determined that the target identity certificate is in an invalid state. Therefore, the mode of verifying the target identity certificate by using the periodically updated certificate revocation list is adopted, and the updating frequency of the certificate revocation list is low, so that the latest certificate revocation list for verification does not need to be acquired more frequently, and the network overhead is reduced.

In the embodiment of the present disclosure, the certificate revocation list may be manually maintained by an administrator of the target network. It can be seen as an "access blacklist" for the target network. Thus, the certificate revocation list may be updated periodically to save labor costs.

Optionally, the certificate revocation list may further include: the moment of failure of the identity certificate. Then, when it is determined that the certificate revocation list includes the target identity certificate, the process of determining that the target identity certificate is in an invalid state may include: and when the certificate revocation list is determined to comprise the target identity certificate and the current moment of the server is greater than the failure moment of the target identity certificate, determining that the target identity certificate is in an invalid state. Correspondingly, when the server side determines that the target identity certificate is not included in the certificate revocation list, the server side determines that the target identity certificate is in a valid state. Or, when the server determines that the certificate revocation list includes the target identity certificate and the current time of the server is not greater than the expiration time, determining that the target identity certificate is in a valid state. Therefore, the failure time of the identity certificate is added in the certificate revocation list, so that the process of judging whether the target identity certificate is failed or not based on the certificate revocation list is increased, and the judgment condition of the failure time of the identity certificate is increased. Therefore, misoperation under certain conditions can be avoided, and the accuracy of verifying the validity of the target identity certificate based on the certificate revocation list is improved.

In the embodiment of the present disclosure, in the aforementioned optional implementation environment as shown in fig. 2, a second server may be configured to generate a certificate revocation list, and send the generated certificate revocation list to the server. The server may be a CRL server. The second server may send the periodically updated certificate revocation list to the Radius server of the server. The Radius server may parse the received certificate revocation list to determine validity of the target identity certificate using the certificate revocation list obtained by parsing. In an optional implementation, the certificate revocation list may further include: validity of the certificate revocation list. Namely, the server can effectively judge the validity of the target identity certificate by using the certificate revocation list in the validity period.

In a third optional implementation manner, the verifying the data includes: under the condition of the first check data updated in real time and the second check data updated periodically, the process that the server side adopts the first check data and the second check data to verify the validity of the target identity certificate comprises the following steps:

and the server side calls the identity card library according to the online certificate state protocol and inquires the validity state of the target identity certificate recorded in the identity card library. In the event that the validity status of the target identity certificate is determined, a periodically updated certificate revocation list is obtained. Querying whether the certificate revocation list includes a target identity certificate. Determining that the target identity certificate is in a valid state when it is determined that the certificate revocation list does not include the target identity certificate. When it is determined that the certificate revocation list includes the target identity certificate, it is determined that the target identity certificate is in an invalid state.

Or, the server acquires the certificate revocation list after periodic updating. Querying whether the certificate revocation list includes a target identity certificate. Determining that the target identity certificate is in a valid state when it is determined that the certificate revocation list does not include the target identity certificate. And when the certificate revocation list is determined to comprise the target identity certificate, calling an identity certificate library according to an online certificate state protocol, and inquiring the validity state of the target identity certificate recorded in the identity certificate library.

It should be noted that, in the third optional implementation manner, the server invokes the identity document library according to the online certificate status protocol, queries the validity status of the target identity certificate recorded in the identity document library, and acquires the periodically updated certificate revocation list. The explanation and implementation of querying whether the certificate revocation list includes the target identity certificate may refer to the foregoing first optional implementation or the second optional implementation, which is not described in detail in this embodiment of the disclosure.

In step 510, the server prohibits the terminal from accessing the target network when the server determines that the target identity certificate is in an invalid state by using any kind of verification data.

In the embodiment of the disclosure, when the server determines that the target identity certificate is in an invalid state by using any one of the verification data, it indicates that the target identity certificate is currently invalid, and the target identity certificate reflects that the user corresponding to the terminal does not have the access right to the target network, and the server prohibits the terminal from accessing the target network.

In step 511, when the server determines that the target identity certificate is in a valid state by using all the verification data, the server allows the terminal to access the target network.

In the embodiment of the present disclosure, when the server determines that the target identity certificate is in the valid state by using all the verification data, it may indicate that the target identity certificate is currently valid, and the target identity certificate reflects that the user corresponding to the terminal has the network access right to access the target network, and the server allows the terminal to access the target network.

Fig. 6 is a flowchart illustrating a network access authentication apparatus according to an example embodiment. The network access authentication device is applied to a server side. As shown in fig. 6, the network access authentication apparatus includes:

a receiving module 601, configured to receive a network access request of a terminal, where the network access request includes a target identity certificate and a terminal identifier, and the target identity certificate is used to reflect whether a user corresponding to the terminal has a network access right to access a target network;

a determining module 602, configured to determine, according to a correspondence between the identity certificate and the granted terminal identifier, a target granted terminal identifier corresponding to the target identity certificate, where a terminal indicated by the granted terminal identifier is a terminal to which the corresponding identity certificate is granted;

the verification module 603 is configured to perform consistency verification on the terminal identifier and the target granted terminal identifier;

an access module 604, configured to prohibit the terminal from accessing the target network when the terminal identifier is different from the target granted terminal identifier; and also for allowing the terminal to access the target network if the terminal identification is the same as the target granted terminal identification.

In a possible implementation manner, the verifying module 603 is further configured to verify the validity of the target identity certificate by using at least one kind of verification data, where the verification data records the validity status of the identity certificate, and the at least one kind of verification data includes: the first check data are updated in real time, and the second check data are updated periodically;

the access module 604 is further configured to prohibit the terminal from accessing the target network when it is determined that the target identity certificate is in an invalid state by using any one of the verification data;

the accessing module 604 is further configured to allow the terminal to access the target network when it is determined that the target identity certificate is in the valid state by using all the verification data.

In one possible implementation, the first verification data includes data stored in an identity card repository,

the verification module 603 is further configured to: and calling the identity card library according to an online certificate state protocol, and inquiring the validity state of the target identity certificate recorded in the identity card library, wherein the validity state at least comprises a valid state or an invalid state, and the validity state of each identity certificate stored in the identity card library is updated in real time.

In a possible implementation manner, the second verification data includes data recorded in a certificate revocation list, and the verification module 603 is further configured to:

inquiring whether the certificate revocation list comprises a target identity certificate;

determining that the target identity certificate is in a valid state when it is determined that the certificate revocation list does not include the target identity certificate;

when it is determined that the certificate revocation list includes the target identity certificate, it is determined that the target identity certificate is in an invalid state.

In one possible implementation, the certificate revocation list further includes: the moment of failure of the identity certificate; the verifying module 603 is further configured to determine that the target identity certificate is in an invalid state when it is determined that the certificate revocation list includes the target identity certificate and the current time of the server is greater than the time of invalidation of the target identity certificate.

In a possible implementation manner, the receiving module 601 is further configured to receive a network access request sent by a terminal for the first time, where the network access request sent for the first time includes account information of a user and a terminal identifier of the terminal;

the device still includes:

the generation module is used for generating a target identity certificate in a valid state corresponding to the account information when the account corresponding to the account information is determined to belong to an accessible account corresponding to a target network, wherein the target identity certificate in the valid state is used for reflecting that a user has a network access authority of accessing the target network;

the recording module is used for taking the terminal identification as a target grant terminal identification of the target identity certificate and recording the corresponding relation between the target identity certificate and the target grant terminal identification;

and the sending module is used for sending the target identity certificate corresponding to the account information to the terminal, and the target identity certificate is used for the terminal to install.

the network access request sent for the first time further comprises: and the generation module is also used for generating a target identity certificate in a valid state corresponding to the account information when the account information is determined to belong to the accessible account corresponding to the target network and the verification message is consistent with the to-be-verified message.

In one possible implementation manner, the first sent network entry request further includes: the terminal comprises an operating system type of the terminal and a generating module, wherein the generating module is also used for generating a target identity certificate of a target file type, and the target file type corresponds to the operating system type.

In a possible implementation manner, the identity card library also records the failure time of the target identity certificate and the user valid state corresponding to the target identity certificate; the device still includes:

the detection module is used for updating the validity state of the target identity certificate in the identity certificate library to an invalid state when a set event is detected, wherein the set event comprises at least one of the following items:

the terminal identity is different from the target granted terminal identity,

the current time of the server is greater than the failure time of the target identity certificate recorded in the identity certificate library,

In one possible implementation, the identity certificate includes at least one of: country code, geographical location of target network, enterprise name, domain name of target network, and valid days of identity certificate.

To sum up, the network access authentication apparatus provided in the embodiment of the present disclosure, after receiving a network access request from a terminal, may determine, through a correspondence between an identity certificate and an authorization terminal identifier, a target authorization terminal identifier corresponding to a target identity certificate included in the network access request. Therefore, whether the terminal is allowed to access the target network is judged according to the consistency check result of the terminal identification included in the network access request and the target granted terminal identification. Compared with the mode of carrying out network access authentication on the terminal in the related technology, the technical scheme does not relate to the verification of the account name and the password of the user, avoids the problem of low safety of the network access authentication mode caused by forgetting, revealing, stealing and the like of the account name and the password, reduces the risk of network access authentication of the terminal, and improves the network completeness. And because the terminal granted with the terminal identification indication is the terminal granted with the corresponding identity certificate, whether the terminal is allowed to access the target network is judged according to the consistency check result of the terminal identification included in the network access request and the target granted terminal identification, so that the identity check of the network access terminal is realized, the influence of the stolen identity certificate and other conditions on the security of the network access authentication mode is further avoided, and the network completeness is improved.

FIG. 7 is a block diagram illustrating an electronic device in accordance with an example embodiment. The electronic equipment can be a terminal or a server side of the present disclosure. The electronic device 700 may be: a smart phone, a tablet computer, an MP3 player (Moving Picture Experts Group Audio Layer III, motion video Experts compression standard Audio Layer 3), an MP4 player (Moving Picture Experts Group Audio Layer IV, motion video Experts compression standard Audio Layer 4), a notebook computer, or a desktop computer. The electronic device 700 may also be referred to by other names such as user equipment, portable terminal, laptop terminal, desktop terminal, and so forth.

In general, the electronic device 700 includes: a processor 701 and a memory 702.

The processor 701 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and so on. The processor 701 may be implemented in at least one hardware form of a DSP (Digital Signal Processing), an FPGA (Field-Programmable Gate Array), and a PLA (Programmable Logic Array). The processor 701 may also include a main processor and a coprocessor, where the main processor is a processor for Processing data in an awake state, and is also called a Central Processing Unit (CPU); a coprocessor is a low power processor for processing data in a standby state. In some embodiments, the processor 701 may be integrated with a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content required to be displayed on the display screen. In some embodiments, the processor 701 may further include an AI (Artificial Intelligence) processor for processing computing operations related to machine learning.

Memory 702 may include one or more computer-readable storage media, which may be non-transitory. Memory 702 may also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in the memory 702 is configured to store at least one instruction for execution by the processor 701 to implement the network entry authentication method provided by the method embodiments of the present application.

In some embodiments, the electronic device 700 may further optionally include: a peripheral interface 703 and at least one peripheral. The processor 701, the memory 702, and the peripheral interface 703 may be connected by buses or signal lines. Various peripheral devices may be connected to peripheral interface 703 via a bus, signal line, or circuit board. Specifically, the peripheral device includes: at least one of radio frequency circuitry 704, display 705, camera 706, audio circuitry 707, positioning components 708, and power source 709.

The peripheral interface 703 may be used to connect at least one peripheral related to I/O (Input/Output) to the processor 701 and the memory 702. In some embodiments, processor 701, memory 702, and peripheral interface 703 are integrated on the same chip or circuit board; in some other embodiments, any one or two of the processor 701, the memory 702, and the peripheral interface 703 may be implemented on a separate chip or circuit board, which is not limited in this embodiment.

The Radio Frequency circuit 704 is used for receiving and transmitting RF (Radio Frequency) signals, also called electromagnetic signals. The radio frequency circuitry 704 communicates with communication networks and other communication devices via electromagnetic signals. The rf circuit 704 converts an electrical signal into an electromagnetic signal to transmit, or converts a received electromagnetic signal into an electrical signal. Optionally, the radio frequency circuit 704 includes: an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and so forth. The radio frequency circuitry 704 may communicate with other terminals via at least one wireless communication protocol. The wireless communication protocols include, but are not limited to: metropolitan area networks, various generation mobile communication networks (2G, 3G, 4G, and 5G), Wireless local area networks, and/or WiFi (Wireless Fidelity) networks. In some embodiments, the radio frequency circuit 704 may also include NFC (Near Field Communication) related circuits, which are not limited in this application.

The display screen 705 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When the display screen 705 is a touch display screen, the display screen 705 also has the ability to capture touch signals on or over the surface of the display screen 705. The touch signal may be input to the processor 701 as a control signal for processing. At this point, the display 705 may also be used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments, the display 705 may be one, providing the front panel of the electronic device 700; in other embodiments, the number of the display screens 705 may be at least two, and the at least two display screens are respectively disposed on different surfaces of the electronic device 700 or are in a folding design; in still other embodiments, the display 705 may be a flexible display disposed on a curved surface or on a folded surface of the electronic device 700. Even more, the display 705 may be arranged in a non-rectangular irregular pattern, i.e. a shaped screen. The Display 705 may be made of LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode), or the like.

The camera assembly 706 is used to capture images or video. Optionally, camera assembly 706 includes a front camera and a rear camera. Generally, a front camera is disposed at a front panel of the terminal, and a rear camera is disposed at a rear surface of the terminal. In some embodiments, the number of the rear cameras is at least two, and each rear camera is any one of a main camera, a depth-of-field camera, a wide-angle camera and a telephoto camera, so that the main camera and the depth-of-field camera are fused to realize a background blurring function, and the main camera and the wide-angle camera are fused to realize panoramic shooting and VR (Virtual Reality) shooting functions or other fusion shooting functions. In some embodiments, camera assembly 706 may also include a flash. The flash lamp can be a monochrome temperature flash lamp or a bicolor temperature flash lamp. The double-color-temperature flash lamp is a combination of a warm-light flash lamp and a cold-light flash lamp, and can be used for light compensation at different color temperatures.

The audio circuitry 707 may include a microphone and a speaker. The microphone is used for collecting sound waves of a user and the environment, converting the sound waves into electric signals, and inputting the electric signals to the processor 701 for processing or inputting the electric signals to the radio frequency circuit 704 to realize voice communication. For stereo capture or noise reduction purposes, the microphones may be multiple and disposed at different locations of the electronic device 700. The microphone may also be an array microphone or an omni-directional pick-up microphone. The speaker is used to convert electrical signals from the processor 701 or the radio frequency circuit 704 into sound waves. The loudspeaker can be a traditional film loudspeaker or a piezoelectric ceramic loudspeaker. When the speaker is a piezoelectric ceramic speaker, the speaker can be used for purposes such as converting an electric signal into a sound wave audible to a human being, or converting an electric signal into a sound wave inaudible to a human being to measure a distance. In some embodiments, the audio circuitry 707 may also include a headphone jack.

The positioning component 708 is operable to locate a current geographic Location of the electronic device 700 to implement a navigation or LBS (Location Based Service). The Positioning component 708 can be a Positioning component based on the GPS (Global Positioning System) in the united states, the beidou System in china, the graves System in russia, or the galileo System in the european union.

The power supply 709 is used to supply power to various components in the electronic device 700. The power source 709 may be alternating current, direct current, disposable batteries, or rechargeable batteries. When power source 709 includes a rechargeable battery, the rechargeable battery may support wired or wireless charging. The rechargeable battery may also be used to support fast charge technology.

In some embodiments, the electronic device 700 also includes one or more sensors 7010. The one or more sensors 7010 include, but are not limited to: acceleration sensors 7011, gyroscope sensors 7012, pressure sensors 7013, fingerprint sensors 7014, optical sensors 7015, and proximity sensors 7016.

The acceleration sensor 7011 may detect the magnitude of acceleration in three coordinate axes of a coordinate system established with the electronic device 700. For example, the acceleration sensor 7011 may be used to detect the components of the gravitational acceleration in three coordinate axes. The processor 701 may control the display screen 705 to display the user interface in a landscape view or a portrait view according to the gravitational acceleration signal collected by the acceleration sensor 7011. The acceleration sensor 7011 may also be used for acquisition of motion data of a game or a user.

The gyro sensor 7012 may detect a body direction and a rotation angle of the electronic device 700, and the gyro sensor 7012 may cooperate with the acceleration sensor 7011 to acquire a 3D motion of the user on the electronic device 700. The processor 701 may implement the following functions according to the data collected by the gyro sensor 7012: motion sensing (such as changing the UI according to a user's tilting operation), image stabilization at the time of photographing, game control, and inertial navigation.

The pressure sensor 7013 may be disposed on a side bezel of the electronic device 700 and/or underneath the display 705. When the pressure sensor 7013 is disposed on the side frame of the electronic device 700, a holding signal of the user to the electronic device 700 may be detected, and the processor 701 performs left-right hand recognition or shortcut operation according to the holding signal acquired by the pressure sensor 7013. When the pressure sensor 7013 is disposed at the lower layer of the display screen 705, the processor 701 controls the operability control on the UI interface according to the pressure operation of the user on the display screen 705. The operability control comprises at least one of a button control, a scroll bar control, an icon control and a menu control.

The fingerprint sensor 7014 is configured to collect a fingerprint of the user, and the processor 701 identifies the identity of the user according to the fingerprint collected by the fingerprint sensor 7014, or the fingerprint sensor 7014 identifies the identity of the user according to the collected fingerprint. When the user identity is identified as a trusted identity, the processor 701 authorizes the user to perform relevant sensitive operations, including unlocking a screen, viewing encrypted information, downloading software, paying, changing settings, and the like. The fingerprint sensor 7014 may be disposed on the front, back, or side of the electronic device 700. When a physical button or a vendor Logo is provided on the electronic device 700, the fingerprint sensor 7014 may be integrated with the physical button or the vendor Logo.

The optical sensor 7015 is used to collect the ambient light intensity. In one embodiment, the processor 701 may control the display brightness of the display screen 705 based on the ambient light intensity collected by the optical sensor 7015. Specifically, when the ambient light intensity is high, the display brightness of the display screen 705 is increased; when the ambient light intensity is low, the display brightness of the display screen 705 is adjusted down. In another embodiment, the processor 701 may also dynamically adjust the shooting parameters of the camera assembly 706 according to the ambient light intensity collected by the optical sensor 7015.

A proximity sensor 7016, also referred to as a distance sensor, is typically disposed on the front panel of the electronic device 700. The proximity sensor 7016 is used to gather the distance between the user and the front of the electronic device 700. In one embodiment, the processor 701 controls the display screen 705 to switch from the bright screen state to the dark screen state when the proximity sensor 7016 detects that the distance between the user and the front surface of the electronic device 700 is gradually decreased; when the proximity sensor 7016 detects that the distance between the user and the front surface of the electronic device 700 gradually becomes larger, the processor 701 controls the display 705 to switch from the breath-screen state to the bright-screen state.

Those skilled in the art will appreciate that the configuration shown in fig. 7 does not constitute a limitation of the electronic device 700 and may include more or fewer components than those shown, or combine certain components, or employ a different arrangement of components.

In an exemplary embodiment, a computer-readable storage medium is further provided, and when executed by a processor of an electronic device, the instructions in the computer-readable storage medium enable the electronic device to execute the network access authentication method provided by the above-mentioned method embodiments.

For example, the non-transitory computer readable storage medium may be a ROM (Read-Only Memory), a RAM (Random Access Memory), a CD-ROM (Compact Disc Read-Only Memory), a magnetic tape, a floppy disk, an optical data storage device, and the like.

In an exemplary embodiment, a computer program product is further provided, which includes computer program instructions, and the computer program instructions, when executed by a processor, implement the network access authentication method provided by the above method embodiments.

In an exemplary embodiment, an application program product is further provided, and when instructions in the application program product are executed by a processor of the terminal, the terminal is enabled to execute the network access authentication method provided by the above method embodiments.

Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims

1. A network access authentication method is applied to a server side, and comprises the following steps:

2. The method of claim 1, wherein before the allowing the terminal to access the target network, the method further comprises:

3. The method according to claim 2, wherein the first verification data includes data stored in an identity certificate repository, and the verifying the validity of the target identity certificate using the first verification data includes:

4. The method of claim 2, wherein the second verification data comprises data recorded in a certificate revocation list, and wherein verifying the validity of the target identity certificate using the second verification data comprises:

5. The method of claim 4, wherein the certificate revocation list further comprises: the moment of failure of the identity certificate; the determining that the target identity certificate is in an invalid state when it is determined that the certificate revocation list includes the target identity certificate comprises:

6. The method according to any of claims 1-5, wherein prior to receiving the network entry request from the terminal, the method further comprises:

7. An access authentication device, applied to a server, the device comprising:

8. An electronic device, comprising:

one or more processors;

wherein the one or more processors are configured to perform the network entry authentication method of any of claims 1-6.

9. A computer-readable storage medium, wherein instructions in the computer-readable storage medium, when executed by a processor of an electronic device, enable the electronic device to perform the network entry authentication method of any of claims 1-6.

10. A computer program product comprising computer program instructions, wherein the computer program instructions, when executed by a processor, implement the network entry authentication method of any of claims 1-6.