CN114449515A - Verification method, system, application platform and terminal - Google Patents

Info

Publication number
CN114449515A
Authority
CN
China
Prior art keywords
terminal
application platform
key
session key
time
Prior art date
Legal status
Pending
Application number
CN202011126283.6A
Other languages
Chinese (zh)
Inventor
张�荣
李宝荣
郭茂文
黎艳
郭建昌
卢燕青
李慧芳
贾聿庸
黄建文
杨剑
程贵锋
肖海
赵静
何双旺
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date
Filing date
Publication date
Application filed by China Telecom Corp Ltd
Priority to CN202011126283.6A
Publication of CN114449515A
Legal status: Pending

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00: Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/12: Messaging; Mailboxes; Announcements
    • H04W 4/14: Short messaging services, e.g. short message services [SMS] or unstructured supplementary service data [USSD]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The disclosure relates to a verification method, a verification system, an application platform and a terminal in the field of communication technology. The method of the present disclosure comprises: the application platform, in response to a service request from the terminal, sends a verification request to the terminal; the application platform receives verification information sent by the terminal, where the verification information comprises a one-time verification code and a key identifier, the one-time verification code is generated by a one-time password algorithm that takes the session key shared by the terminal and the application platform as a parameter, and the session key and the key identifier are obtained after mutual authentication between the terminal and a key distribution function entity of the core network; the application platform acquires the session key of the terminal and the application platform from the key distribution function entity of the core network according to the key identifier; the application platform generates a one-time verification code using the pre-configured one-time password algorithm corresponding to the terminal and the acquired session key, compares it with the one-time verification code sent by the terminal, and determines a verification result; and the application platform returns the verification result to the terminal.

Description

Verification method, system, application platform and terminal
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a verification method, a verification system, an application platform, and a terminal.
Background
With the development of internet technology, various internet applications appear to provide services for people and enrich the lives of people.
In order to ensure the security of user data, the user needs to verify the identity of the user when logging in various application platforms. At present, one of the verification methods that is commonly used is that an application platform sends a short message verification code, and a user inputs the verification code for verification.
Disclosure of Invention
The inventor finds that: with short message verification codes, the short message is sometimes delayed for a long time or the user never receives the verification code, so the method is inconvenient to use; moreover, the short message may be hijacked, creating a risk that user information leaks and the user account is compromised.
One technical problem to be solved by the present disclosure is: improving the security with which the application platform verifies the user, while also improving the response speed and the user experience.
According to some embodiments of the present disclosure, there is provided a verification method including: the application platform, in response to a service request from the terminal, sends a verification request to the terminal; the application platform receives verification information sent by the terminal, where the verification information comprises a one-time verification code and a key identifier, the one-time verification code is generated by a one-time password algorithm that takes the session key shared by the terminal and the application platform as a parameter, and the session key and the key identifier are obtained after mutual authentication between the terminal and a key distribution function entity of the core network; the application platform acquires the session key of the terminal and the application platform from the key distribution function entity of the core network according to the key identifier; the application platform generates a one-time verification code using the pre-configured one-time password algorithm corresponding to the terminal and the acquired session key, compares it with the one-time verification code sent by the terminal, and determines a verification result; and the application platform returns the verification result to the terminal.
In some embodiments, the application platform obtaining the session key between the terminal and the application platform from the key distribution function entity of the core network according to the key identifier includes: the application platform searches locally, according to the key identifier, for the corresponding session key and its validity period; when no session key between the terminal and the application platform is found, or the validity period of the session key has expired, the application platform sends a key acquisition request to the key distribution function entity of the core network, the key acquisition request including the key identifier, and receives the session key of the terminal and the application platform returned by the key distribution function entity of the core network; and when a session key of the terminal and the application platform is found and its validity period has not expired, the application platform uses the found session key as the session key of the terminal and the application platform.
In some embodiments, the one-time verification code in the verification information is encrypted with the session key of the terminal and the application platform; after the application platform obtains the session key between the terminal and the application platform from the key distribution function entity of the core network according to the key identifier, the method further comprises: the application platform decrypts the encrypted one-time verification code with the acquired session key to obtain the one-time verification code.
In some embodiments, the verification information further includes a random number, or the application platform generates a random number, adds it to the verification request and sends it to the terminal; the application platform generating the one-time verification code using the pre-configured one-time password algorithm corresponding to the terminal and the session key of the terminal and the application platform includes: the application platform acquires a plurality of timestamps within a preset time range around the current time point; and for each timestamp, the application platform generates a one-time verification code with a hash algorithm that takes the timestamp, the random number and the session key as parameters.
In some embodiments, comparing with the one-time verification code sent by the terminal and determining the verification result includes: the application platform compares each generated one-time verification code with the one-time verification code sent by the terminal, and if any one of the generated one-time verification codes matches the one-time verification code sent by the terminal, the application platform determines that the verification is successful.
In some embodiments, the mutual authentication between the terminal and the key distribution function entity of the core network is implemented by a Generic Bootstrapping Architecture (GBA) authentication procedure or an Authentication and Key Management for Applications (AKMA) authentication procedure.
According to further embodiments of the present disclosure, there is provided a verification method including: the terminal receives a verification request sent by the application platform, where the verification request is sent by the service platform in response to a service request from the terminal; the terminal acquires the session key of the terminal and the application platform; the terminal generates a one-time verification code by a pre-configured one-time password algorithm corresponding to the application platform, taking the session key as a parameter; the terminal sends verification information to the application platform, where the verification information comprises the one-time verification code and a key identifier, and the session key and the key identifier are obtained after mutual authentication between the terminal and a key distribution function entity of the core network; and the terminal receives a verification result sent by the application platform, where the verification result is obtained by the application platform generating a one-time verification code using the pre-configured one-time password algorithm corresponding to the terminal and the session key of the terminal and the application platform, which the application platform acquires from the key distribution function entity of the core network according to the key identifier, and comparing it with the one-time verification code sent by the terminal.
In some embodiments, the terminal obtaining the session key between the terminal and the application platform includes: the terminal searches the user card for the session key between the terminal and the application platform and its validity period; when the validity period of the session key has not expired, the terminal uses the found session key as the session key of the terminal and the application platform; and when the validity period of the session key has expired, the terminal performs mutual authentication with the key distribution function entity of the core network again to generate a new session key, which is used as the session key of the terminal and the application platform.
In some embodiments, the terminal sending the verification information to the application platform comprises: the terminal encrypts the generated one-time verification code with the session key, adds the encrypted one-time verification code and the key identifier to the verification information, and sends the verification information to the application platform.
In some embodiments, the terminal generating the one-time verification code by the pre-configured one-time password algorithm corresponding to the application platform, taking the session key as a parameter, includes: the terminal generates a random number or receives a random number sent by the application platform; the terminal generates the one-time verification code with a hash algorithm that takes the timestamp of the current time point, the random number and the session key as parameters.
According to still other embodiments of the present disclosure, there is provided an application platform including: a first sending module for sending a verification request to the terminal in response to a service request from the terminal; a receiving module for receiving verification information sent by the terminal, where the verification information comprises a one-time verification code and a key identifier, the one-time verification code is generated by a one-time password algorithm that takes the session key of the terminal and the application platform as a parameter, and the session key and the key identifier are obtained after mutual authentication between the terminal and a key distribution function entity of the core network; an acquisition module for acquiring the session key of the terminal and the application platform from the key distribution function entity of the core network according to the key identifier; a determining module for generating a one-time verification code using the pre-configured one-time password algorithm corresponding to the terminal and the acquired session key, comparing it with the one-time verification code sent by the terminal, and determining a verification result; and a second sending module for returning the verification result to the terminal.
According to still further embodiments of the present disclosure, there is provided a terminal including: a first receiving module for receiving a verification request sent by the application platform, where the verification request is sent by the service platform in response to a service request from the terminal; an acquisition module for acquiring the session key of the terminal and the application platform; a generation module for generating a one-time verification code by a pre-configured one-time password algorithm corresponding to the application platform, taking the session key as a parameter; a sending module for sending verification information to the application platform, where the verification information comprises the one-time verification code and a key identifier, and the session key and the key identifier are obtained after mutual authentication between the terminal and a key distribution function entity of the core network; and a second receiving module for receiving a verification result sent by the application platform, where the verification result is obtained by the application platform generating a one-time verification code using the pre-configured one-time password algorithm corresponding to the terminal and the session key of the terminal and the application platform, which the application platform acquires from the key distribution function entity of the core network according to the key identifier, and comparing it with the one-time verification code sent by the terminal.
According to still further embodiments of the present disclosure, there is provided a verification system including: the application platform of any of the foregoing embodiments and the terminal of any of the foregoing embodiments.
In some embodiments, the system further comprises: and the core network key distribution functional entity is used for sending the session key of the terminal and the application platform to the application platform.
In some embodiments, the core network key distribution function entity is configured to perform mutual authentication with the terminal, generate a key identifier, and send the key identifier to the terminal; and receiving a key acquisition request sent by the application platform, generating a session key of the terminal and the application platform, and sending the session key to the application platform.
According to still further embodiments of the present disclosure, there is provided an electronic device including: a processor; and a memory coupled to the processor for storing instructions that, when executed by the processor, cause the processor to perform the authentication method of any of the preceding embodiments.
According to further embodiments of the present disclosure, there is provided a non-transitory computer readable storage medium having stored thereon a computer program, wherein the program when executed by a processor implements the authentication method of any of the preceding embodiments.
In the method, the terminal generates a one-time verification code by a one-time password algorithm that takes the session key of the terminal and the application platform as a parameter, and sends the one-time verification code and the key identifier to the application platform. The session key and the key identifier are obtained after mutual authentication between the terminal and the key distribution function entity of the core network. The application platform acquires the session key of the terminal and the application platform from the key distribution function entity of the core network by means of the key identifier, then generates a one-time verification code with the one-time password algorithm corresponding to the terminal and the acquired session key, and compares it with the one-time verification code sent by the terminal, thereby verifying the terminal. The application platform does not need to send a verification code to the terminal by short message or any other channel; instead it generates the verification code locally from the session key established by mutual authentication between the terminal and the key distribution function entity of the core network. This reduces the interaction between the application platform and the terminal, removes the possibility of the verification-code short message being intercepted, responds quickly and improves security. Because the verification code is generated automatically by the terminal throughout the verification process, the user does not need to enter a verification code, which reduces the operational burden on the user and improves the user experience.
Other features of the present disclosure and advantages thereof will become apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 illustrates a flow diagram of a validation method of some embodiments of the present disclosure.
Fig. 2 shows a flow diagram of a validation method of further embodiments of the present disclosure.
Fig. 3 illustrates a structural schematic of an application platform of some embodiments of the present disclosure.
Fig. 4 illustrates a schematic structural diagram of a terminal of some embodiments of the present disclosure.
Fig. 5 illustrates a schematic structural diagram of a verification system of some embodiments of the present disclosure.
Fig. 6 illustrates a schematic structural diagram of an electronic device of some embodiments of the present disclosure.
Fig. 7 shows a schematic structural diagram of an electronic device of further embodiments of the disclosure.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are only a part of the embodiments of the present disclosure, and not all of the embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
The present disclosure provides a verification method, which is described below with reference to fig. 1-2.
Fig. 1 is a flow chart of some embodiments of a verification method of the present disclosure. As shown in fig. 1, the method of this embodiment includes: steps S102 to S116.
In step S102, the terminal sends a service request to the application platform.
For example, a user operates an Application (APP) on a terminal, and triggers the terminal to send a service request to an application platform through the APP, where the service request may be a login request or the like.
In step S104, the application platform responds to the service request of the terminal, and sends a verification request to the terminal, and correspondingly, the terminal receives the verification request sent by the application platform.
The authentication request may include information instructing the terminal to transmit the one-time authentication code.
In step S106, the terminal obtains a session key between the terminal and the application platform.
The session key is obtained after mutual authentication between the terminal and the key distribution function entity of the core network. For example, mutual authentication between the terminal and the key distribution function entity of the core network is achieved through a GBA (Generic Bootstrapping Architecture) authentication procedure or an AKMA (Authentication and Key Management for Applications) authentication procedure. The key distribution function entity of the core network is, for example, a BSF (Bootstrapping Server Function) network element or an AAnF (AKMA Anchor Function). The session key between the terminal and the application platform is Ks_NAF in the GBA procedure or K_AF in the AKMA procedure. The GBA and AKMA procedures follow the existing standards and are carried out by the terminal, together with its user card, interacting with the key distribution function entity of the core network; they are not described again here.
In step S108, the terminal generates a one-time authentication code by using the session key as a parameter and using a pre-configured one-time cryptographic algorithm corresponding to the application platform.
The terminal may generate the one-time verification code with an OTP (One-Time Password) algorithm. In some embodiments, the terminal generates a random number or receives a random number sent by the application platform, and generates the one-time verification code with a hash algorithm that takes the timestamp of the current time point, the random number and the session key as parameters. If the terminal generates the random number, it adds the random number to the verification information sent to the application platform. If the application platform generates the random number, the random number can be sent to the terminal in the verification request. For example, the terminal computes SHA1{K, random, timestamp} with the SHA1 algorithm and forms the leftmost 32 or 48 bits of the resulting value into a 4-digit or 6-digit verification code; the scheme is not limited to this example.
In step S110, the terminal sends the verification information to the application platform, and accordingly, the application platform receives the verification information sent by the terminal.
The verification information includes a one-time verification code and a key identifier. The key identifier is obtained after mutual authentication between the terminal and the key distribution function entity of the core network, for example through a GBA authentication procedure or an AKMA authentication procedure. For example, the key identifier is the B-TID (Bootstrapping Transaction Identifier) in the GBA authentication procedure or the A-KID (AKMA Key Identifier) in the AKMA authentication procedure. The key identifier uniquely corresponds to a session key of the terminal and the application platform.
In step S112, the application platform obtains the session key between the terminal and the application platform from the key distribution function entity of the core network according to the key identifier.
In some embodiments, the application platform sends a key acquisition request to the key distribution function entity of the core network, where the key acquisition request includes the key identifier, and receives the session key of the terminal and the application platform returned by the key distribution function entity of the core network. The key acquisition request may further include an application platform identifier. For example, in the GBA authentication procedure or the AKMA authentication procedure, the key distribution function entity of the core network first generates the key identifier and the root key of the terminal, where the root key is, for example, Ks in the GBA procedure or K_AUSF in the AKMA procedure; the terminal also generates the root key. The terminal then generates the session key of the terminal and the application platform from the root key and the identifier of the application platform. After receiving the key acquisition request, the key distribution function entity searches its locally stored root key corresponding to the terminal according to the key identifier, and generates the session key of the terminal and the application platform from the found root key and the identifier of the application platform.
In step S114, the application platform generates a one-time authentication code according to a one-time password algorithm configured in advance and corresponding to the terminal and the acquired session key, and compares the one-time authentication code with the one-time authentication code sent by the terminal to determine an authentication result.
The application platform and the terminal negotiate the one-time password algorithm in advance, so the one-time password algorithm corresponding to the terminal is pre-configured. In some embodiments, the verification information further includes a random number, or the application platform generates a random number, adds it to the verification request and sends it to the terminal. The application platform acquires a plurality of timestamps within a preset time range around the current time point, and for each timestamp generates a one-time verification code with a hash algorithm that takes the timestamp, the random number and the session key as parameters. The application platform compares each generated one-time verification code with the one-time verification code sent by the terminal; if any one of the generated one-time verification codes matches the one-time verification code sent by the terminal, the application platform determines that the verification is successful, otherwise the verification fails. For example, using the same algorithm as the terminal in the previous embodiment, the application platform computes SHA1{K, random, timestamp} with the SHA1 algorithm and forms the leftmost 32 or 48 bits of the resulting value into a 4-digit or 6-digit verification code.
In step S116, the application platform returns a verification result to the terminal, and correspondingly, the terminal receives the verification result sent by the application platform.
If the terminal passes the verification, the user can log in the application to carry out service operation.
In the above embodiment, the terminal generates a one-time verification code by a one-time password algorithm that takes the session key of the terminal and the application platform as a parameter, and sends the one-time verification code and the key identifier to the application platform. The session key and the key identifier are obtained after mutual authentication between the terminal and the key distribution function entity of the core network. The application platform acquires the session key of the terminal and the application platform from the key distribution function entity of the core network by means of the key identifier, then generates a one-time verification code with the one-time password algorithm corresponding to the terminal and the acquired session key, and compares it with the one-time verification code sent by the terminal, thereby verifying the terminal. The application platform does not need to send a verification code to the terminal by short message or any other channel; instead it generates the verification code locally from the session key established by mutual authentication between the terminal and the key distribution function entity of the core network. This reduces the interaction between the application platform and the terminal, removes the possibility of the verification-code short message being intercepted, responds quickly and improves security. Because the verification code is generated automatically by the terminal throughout the verification process, the user does not need to enter a verification code, which reduces the operational burden on the user and improves the user experience.
Further embodiments of the disclosed authentication method are described below in conjunction with fig. 2.
Fig. 2 is a flow chart of further embodiments of a verification method of the present disclosure. As shown in fig. 2, the method of this embodiment includes: steps S202 to S226.
In step S202, the terminal sends a service request to the application platform.
In step S204, the application platform sends a verification request to the terminal, and requests the terminal to send a verification code.
In step S206, the terminal searches the session key between the terminal and the application platform and the corresponding validity period in the user card, and if the validity period of the session key has not expired, step S208 is executed, otherwise step S210 is executed.
The process of calculating the one-time passcode by the terminal can be triggered by a verification request or software sent by the application platform. The validity period corresponding to the session key of the terminal and the application platform is generated in the process of mutual authentication between the terminal and the key distribution functional entity of the core network. For example, the core network key distribution function entity generates a root key and also generates a validity period of a session key, and sends the validity period to the terminal.
In step S208, when the validity period of the session key has not yet expired, the terminal uses the found session key as the session key of the terminal and the application platform.
In step S210, when the validity period of the session key has expired, the terminal re-authenticates with the core network key distribution function entity and generates a new session key as the session key between the terminal and the application platform.
The renewed mutual authentication between the terminal and the key distribution functional entity of the core network, which produces a new session key, may follow the GBA authentication procedure or the AKMA authentication procedure.
In step S212, the terminal generates a one-time passcode by using the session key as a parameter and using a pre-configured one-time passcode algorithm corresponding to the application platform.
In step S214, the terminal encrypts the one-time passcode by using the session key between the terminal and the application platform, adds the encrypted one-time passcode and the key identifier to the verification information, and sends the verification information to the application platform.
In step S216, the application platform locally searches the corresponding session key and the validity period of the session key according to the key identifier, if the session key between the terminal and the application platform is not found or the validity period of the session key has passed, then step S218 is executed, otherwise step S220 is executed.
The application platform can also locally search for the corresponding session key and its validity period according to the identifier of the terminal. After the application platform obtains the session key corresponding to the terminal and the corresponding validity period from the key distribution function entity of the core network for the first time, it can store them in association with the key identifier and/or the terminal identifier.
In step S218, the application platform sends a key obtaining request to the key distribution function entity of the core network and receives the session key of the terminal and the application platform returned by the key distribution function entity of the core network when the session key of the terminal and the application platform is not found or the validity period of the session key has passed.
In step S220, the application platform uses the searched session key as the session key of the terminal and the application platform when the session key of the terminal and the application platform is found and the validity period of the session key is not over.
The application platform can monitor the validity period of the session key, and meanwhile, the terminal can also monitor the validity period of the session key. And under the condition that the terminal finds that the validity period of the session key is over, the terminal and the key distribution functional entity of the core network carry out mutual authentication again and generate a new session key. And under the condition that the application platform finds that the validity period of the session key is over, the application platform waits for the terminal to acquire a new session key and then sends a corresponding key identifier, and then acquires the session key from the key distribution function entity of the core network according to the key identifier.
In step S222, the application platform generates a one-time password according to a pre-configured one-time password algorithm corresponding to the terminal and the acquired session key.
In step S224, the application platform decrypts the encrypted one-time passcode in the verification information by using the session key between the terminal and the application platform, and compares the decrypted one-time passcode with the generated one-time passcode to determine the verification result.
In step S226, the application platform sends the verification result to the terminal.
If the verification passes, the service is allowed to proceed.
In the above embodiments, both the generation of the one-time verification code and its encryption use the session key of the terminal and the application platform. In other embodiments, the terminal and the application platform use the same pre-configured key derivation (diversification) algorithm to derive a plurality of derived keys from the session key of the terminal and the application platform. The terminal selects one derived key to generate the one-time verification code and another derived key to encrypt it. The process of generating the one-time verification code is as described in the previous embodiments.
Further, the verification information sent by the terminal to the application platform includes the encrypted one-time verification code, the identifier of the derived key used to generate it, and the identifier of the derived key used for encryption. After the application platform obtains the session key of the terminal and the application platform from the key distribution functional entity of the core network according to the key identifier, it generates, from the session key and the two derived-key identifiers, a first derived key and a second derived key corresponding respectively to the key used to generate the one-time verification code and the key used for encryption. The application platform then generates a one-time verification code according to the pre-configured one-time password algorithm corresponding to the terminal and the first derived key, decrypts the encrypted one-time verification code with the second derived key, compares the generated code with the decrypted code, and determines the verification result.
The session key in the embodiments corresponding to fig. 1 and 2 may be replaced by any derived key of the terminal and the application platform; details are not repeated here.
The present disclosure provides an operator-based key distribution system in an LTE/NG network and a method for generating an OTP (one-time password) verification code, wherein the verification code is not transmitted through the network but generated locally, so it is not subject to network delay or large-scale hijacking. The scheme can involve a user card (such as a USIM card), a terminal (an SDK can be used to generate the one-time verification code), a 4G/5G core network key distribution function entity (BSF/AUSF), an application platform, and so on. When the terminal sends a service request to the application platform, the application platform may request verification; after receiving the verification request, the terminal checks whether the session key (e.g., Ks_NAF or K_AF) in the user card has expired. If it has expired, GBA or AKMA authentication is carried out to obtain a new Ks_NAF or K_AF; if not, the existing Ks_NAF or K_AF is used. The required OTP verification code is then derived from that key by the corresponding transformation. The verification code can be displayed on the screen (preserving the user experience of the original short message verification code) or not displayed, and is then sent to the application platform together with a key identifier (such as the B-TID in the GBA procedure or the A-KID in the AKMA procedure); the OTP verification code may be encrypted for this transfer. The application platform obtains the new Ks_NAF or K_AF from the network side through the key identifier, or finds a Ks_NAF or K_AF still within its lifetime on the platform, performs the same algorithm calculation to obtain the OTP verification code, and compares it with the received one. The method can also be used in a scenario where a personal computer (PC) displays a two-dimensional code and the terminal scans the code to log in, using the verification code.
Compared with the existing short message verification code method, the scheme of the present disclosure responds faster and more reliably and is more secure. When the terminal generates the verification code locally and sends it to the application platform, the key in the GBA or AKMA framework can be used for encryption, which strengthens the confidentiality of the returned code.
The present disclosure also provides an application platform, described below in conjunction with fig. 3.
Fig. 3 is a block diagram of some embodiments of an application platform of the present disclosure. As shown in fig. 3, the application platform 30 of this embodiment includes: a first sending module 310, a receiving module 320, an obtaining module 330, a determining module 340, and a second sending module 350.
A first sending module 310, configured to send an authentication request to the terminal in response to a service request of the terminal.
The receiving module 320 is configured to receive verification information sent by the terminal, where the verification information includes a one-time verification code and a key identifier, the one-time verification code is generated by using a session key of the terminal and the application platform as a parameter through a one-time cryptographic algorithm, and the session key and the key identifier are obtained after mutual authentication is performed between the terminal and a key distribution function entity of the core network.
In some embodiments, the mutual authentication between the terminal and the key distribution function entity of the core network is implemented by a Generic Bootstrapping Architecture (GBA) authentication procedure, or by an Authentication and Key Management for Applications (AKMA) authentication procedure.
The obtaining module 330 is configured to obtain a session key between the terminal and the application platform from the key distribution function entity of the core network according to the key identifier.
In some embodiments, the obtaining module 330 is configured to locally search, according to the key identifier, for the corresponding session key and its validity period; when the session key between the terminal and the application platform is not found or the validity period of the session key has passed, to send a key obtaining request containing the key identifier to the core network key distribution function entity and receive the session key of the terminal and the application platform returned by it; and when the session key of the terminal and the application platform is found and its validity period has not passed, to use the found session key as the session key of the terminal and the application platform.
The determining module 340 is configured to generate a one-time authentication code according to a one-time password algorithm configured in advance and corresponding to the terminal and the acquired session key, and compare the one-time authentication code with the one-time authentication code sent by the terminal to determine an authentication result.
In some embodiments, the one-time verification code in the verification information is encrypted by using a session key of the terminal and the application platform; the determining module 340 is further configured to decrypt the encrypted one-time passcode by using the obtained session key to obtain the one-time passcode.
In some embodiments, the authentication information further includes a random number, or the first sending module 310 is further configured to generate a random number to be added to the authentication request and send the random number to the terminal; the determining module 340 is configured to obtain a plurality of timestamps within a preset time range of a current time point; and aiming at each timestamp, taking the timestamp, the random number and the session key as parameters, and generating the one-time verification code by adopting a hash algorithm.
In some embodiments, the determining module 340 is configured to compare the generated one-time verification codes with the one-time verification code sent by the terminal, and determine that the verification is successful when one of the generated one-time verification codes is consistent with the one-time verification code sent by the terminal.
And a second sending module 350, configured to return the verification result to the terminal.
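The fig. 2 exchange (steps S202 to S226), the derived-key variant, and the timestamp-window comparison performed by the determining module 340, as an added Python example that is not part of the patent. The HMAC-based code generation, the HMAC-based encryption of the code in transit, the 30-second time step, the one-step window, the one-hour key lifetime and the in-memory stand-in for the BSF/AUSF are all assumptions made here.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

OTP_DIGITS = 6        # length of the compared code (assumption)
TIME_STEP = 30        # seconds per timestamp step (assumption, TOTP-like)
WINDOW_STEPS = 1      # platform accepts steps now-1, now, now+1 (assumption)
KEY_LIFETIME = 3600   # session-key validity period in seconds (assumption)


@dataclass
class SessionRecord:
    """Session key (Ks_NAF / K_AF stand-in), key identifier (B-TID / A-KID
    stand-in) and validity period issued during bootstrapping."""
    key: bytes
    key_id: str
    expires_at: int


def derive_key(session_key: bytes, label: bytes) -> bytes:
    """Diversify the session key into per-purpose derived keys: one for the
    one-time code, one for encrypting the code in transit."""
    return hmac.new(session_key, b"derive:" + label, hashlib.sha256).digest()


def one_time_code(otp_key: bytes, time_step: int, nonce: bytes) -> str:
    """Hash(timestamp, random number, key) truncated to OTP_DIGITS digits."""
    msg = time_step.to_bytes(8, "big") + nonce
    mac = hmac.new(otp_key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


def seal(enc_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC-derived keystream (stand-in for an AEAD);
    the nonce must be fresh for every verification."""
    stream = hmac.new(enc_key, b"stream:" + nonce, hashlib.sha256).digest()
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(enc_key, b"tag:" + nonce + body, hashlib.sha256).digest()[:16]
    return body + tag


def unseal(enc_key: bytes, nonce: bytes, sealed: bytes) -> Optional[bytes]:
    """Verify the tag in constant time before decrypting; None on failure."""
    body, tag = sealed[:-16], sealed[-16:]
    expect = hmac.new(enc_key, b"tag:" + nonce + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return None
    stream = hmac.new(enc_key, b"stream:" + nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(body, stream))


class KeyDistributionFunction:
    """Core-network key distribution entity (BSF/AUSF stand-in)."""

    def __init__(self) -> None:
        self._keys: Dict[str, SessionRecord] = {}

    def bootstrap(self, terminal_id: str, now: int) -> SessionRecord:
        # The GBA/AKMA mutual-authentication run itself is abstracted away;
        # the outcome is a fresh key, its identifier and a validity period.
        key_id = f"{terminal_id}:{secrets.token_hex(8)}"
        record = SessionRecord(secrets.token_bytes(32), key_id, now + KEY_LIFETIME)
        self._keys[key_id] = record
        return record

    def fetch(self, key_id: str, now: int) -> Optional[SessionRecord]:
        record = self._keys.get(key_id)
        return record if record and record.expires_at > now else None


class Terminal:
    def __init__(self, terminal_id: str, kdf: KeyDistributionFunction) -> None:
        self.terminal_id, self.kdf = terminal_id, kdf
        self.card: Optional[SessionRecord] = None  # user card (USIM) storage

    def build_verification_info(self, nonce: bytes, now: int) -> dict:
        # S206-S210: reuse the stored key while valid, else re-authenticate.
        if self.card is None or self.card.expires_at <= now:
            self.card = self.kdf.bootstrap(self.terminal_id, now)
        otp_key = derive_key(self.card.key, b"otp")
        enc_key = derive_key(self.card.key, b"enc")
        code = one_time_code(otp_key, now // TIME_STEP, nonce)   # S212
        return {"key_id": self.card.key_id,                       # S214
                "sealed_code": seal(enc_key, nonce, code.encode())}


class ApplicationPlatform:
    def __init__(self, kdf: KeyDistributionFunction) -> None:
        self.kdf = kdf
        self.cache: Dict[str, SessionRecord] = {}

    def verify(self, info: dict, nonce: bytes, now: int) -> bool:
        key_id = info["key_id"]
        record = self.cache.get(key_id)                           # S216
        if record is None or record.expires_at <= now:
            record = self.kdf.fetch(key_id, now)                  # S218
            if record is None:
                return False
            self.cache[key_id] = record
        otp_key = derive_key(record.key, b"otp")
        enc_key = derive_key(record.key, b"enc")
        received = unseal(enc_key, nonce, info["sealed_code"])    # S224
        if received is None:
            return False
        step = now // TIME_STEP
        for offset in range(-WINDOW_STEPS, WINDOW_STEPS + 1):     # S222
            candidate = one_time_code(otp_key, step + offset, nonce).encode()
            if hmac.compare_digest(candidate, received):
                return True
        return False
```

The platform accepts a code only while the step at which the terminal computed it lies inside the window, so a replayed message becomes useless once the window has moved on, and a stale or unknown key identifier is refused rather than silently re-keyed.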
The present disclosure also provides a terminal, described below in conjunction with fig. 4.
Fig. 4 is a block diagram of some embodiments of the terminal of the present disclosure. As shown in fig. 4, the terminal 40 of this embodiment includes: the device comprises a first receiving module 410, an obtaining module 420, a generating module 430, a sending module 440 and a second receiving module 450.
The first receiving module 410 is configured to receive an authentication request sent by an application platform, where the authentication request is sent by a service platform in response to a service request of a terminal.
The obtaining module 420 is configured to obtain a session key between the terminal and the application platform.
In some embodiments, the obtaining module 420 is configured to search, in the user card, a session key of the terminal and the application platform and a corresponding validity period, and use the searched session key of the terminal and the application platform as the session key of the terminal and the application platform when the validity period of the session key has not yet expired; and under the condition that the validity period of the session key is over, mutually authenticating with the key distribution functional entity of the core network again and generating a new session key which is used as the session key of the terminal and the application platform.
The generating module 430 is configured to generate a one-time verification code by using the session key as a parameter through a preconfigured one-time cryptographic algorithm corresponding to the application platform.
In some embodiments, the generation module 430 is configured to generate a random number or receive a random number sent by an application platform; and generating the one-time verification code by using a hash algorithm by taking the timestamp, the random number and the session key of the current time point as parameters.
The sending module 440 is configured to send verification information to the application platform, where the verification information includes a one-time verification code and a key identifier, and the session key and the key identifier are obtained after mutual authentication is performed between the terminal and the key distribution function entity of the core network.
In some embodiments, the sending module 440 is configured to encrypt the generated one-time passcode with a session key, add the encrypted one-time passcode and the key identifier to the verification information, and send the verification information to the application platform.
The second receiving module 450 is configured to receive a verification result sent by the application platform, where the verification result is obtained by the application platform generating a one-time verification code according to a preconfigured one-time cryptographic algorithm corresponding to the terminal and the session key of the terminal and the application platform, which it obtains from the core network key distribution function entity according to the key identifier, and comparing the generated one-time verification code with the one-time verification code sent by the terminal.
The present disclosure also provides an authentication system, described below in conjunction with fig. 5.
FIG. 5 is a block diagram of some embodiments of a verification system of the present disclosure. As shown in fig. 5, the authentication system 5 of this embodiment includes: the application platform 30 of any of the embodiments described above and the terminal 40 of any of the embodiments described above.
In some embodiments, the system 5 further comprises a core network key distribution function entity 52, configured to send the session key of the terminal 40 and the application platform 30 to the application platform 30.
In some embodiments, the core network key distribution function entity 52 is configured to perform mutual authentication with the terminal 40, generate a key identifier, and send the key identifier to the terminal; and receiving a key acquisition request sent by the application platform 30, generating a session key between the terminal 40 and the application platform 30, and sending the session key to the application platform 30.
In some embodiments, the terminal 40 further includes a user card for storing a session key with the application platform 30, and performing mutual authentication with the core network key distribution function 52. The terminal 40 further includes an application, which corresponds to the application platform, and information of interaction between the terminal and the application platform may be sent through the application, which is not described any further.
The electronic devices, such as the application platform, the terminal, the core network key distribution function entity, and the like, in the embodiments of the present disclosure may be implemented by various computing devices or computer systems, which are described below with reference to fig. 6 and 7.
Fig. 6 is a block diagram of some embodiments of an electronic device of the present disclosure. As shown in fig. 6, the electronic apparatus 60 of this embodiment includes: a memory 610 and a processor 620 coupled to the memory 610, the processor 620 configured to perform the authentication method in any of the embodiments of the present disclosure based on instructions stored in the memory 610.
Memory 610 may include, for example, system memory, fixed non-volatile storage media, and the like. The system memory stores, for example, an operating system, an application program, a boot loader, a database, and other programs.
FIG. 7 is a block diagram of further embodiments of the electronic device of the present disclosure. As shown in fig. 7, the electronic apparatus 70 of this embodiment includes: memory 710 and processor 720, which are similar to memory 610 and processor 620, respectively. An input/output interface 730, a network interface 740, a storage interface 750, and the like may also be included. These interfaces 730, 740, 750, as well as the memory 710 and the processor 720, may be connected, for example, by a bus 760. The input/output interface 730 provides a connection interface for input/output devices such as a display, a mouse, a keyboard, and a touch screen. The network interface 740 provides a connection interface for various networking devices, such as a database server or a cloud storage server. The storage interface 750 provides a connection interface for external storage devices such as an SD card and a USB disk.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only exemplary of the present disclosure and is not intended to limit the present disclosure, so that any modification, equivalent replacement, or improvement made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.

Claims (17)

1. A method of authentication, comprising:
the application platform responds to a service request of a terminal and sends a verification request to the terminal;
the application platform receives verification information sent by the terminal, wherein the verification information comprises a one-time verification code and a key identifier, the one-time verification code is generated by taking a session key of the terminal and the application platform as a parameter through a one-time cryptographic algorithm, and the session key and the key identifier are obtained after mutual authentication is carried out between the terminal and a key distribution functional entity of a core network;
the application platform acquires a session key of the terminal and the application platform from a key distribution functional entity of a core network according to the key identification;
the application platform generates a one-time verification code according to a preconfigured one-time password algorithm corresponding to the terminal and the acquired session key, and compares the one-time verification code with the one-time verification code sent by the terminal to determine a verification result;
and the application platform returns a verification result to the terminal.
2. The authentication method according to claim 1, wherein the obtaining, by the application platform, the session key between the terminal and the application platform to a core network key distribution function entity according to the key identifier comprises:
the application platform searches a corresponding session key and the validity period of the session key locally according to the key identifier;
the application platform sends a key acquisition request to the core network key distribution function entity under the condition that the session key between the terminal and the application platform is not found or the validity period of the session key is over, wherein the key acquisition request comprises the key identification, and receives the session key of the terminal and the application platform returned by the key distribution function entity of the core network;
and the application platform uses the searched session key as the session key of the terminal and the application platform under the condition that the session key of the terminal and the application platform is searched and the validity period of the session key is not over.
3. The authentication method according to claim 1, wherein the one-time authentication code in the authentication information is encrypted with a session key of the terminal and the application platform;
after the application platform obtains the session key between the terminal and the application platform from the key distribution function entity of the core network according to the key identifier, the method further comprises the following steps:
and the application platform decrypts the encrypted one-time verification code by using the acquired session key to obtain the one-time verification code.
4. The authentication method according to claim 1, wherein the authentication information further comprises a random number, or the application platform generates a random number to be added to the authentication request and sends the random number to the terminal;
the application platform generates a one-time verification code according to a pre-configured one-time password algorithm corresponding to the terminal and a session key of the terminal and the application platform, and the one-time verification code comprises the following steps:
the application platform acquires a plurality of timestamps within a preset time range of a current time point;
and for each time stamp, the application platform generates a one-time verification code by using a hash algorithm with the time stamp, the random number and the session key as parameters.
5. The authentication method according to claim 4, wherein the comparing with the one-time authentication code sent by the terminal and the determining the authentication result comprises:
the application platform compares each generated one-time verification code with the one-time verification code sent by the terminal, and under the condition that one of the generated one-time verification codes is consistent with the one-time verification code sent by the terminal, the application platform determines that the verification is successful.
6. The authentication method according to any one of claims 1 to 5,
mutual authentication between the terminal and the key distribution functional entity of the core network is realized through a Generic Bootstrapping Architecture (GBA) authentication procedure, or through an Authentication and Key Management for Applications (AKMA) authentication procedure.
7. A method of authentication, comprising:
a terminal receives a verification request sent by an application platform, wherein the verification request is sent by the service platform in response to a service request of the terminal;
the terminal acquires a session key of the terminal and the application platform;
the terminal takes the session key as a parameter and generates a one-time verification code through a preconfigured one-time cryptographic algorithm corresponding to the application platform;
the terminal sends verification information to the application platform, wherein the verification information comprises the one-time verification code and a key identifier, and the session key and the key identifier are obtained after mutual authentication between the terminal and a key distribution functional entity of a core network;
and the terminal receives a verification result sent by the application platform, wherein the verification result is a result obtained by the application platform generating a one-time verification code according to a one-time password algorithm which is configured in advance and corresponds to the terminal and a session key of the terminal and the application platform which is obtained from a key distribution functional entity of a core network according to the key identification, and comparing the one-time verification code with the one-time verification code sent by the terminal.
8. The authentication method according to claim 7, wherein the terminal obtaining the session key of the terminal and the application platform comprises:
the terminal searches a session key of the terminal and the application platform and a corresponding validity period in a user card;
the terminal takes the searched session key of the terminal and the application platform as the session key of the terminal and the application platform under the condition that the validity period of the session key is not over;
and under the condition that the validity period of the session key is over, the terminal performs mutual authentication with the core network key distribution functional entity again to generate a new session key which is used as the session key of the terminal and the application platform.
9. The authentication method of claim 7, wherein the terminal sending authentication information to the application platform comprises:
and the terminal encrypts the generated one-time verification code by using the session key, adds the encrypted one-time verification code and the key identification into the verification information and sends the verification information to the application platform.
10. The authentication method according to claim 7, wherein the terminal generates a one-time authentication code by using the session key as a parameter through a preconfigured one-time password algorithm corresponding to the application platform, and comprises:
the terminal generates a random number or receives the random number sent by the application platform;
and the terminal generates a one-time verification code by using a hash algorithm by taking the timestamp of the current time point, the random number and the session key as parameters.
11. An application platform, comprising:
the first sending module is used for responding to a service request of a terminal and sending a verification request to the terminal;
the system comprises a receiving module, a processing module and a processing module, wherein the receiving module is used for receiving verification information sent by the terminal, the verification information comprises a one-time verification code and a key identification, the one-time verification code is generated by taking a session key of the terminal and the application platform as a parameter through a one-time cryptographic algorithm, and the session key and the key identification are obtained after mutual authentication is carried out between the terminal and a key distribution functional entity of a core network;
an obtaining module, configured to obtain, according to the key identifier, a session key between the terminal and the application platform from a key distribution function entity of a core network;
the determining module is used for generating a one-time verification code according to a one-time password algorithm which is configured in advance and corresponds to the terminal and the acquired session key, comparing the one-time verification code with the one-time verification code sent by the terminal and determining a verification result;
and the second sending module is used for returning the verification result to the terminal.
12. A terminal, comprising:
a first receiving module, configured to receive a verification request sent by an application platform, wherein the verification request is sent by the application platform in response to a service request of the terminal;
an obtaining module, configured to obtain a session key of the terminal and the application platform;
a generating module, configured to generate a one-time verification code taking the session key as a parameter through a pre-configured one-time password algorithm corresponding to the application platform;
a sending module, configured to send verification information to the application platform, wherein the verification information comprises the one-time verification code and a key identifier, and the session key and the key identifier are obtained after mutual authentication is performed between the terminal and a key distribution function entity of a core network; and
a second receiving module, configured to receive a verification result sent by the application platform, wherein the verification result is obtained by the application platform generating a one-time verification code according to a pre-configured one-time password algorithm corresponding to the terminal and the session key of the terminal and the application platform, which the application platform obtains from the key distribution function entity of the core network according to the key identifier, and comparing that one-time verification code with the one-time verification code sent by the terminal.
13. A verification system, comprising: the application platform of claim 11 and the terminal of claim 12.
14. The verification system of claim 13, further comprising:
a key distribution function entity of a core network, configured to send the session key of the terminal and the application platform to the application platform.
15. The verification system of claim 13, wherein
the key distribution function entity of the core network is configured to perform mutual authentication with the terminal, generate a key identifier and send the key identifier to the terminal; and to receive a key acquisition request sent by the application platform, generate a session key of the terminal and the application platform, and send the session key to the application platform.
16. An electronic device, comprising:
a processor; and
a memory coupled to the processor and storing instructions that, when executed by the processor, cause the processor to perform the verification method of any one of claims 1 to 6, or the verification method of any one of claims 7 to 10.
17. A non-transitory computer-readable storage medium having stored thereon a computer program, wherein the program, when executed by a processor, implements the steps of the verification method of any one of claims 1 to 6 or of any one of claims 7 to 10.
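As an added illustration, not code from the patent, the following Python sketch simulates the exchange the claims describe: a constructed key distribution entity issues a key identifier and session key after mutual authentication (claim 15), the terminal derives a one-time code from the timestamp, a random number and the session key (claims 10 and 12), and the application platform fetches the key by identifier, recomputes the code and compares it (claim 11). HMAC-SHA256 with 8-digit truncation, the 30-second freshness window, and the rule that the key is released only to the platform it was issued for are assumptions of this example, not claimed features.

```python
import hashlib
import hmac
import secrets


class KeyDistributionEntity:
    """Constructed stand-in for the core-network key distribution function entity."""

    def __init__(self):
        self._keys = {}  # key identifier -> (terminal id, platform id, session key)

    def mutual_authentication(self, terminal_id, platform_id):
        # Mutual authentication is assumed to have succeeded; the entity then mints
        # the key identifier and the session key shared by terminal and platform.
        key_id = secrets.token_hex(8)
        session_key = secrets.token_bytes(32)
        self._keys[key_id] = (terminal_id, platform_id, session_key)
        return key_id, session_key

    def key_acquisition(self, key_id, platform_id):
        # Assumed policy: release the session key only to the platform it was issued for.
        entry = self._keys.get(key_id)
        if entry is None or entry[1] != platform_id:
            return None
        return entry[2]


def one_time_code(session_key, timestamp, nonce):
    # Claim 10: hash over the current timestamp, the random number and the session key.
    # HMAC-SHA256 truncated to 8 hex digits is an assumed instantiation of that hash.
    msg = timestamp.to_bytes(8, "big") + nonce
    return hmac.new(session_key, msg, hashlib.sha256).hexdigest()[:8]


def terminal_verification_info(session_key, key_id, timestamp, nonce):
    # Claim 12: the terminal returns the one-time code together with the key identifier.
    return {"otp": one_time_code(session_key, timestamp, nonce),
            "key_id": key_id, "ts": timestamp, "nonce": nonce}


def platform_verify(kde, platform_id, issued_nonce, info, now, window=30):
    # Claim 11: fetch the session key by key identifier, recompute the code, compare.
    session_key = kde.key_acquisition(info["key_id"], platform_id)
    if session_key is None or info["nonce"] != issued_nonce:
        return False
    if abs(now - info["ts"]) > window:  # assumed freshness window, in seconds
        return False
    expected = one_time_code(session_key, info["ts"], info["nonce"])
    return hmac.compare_digest(expected, info["otp"])
```

The platform binds the code to the nonce it issued in the verification request and rejects a stale timestamp, so a captured verification message cannot be replayed later against the same platform.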
CN202011126283.6A 2020-10-20 2020-10-20 Verification method, system, application platform and terminal Pending CN114449515A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011126283.6A CN114449515A (en) 2020-10-20 2020-10-20 Verification method, system, application platform and terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011126283.6A CN114449515A (en) 2020-10-20 2020-10-20 Verification method, system, application platform and terminal

Publications (1)

Publication Number Publication Date
CN114449515A true CN114449515A (en) 2022-05-06

Family

ID=81357966

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011126283.6A Pending CN114449515A (en) 2020-10-20 2020-10-20 Verification method, system, application platform and terminal

Country Status (1)

Country Link
CN (1) CN114449515A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11838422B1 (en) * 2023-02-15 2023-12-05 Research Cooperation Foundation Of Yeungnam University User authentication method and unmanned delivery system based on user authentication

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101990201A (en) * 2009-07-31 2011-03-23 ***通信集团公司 Method, system and device for generating general bootstrapping architecture (GBA) secret key
CN108353279A (en) * 2016-07-14 2018-07-31 华为技术有限公司 An authentication method and verification system
CN110831002A (en) * 2018-08-10 2020-02-21 华为技术有限公司 Extended universal boot architecture authentication method, device and storage medium
CN111147231A (en) * 2018-11-05 2020-05-12 华为技术有限公司 Key agreement method, related device and system
WO2020094475A1 (en) * 2018-11-05 2020-05-14 Telefonaktiebolaget Lm Ericsson (Publ) Authentication and key agreement for a terminal device
CN111654861A (en) * 2019-03-04 2020-09-11 ***通信有限公司研究院 Authentication method, device, equipment and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination