CN115225286A - Application access authentication method and device - Google Patents

Application access authentication method and device

Info

Publication number: CN115225286A
Application number: CN202210859459.1A
Authority: CN (China)
Legal status: Pending (the status is as listed by Google Patents and is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 李登峰, 李奕辰, 孙馨愉
Current assignee: Bank of China Ltd
Original assignee: Bank of China Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an application access authentication method and device in the field of network security. The method comprises the following steps: after receiving first ciphertext information and second ciphertext information sent by the docking party (the external third party that integrates with the service; rendered "butt-joint party" or "dockee" by the machine translation), the service party decrypts the second ciphertext information with the private key of a second key of an asymmetric algorithm to obtain a first key; decrypts the first ciphertext information with the first key to obtain first information, which comprises the current time, a device identifier and an application identifier; determines, according to a preset rule and the current time, whether the docking party holds authorization for the service corresponding to the application identifier; if it does, generates second information containing a unique license number from the device identifier; hashes the second information to obtain a first hash value and encrypts the first hash value with the private key of the second key to obtain third information; encrypts the second information with the first key to obtain fourth information; and sends the third information and the fourth information to the docking party. The invention avoids the security risk of unauthenticated access.

Description

Application access authentication method and device
Technical Field
The invention relates to the technical field of network security, in particular to an application access authentication method and device.
Background
With the rapid development of the internet, the network security situation is becoming more severe. Service parties now offer many internet products, and clients accessing and using those products over the internet is commonplace.
The prior art has the following defect: existing access mechanisms for internet products carry a security risk, because they do not authenticate the access source.
Disclosure of Invention
An embodiment of the invention provides an application access authentication method for solving the security risk in existing internet product access mechanisms; on the docking party side it comprises the following steps:
the docking party determines the current time, a device identifier and an application identifier, the application being one that the docking party, as an external third party, accesses on the service party over the internet;
the docking party generates a first key of a symmetric algorithm and encrypts first information with the first key to obtain first ciphertext information, the first information comprising the current time, the device identifier and the application identifier;
the docking party encrypts the first key with the public key of a second key of an asymmetric algorithm to obtain second ciphertext information, the public key of the second key having been provided to the docking party by the service party;
the docking party sends the first ciphertext information and the second ciphertext information to the service party;
the docking party receives third information and fourth information sent by the service party;
the docking party decrypts the third information with the public key of the second key to obtain a first hash value;
the docking party decrypts the fourth information with the first key to obtain second information;
the docking party hashes the second information to obtain a second hash value;
the docking party compares the first hash value with the second hash value;
and when the two are equal, the docking party uses the device identified by the device identifier to access the application identified by the application identifier on the service party, carrying the unique license number, the unique license number being the authorization credential with which the docking party accesses the service corresponding to the application identifier.
An embodiment of the invention provides an application access authentication method for solving the security risk in existing internet product access mechanisms; on the service party side it comprises the following steps:
the service party receives first ciphertext information and second ciphertext information sent by the docking party;
the service party decrypts the second ciphertext information with the private key of a second key of an asymmetric algorithm to obtain a first key, the private key of the second key being the private key corresponding to the public key of the second key that the service party provided to the docking party;
the service party decrypts the first ciphertext information with the first key to obtain first information, which comprises the current time, a device identifier and an application identifier;
the service party determines, according to a preset rule and the current time, whether the docking party holds authorization for the service corresponding to the application identifier;
when it does, the service party generates second information containing a unique license number from the device identifier, the unique license number being the authorization credential with which the docking party accesses the service corresponding to the application identifier;
the service party hashes the second information to obtain a first hash value and encrypts the first hash value with the private key of the second key to obtain third information;
the service party encrypts the second information with the first key to obtain fourth information;
and the service party sends the third information and the fourth information to the docking party.
An embodiment of the invention also provides an application access authentication device for solving the security risk in existing internet product access mechanisms; on the docking party side it comprises:
a docking party device module, for determining the current time, a device identifier and an application identifier, the application being one that the docking party, as an external third party, accesses on the service party over the internet;
a docking party first encryption/decryption module, for generating a first key of a symmetric algorithm and encrypting first information with the first key to obtain first ciphertext information, the first information comprising the current time, the device identifier and the application identifier;
a docking party second encryption/decryption module, for encrypting the first key with the public key of a second key of an asymmetric algorithm to obtain second ciphertext information, the public key of the second key having been provided to the docking party by the service party;
a docking party sending module, for sending the first ciphertext information and the second ciphertext information to the service party;
a docking party receiving module, for receiving third information and fourth information sent by the service party;
the docking party second encryption/decryption module being further for decrypting the third information with the public key of the second key to obtain a first hash value;
the docking party first encryption/decryption module being further for decrypting the fourth information with the first key to obtain second information;
a docking party hash module, for hashing the second information to obtain a second hash value;
a docking party comparison module, for comparing the first hash value with the second hash value;
and a docking party access module, for accessing, when the two are equal, the application identified by the application identifier on the service party using the device identified by the device identifier and carrying the unique license number, the unique license number being the authorization credential with which the docking party accesses the service corresponding to the application identifier.
An embodiment of the invention also provides an application access authentication device for solving the security risk in existing internet product access mechanisms; on the service party side it comprises:
a service party receiving module, for receiving first ciphertext information and second ciphertext information sent by the docking party;
a service party second encryption/decryption module, for decrypting the second ciphertext information with the private key of a second key of an asymmetric algorithm to obtain a first key, the private key of the second key being the private key corresponding to the public key of the second key that the service party provided to the docking party;
a service party first encryption/decryption module, for decrypting the first ciphertext information with the first key to obtain first information, which comprises the current time, a device identifier and an application identifier;
a service party authentication module, for determining, according to a preset rule and the current time, whether the docking party holds authorization for the service corresponding to the application identifier;
a service party authorization module, for generating, when it does, second information containing a unique license number from the device identifier, the unique license number being the authorization credential with which the docking party accesses the service corresponding to the application identifier;
a service party hash module, for hashing the second information to obtain a first hash value;
the service party second encryption/decryption module being further for encrypting the first hash value with the private key of the second key to obtain third information;
the service party first encryption/decryption module being further for encrypting the second information with the first key to obtain fourth information;
and a service party sending module, for sending the third information and the fourth information to the docking party.
An embodiment of the invention also provides computer equipment comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, the processor implementing the application access authentication method when it executes the program.
An embodiment of the present invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the application access authentication method.
An embodiment of the present invention further provides a computer program product comprising a computer program which, when executed by a processor, implements the application access authentication method.
In the embodiments of the invention, compared with the prior art, in which the legality of the access source is not checked, the transmitted information is encrypted with a combination of a symmetric algorithm and an asymmetric algorithm, which protects the information exchanged between the docking party and the service party; the time at which the docking party uses the service (the current time) is authenticated against a preset rule that meets the security requirement, which establishes the reliability of the user; the unique license number is generated from the device identifier that the docking party uses at the current time, which establishes the legality and safety of the device from which the docking party accesses; and a hash algorithm verifies the transmitted information, which ensures data consistency and avoids the risk of inconsistent data.
Drawings
In order to illustrate the embodiments of the present invention or the prior art more clearly, the drawings used in their description are briefly introduced below. The drawings described here show only some embodiments of the invention; those skilled in the art can derive other drawings from them without creative effort. In the drawings:
FIG. 1 is a schematic flow chart of the application access authentication method on the docking party side according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of the application access authentication method on the service party side according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the main flow of application access authentication in an embodiment of the present invention;
FIG. 4 is a schematic flow chart of an implementation of the application access authentication method according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of the application access authentication device on the docking party side according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of the application access authentication device on the service party side in an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the embodiments are described in further detail below with reference to the accompanying drawings. The exemplary embodiments and their descriptions explain the present invention and do not limit it.
The inventors noticed, in the course of the invention, that:
with the rapid development of the internet the network security situation is becoming more severe; service parties offer many internet products, and clients accessing and using those products over the internet is commonplace. When a client uses an internet product provided by a service party over the internet, the legality of the access source needs to be checked at that moment in order to avoid a security risk.
Existing internet products, however, lack an authentication mechanism at access time, that is, the access source is not authenticated, and so a security risk exists.
On this basis, the embodiments of the present invention provide an application access authentication mechanism that prevents an external visitor who has not obtained legal authorization from accessing the internet product, so that such a visitor cannot use the internet product provided by the service party.
Embodiments of the present invention are described below with reference to the drawings.
In the description, the implementations on the docking party side and on the service party side are described separately, and then an example of their cooperative implementation is given so that the scheme of the embodiments can be better understood. This manner of description does not mean that the two must be implemented together or separately: when the docking party and the service party are implemented separately, each solves the problem on its own side, and when the two are used in combination, a better technical effect is obtained.
First, the technical terms used in the embodiments are briefly explained.
Docking party: an external third party that accesses, over the internet, and uses an internet product provided by the service party (rendered "butt-joint party" or "dockee" by the machine translation);
Public key, private key: the public key (publicKey) and the private key (privateKey) come in pairs; content encrypted with the public key can be decrypted only with the private key, and content encrypted with the private key can be decrypted only with the public key;
Application (APP) number: a unique number assigned to each docking party after it has successfully applied for authorization to use an internet product provided by the service party;
SM4 algorithm: a symmetric encryption algorithm, in which the same key is used for encryption and decryption;
SM2 algorithm: an asymmetric encryption algorithm, comprising public-key encryption with private-key decryption and private-key encryption with public-key decryption (the latter pair is, in SM2 terms, signature generation and signature verification, which is how the scheme below uses it: the service party signs a hash with its private key and the docking party verifies it with the public key);
Hash algorithm: an algorithm that produces a fixed-length digest of data of arbitrary length, used to ensure the consistency of the data;
License number (licenseId): the license number recorded for a particular device; it is unique and non-reusable, and it limits the access source by a validity period and a number of accesses.
FIG. 1 is a schematic flow chart of the application access authentication method on the docking party side. As shown in the figure, the method may comprise:
step 101, the docking party determines the current time, a device identifier and an application identifier, the application being one that the docking party, as an external third party, accesses on the service party over the internet;
step 102, the docking party generates a first key of a symmetric algorithm and encrypts first information with the first key to obtain first ciphertext information, the first information comprising the current time, the device identifier and the application identifier;
step 103, the docking party encrypts the first key with the public key of a second key of an asymmetric algorithm to obtain second ciphertext information, the public key of the second key having been provided to the docking party by the service party;
step 104, the docking party sends the first ciphertext information and the second ciphertext information to the service party;
step 105, the docking party receives third information and fourth information sent by the service party;
step 106, the docking party decrypts the third information with the public key of the second key to obtain a first hash value;
step 107, the docking party decrypts the fourth information with the first key to obtain second information;
step 108, the docking party hashes the second information to obtain a second hash value;
step 109, the docking party compares the first hash value with the second hash value;
and step 110, when the two are equal, the docking party uses the device identified by the device identifier to access the application identified by the application identifier on the service party, carrying the unique license number, which is the authorization credential with which the docking party accesses the service corresponding to the application identifier.
FIG. 2 is a schematic flow chart of the application access authentication method on the service party side. As shown in the figure, the implementation may comprise:
step 201, the service party receives first ciphertext information and second ciphertext information sent by the docking party;
step 202, the service party decrypts the second ciphertext information with the private key of a second key of an asymmetric algorithm to obtain a first key, the private key of the second key being the private key corresponding to the public key of the second key that the service party provided to the docking party;
step 203, the service party decrypts the first ciphertext information with the first key to obtain first information, which comprises the current time, a device identifier and an application identifier;
step 204, the service party determines, according to a preset rule and the current time, whether the docking party holds authorization for the service corresponding to the application identifier;
step 205, when it does, the service party generates second information containing a unique license number from the device identifier, the unique license number being the authorization credential with which the docking party accesses the service corresponding to the application identifier;
step 206, the service party hashes the second information to obtain a first hash value and encrypts the first hash value with the private key of the second key to obtain third information;
step 207, the service party encrypts the second information with the first key to obtain fourth information;
and step 208, the service party sends the third information and the fourth information to the docking party.
In one implementation, the hash algorithm is a general message-digest (HASH) algorithm.
In one implementation, the first key of the symmetric algorithm is a 32-character SM4 key in plaintext, made up of randomly chosen digits, upper-case letters and lower-case letters, or a combination of these. (SM4 takes a 128-bit, that is 16-byte, key, so a 32-character string fits only when it is read as hexadecimal or is otherwise mapped to 16 bytes; whatever the encoding, the characters must come from a cryptographically secure random generator, since this key protects both the request and the returned license number.)
Specifically, the technical solution provided by the embodiments aims to establish an authentication mechanism for accessing, over the internet, an internet product provided by a service party.
In implementation, the scheme is built on the SM2 asymmetric algorithm, a HASH digest algorithm and the SM4 symmetric algorithm. First, the docking party needs to obtain a public key, an application number and a device number; it assembles the data and sends it to the service party for authentication; the service party returns a license number after authentication, and the docking party can then continue to access the internet product provided by the service party with that license number. If authentication fails, the docking party is deemed not to have obtained the service party's authorization and does not access the internet product provided by the service party.
When the docking party has not yet obtained a license number, all the steps of FIG. 1 and FIG. 2 must be completed; once a license number has been obtained and is within its validity period, the steps of FIG. 1 and FIG. 2 may be skipped.
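One way to enforce the licenseId properties defined above (unique, non-reusable, limited by a validity period and an access count) on the later accesses that skip FIG. 1 and FIG. 2, as an added example that is not part of the patent and does not describe how the assignee implements it: a service-side license store in Go using only the standard library. The License and LicenseStore types, the Issue and Consume operations, the sentinel errors, the injectable clock and the sample validity period and access budget are this example's assumptions.

```go
package main

import (
	"errors"
	"sync"
	"time"
)

// License records one issued licenseId: the device it was issued to, when it expires and how
// many accesses remain. These fields are this example's assumption; the patent only states that a
// license number is unique, non-reusable and limited by validity period and access count.
type License struct {
	DeviceId  string
	ExpiresAt time.Time
	Remaining int
}

// LicenseStore is the service party's record of issued license numbers.
type LicenseStore struct {
	mu       sync.Mutex
	licenses map[string]*License
	now      func() time.Time // injectable clock, so expiry can be exercised deterministically
}

func NewLicenseStore() *LicenseStore {
	return &LicenseStore{licenses: map[string]*License{}, now: time.Now}
}

// Issue records a freshly generated licenseId (step 205) together with its validity period
// and access budget. Re-issuing the same licenseId overwrites the old record.
func (st *LicenseStore) Issue(licenseId, deviceId string, validFor time.Duration, accesses int) {
	st.mu.Lock()
	defer st.mu.Unlock()
	st.licenses[licenseId] = &License{DeviceId: deviceId, ExpiresAt: st.now().Add(validFor), Remaining: accesses}
}

var (
	ErrUnknownLicense = errors.New("license number not issued")
	ErrWrongDevice    = errors.New("license number issued to a different device")
	ErrExpired        = errors.New("license number past its validity period")
	ErrExhausted      = errors.New("license number access count exhausted")
)

// Consume is the check the service party runs on every later access that carries a licenseId
// (step 405): the license must exist, belong to the presenting device, be within its validity
// period and have accesses left; one access is charged on success. An expired or exhausted
// license is deleted, so it cannot be reused, and the docking party must run FIG. 1 and FIG. 2 again.
func (st *LicenseStore) Consume(licenseId, deviceId string) error {
	st.mu.Lock()
	defer st.mu.Unlock()
	lic, ok := st.licenses[licenseId]
	switch {
	case !ok:
		return ErrUnknownLicense
	case lic.DeviceId != deviceId:
		return ErrWrongDevice
	case !st.now().Before(lic.ExpiresAt):
		delete(st.licenses, licenseId)
		return ErrExpired
	case lic.Remaining <= 0:
		delete(st.licenses, licenseId)
		return ErrExhausted
	}
	lic.Remaining--
	return nil
}

func main() {
	st := NewLicenseStore()
	st.Issue("lic-1", "DEV-42", time.Hour, 2) // constructed sample: one hour, two accesses
	for i := 0; i < 3; i++ {
		println("access", i+1, st.Consume("lic-1", "DEV-42") == nil)
	}
}
```

The device check matters because the second information binds the license number to the device identifier: a license number captured from one device is refused when presented from another, and once its validity period or access count is used up the docking party has to go through the full FIG. 1 and FIG. 2 exchange again rather than keep presenting it.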
More specifically, the docking party: an external third party that accesses and uses, over the internet, an internet product provided by the service party; it records and sends the customer's operations and serves the customer's needs;
the service party: receives the information uploaded by the internet product, authenticates the access source and judges whether it is legal; if the access source complies with the agreed rules the transaction continues, and if it is illegal the transaction is refused.
The encryption and signature-verification functions used in the scheme determine whether the requester holds legal authorization.
FIG. 3 is a schematic diagram of the main flow of application access authentication. As shown in the figure, the main interaction between the docking party and the service party comprises:
step 301, the docking party applies to the service party for authorization to use the internet product and, once the application is approved, obtains the authorization information returned by the service party;
step 302, the docking party generates a data object from the authorization information and sends it over the internet to the service party's background system to request a transaction;
step 303, the service party's background system receives the data object and checks the legality of the data source; if the source is legal, it executes the request and returns a response;
and step 304, after the docking party receives the response, it confirms that the data is consistent and valid and then displays it to the client.
The following is an example.
FIG. 4 is a schematic flow chart of an implementation of the application access authentication method. As shown in the figure, the implementation may comprise:
step 401, the docking party initiates an access application;
step 402, the service party returns a public key certificate and an application number;
step 403, the docking party completes data assembly and sends a data request;
step 404, the service party completes authentication and data assembly and returns the result;
step 405, after receiving the license number, the docking party can access the internet product provided by the service party normally.
To make the implementation easier to follow, the description below uses names closer to an actual implementation, for example the public key file publicKey and the application number appId; the correspondence to the steps of FIG. 1 and FIG. 2 is given alongside, for example: the key original oriKey (first key), the request original oriStr (first information), which is encrypted with oriKey, and the resulting ciphertext secStr (first ciphertext information).
1. Preparation.
(1) Before the docking party accesses, over the internet, an internet product provided by the service party, it applies to the service party for authorization to use the service;
(2) after the authorization is approved, the service party sends the docking party the public key file publicKey used to encrypt data and the application number appId.
That is, in implementation, the method may further comprise, on the docking party side:
the docking party applies to the service party for authorization to use the service corresponding to the application identifier;
and after its authorization is approved, the docking party receives the public key of the second key of the asymmetric algorithm and the application identifier provided by the service party.
Correspondingly, on the service party side, the method may further comprise:
the service party receives the docking party's application for authorization to use the service corresponding to the application identifier;
and after the authorization is approved, the service party provides the docking party with the public key of the second key of the asymmetric algorithm and the application identifier.
Part 2. The dockee assembles the data.
1. The dockee obtains the current time (shown in the example as Beijing time bjTime), the device number deviceId and the application number appId, and joins them with "|" to generate the request text oriStr (first information);
2. it generates a 32-bit SM4 key plaintext oriKey (first key), which may be composed randomly of digits and upper and lower case letters, encrypts oriStr (first information) with oriKey using SM4 symmetric encryption to generate the ciphertext secStr (first ciphertext information), and stores oriKey, which is used again in item 2 of Part 5;
3. it encrypts oriKey with the public key file publicKey (public key of the second key) using the SM2 asymmetric algorithm to generate the key ciphertext secKey (second ciphertext information);
4. after combining secStr and secKey into a data object secObj (first ciphertext information and second ciphertext information), it sends the access request to the internet product provided by the service party, carrying the data object secObj.
Part 3. The service party authenticates.
1. The internet product provided by the service party forwards the received data object to the background system, which decrypts secKey (second ciphertext information) contained in secObj with the private key privateKey (private key of the second key) paired with the publicKey the dockee received, obtaining oriKey (first key); it then decrypts secStr (first ciphertext information) with oriKey to obtain oriStr (first information);
2. it checks whether oriStr contains bjTime, deviceId and appId, checks whether the current Beijing time and bjTime are within a reasonable range (the range can be set by the service party), and checks whether appId has service authorization; if all checks pass, authentication is confirmed and response data responseStr (second information) generated according to deviceId is returned (the second information contains a unique license ID);
Part 4. The service party assembles the return data.
1. The background system of the service party applies the hash algorithm to responseStr (second information) to obtain the digest oriHmac (first hash value), and then encrypts oriHmac with privateKey (private key of the second key) to generate the signature sign (third information);
2. it encrypts responseStr (second information) with oriKey (first key) to generate secResponseStr (fourth information), assembles sign and secResponseStr into an object and returns it to the dockee;
Part 5. The dockee receives the data.
1. The dockee decrypts sign (third information) with publicKey (public key of the second key) to obtain oriHmac (first hash value);
2. it decrypts secResponseStr (fourth information) with the oriKey (first key) stored in item 2 of Part 2 to obtain responseStr (second information), and hashes responseStr to generate the digest hmac (second hash value);
3. it compares oriHmac (first hash value) with hmac (second hash value): if they are the same, responseStr was not tampered with during transmission and the license id is valid; if they differ, the transaction is refused and an error message is returned;
4. when the dockee subsequently accesses the internet product provided by the authorized service party using the same device and carrying the license id, the internet product can be used normally as long as the license id is within its validity period; the validity period and the permitted number of accesses of the license id can be configured.
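The five parts above, carried through end to end as an added worked example in Go; this is not code from the patent or from the applicant. It stands in AES-256-GCM for SM4, RSA-OAEP for the SM2 wrapping of oriKey, SHA-256 for the hash and a raw RSA PKCS#1 v1.5 signature for "encrypting the digest with the private key"; the Window (the "reasonable range" for bjTime), the Authorized appId list, the JSON shape of responseStr and the way licenseId is derived are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
	"time"
)

// Stand-ins (assumptions, not the patent's own algorithms): AES-256-GCM for SM4, RSA-OAEP for the
// SM2 wrapping of oriKey, SHA-256 as the hash, raw RSA PKCS#1 v1.5 over the digest for part 4's "sign".
const timeLayout = "2006-01-02 15:04:05"
type ServiceParty struct {
	Priv       *rsa.PrivateKey // private key of the second key; the dockee holds the public half
	Authorized map[string]bool // appIds whose authorization passed in the preparation phase
	Window     time.Duration   // the "reasonable range" between bjTime and the server clock
}
// NewServiceParty is part 1 on the service side: generate the second key and record the authorized appIds.
func NewServiceParty(appIds []string, window time.Duration) (*ServiceParty, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	s := &ServiceParty{Priv: priv, Authorized: map[string]bool{}, Window: window}
	for _, id := range appIds {
		s.Authorized[id] = true
	}
	return s, err
}
// sym is the SM4 stand-in: seal prefixes a random nonce, open strips and authenticates it.
func sym(key, data []byte, seal bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has the 16-byte block GCM needs
	if seal {
		nonce := make([]byte, gcm.NonceSize())
		rand.Read(nonce) // crypto/rand.Read never returns an error in current Go
		return gcm.Seal(nonce, nonce, data, nil), nil
	}
	if n := gcm.NonceSize(); len(data) >= n {
		return gcm.Open(nil, data[:n], data[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}
// BuildRequest is part 2: oriStr = bjTime|deviceId|appId under a fresh oriKey (secStr); oriKey wrapped with publicKey (secKey).
func BuildRequest(pub *rsa.PublicKey, now time.Time, deviceId, appId string) (secStr, secKey, oriKey []byte, err error) {
	oriStr := strings.Join([]string{now.UTC().Format(timeLayout), deviceId, appId}, "|")
	oriKey = make([]byte, 32)
	rand.Read(oriKey)
	secStr, _ = sym(oriKey, []byte(oriStr), true) // cannot fail with a 32-byte key
	secKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, oriKey, nil)
	return secStr, secKey, oriKey, err // the dockee keeps oriKey for part 5
}

// Authenticate is parts 3 and 4: unwrap oriKey, recover oriStr, check bjTime and appId, issue a license bound to deviceId.
func (s *ServiceParty) Authenticate(secStr, secKey []byte, now time.Time) (sign, secResponseStr []byte, err error) {
	oriKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.Priv, secKey, nil)
	if err != nil {
		return nil, nil, fmt.Errorf("cannot unwrap first key")
	}
	oriStr, err := sym(oriKey, secStr, false)
	if err != nil {
		return nil, nil, fmt.Errorf("cannot decrypt first information")
	}
	parts := strings.Split(string(oriStr), "|")
	if len(parts) != 3 {
		return nil, nil, fmt.Errorf("first information malformed")
	}
	bjTime, err := time.Parse(timeLayout, parts[0])
	if d := now.Sub(bjTime); err != nil || d > s.Window || -d > s.Window {
		return nil, nil, fmt.Errorf("bjTime missing or outside the accepted range")
	}
	if !s.Authorized[parts[2]] {
		return nil, nil, fmt.Errorf("appId %q has no service authorization", parts[2])
	}
	lic := sha256.Sum256([]byte(string(oriKey) + string(oriStr))) // unique per request because oriKey is fresh
	responseStr := []byte(fmt.Sprintf(`{"deviceId":%q,"licenseId":"%x"}`, parts[1], lic[:16]))
	oriHmac := sha256.Sum256(responseStr)
	if sign, err = rsa.SignPKCS1v15(rand.Reader, s.Priv, 0, oriHmac[:]); err != nil { // hash 0: sign the digest as-is
		return nil, nil, err
	}
	secResponseStr, _ = sym(oriKey, responseStr, true) // oriKey was already proved usable above
	return sign, secResponseStr, nil
}
// VerifyResponse is part 5: recover responseStr with the stored oriKey, hash it (hmac) and check it against the signed oriHmac.
func VerifyResponse(pub *rsa.PublicKey, oriKey, sign, secResponseStr []byte) (string, error) {
	responseStr, err := sym(oriKey, secResponseStr, false)
	if err != nil {
		return "", fmt.Errorf("cannot decrypt fourth information")
	}
	hmac := sha256.Sum256(responseStr)
	if err := rsa.VerifyPKCS1v15(pub, 0, hmac[:], sign); err != nil {
		return "", fmt.Errorf("digest mismatch: response rejected")
	}
	return string(responseStr), nil // only now is the license id inside trusted
}
```

Besides the happy path, the service side rejects a request whose bjTime falls outside Window or whose appId was never authorized, and the dockee rejects a response whose recomputed digest does not match the signed one.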
The embodiment of the invention also provides an application access authentication device, described in the following embodiment. Because the principle by which the device solves the problem is similar to the application access authentication method on the dockee side and/or the service party side, the implementation of the device can refer to the implementation of that method, and repeated details are omitted.
Fig. 5 is a schematic structural diagram of the application access authentication device on the dockee side, which may include:
a dockee device module 501, configured to determine the current time, a device identifier and an application identifier, where the application is one that the dockee, as an external third party, accesses on the service party over the internet;
a dockee first encryption and decryption module 502, configured to generate a first key of a symmetric algorithm and encrypt first information with the first key to obtain first ciphertext information, where the first information includes the current time, the device identifier and the application identifier;
a dockee second encryption and decryption module 503, configured to encrypt the first key with the public key of a second key of an asymmetric algorithm to obtain second ciphertext information, where the public key of the second key is provided by the service party to the dockee;
a dockee sending module 504, configured to send the first ciphertext information and the second ciphertext information to the service party;
a dockee receiving module 505, configured to receive third information and fourth information sent by the service party;
the dockee second encryption and decryption module is further configured to decrypt the third information with the public key of the second key to obtain a first hash value;
the dockee first encryption and decryption module is further configured to decrypt the fourth information with the first key to obtain second information;
a dockee hash module 506, configured to apply the hash algorithm to the second information to obtain a second hash value;
a dockee comparison module 507, configured to compare the first hash value with the second hash value;
a dockee access module 508, configured, when the comparison result is the same, to access the application of the service party identified by the application identifier using the device identified by the device identifier and carrying the unique license number, where the unique license number is the authorization credential for the dockee to access the service corresponding to the application identifier.
In an implementation, the dockee hash module is further configured to employ a hash algorithm.
In an implementation, the dockee first encryption and decryption module is further configured to use, as the first key of the symmetric algorithm, a 32-bit SM4 key plaintext composed randomly of digits, capital letters, lowercase letters, or a combination thereof.
In an implementation, the dockee sending module is further configured to apply to the service party for authorization of the service corresponding to the application identifier;
the dockee receiving module is further configured to receive, after the authorization is passed, the public key of the second key of the asymmetric algorithm and the application identifier provided by the service party to the dockee.
Fig. 6 is a schematic structural diagram of the application access authentication device on the service party side; as shown in the figure, the device may include:
a service party receiving module 601, configured to receive first ciphertext information and second ciphertext information sent by the dockee;
a service party second encryption and decryption module 602, configured to decrypt the second ciphertext information with the private key of a second key of an asymmetric algorithm to obtain a first key, where the private key of the second key corresponds to the public key of the second key provided by the service party to the dockee;
a service party first encryption and decryption module 603, configured to decrypt the first ciphertext information with the first key to obtain first information, where the first information includes the current time, a device identifier and an application identifier;
a service party authentication module 604, configured to determine, according to a preset rule and the current time, whether the dockee has authorization for the service corresponding to the application identifier;
a service party authorization module 605, configured, when the dockee has that authorization, to generate second information containing a unique license number according to the device identifier, where the unique license number is the authorization credential for the dockee to access the service corresponding to the application identifier;
a service party hash module 606, configured to apply the hash algorithm to the second information to obtain a first hash value;
the service party second encryption and decryption module is further configured to encrypt the first hash value with the private key of the second key to obtain third information;
the service party first encryption and decryption module is further configured to encrypt the second information with the first key to obtain fourth information;
and a service party sending module 607, configured to send the third information and the fourth information to the dockee.
In an implementation, the service party hash module is further configured to employ a hash algorithm.
In an implementation, the service party first encryption and decryption module is further configured to use, as the first key of the symmetric algorithm, a 32-bit SM4 key plaintext composed randomly of digits, capital letters, lowercase letters, or a combination thereof.
In an implementation, the service party receiving module is further configured to receive the dockee's application for authorization of the service corresponding to the application identifier;
the service party sending module is further configured to provide, after the authorization is passed, the public key of the second key of the asymmetric algorithm and the application identifier to the dockee.
The embodiment of the invention also provides a computer device comprising a memory, a processor and a computer program stored on the memory and runnable on the processor, where the processor implements the application access authentication method when executing the computer program.
An embodiment of the present invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the application access authentication method.
An embodiment of the present invention further provides a computer program product comprising a computer program which, when executed by a processor, implements the application access authentication method.
In the embodiment of the invention, in contrast to prior-art schemes in which the legitimacy of the access source is not checked, the transmitted information is encrypted with both a symmetric and an asymmetric algorithm, which protects the information exchanged between the dockee and the service party; because the dockee's service time (current time) is authenticated according to a preset rule that meets the security requirement, the reliability of the user is ensured; because the unique license number is generated from the device identifier used by the dockee at the current time, the legitimacy and security of the accessing device are ensured; and because the hash algorithm is used to verify the transmitted information, data consistency is ensured and the risk of inconsistent data is avoided.
According to the technical scheme, the acquisition, storage, use and processing of data comply with the relevant provisions of national laws and regulations, and all types of data relating to individuals, customers and groups, such as personal identity data, operation data and behaviour data, are authorized.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (19)

1. An application access authentication method, comprising:
a dockee determines the current time, a device identifier and an application identifier, wherein the application is one that the dockee, as an external third party, accesses on a service party through the Internet;
the dockee generates a first key of a symmetric algorithm and encrypts first information with the first key to obtain first ciphertext information, wherein the first information comprises the current time, the device identifier and the application identifier;
the dockee encrypts the first key with a public key of a second key of an asymmetric algorithm to obtain second ciphertext information, wherein the public key of the second key is provided to the dockee by the service party;
the dockee sends the first ciphertext information and the second ciphertext information to the service party;
the dockee receives third information and fourth information sent by the service party;
the dockee decrypts the third information with the public key of the second key to obtain a first hash value;
the dockee decrypts the fourth information with the first key to obtain second information;
the dockee applies a hash algorithm to the second information to obtain a second hash value;
the dockee compares the first hash value with the second hash value;
and when the comparison result is the same, the dockee uses the device identified by the device identifier, carrying a unique license number, to access the application of the service party identified by the application identifier, wherein the unique license number is an authorization credential for the dockee to access the service corresponding to the application identifier.
2. The method of claim 1, wherein the hash algorithm is a hash algorithm.
3. The method of claim 1, wherein the first key of the symmetric algorithm is a 32-bit SM4 key plaintext composed randomly of digits, capital letters, lowercase letters, or a combination thereof.
4. The method of any of claims 1 to 3, further comprising:
the dockee applies to the service party for authorization of the service corresponding to the application identifier;
and after the dockee's authorization is passed, the dockee receives the public key of the second key of the asymmetric algorithm and the application identifier provided by the service party to the dockee.
5. An application access authentication method, comprising:
a service party receives first ciphertext information and second ciphertext information sent by a dockee;
the service party decrypts the second ciphertext information with a private key of a second key of an asymmetric algorithm to obtain a first key, wherein the private key of the second key corresponds to a public key of the second key provided by the service party to the dockee;
the service party decrypts the first ciphertext information with the first key to obtain first information, wherein the first information comprises the current time, a device identifier and an application identifier;
the service party determines, according to a preset rule and the current time, whether the dockee has authorization for the service corresponding to the application identifier;
when the dockee has that authorization, the service party generates second information containing a unique license number according to the device identifier, wherein the unique license number is an authorization credential for the dockee to access the service corresponding to the application identifier;
the service party applies a hash algorithm to the second information to obtain a first hash value, and encrypts the first hash value with the private key of the second key to obtain third information;
the service party encrypts the second information with the first key to obtain fourth information;
and the service party sends the third information and the fourth information to the dockee.
6. The method of claim 5, wherein the hash algorithm is a hash algorithm.
7. The method of claim 5, wherein the first key of the symmetric algorithm is a 32-bit SM4 key plaintext composed randomly of digits, capital letters, lowercase letters, or a combination thereof.
8. The method of any of claims 5 to 7, further comprising:
the service party receives the dockee's application for authorization of the service corresponding to the application identifier;
and after the authorization is passed, the service party provides the public key of the second key of the asymmetric algorithm and the application identifier to the dockee.
9. An application access authentication apparatus, comprising:
a dockee device module, configured to determine the current time, a device identifier and an application identifier, wherein the application is one that the dockee, as an external third party, accesses on a service party through the Internet;
a dockee first encryption and decryption module, configured to generate a first key of a symmetric algorithm and encrypt first information with the first key to obtain first ciphertext information, wherein the first information comprises the current time, the device identifier and the application identifier;
a dockee second encryption and decryption module, configured to encrypt the first key with a public key of a second key of an asymmetric algorithm to obtain second ciphertext information, wherein the public key of the second key is provided to the dockee by the service party;
a dockee sending module, configured to send the first ciphertext information and the second ciphertext information to the service party;
a dockee receiving module, configured to receive third information and fourth information sent by the service party;
the dockee second encryption and decryption module is further configured to decrypt the third information with the public key of the second key to obtain a first hash value;
the dockee first encryption and decryption module is further configured to decrypt the fourth information with the first key to obtain second information;
a dockee hash module, configured to apply a hash algorithm to the second information to obtain a second hash value;
a dockee comparison module, configured to compare the first hash value with the second hash value;
and a dockee access module, configured, when the comparison result is the same, to access the application of the service party identified by the application identifier using the device identified by the device identifier and carrying a unique license number, wherein the unique license number is an authorization credential for the dockee to access the service corresponding to the application identifier.
10. The apparatus of claim 9, wherein the dockee hash module is further configured to employ a hash algorithm.
11. The apparatus of claim 9, wherein the dockee first encryption and decryption module is further configured to use, as the first key of the symmetric algorithm, a 32-bit SM4 key plaintext composed randomly of digits, capital letters, lowercase letters, or a combination thereof.
12. The apparatus of any of claims 9 to 11, wherein
the dockee sending module is further configured to apply to the service party for authorization of the service corresponding to the application identifier;
and the dockee receiving module is further configured to receive, after the authorization is passed, the public key of the second key of the asymmetric algorithm and the application identifier provided by the service party to the dockee.
13. An application access authentication apparatus, comprising:
a service party receiving module, configured to receive first ciphertext information and second ciphertext information sent by a dockee;
a service party second encryption and decryption module, configured to decrypt the second ciphertext information with a private key of a second key of an asymmetric algorithm to obtain a first key, wherein the private key of the second key corresponds to a public key of the second key provided by the service party to the dockee;
a service party first encryption and decryption module, configured to decrypt the first ciphertext information with the first key to obtain first information, wherein the first information comprises the current time, a device identifier and an application identifier;
a service party authentication module, configured to determine, according to a preset rule and the current time, whether the dockee has authorization for the service corresponding to the application identifier;
a service party authorization module, configured, when the dockee has that authorization, to generate second information containing a unique license number according to the device identifier, wherein the unique license number is an authorization credential for the dockee to access the service corresponding to the application identifier;
a service party hash module, configured to apply a hash algorithm to the second information to obtain a first hash value;
the service party second encryption and decryption module is further configured to encrypt the first hash value with the private key of the second key to obtain third information;
the service party first encryption and decryption module is further configured to encrypt the second information with the first key to obtain fourth information;
and a service party sending module, configured to send the third information and the fourth information to the dockee.
14. The apparatus of claim 13, wherein the service party hash module is further configured to employ a hash algorithm.
15. The apparatus of claim 13, wherein the service party first encryption and decryption module is further configured to use, as the first key of the symmetric algorithm, a 32-bit SM4 key plaintext composed randomly of digits, capital letters, lowercase letters, or a combination thereof.
16. The apparatus of any of claims 13 to 15, wherein
the service party receiving module is further configured to receive the dockee's application for authorization of the service corresponding to the application identifier;
and the service party sending module is further configured to provide, after the authorization is passed, the public key of the second key of the asymmetric algorithm and the application identifier to the dockee.
17. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 8 when executing the computer program.
18. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the method of any one of claims 1 to 8.
19. A computer program product, characterized in that the computer program product comprises a computer program which, when being executed by a processor, carries out the method of any one of claims 1 to 8.
CN202210859459.1A 2022-07-21 2022-07-21 Application access authentication method and device Pending CN115225286A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210859459.1A CN115225286A (en) 2022-07-21 2022-07-21 Application access authentication method and device


Publications (1)

Publication Number Publication Date
CN115225286A true CN115225286A (en) 2022-10-21

Family

ID=83613083


Country Status (1)

Country Link
CN (1) CN115225286A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115842679A (en) * 2022-12-30 2023-03-24 江西曼荼罗软件有限公司 Data transmission method and system based on digital envelope technology



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination