CN114726590B - Method for implementing login authentication by decentralization in distributed system - Google Patents


Info

Publication number: CN114726590B
Application number: CN202210272137.7A
Authority: CN (China)
Prior art keywords: authority, node, user, login, information
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114726590A (en)
Inventor: 曹亮
Current assignee: Chongqing Mipas Technology Co ltd
Original assignee: Chongqing Mipas Technology Co ltd

Events:
Application filed by Chongqing Mipas Technology Co ltd
Priority to CN202210272137.7A
Publication of CN114726590A
Application granted
Publication of CN114726590B
Legal status: Active (current)

Classifications

    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/12 Applying verification of the received information
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos


Abstract

The invention provides a method for implementing login authentication by decentralization in a distributed system, comprising the following steps: S1, a client initiates a login authorization request to a login node, and the login node forwards the request to the service system; S2, the service system computes which authority node to use and initiates a basic-information pre-authorization request to it; S3, the authority node returns a basic-information temporary authorization token to the service system; S4, the service system returns the basic-information temporary authorization token to the login node; S5, the login node requests basic-information authorization data from the authority node, and the authority node returns it to the login node; S6, the login node returns the basic-information authorization data and an authorization Token to the client; S7, when the client calls a data operation interface of the service system, the Token is transmitted, the service system judges whether the interface needs authentication, and if it does not, the interface is called and returns data. The invention can reduce the loss caused by data exposure.

Description

Method for implementing login authentication by decentralization in distributed system
Technical Field
The invention relates to the field of permission management, and in particular to a method for implementing login authentication by decentralization in a distributed system.
Background
At present, most distributed systems are developed with a dedicated rights center that controls login and manages the rights information of the users in the system. This mode achieves unified management and control of rights, but it causes two problems:
Firstly, when the rights center is unavailable, all login authentication fails and the whole system is paralyzed. Most developers address this by achieving high availability with a cluster mode, but the CAP theorem applies to distributed systems in practice: when a cluster is used, consistency, availability and partition tolerance are difficult to guarantee at the same time, and guaranteeing all three consumes a great deal of resources at best;
Secondly, there is the security problem of the rights data: all rights are stored together, so when a data leak occurs, all of a user's rights information is exposed to the outside, and if it is stolen, the user can be impersonated to perform illegal operations in the system. Compared with the first point, the risk of data leakage is totally unacceptable, so more software systems now advocate decentralization.
Disclosure of Invention
The invention aims to solve at least the technical problems of the prior art, and in particular provides a method for implementing login authentication by decentralization in a distributed system.
In order to achieve the above object, the present invention provides a method for implementing login authentication by decentralization in a distributed system, comprising the following steps:
S1, a client initiates a login authorization request to a login node, and the login node forwards the request to the service system;
S2, the service system determines the authority node and initiates a basic-information pre-authorization request to it;
S3, the authority node returns a basic-information temporary authorization token to the service system;
S4, the service system returns the basic-information temporary authorization token to the login node;
S5, the login node requests basic-information authorization data from the authority node, and the authority node returns the basic-information authorization data to the login node;
S6, the login node returns the basic-information authorization data and an authorization Token to the client;
S7, when the client calls a data operation interface of the service system, the user identifier UK1 and the Token are transmitted; the service system judges whether the interface needs authentication, and if so executes the next step; if authentication is not needed, the interface is called and returns data;
S8, when the interface needs authentication, the service system initiates a permission verification request to the authority node with the Token and the permission identifier required by the interface;
S9, the authority node checks the Token and permission identifier submitted by the service system against the user interface permission information stored on the node, and returns the check result;
S10, the service system releases or intercepts the interface call according to the permission check result returned by the authority node.
Further, step S1 comprises:
When a client user needs to log in, the user identity information and the identifier BK1 of the service system being logged into are transmitted to a login node; the login node checks the user information to confirm whether it is legal. If it is illegal, the request is directly marked as illegal and login is refused; if it is legal, the user information is recorded under the identifier UK1.
Further, step S2 comprises:
The login node initiates a permission-acquisition credential generation request to the service node and transmits the user identifier UK1; the service node receives the request, initiates a permission-information pre-query request to the corresponding authority node, and transmits the user identifier UK1 and the query-type permission range SCOPE.
Further, step S3 comprises:
After receiving the pre-query request, the authority node generates a pre-query request identifier RequestId1 for it, generates a pair of temporary keys, keeps the public key PK2 itself, returns the pre-query request identifier RequestId1 and the private key SK2 to the service node, and caches the correspondence between the query-type permission range SCOPE, the key pair, the pre-queried user identifier UK1 and RequestId1.
Further, step S4 comprises:
The service system receives the response, returns the private key SK2 to the login node, and at the same time returns the authority node information corresponding to the service system and the pre-query request identifier RequestId1 to the login node.
Further, step S5 comprises:
The login node receives the private key SK2 and the corresponding authority node information, encrypts the user identifier UK1 with the private key SK2 to produce the ciphertext ED1, initiates a permission-information query request to the authority node carrying ED1, and transmits the pre-query request identifier RequestId1 at the same time;
After receiving the request, the authority node looks up the public key PK2 by the pre-query request identifier RequestId1, decrypts the ciphertext ED1 with it to obtain the user identifier UK2 carried in the request, and at the same time fetches the user identifier UK1 stored on the node for that pre-query request by the transmitted RequestId1 and judges whether UK2 is consistent with UK1. If they are inconsistent, the user identity information has been tampered with: the request is marked illegal and an error is returned to the login node. If they are consistent, the request is legal: the authority node queries the user permission information stored on the node by the user identifier UK1 and the query-type permission range SCOPE, generates a basic-information authorization Token whose validity period is the time T1, and caches the user information UK1 corresponding to the Token; it encrypts the permission information and the basic-information authorization Token with the public key PK2 to produce the ciphertext data ED2, returns ED2 to the login node, and at the same time invalidates the pre-query request identifier RequestId1 and the public key PK2.
Further, step S6 comprises:
The login node receives the returned ciphertext data ED2, decrypts it with the private key SK2 it holds, obtains the permission information PD1 owned by the user and the basic-information authorization Token, destroys the private key SK2, which is no longer valid, and returns the user permission information and the basic-information authorization Token to the client, completing user login and basic permission data acquisition.
Further, step S8 comprises:
The service system encrypts UK1, the Token, the interface-type permission range SCOPE2 and the permission identifier PEK1 required by the interface with the authorization private key SK1 it holds, and transmits them to the corresponding authority node.
Further, step S9 comprises:
The authority node decrypts with the public key PK1, obtains the user identity UK1, the Token, SCOPE2 and the permission identifier PEK1 to be queried, and verifies whether the basic-information authorization Token is legal;
If the Token is illegal, an error is returned to the service system; if the Token is legal, the permission data is queried by the transmitted user identity identifier UK1, the interface-type permission range SCOPE2 and the permission PEK1. If corresponding data is found, the user holds the permission and the authentication result returned to the service system is "pass"; if no corresponding data is found, the user does not hold the interface permission and the authentication result returned to the service system is "failed".
Further, the verification method comprises:
S-A, if the Token exists on the authority node, execute the next step; if the basic-information authorization Token does not exist on the authority node, it is illegal;
S-B, check whether the user identity identifier UK2 corresponding to the Token is consistent with UK1: if it is, the basic-information authorization Token is legal; if UK2 is inconsistent with UK1, the basic-information authorization Token is illegal.
Further, the permission information comprises basic permission information and interface permission information.
The basic permission information corresponds to the query-type permission range SCOPE; the interface permission information corresponds to the interface-type permission range SCOPE2. Basic permission information refers to the permission to obtain basic information such as the user account, role, mobile phone number, name and the menus the account may display; interface permission information refers to the permission to call and execute the program interfaces corresponding to the account, for example whether certain information may be queried, whether it may be edited, and whether it may be deleted.
In summary, with this technical scheme a node can be authenticated without depending on an authentication center; the permission information is encrypted and stored across a plurality of nodes on the basis of blockchain technology, each node holding a part of the data, so that data can be accessed and used as needed and the loss caused by data exposure is reduced to a certain extent.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
The foregoing and/or additional aspects and advantages of the invention will become apparent and may be better understood from the following description of embodiments taken in conjunction with the accompanying drawings in which:
Fig. 1 is a diagram of a distributed system architecture of the present invention.
Fig. 2 is a schematic diagram of a flow chart of an implementation of the decentralized login authentication according to the present invention.
Detailed Description
Embodiments of the present invention are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative only and are not to be construed as limiting the invention.
The application provides a method for implementing login authentication by decentralization in a distributed system. It is implemented on a distributed system whose structure is shown in Fig. 1, and which comprises:
a client application module, a login service module, a business service module, a permission service module and a storage service module, where each service module comprises a plurality of nodes. The login service module consists of several login nodes, the business service module of several business nodes, the permission service module of several authority nodes, and the storage service module of several storage nodes.
The client application module represents the various forms of program that provide local services to clients, such as PC, H5, mini-program (applet) and other clients.
The application provides a method for implementing login authentication by decentralization in a distributed system, shown in Fig. 2, comprising the following steps:
S1, a client initiates a login authorization request to a login node, and the login node forwards the request to the service system;
S2, the service system computes which authority node to use and initiates a basic-information pre-authorization request to it;
S3, the authority node returns a basic-information temporary authorization token to the service system;
S4, the service system returns the basic-information temporary authorization token to the login node;
S5, the login node requests basic-information authorization data from the authority node, and the authority node returns the basic-information authorization data to the login node;
S6, the login node returns the basic-information authorization data and an authorization Token to the client;
S7, when the client calls a data operation interface of the service system, the user identifier UK1 and the Token are transmitted; the service system judges whether the interface needs authentication, and if so executes the next step; if authentication is not needed, the interface is called normally and returns data;
S8, when the interface needs authentication, the service system initiates a permission verification request to the authority node with the Token and the permission identifier required by the interface;
S9, the authority node checks the Token and permission identifier submitted by the service system against the user interface permission information stored on the node, and returns the check result;
S10, the service system releases or intercepts the interface call according to the permission check result returned by the authority node.
The login node in this scheme is the service that verifies the identity information of a user in the distributed system; there can be several such nodes, and each client system communicates with a different login service as required;
The authority node in this scheme is the distributed system service that stores a user's interfaces, data access and operation permissions; there can be several such nodes, and their number can be scaled up and down dynamically;
The scheme divides permission types into basic-information permissions and interface-type permissions, corresponding to the permission ranges SCOPE and SCOPE2 respectively. The basic-information permission corresponds to the range SCOPE and identifies the basic user information the service system may obtain, such as the account number, mobile phone number, displayable menus and so on.
First, each service system hashes the authorization information of its client users, keyed by the client's identity, and stores it across different authority nodes; the authority nodes can scale dynamically and provide an authorization-information operation interface. The authority node issues an access private key SK1 (Secret Key 1) to the service system and keeps the public key PK1 (Public Key 1) itself; the service system may thus be regarded as a client of the authority node.
When a client user needs to log in, the user identity information and the identifier BK1 (Business Key 1) of the service system being logged into are transmitted to a login node; the login node checks the user information to determine whether it is legal. If it is illegal, the request is directly marked illegal and login is refused; if it is legal, the user information is recorded under the identifier UK1 (User Key 1);
The login node initiates a permission-acquisition credential generation request to the service node and transmits the user identifier UK1; the service node receives the request, initiates a permission-information pre-query request to the corresponding authority node, and transmits the user identifier UK1 and the query permission range SCOPE (at this point SCOPE is suggested to be the front-end button permission range);
After receiving the pre-query request, the authority node generates a pre-query request identifier RequestId1 for it and at the same time generates a pair of temporary keys for asymmetric encryption, such as RSA; the authority node keeps the public key PK2 itself, returns the pre-query request identifier RequestId1 and the private key SK2 to the service node, and caches the correspondence between SCOPE, the key pair, the pre-queried user identifier UK1 and RequestId1. The authority node caches in memory or in an external cache such as redis.
The service system receives the response, returns the private key SK2 to the login node, and at the same time returns the authority node information corresponding to the service system and the pre-query request identifier RequestId1 to the login node;
The login node receives the private key SK2 and the corresponding authority node information, encrypts the user identifier UK1 with the private key SK2 to produce the ciphertext ED1 (Encrypt Data 1), initiates a permission-information query request to the authority node carrying ED1, and transmits the pre-query request identifier RequestId1 at the same time;
After receiving the request, the authority node looks up the public key PK2 by the pre-query request identifier RequestId1, decrypts the ciphertext ED1 with it to obtain the user identifier UK2 carried in the request, and at the same time fetches the user identifier UK1 stored on the node for that pre-query request by the transmitted RequestId1 and judges whether UK2 is consistent with UK1. If they are inconsistent, the user identity information has been tampered with: the request is marked illegal and an error is returned to the login node. If they are consistent, the request is legal: the authority node queries the user permission information stored on the node by the user identifier UK1 and the permission range SCOPE, generates a basic-information authorization Token whose validity period is the time T1, and caches the user information UK1 corresponding to the Token; it encrypts the permission information and the authorization Token with the public key PK2 to produce the ciphertext data ED2, returns ED2 to the login node, and at the same time voids the pre-query request identifier RequestId1 and the public key PK2. The permission information here is the permission data, namely the array of interface permissions owned by the account.
The login node receives the returned ciphertext data ED2 and decrypts it with the pre-query private key SK2 it holds (SK2 was produced when the pre-query request was sent and is used to decrypt the returned data), obtaining the permission information PD1 (Permission Data 1) owned by the user and the authorization Token, namely the authorization Token generated by the authority node in the previous step; it destroys the private key SK2, which is no longer valid, and returns the user permission information PD1 and the authorization Token to the client, completing user login and basic permission data acquisition.
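The pre-query and login exchange of S2 to S6, as described in the numbered steps of the Disclosure and in the narrative just given, as an added Go example; it is not part of the patent and not code from the assignee. It runs the login node and the authority node in one process, collapses the service system's relay of RequestId1 and SK2, and fills in what the page leaves open: the temporary pair is RSA-2048 (the page suggests RSA), the "encrypt UK1 with the private key SK2 / decrypt with the public key PK2" step is realised as an RSA-PSS signature over UK1 that the authority node verifies with PK2, and ED2 is RSA-OAEP encryption under PK2 that only SK2 can open. T1, the identifiers and the permission data are constructed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
	"time"
)

const tokenTTL = 30 * time.Minute // validity period T1 (value assumed; the page gives no number)

type preQuery struct{ uk1, scope string; pk2 *rsa.PublicKey } // cached under RequestId1 until it is used
type tokenEntry struct{ uk1 string; expiry time.Time }      // cached under the Token

// AuthorityNode keeps in-memory stand-ins for the page's cache (memory or redis) and permission storage.
type AuthorityNode struct {
	pending map[string]preQuery            // RequestId1 -> UK1, SCOPE and PK2 of the pre-query
	tokens  map[string]tokenEntry          // Token -> UK1 plus its T1 expiry
	perms   map[string]map[string][]string // UK1 -> SCOPE -> basic permission data (the items of PD1)
}

func NewAuthorityNode(perms map[string]map[string][]string) *AuthorityNode {
	return &AuthorityNode{pending: map[string]preQuery{}, tokens: map[string]tokenEntry{}, perms: perms}
}

func randomID() string { // 128-bit identifier, used for RequestId1 and for the Token
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return fmt.Sprintf("%x", b)
}

// sign stands in for "encrypt UK1 with SK2": an RSA-PSS signature; verify is the "decrypt with PK2" side.
func sign(sk *rsa.PrivateKey, msg string) []byte {
	h := sha256.Sum256([]byte(msg))
	sig, err := rsa.SignPSS(rand.Reader, sk, crypto.SHA256, h[:], nil)
	if err != nil {
		panic(err) // cannot happen with a well-formed key and a working CSPRNG
	}
	return sig
}

func verify(pk *rsa.PublicKey, msg string, sig []byte) bool {
	h := sha256.Sum256([]byte(msg))
	return rsa.VerifyPSS(pk, crypto.SHA256, h[:], sig, nil) == nil
}

// PreQuery is S3: mint RequestId1 and a temporary RSA pair, keep PK2, hand SK2 back to the service node.
func (a *AuthorityNode) PreQuery(uk1, scope string) (string, *rsa.PrivateKey) {
	sk2, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	id := randomID()
	a.pending[id] = preQuery{uk1: uk1, scope: scope, pk2: &sk2.PublicKey}
	return id, sk2
}

// Query is the authority node's half of S5: check ED1 with PK2, compare UK2 with the cached UK1, issue
// the Token, return ED2 = OAEP(PK2, Token|PD1). RequestId1 and PK2 are voided whether or not the check passes.
func (a *AuthorityNode) Query(id, uk2 string, ed1 []byte) ([]byte, error) {
	pq, ok := a.pending[id]
	delete(a.pending, id)
	if !ok || !verify(pq.pk2, uk2, ed1) || uk2 != pq.uk1 {
		return nil, fmt.Errorf("illegal request: unknown RequestId1 or tampered user identity")
	}
	token := randomID()
	a.tokens[token] = tokenEntry{uk1: pq.uk1, expiry: time.Now().Add(tokenTTL)}
	pd1 := strings.Join(a.perms[pq.uk1][pq.scope], ",")
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pq.pk2, []byte(token+"|"+pd1), nil)
}

// Login is the login node's side of S2-S6: sign UK1 with SK2 (ED1), submit, decrypt ED2 with SK2; SK2 then
// goes out of scope, as the page destroys it. The service system's relay of RequestId1 and SK2 is collapsed.
func Login(a *AuthorityNode, uk1, scope string) (string, string, error) {
	id, sk2 := a.PreQuery(uk1, scope)
	ed2, err := a.Query(id, uk1, sign(sk2, uk1))
	if err != nil {
		return "", "", err
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, sk2, ed2, nil)
	if err != nil {
		return "", "", err
	}
	parts := strings.SplitN(string(plain), "|", 2)
	return parts[0], parts[1], nil // Token, PD1
}

// TokenOwner is what S-B later checks: the UK1 cached under a Token ("" if the Token is not on this node).
func (a *AuthorityNode) TokenOwner(token string) string { return a.tokens[token].uk1 }

func main() {
	// Constructed permission data: under SCOPE, the menus user-1001 may display.
	a := NewAuthorityNode(map[string]map[string][]string{"user-1001": {"SCOPE": {"menu:orders", "menu:profile"}}})
	token, pd1, err := Login(a, "user-1001", "SCOPE")
	fmt.Println(pd1, err, a.TokenOwner(token) == "user-1001") // menu:orders,menu:profile <nil> true
}
```

Two properties of the page's design are visible in Query: a RequestId1 is consumed on first use whether or not the identity check passes, so a rejected pre-query cannot be retried, and the authority node compares the UK2 recovered from ED1 against the UK1 it cached at pre-query time rather than trusting the request, which is what catches a swapped identity.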
When the client needs to call a business service interface, it transmits the user identifier UK1 and the authorization Token;
The service system receives UK1 and the Token and first judges whether the program interface concerned needs authentication; the judgment is made within the program by a permission interceptor or code, based on the interface address of the request. If no authentication is needed, the call passes directly, that is, no interface permission check is performed and the client calls the interface successfully; in this case the client interacts only with the service system and not with the authority node. If the interface needs authentication, the service system uses the authorization private key SK1 it holds to encrypt UK1, the Token, the permission range SCOPE2 (the SCOPE2 identifying the interface-type permission range) and the permission identifier PEK1 (Permission Key 1) required by the interface, and transmits them to the corresponding authority node. The permission identifier PEK1 is preset by the system program interceptor at coding time; for example, the permission required to delete certain information is deletexxx.
The authority node decrypts with the public key PK1, obtains the user identity UK1, the Token, SCOPE2 and the permission identifier PEK1 to be queried, and verifies whether the basic-information authorization Token is legal by the verification method above, namely whether the following conditions are met:
1. whether the Token exists on the authority node;
2. whether the user identity identifier UK2 corresponding to the Token is consistent with UK1.
If the Token is illegal, an error is returned to the service system; if the Token is legal, the permission data is queried by the transmitted user identity identifier UK1, the permission range SCOPE2 and the permission PEK1. If corresponding data is found, the user holds the permission and the authentication result returned to the service system is "pass"; if no corresponding data is found, the user does not hold the interface permission and the authentication result returned is "failed". The permission data owned by users is stored by the authority node in a storage medium such as a database; the permission data is generated and distributed by the service node, which calls the authority node to store it.
The service system receives the response and performs different business processing according to the authentication result. At this point, authentication ends.
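The interface-call half, S7 to S10 with the two-condition check S-A and S-B, as an added Go example that is not the patent's own code. The interceptor table, token cache and permission data are constructed for the example; T1 is assumed to be 30 minutes; a clock is passed in so that expiry can be exercised; and the SK1/PK1 envelope around the S8 request is left out, the request reaching the authority node in the clear.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// tokenEntry is what the authority node cached under a basic-information authorization Token at login (S5):
// the user it was issued to and the end of its validity period T1.
type tokenEntry struct {
	uk1    string
	expiry time.Time
}

// AuthorityNode holds the token cache and the interface permission data (UK1 -> SCOPE2 -> PEK identifiers).
type AuthorityNode struct {
	tokens map[string]tokenEntry
	perms  map[string]map[string][]string
}

// requiredPEK is the service system's interceptor table, constructed for this example: interface address ->
// permission identifier PEK1 preset at coding time (the page's own example identifier is "deletexxx").
// Addresses absent from the table need no authentication.
var requiredPEK = map[string]string{
	"/order/query":  "queryOrder",
	"/order/edit":   "editOrder",
	"/order/delete": "deleteOrder",
}

// Verify is S9: S-A, the Token must exist on this node (and still be within T1); S-B, the UK2 cached under
// it must equal the UK1 in the request; only then is PEK1 looked up under SCOPE2 for that user.
func (a *AuthorityNode) Verify(uk1, token, scope2, pek1 string, now time.Time) (bool, error) {
	te, ok := a.tokens[token]
	if !ok || now.After(te.expiry) {
		return false, fmt.Errorf("illegal token: not on this node or past T1")
	}
	if te.uk1 != uk1 {
		return false, fmt.Errorf("illegal token: issued to a different user")
	}
	for _, p := range a.perms[uk1][scope2] {
		if p == pek1 {
			return true, nil // corresponding data found: the user holds the interface permission
		}
	}
	return false, nil // no corresponding data: authentication result "failed"
}

// Call is S7-S10 from the service system's side: "released" for a public interface or a permitted call,
// "intercepted" when the authority node finds no permission, "rejected" (with the error) when the Token
// itself fails verification. The SK1/PK1 envelope around the S8 request is not modelled here.
func Call(a *AuthorityNode, path, uk1, token string, now time.Time) (string, error) {
	pek1, needsAuth := requiredPEK[strings.TrimSuffix(path, "/")]
	if !needsAuth {
		return "released", nil // S7: no authentication needed, the authority node is never contacted
	}
	ok, err := a.Verify(uk1, token, "SCOPE2", pek1, now) // S8 and S9
	switch {
	case err != nil:
		return "rejected", err
	case ok:
		return "released", nil // S10: release
	default:
		return "intercepted", nil // S10: intercept
	}
}

// SampleNode is constructed data: tok-1001 was issued to user-1001 at issuedAt with a 30-minute T1 (the
// page does not fix T1), and user-1001 may query and edit orders but not delete them.
func SampleNode(issuedAt time.Time) *AuthorityNode {
	return &AuthorityNode{
		tokens: map[string]tokenEntry{"tok-1001": {uk1: "user-1001", expiry: issuedAt.Add(30 * time.Minute)}},
		perms:  map[string]map[string][]string{"user-1001": {"SCOPE2": {"queryOrder", "editOrder"}}},
	}
}

func main() {
	issued := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	a := SampleNode(issued)
	calls := []struct {
		path, uk, tok string
		at            time.Time
	}{
		{"/public/health", "", "", issued},
		{"/order/query", "user-1001", "tok-1001", issued.Add(time.Minute)},
		{"/order/delete", "user-1001", "tok-1001", issued.Add(time.Minute)},
		{"/order/query", "user-2002", "tok-1001", issued.Add(time.Minute)},
		{"/order/query", "user-1001", "tok-1001", issued.Add(time.Hour)},
	}
	for _, c := range calls {
		r, err := Call(a, c.path, c.uk, c.tok, c.at)
		fmt.Printf("%-15s %-10s %-12s %v\n", c.path, c.uk, r, err)
	}
}
```

The three outcomes are deliberately kept apart: a public interface never reaches the authority node, a missing permission is an ordinary "failed" result that the service system intercepts, and a Token that fails S-A or S-B (unknown, past T1, or issued to another user) is an error rather than a mere denial, which is the case worth alerting on since it indicates a replayed or mismatched credential.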
While embodiments of the present invention have been shown and described, it will be understood by those of ordinary skill in the art that: many changes, modifications, substitutions and variations may be made to the embodiments without departing from the spirit and principles of the invention, the scope of which is defined by the claims and their equivalents.

Claims (8)

1. A method for implementing login authentication by decentralization in a distributed system, comprising the following steps:
s1, a client transmits user information to a login node, and the login node checks the user information;
s2, the login node initiates a permission acquisition credential generation request to the service node, and the service node initiates a permission information pre-query request to the corresponding permission node;
S3, after receiving the pre-query request, the authority node generates a pre-query request identifier RequestId1, generates a pair of temporary keys, holds a public key PK2, and returns the pre-query request identifier ReuqestId1 and a private key SK2 to the service node;
S4, the service node obtains a response, returns the private key SK2 to the login node, and simultaneously returns authority node information corresponding to the service node and a pre-query request identifier ReuqestId to the login node;
S5, the login node receives the private key SK2 and corresponding authority node information, encrypts the user identifier UK1 by using the private key SK2 to generate a ciphertext ED1, initiates an authority information inquiry request to the authority node, and simultaneously transmits a pre-inquiry request identifier RequestId1;
After receiving the request, the authority node decrypts the ciphertext ED1 by utilizing the public key PK2 acquired by the authority pre-query request identifier RequestId to acquire a user identifier UK2 carried in the authority pre-query request, and simultaneously acquires the user identifier UK1 corresponding to the pre-query request stored by the node according to the transmitted RequestId1 to judge whether the UK2 is consistent with the UK1, if the UK2 is inconsistent with the UK1, the user identity information is tampered, marked as an illegal request, and error information is returned to the login node; if the UK2 is consistent with the UK1, indicating that the request is legal, inquiring user authority information stored in the node by the authority node according to the user identifier UK1 and the inquiring type authority range SCOPE, and generating a basic information authorization Token, wherein the validity period of the Token is time T1, and the authority node caches user information UK1 corresponding to the Token; encrypting the authority information and the basic information authorization Token by using the public key PK2 to generate ciphertext data ED2, returning the ciphertext data ED2 to the login node, and simultaneously, voiding the pre-query request and the public key PK 2;
S6, the login node returns user authority information PD1 and a basic information authorization Token to the client;
S7, when the client side calls the service node data operation interface, the Token is transmitted, the service node judges whether the interface needs authentication or not, and if the interface needs authentication, the next step is executed; if authentication is not needed, calling an interface to return data;
S8, when the interface needs authentication, the service node initiates an authority verification request to the authority node according to the Token and the authority identifier required by the interface;
S9, the authority node checks Token and authority identification submitted by the service node in combination with user interface authority information stored by the authority node, and returns a check result;
S10, the service node releases or intercepts the interface call according to the permission check result returned by the permission node.
2. The method for implementing login authentication by decentralization in a distributed system according to claim 1, wherein S1 comprises:
When a client user needs to log in, user identity information and a logged-in service node identifier BK1 are transmitted to a login node, the login node checks the user information to confirm whether the user information is legal or not, if the user information is illegal, the user information is marked as illegal request directly, and login is refused; if the user information is legal user information, the user information is recorded as an identifier UK1.
3. The method for implementing login authentication by decentralization in a distributed system according to claim 1, wherein S2 comprises:
the login node initiates a permission acquisition credential generation request to the service node and transmits the user identifier UK1; the service node, on receiving the request, initiates a permission information pre-query request to the corresponding permission node and transmits the user identifier UK1 and the query type permission range SCOPE.
4. The method for implementing login authentication by decentralization in a distributed system according to claim 1, wherein S3 comprises:
After receiving the pre-query request from the service node, the authority node generates a pre-query request identifier RequestId1 for the pre-query request, generates a pair of temporary keys, holds the public key PK2, returns the pre-query request identifier RequestId1 and the private key SK2 to the service node, and caches the correspondence between the query type authority range SCOPE, the key pair, the authority pre-query user identifier UK1 and RequestId1.
5. The method for implementing login authentication by decentralization in a distributed system according to claim 1, wherein S6 comprises:
The login node receives the returned ciphertext data ED2, decrypts the ED2 by using the held private key SK2, acquires the authority information PD1 and the basic information authorization Token owned by the user, destroys the invalid private key SK2, and simultaneously returns the user authority information PD1 and the basic information authorization Token to the client to finish user login and basic authority data acquisition.
6. The method for implementing login authentication by decentralization in a distributed system according to claim 1, wherein S8 comprises the steps of:
the UK1, token and interface type authority range SCOPE2 and the authority identification PEK1 required by the interface are transmitted to the corresponding authority node by using the self-held authorization private key SK1 in an encrypting way.
7. The method for implementing login authentication by decentralization in a distributed system according to claim 1, wherein S9 comprises the steps of:
The authority node decrypts with the public key PK1, obtains the user identity identifier UK1, the Token, SCOPE2 and the authority identifier PEK1 to be queried, and verifies whether the basic information authorization Token is legal or not.
If the Token is illegal, an error is returned to the service node; if the Token is legal, the authority data is queried according to the transmitted user identity identifier UK1, the interface type authority range SCOPE2 and the authority identifier PEK1: if the corresponding data is found, the user is proved to have the authority and the authentication result returned to the service node is pass; if the corresponding data is not found, the user is proved to have no authority for the interface and the authentication result returned to the service node is fail.
8. The method for implementing login authentication by decentralization in a distributed system according to claim 7, wherein verifying whether the Token is legal comprises:
S-A, if the Token exists on the authority node, executing the next step; if the basic information authorization Token does not exist on the authority node, the basic information authorization Token is illegal;
S-B, judging whether the user identity identifier UK2 corresponding to the Token is consistent with UK1; if UK2 is consistent with UK1, the basic information authorization Token is legal; if UK2 is inconsistent with UK1, the basic information authorization Token is illegal.
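As an added illustration, not code from the patent, the following Go model shows the authority node's side of the claimed flow: the pre-query (S3), the tamper check and Token issue (S5) and the Token verification (S9 with S-A/S-B). It assumes that the claims' "encrypt with the private key SK2, decrypt with the public key PK2" is realised as an Ed25519 signature made with SK2 and checked with PK2, it leaves out the ED2 return encryption, and it uses a hypothetical in-memory permission store keyed by UK1 and "SCOPE2:PEK1".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// entry is what the authority node caches: per RequestId1 in S3 (uk1, scope, pk2) and per
// basic-information Token in S5 (uk1, expiry T1). Constructed model, not the patent's code.
type entry struct {
	uk1, scope string
	pk2        ed25519.PublicKey
	expiry     time.Time
}
type AuthorityNode struct {
	pending, tokens map[string]entry           // keyed by RequestId1 and by Token
	perms           map[string]map[string]bool // hypothetical store: UK1 -> granted "SCOPE2:PEK1"
}
func randomID() string { b := make([]byte, 8); rand.Read(b); return hex.EncodeToString(b) }
// PreQuery (S3): mint RequestId1 and an ephemeral key pair, keep PK2, hand SK2 back.
func (a *AuthorityNode) PreQuery(uk1, scope string) (string, ed25519.PrivateKey) {
	pk2, sk2, _ := ed25519.GenerateKey(rand.Reader)
	id := randomID()
	a.pending[id] = entry{uk1: uk1, scope: scope, pk2: pk2}
	return id, sk2
}

// LoginSign (login node, S5): ED1 is UK1 signed with SK2; the signature stands in for the claims' private-key encryption (assumption).
func LoginSign(sk2 ed25519.PrivateKey, uk1 string) []byte { return ed25519.Sign(sk2, []byte(uk1)) }
// Query (authority node, S5): check ED1 with PK2, require UK2 == cached UK1, issue a Token valid for t1 (the claims' T1), void the pre-query so PK2 is not reused.
func (a *AuthorityNode) Query(reqID, uk2 string, ed1 []byte, t1 time.Duration) (string, error) {
	pq, ok := a.pending[reqID]
	if !ok || !ed25519.Verify(pq.pk2, []byte(uk2), ed1) || uk2 != pq.uk1 {
		return "", errors.New("illegal request: unknown RequestId1 or tampered user identity")
	}
	delete(a.pending, reqID)
	tok := randomID()
	a.tokens[tok] = entry{uk1: pq.uk1, expiry: time.Now().Add(t1)}
	return tok, nil
}

// Verify (S9, S-A/S-B): Token exists and is unexpired, is bound to UK1, and UK1 holds PEK1 in SCOPE2.
func (a *AuthorityNode) Verify(uk1, token, scope2, pek1 string) bool {
	te, ok := a.tokens[token]
	return ok && time.Now().Before(te.expiry) && te.uk1 == uk1 && a.perms[uk1][scope2+":"+pek1]
}
```

Because the pre-query entry is deleted once answered, a second Query with the same RequestId1 fails even with a valid ED1, which is the one-shot property the claims obtain by voiding PK2.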
CN202210272137.7A 2022-03-18 2022-03-18 Method for implementing login authentication by decentralization in distributed system Active CN114726590B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210272137.7A CN114726590B (en) 2022-03-18 2022-03-18 Method for implementing login authentication by decentralization in distributed system

Publications (2)

Publication Number Publication Date
CN114726590A CN114726590A (en) 2022-07-08
CN114726590B true CN114726590B (en) 2024-05-17

Family

ID=82238334

Country Status (1)

Country Link
CN (1) CN114726590B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant