CN113806798A - User side verification method, system, equipment and medium - Google Patents

Publication number: CN113806798A
Application number: CN202110932822.3A
Authority: CN (China)
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN113806798B (en)
Inventor: 麻付强
Current Assignee: Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee: Suzhou Inspur Intelligent Technology Co Ltd
Prior art keywords: token, base point, user, challenge information, public key

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/604 Tools and structures for managing or administering access control systems

Abstract

The invention discloses a user side verification method, which comprises the following steps: responding to a login request sent by a user side received by a server side, and determining access authority according to a user name and a password carried in the login request; acquiring registration information corresponding to the user side, generating a token by using the registration information and the access authority, and returning the token to the user side; responding to the token received by the user side, generating challenge information by using the generated random number and the token, and returning the challenge information to the server side; and responding to the server side receiving the challenge information, and verifying the legality of the user side by using the token, the challenge information and the registration information of the server side. The invention also discloses a system, a computer device and a readable storage medium. According to the scheme provided by the invention, after the token is received by the user side, the token is not directly adopted to carry out the resource access request on the server side, but the token challenge information is constructed to carry out the resource access request, so that the confidentiality of the token is ensured.

Description

User side verification method, system, equipment and medium
Technical Field
The invention relates to the field of servers, in particular to a user side verification method, a system, equipment and a storage medium.
Background
With the rapid development of cloud computing technology, more and more users and enterprises place their own data and applications on cloud computing platforms, which reduces the development and maintenance cost of their systems. When a user uses the cloud computing platform, the client needs to request data from the server frequently. To verify the validity of the user, the server repeatedly queries the database to compare the user name and password, judges whether they are correct, and returns a corresponding prompt. This approach is very inefficient and risks revealing the user name and password. Token technology arose for this reason.
A token is a character string generated by the server that the client presents as a credential when making requests. When the user logs in for the first time, the server generates a token and returns it to the client; afterwards the client only needs to present the token to request data and does not need to send the user name and password again. The purpose of the token is to reduce the load on the server by cutting down on frequent database queries, making the server more robust.
There are many types of tokens, such as UUID tokens, PKI tokens, and Fernet tokens. The UUID token is simple and easy to use, and is only 32 bytes in length. However, because the UUID token carries no other information, the server, after receiving the token, can neither determine whether it is valid nor learn the user information associated with it; whenever the server receives a user request, it has to interact with the database to verify that the token is valid. The PKI token supports local authentication by the other service components, but it requires a CA to issue a certificate, and requests can fail because the certificate is too large. Compared with the UUID token, the PKI token carries more user information and is accompanied by a digital signature so as to support local authentication. However, the information carried by a PKI token includes the service catalog, and the more entries the service catalog carries, the more easily the maximum HTTP request header size allowed by the HTTP protocol (8 kB by default) is exceeded, causing the HTTP request to fail. The Fernet token is a lightweight secure message format: the token is encrypted with a cryptography symmetric-encryption library and does not need to be persisted. A Fernet token encrypts only the necessary information and is generally no longer than 255 bytes, which solves the problem of oversized PKI tokens. A disadvantage of Fernet tokens is that the symmetric encryption key used to encrypt the token needs to be distributed and rotated.
Moreover, because the client presents the token directly every time it accesses the cloud computing platform, there is a risk that the token is hijacked, in which case an attacker can impersonate a legitimate user to access the cloud computing platform.
Disclosure of Invention
In view of the above, in order to overcome at least one aspect of the above problems, an embodiment of the present invention provides a method for authenticating a user end, including:
responding to a login request sent by a user side received by a server side, and determining access authority according to a user name and a password carried in the login request;
acquiring registration information corresponding to the user side, generating a token by using the registration information and the access authority, and returning the token to the user side;
responding to the user side receiving the token, generating challenge information by using the generated random number and the token, and returning the challenge information to the server side;
and responding to the server end receiving the challenge information, and verifying the validity of the user end by using the token of the server end, the challenge information and the registration information.
In some embodiments, obtaining the registration information corresponding to the user side further includes:
the user side sends a user name and a password to the server side to register the user, and receives an elliptic curve parameter returned by the server side;
generating a first base point and a second base point according to the elliptic curve parameters;
calculating a hash value corresponding to the password to be used as a private key, and multiplying the private key by the first base point and the second base point respectively to obtain a first public key and a second public key;
and the user side sends the first base point, the second base point, the first public key and the second public key as registration information to a server side so that the server side stores the registration information.
In some embodiments, generating a first base point and a second base point from the elliptic curve parameters further comprises:
judging whether the first base point and the second base point are equal or not;
the first base point and the second base point are regenerated in response to the first base point and the second base point being equal.
In some embodiments, the server generates a token by using the registration information and the access right, further comprising:
generating the token using the user name, the access right, the elliptic curve parameter, the first base point, the second base point, the first public key, and the second public key;
calculating a first hash value of the token;
storing the token, the first hash value, the first base point, the second base point, the first public key, and the second public key in a cache.
In some embodiments, further comprising:
running the cache in a trusted execution environment.
In some embodiments, the user terminal generates challenge information using the generated random number and the token, further comprising:
calculating a second hash value of the token;
and subtracting the product of the second hash value and the hash value corresponding to the password by using the generated random number to obtain first challenge information, and multiplying the first base point and the second base point by using the random number respectively to obtain second challenge information and third challenge information.
In some embodiments, verifying the validity of the user side using the token of the server side, the challenge information, and the registration information further includes:
obtaining the token, the first hash value, the first base point, the second base point, the first public key and the second public key from the cache;
determining whether a product of the first challenge information and the first base point plus a product of the first hash value and the first public key is equal to the second challenge information, and determining whether a product of the first challenge information and the second base point plus a product of the first hash value and the second public key is equal to the third challenge information;
determining that the user terminal is legitimate in response to the product of the first challenge information and the first base point plus the product of the first hash value and the first public key being equal to the second challenge information and the product of the first challenge information and the second base point plus the product of the first hash value and the second public key being equal to the third challenge information.
Based on the same inventive concept, according to another aspect of the present invention, an embodiment of the present invention further provides a user side authentication system, including:
the determining module is configured to respond to a login request sent by a user side received by a server side, and determine access authority according to a user name and a password carried in the login request;
the token module is configured to acquire registration information corresponding to the user side, generate a token by using the registration information and the access right, and return the token to the user side;
the challenge information module is configured to respond to the fact that the user side receives the token, generate challenge information by using the generated random number and the token, and return the challenge information to the server side;
and the verification module is configured to respond to the server end receiving the challenge information and verify the validity of the user end by using the token of the server end, the challenge information and the registration information.
Based on the same inventive concept, according to another aspect of the present invention, an embodiment of the present invention further provides a computer apparatus, including:
at least one processor; and
a memory storing a computer program operable on the processor, wherein the processor executes the program to perform any of the steps of the user-side authentication method described above.
Based on the same inventive concept, according to another aspect of the present invention, an embodiment of the present invention further provides a computer-readable storage medium, which stores a computer program, which when executed by a processor performs the steps of any of the user side authentication methods described above.
The invention has one of the following beneficial technical effects: in the scheme provided by the invention, after the user side receives the token, it does not use the token directly to make resource access requests to the server side; instead it constructs token challenge information and makes the resource access request with that, which ensures the confidentiality of the token. Moreover, randomization is used when constructing the challenge information, so the token challenge information sent to the server side is different every time, which keeps the token dynamic during use and makes the verification of the user side more reliable.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention, and those skilled in the art can obtain other embodiments from these drawings without creative effort.
Fig. 1 is a schematic flowchart of a user side authentication method according to an embodiment of the present invention;
Fig. 2 is a flowchart of a user side authentication method according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a user side authentication system according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a computer device provided in an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a computer-readable storage medium according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following embodiments of the present invention are described in further detail with reference to the accompanying drawings.
It should be noted that all expressions using "first" and "second" in the embodiments of the present invention are used to distinguish two entities, or two parameters, that have the same name but are not identical. "First" and "second" are used merely for convenience of description and should not be construed as limiting the embodiments of the present invention; this is not repeated in the following embodiments.
In the embodiments of the present invention, SGX (Software Guard Extensions) is an instruction set extension intended to provide a trusted execution environment in user space. It takes hardware security as a mandatory guarantee, does not depend on the security state of firmware and software, and ensures that the confidentiality and integrity of the user's critical code and data are not compromised by malware.
According to an aspect of the present invention, an embodiment of the present invention provides a method for authenticating a user end, as shown in fig. 1, which may include the steps of:
S1, responding to the login request sent by the user side received by the server side, and determining the access authority according to the user name and the password carried in the login request;
S2, acquiring the registration information corresponding to the user side, generating a token by using the registration information and the access authority, and returning the token to the user side;
S3, responding to the user side receiving the token, generating challenge information by using the generated random number and the token, and returning the challenge information to the server side;
S4, responding to the server side receiving the challenge information, and verifying the validity of the user side by using the token of the server side, the challenge information and the registration information.
In the scheme provided by the invention, after the user side receives the token, it does not use the token directly to make resource access requests to the server side; instead it constructs token challenge information and makes the resource access request with that, which ensures the confidentiality of the token. Moreover, randomization is used when constructing the challenge information, so the token challenge information sent to the server side is different every time, which keeps the token dynamic during use and makes the verification of the user side more reliable.
In some embodiments, obtaining the registration information corresponding to the user side further includes:
the user side sends a user name and a password to the server side to register the user, and receives an elliptic curve parameter returned by the server side;
generating a first base point and a second base point according to the elliptic curve parameters;
calculating a hash value corresponding to the password to be used as a private key, and multiplying the private key by the first base point and the second base point respectively to obtain a first public key and a second public key;
and the user side sends the first base point, the second base point, the first public key and the second public key as registration information to a server side so that the server side stores the registration information.
In some embodiments, generating a first base point and a second base point from the elliptic curve parameters further comprises:
judging whether the first base point and the second base point are equal or not;
the first base point and the second base point are regenerated in response to the first base point and the second base point being equal.
Specifically, as shown in Fig. 2, in the registration phase a user at the user side selects a user name n and a password s and initiates a user registration request to the server or cloud server. The user name n and password s may then be sent to the server side over the encryption protocol SSL. The server receives the user registration request, and the login authentication module at the server side checks that the user name and password are compliant. If the user name and password meet the requirements of the system, the user is registered. The server side may preset an elliptic curve for asymmetric encryption and generate the corresponding elliptic curve parameters. After user registration is completed, the server side sends the elliptic curve to the user side and requests it to generate base points. The user side generates a first base point G and a second base point H on the elliptic curve and checks whether the two base points G and H are equal; if they are equal, they are regenerated. The user computes the hash value sk = Hash(s) of the password s and uses sk as the user's private key. From the private key sk the user computes the first public key Pk1 = sk × G and the second public key Pk2 = sk × H. The user sends the two base points G and H and the two public keys Pk1 = sk × G and Pk2 = sk × H to the server side over the encryption protocol SSL. The server side stores the user name n, the encrypted password s, the public keys Pk1 and Pk2, and the two base points G and H.
In some embodiments, the server generates a token by using the registration information and the access right, further comprising:
generating the token using the user name, the access right, the elliptic curve parameter, the first base point, the second base point, the first public key, and the second public key;
calculating a first hash value of the token;
storing the token, the first hash value, the first base point, the second base point, the first public key, and the second public key in a cache.
In some embodiments, further comprising:
running the cache in a trusted execution environment.
Specifically, as shown in Fig. 2, when a user requests to log in, the user enters the user name n and password s, sk = Hash(s) is cached in the token challenge generation module of the client, and a login request is sent to the server. The user sends the user name n and password s to the server over the encryption protocol SSL. The server receives the user name n and password s, verifies the user's legitimacy and access authority, and generates a corresponding token for the user. The token may include a user name, a role, a project, a creation time, an expiration time, accessible projects, the elliptic curve parameters, the two base points G and H, and the like. The server computes the hash value of the token, Ht1 = Hash(token), and stores Ht1, the token, the two base points G and H, and the two public keys Pk1 and Pk2 as key values in memcached (the cache). The Memcached service module runs in an SGX trusted execution environment and is responsible for keeping the user token secret. The server sends the token to the user over the encryption protocol SSL.
In some embodiments, the user terminal generates challenge information using the generated random number and the token, further comprising:
calculating a second hash value of the token;
and subtracting the product of the second hash value and the hash value corresponding to the password by using the generated random number to obtain first challenge information, and multiplying the first base point and the second base point by using the random number respectively to obtain second challenge information and third challenge information.
Specifically, as shown in Fig. 2, the user side receives the token sent by the server and passes it to the challenge generation module. The challenge generation module parses the token and obtains the two base points G and H. It computes the hash value of the token, Ht2 = Hash(token), and generates a random number v. It then computes the first challenge information r = v - Ht2 × sk, the second challenge information v × G, and the third challenge information v × H. Finally, the challenge information r, v × G and v × H is sent to the server over the encryption protocol SSL.
In some embodiments, verifying the validity of the user side using the token of the server side, the challenge information, and the registration information further includes:
obtaining the token, the first hash value, the first base point, the second base point, the first public key and the second public key from the cache;
determining whether a product of the first challenge information and the first base point plus a product of the first hash value and the first public key is equal to the second challenge information, and determining whether a product of the first challenge information and the second base point plus a product of the first hash value and the second public key is equal to the third challenge information;
determining that the user terminal is legitimate in response to the product of the first challenge information and the first base point plus the product of the first hash value and the first public key being equal to the second challenge information and the product of the first challenge information and the second base point plus the product of the first hash value and the second public key being equal to the third challenge information.
Specifically, as shown in Fig. 2, the server receives the user's token challenge information and passes it to the token verification module. The token verification module runs in the SGX trusted execution environment and is responsible for verifying the validity of the user token. It establishes a trusted connection with the memcached service module and obtains from it the values corresponding to the user: Ht1, the token, the two base points G and H, and the two public keys Pk1 and Pk2. The token verification module then verifies the legitimacy of the user token using the challenge information sent by the user and the information obtained from the memcached service module. It checks whether v × G = r × G + Ht1 × Pk1 and whether v × H = r × H + Ht1 × Pk2. If both equations hold, the token is owned by the user, the cloud computing platform can be accessed, and the user is allowed to access the corresponding cloud computing resource.
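The registration, challenge and verification arithmetic described above, as an added example that is not part of the patent text. It assumes secp256k1 as the curve, SHA-256 as the hash, scalar arithmetic modulo the group order N, and base points taken as random multiples of the standard generator (the description fixes none of these); all function names are hypothetical.

```python
# Added example: registration / challenge / verification arithmetic from the
# description, in pure Python. Curve, hash and names are assumptions.
import hashlib
import secrets

# secp256k1 domain parameters (stand-in for the server's elliptic curve parameters)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(p1, p2):
    """Add two affine points on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add (not constant time)."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def h(data: bytes) -> int:
    """Hash to a scalar modulo the group order (SHA-256 is an assumption)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def register(password: str):
    """User side: pick base points G != H, derive sk = Hash(s), Pk1 and Pk2."""
    while True:
        G = mul(secrets.randbelow(N - 1) + 1, B)
        H = mul(secrets.randbelow(N - 1) + 1, B)
        if G != H:  # the description regenerates when the points are equal
            break
    sk = h(password.encode())
    return {"G": G, "H": H, "Pk1": mul(sk, G), "Pk2": mul(sk, H)}


def make_challenge(password: str, token: bytes, G, H):
    """User side: r = v - Ht2*sk (mod N), together with v*G and v*H."""
    sk, ht2 = h(password.encode()), h(token)
    v = secrets.randbelow(N - 1) + 1
    return (v - ht2 * sk) % N, mul(v, G), mul(v, H)


def verify(challenge, token: bytes, reg) -> bool:
    """Server side: accept iff v*G == r*G + Ht1*Pk1 and v*H == r*H + Ht1*Pk2."""
    r, vG, vH = challenge
    ht1 = h(token)
    ok1 = add(mul(r, reg["G"]), mul(ht1, reg["Pk1"])) == vG
    ok2 = add(mul(r, reg["H"]), mul(ht1, reg["Pk2"])) == vH
    return ok1 and ok2


def demo():
    reg = register("correct horse")                      # constructed password
    token = b'{"user":"alice","role":"member","exp":1}'  # constructed token
    c1 = make_challenge("correct horse", token, reg["G"], reg["H"])
    c2 = make_challenge("correct horse", token, reg["G"], reg["H"])
    bad = make_challenge("wrong password", token, reg["G"], reg["H"])
    return {
        "valid": verify(c1, token, reg),
        "fresh_each_time": c1 != c2,
        "wrong_password": verify(bad, token, reg),
        "other_token": verify(c1, token + b"x", reg),
    }


if __name__ == "__main__":
    print(demo())
```

The check succeeds because r × G + Ht1 × Pk1 = (v - Ht2 × sk) × G + Ht1 × sk × G = v × G whenever Ht1 = Ht2, and likewise for H; a different password hash or a different token hash leaves a non-zero multiple of the base point and the comparison fails.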
To address leakage, forgery and similar problems that arise while a token is in use, in the scheme provided by the embodiment of the invention the user side, after receiving the token, does not use the token directly to make resource access requests to the cloud server; instead it constructs token challenge information and makes the resource access request with that, which ensures the confidentiality of the token. In addition, randomization is used when constructing the challenge information, so the token challenge information generated for each request to the cloud service is different, which keeps the token dynamic during use. The user side combines the user's private key into the token challenge information when constructing it, so the token cannot effectively be forged. Meanwhile, the Memcached service module and the token verification module on the server run in an SGX trusted execution environment, so that confidential data cannot be stolen.
Based on the same inventive concept, according to another aspect of the present invention, an embodiment of the present invention further provides a user side authentication system 400, as shown in Fig. 3, including:
the determining module 401 is configured to determine, in response to a server receiving a login request sent by a user, an access right according to a user name and a password carried in the login request;
a token module 402, configured to obtain registration information corresponding to the user side, generate a token by using the registration information and the access right, and return the token to the user side;
a challenge information module 403, configured to, in response to the client receiving the token, generate challenge information by using the generated random number and the token, and return the challenge information to the server;
a verification module 404 configured to verify the validity of the user side by using the token of the server side, the challenge information and the registration information in response to the server side receiving the challenge information.
In some embodiments, obtaining the registration information corresponding to the user side further includes:
the user side sends a user name and a password to the server side to register the user, and receives an elliptic curve parameter returned by the server side;
generating a first base point and a second base point according to the elliptic curve parameters;
calculating a hash value corresponding to the password to be used as a private key, and multiplying the private key by the first base point and the second base point respectively to obtain a first public key and a second public key;
and the user side sends the first base point, the second base point, the first public key and the second public key as registration information to a server side so that the server side stores the registration information.
In some embodiments, generating a first base point and a second base point from the elliptic curve parameters further comprises:
judging whether the first base point and the second base point are equal or not;
the first base point and the second base point are regenerated in response to the first base point and the second base point being equal.
In some embodiments, the server generates a token by using the registration information and the access right, further comprising:
generating the token using the user name, the access right, the elliptic curve parameter, the first base point, the second base point, the first public key, and the second public key;
calculating a first hash value of the token;
storing the token, the first hash value, the first base point, the second base point, the first public key, and the second public key in a cache.
In some embodiments, further comprising:
running the cache in a trusted execution environment.
In some embodiments, the user terminal generates challenge information using the generated random number and the token, further comprising:
calculating a second hash value of the token;
and subtracting the product of the second hash value and the hash value corresponding to the password by using the generated random number to obtain first challenge information, and multiplying the first base point and the second base point by using the random number respectively to obtain second challenge information and third challenge information.
In some embodiments, verifying the validity of the user side using the token of the server side, the challenge information, and the registration information further includes:
obtaining the token, the first hash value, the first base point, the second base point, the first public key and the second public key from the cache;
determining whether a product of the first challenge information and the first base point plus a product of the first hash value and the first public key is equal to the second challenge information, and determining whether a product of the first challenge information and the second base point plus a product of the first hash value and the second public key is equal to the third challenge information;
determining that the user terminal is legitimate in response to the product of the first challenge information and the first base point plus the product of the first hash value and the first public key being equal to the second challenge information and the product of the first challenge information and the second base point plus the product of the first hash value and the second public key being equal to the third challenge information.
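The challenge construction and the two verification equations above, written out as an added Python example that is not part of the patent text. The curve (secp256k1), the hash (SHA-256), the way base points are sampled, and all function names are assumptions chosen for illustration.

```python
import hashlib, secrets

# Assumptions for this example: secp256k1 as the curve, SHA-256 as the hash.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def h(data: bytes) -> int:
    """Hash to a scalar modulo the group order."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def register(password: bytes) -> dict:
    """User side: two distinct base points and public keys x*G1, x*G2."""
    g1 = g2 = None
    while g1 == g2:  # regenerate while the two base points are equal
        g1, g2 = (mul(secrets.randbelow(N - 1) + 1, G) for _ in range(2))
    x = h(password)  # private key is the password hash
    return {"G1": g1, "G2": g2, "P1": mul(x, g1), "P2": mul(x, g2)}

def make_challenge(password: bytes, token: bytes, reg: dict):
    """User side: c1 = r - H(token)*x, c2 = r*G1, c3 = r*G2."""
    r = secrets.randbelow(N - 1) + 1
    c1 = (r - h(token) * h(password)) % N
    return c1, mul(r, reg["G1"]), mul(r, reg["G2"])

def verify(challenge, token_hash: int, reg: dict) -> bool:
    """Server side: c1*G1 + h*P1 == c2 and c1*G2 + h*P2 == c3."""
    c1, c2, c3 = challenge
    lhs = lambda g, pk: add(mul(c1, g), mul(token_hash, pk))
    return lhs(reg["G1"], reg["P1"]) == c2 and lhs(reg["G2"], reg["P2"]) == c3
```

The checks hold because c1*G1 + h*P1 = (r - h*x)*G1 + h*x*G1 = r*G1, and likewise for the second base point; a different password hash or a different stored token hash leaves a nonzero residue and the comparison fails.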
According to the scheme provided by the embodiment of the invention, to address risks such as leakage and counterfeiting of the token during use, the user side does not use the received token directly to request resources from the cloud server; instead it constructs token challenge information and makes the resource access request with that, which ensures the confidentiality of the token. Moreover, randomization is applied when the challenge information is constructed, so that the token challenge information generated for each cloud service request is different, which ensures that the token is dynamic during use. The user side combines the user private key with the token challenge information in the construction process, so the token cannot be effectively forged. Meanwhile, the Memcached service module and the token verification module in the server run in an SGX trusted execution environment, so that confidential data cannot be stolen.
Based on the same inventive concept, according to another aspect of the present invention, as shown in fig. 4, an embodiment of the present invention further provides a computer apparatus 501, including:
at least one processor 520; and
a memory 510 storing a computer program 511 that can be executed on the processor, wherein the processor 520 executes the program to perform the steps of any of the above user-side authentication methods.
Based on the same inventive concept, according to another aspect of the present invention, as shown in fig. 5, an embodiment of the present invention further provides a computer-readable storage medium 601, where the computer-readable storage medium 601 stores computer program instructions 610, and the computer program instructions 610, when executed by a processor, perform the steps of any of the above user-side authentication methods.
Finally, it should be noted that, as will be understood by those skilled in the art, all or part of the processes of the methods of the above embodiments may be implemented by a computer program, which may be stored in a computer-readable storage medium, and when executed, may include the processes of the embodiments of the methods described above.
Further, it should be appreciated that the computer-readable storage media (e.g., memory) herein can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as software or hardware depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the disclosed embodiments of the present invention.
The foregoing is an exemplary embodiment of the present disclosure, but it should be noted that various changes and modifications could be made herein without departing from the scope of the present disclosure as defined by the appended claims. The functions, steps and/or actions of the method claims in accordance with the disclosed embodiments described herein need not be performed in any particular order. Furthermore, although elements of the disclosed embodiments of the invention may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
It should be understood that, as used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly supports the exception. It should also be understood that "and/or" as used herein is meant to include any and all possible combinations of one or more of the associated listed items.
The numbers of the embodiments disclosed in the embodiments of the present invention are merely for description, and do not represent the merits of the embodiments.
It will be understood by those skilled in the art that all or part of the steps of implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, and the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, of embodiments of the invention is limited to these examples; within the idea of an embodiment of the invention, also technical features in the above embodiment or in different embodiments may be combined and there are many other variations of the different aspects of the embodiments of the invention as described above, which are not provided in detail for the sake of brevity. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present invention are intended to be included within the scope of the embodiments of the present invention.

Claims (10)

1. A user side authentication method is characterized by comprising the following steps:
responding to a login request sent by a user side received by a server side, and determining access authority according to a user name and a password carried in the login request;
acquiring registration information corresponding to the user side, generating a token by using the registration information and the access authority, and returning the token to the user side;
responding to the user side receiving the token, generating challenge information by using the generated random number and the token, and returning the challenge information to the server side;
and responding to the server end receiving the challenge information, and verifying the validity of the user end by using the token of the server end, the challenge information and the registration information.
2. The method of claim 1, wherein obtaining the registration information corresponding to the user side further comprises:
the user side sends a user name and a password to the server side to register the user, and receives an elliptic curve parameter returned by the server side;
generating a first base point and a second base point according to the elliptic curve parameters;
calculating a hash value corresponding to the password to be used as a private key, and multiplying the private key by the first base point and the second base point respectively to obtain a first public key and a second public key;
and the user side sends the first base point, the second base point, the first public key and the second public key as registration information to a server side so that the server side stores the registration information.
3. The method of claim 2, wherein generating a first base point and a second base point from the elliptic curve parameters further comprises:
judging whether the first base point and the second base point are equal or not;
the first base point and the second base point are regenerated in response to the first base point and the second base point being equal.
4. The method of claim 2, wherein the server generates a token using the registration information and the access right, further comprising:
generating the token using the user name, the access right, the elliptic curve parameter, the first base point, the second base point, the first public key, and the second public key;
calculating a first hash value of the token;
storing the token, the first hash value, the first base point, the second base point, the first public key, and the second public key in a cache.
5. The method of claim 4, further comprising:
running the cache in a trusted execution environment.
6. The method of claim 4, wherein the user terminal generates challenge information using the generated random number and the token, further comprising:
calculating a second hash value of the token;
and subtracting the product of the second hash value and the hash value corresponding to the password from the generated random number to obtain first challenge information, and multiplying the random number by the first base point and the second base point respectively to obtain second challenge information and third challenge information.
7. The method of claim 6, wherein verifying the validity of the user side using the token of the server side, the challenge information, and the registration information further comprises:
obtaining the token, the first hash value, the first base point, the second base point, the first public key and the second public key from the cache;
determining whether a product of the first challenge information and the first base point plus a product of the first hash value and the first public key is equal to the second challenge information, and determining whether a product of the first challenge information and the second base point plus a product of the first hash value and the second public key is equal to the third challenge information;
determining that the user terminal is legitimate in response to the product of the first challenge information and the first base point plus the product of the first hash value and the first public key being equal to the second challenge information and the product of the first challenge information and the second base point plus the product of the first hash value and the second public key being equal to the third challenge information.
8. A client authentication system, comprising:
the determining module is configured to respond to a login request sent by a user side received by a server side, and determine access authority according to a user name and a password carried in the login request;
the token module is configured to acquire registration information corresponding to the user side, generate a token by using the registration information and the access right, and return the token to the user side;
the challenge information module is configured to respond to the fact that the user side receives the token, generate challenge information by using the generated random number and the token, and return the challenge information to the server side;
and the verification module is configured to respond to the server end receiving the challenge information and verify the validity of the user end by using the token of the server end, the challenge information and the registration information.
9. A computer device, comprising:
at least one processor; and
memory storing a computer program operable on the processor, wherein the processor executes the program to perform the steps of the method according to any of claims 1-7.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, is adapted to carry out the steps of the method according to any one of claims 1 to 7.
CN202110932822.3A 2021-08-13 2021-08-13 User side verification method, system, equipment and medium Active CN113806798B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110932822.3A CN113806798B (en) 2021-08-13 2021-08-13 User side verification method, system, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110932822.3A CN113806798B (en) 2021-08-13 2021-08-13 User side verification method, system, equipment and medium

Publications (2)

Publication Number Publication Date
CN113806798A true CN113806798A (en) 2021-12-17
CN113806798B CN113806798B (en) 2023-07-14

Family

ID=78942946

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110932822.3A Active CN113806798B (en) 2021-08-13 2021-08-13 User side verification method, system, equipment and medium

Country Status (1)

Country Link
CN (1) CN113806798B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN201742438U (en) * 2010-06-12 2011-02-09 杭州驭强科技有限公司 Bidirectional authentication type dynamic password token device and dynamic password authentication system
CN108092776A (en) * 2017-12-04 2018-05-29 南京南瑞信息通信科技有限公司 A kind of authentication server and authentication token
CN111050314A (en) * 2018-08-23 2020-04-21 刘高峰 Client registration method, device and system

Also Published As

Publication number Publication date
CN113806798B (en) 2023-07-14

Similar Documents

Publication Publication Date Title
US11128477B2 (en) Electronic certification system
US10437985B2 (en) Using a second device to enroll a secure application enclave
US8196186B2 (en) Security architecture for peer-to-peer storage system
JP5860815B2 (en) System and method for enforcing computer policy
CA2708059C (en) System and method for dynamic, multi-attribute authentication
CN112671720B (en) Token construction method, device and equipment for cloud platform resource access control
JP2022545627A (en) Decentralized data authentication
KR20190114434A (en) Method for oauth service through blockchain, and terminal and server using the same
KR102192370B1 (en) Method for oauth service through blockchain, and terminal and server using the same
KR20130084315A (en) A bidirectional entity authentication method based on the credible third party
IL266535A (en) System and method for transparent multi-factor authentication and security posture checking
US10897353B2 (en) Computer-implemented method for generating passwords and computer program products of same
KR20190114432A (en) Method for oauth service through blockchain, and terminal and server using the same
US20180007021A1 (en) Public key pinning for private networks
CN114301617A (en) Identity authentication method and device for multi-cloud application gateway, computer equipment and medium
CN110365632B (en) Authentication method and data processing equipment in computer network system
Schwarz et al. Feido: Recoverable FIDO2 tokens using electronic ids
Hussain et al. An improved authentication scheme for digital rights management system
KR20090054774A (en) Method of integrated security management in distribution network
Heilman et al. OpenPubkey: Augmenting OpenID connect with user held signing keys
CN115834149A (en) Numerical control system safety protection method and device based on state cryptographic algorithm
CN113806798A (en) User side verification method, system, equipment and medium
KR20200112771A (en) Method for oauth service through blockchain, and terminal and server using the same
Fongen et al. The integration of trusted platform modules into a tactical identity management system
KR20170111809A (en) Bidirectional authentication method using security token based on symmetric key

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant