CN116707983A - Authorization authentication method and device, access authentication method and device, equipment and medium - Google Patents

Publication number
CN116707983A
Authority
CN
China
Prior art keywords
token
authentication
authorization
information
identity
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310834577.1A
Other languages
Chinese (zh)
Inventor
英继越
闫旭芃
邬子庄
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202310834577.1A
Publication of CN116707983A
Current legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The disclosure provides an authorization authentication method and device, an access authentication method and device, equipment and medium, and can be applied to the technical fields of information security, internet of things, blockchain technology and financial science and technology. The authorization authentication method comprises the following steps: receiving an authorization authentication request sent by terminal equipment; performing authorization authentication on the terminal equipment based on the authorization authentication request; generating an identity token of the terminal equipment under the condition that the authorization authentication is passed; and sending the identity token to the terminal equipment so that the terminal equipment initiates an access authentication request to the edge authentication node based on the identity token.

Description

Authorization authentication method and device, access authentication method and device, equipment and medium
Technical Field
The present disclosure relates to the field of information security technology, the field of internet of things, the field of blockchain technology, and the field of financial technology, and in particular, to an authorization authentication method and apparatus, an access authentication method and apparatus, a device, a medium, and a program product.
Background
Authentication solves the problem of proving to the other party who one is. Identity authentication relies on some physical basis, such as something held by the user (a password, a key pad, or a digital certificate) or a characteristic of the user (fingerprint, iris, voiceprint, genetic information, and the like).
In the process of implementing the disclosed concept, the inventors found at least the following problems in the related art: Internet of Things terminal devices are huge in number and limited in resources; the digital-certificate-based identity authentication of the traditional internet is not suited to a perception-layer environment with a huge number of terminal devices; and the authentication and authorization process is complex and inefficient, which increases computer processing overhead and network transmission overhead.
Disclosure of Invention
In view of the foregoing, the present disclosure provides an authorization authentication method and apparatus, an access authentication method and apparatus, a device, a medium, and a program product.
In one aspect of the present disclosure, there is provided an authorization authentication method including:
receiving an authorization authentication request sent by terminal equipment;
performing authorization authentication on the terminal equipment based on the authorization authentication request;
generating an identity token of the terminal equipment under the condition that the authorization authentication is passed;
and sending the identity token to the terminal equipment so that the terminal equipment initiates an access authentication request to the edge authentication node based on the identity token.
According to the embodiment of the disclosure, the authorization authentication request includes authorization authentication information, the authorization authentication information includes a device public key, the device public key is generated by the terminal device through executing a predetermined key generation algorithm, and public parameters of the predetermined key generation algorithm and the device public key are issued to a public network and shared by the terminal device, the edge authentication node and the authorization center;
performing authorization authentication on the terminal device based on the authorization authentication request comprises:
performing authorization authentication on the terminal device based on the device public key.
According to an embodiment of the present disclosure, wherein the terminal device further generates a device private key by executing a predetermined key generation algorithm;
the authorization authentication of the terminal equipment based on the equipment public key comprises the following steps:
acquiring public parameters from a public network;
generating a first verification random number according to the public parameter, and sending the first verification random number to the terminal equipment;
receiving second random number signature information sent by the terminal equipment, wherein the second random number signature information is generated by signing the first verification random number by the terminal equipment by utilizing an equipment private key;
and verifying the second random number signature information by using the device public key based on the public parameter.
According to an embodiment of the present disclosure, the authorization authentication information further includes an authorization authentication request timestamp, and before the terminal device is authorized to be authenticated based on the device public key, the method further includes:
and verifying the validity of the communication duration of the authorization authentication request according to the authorization authentication request time stamp.
According to an embodiment of the present disclosure, generating the identity token of the terminal device comprises:
obtaining token additional authentication information, the token additional authentication information including at least one of: the device identifier of the terminal device, the token generation time of the identity token, and the token validity period of the identity token;
generating an identity token for the terminal device based on the device public key and the token additional authentication information.
According to an embodiment of the present disclosure, the authorization authentication information further includes a device identifier of the terminal device and an authorization authentication request timestamp, and obtaining the token additional authentication information includes:
generating the token generation time based on the authorization authentication request timestamp;
and setting the token validity period and determining the device identifier based on the authorization authentication information.
According to an embodiment of the present disclosure, generating an identity token for the terminal device based on the device public key and the token additional authentication information comprises:
generating an authorization center public key and an authorization center private key by executing a predetermined key generation algorithm, wherein the authorization center public key is published to a public network and shared by the terminal device, the edge authentication node and the authorization center;
generating token digest explicit information by assembling the device identifier, the token generation time, the token validity period and the device public key;
calculating a hash value of the token digest explicit information as token digest implicit information;
signing the token digest explicit information with the authorization center private key to generate token digest signature information;
and assembling the token digest implicit information and the token digest signature information to generate the identity token.
Another aspect of the present disclosure provides an access authentication method, including:
receiving an access authentication request sent by a terminal device, wherein the access authentication request comprises access authentication information, the access authentication information comprises an identity token of the terminal device, and the identity token is generated under the condition that an authorization center carries out authorization authentication on the terminal device;
and carrying out access authentication on the terminal equipment based on the access authentication request.
According to an embodiment of the present disclosure, wherein performing access authentication on the terminal device based on the access authentication request includes:
performing token authentication on the identity token;
and carrying out key authentication on the terminal equipment under the condition that the token authentication is passed.
According to an embodiment of the present disclosure, wherein:
the identity token comprises token digest implicit information and token digest signature information, wherein the token digest implicit information is associated with token digest explicit information, the token digest explicit information comprises the device identifier of the terminal device, the token generation time of the identity token, the token validity period of the identity token and the device public key of the terminal device, and the token digest signature information is generated by the authorization center signing the token digest explicit information with the authorization center private key;
token authentication of the identity token includes:
acquiring the authorization center public key from a public network;
and performing a signature verification operation on the token digest signature information using the authorization center public key.
According to an embodiment of the disclosure, performing the signature verification operation on the token digest signature information using the authorization center public key includes:
decrypting the token digest signature information using the authorization center public key to obtain reference information;
matching the hash value of the reference information against the token digest implicit information;
and, in the case that the hash value of the reference information matches the token digest implicit information, the token authentication of the identity token passes.
According to the embodiment of the disclosure, the access authentication information further comprises a device identifier of the terminal device;
before the token authentication of the identity token, the method further comprises the following steps:
querying a trusted list based on the device identification;
and carrying out token authentication on the identity token under the condition that the trusted list does not contain the equipment identification.
According to the embodiment of the disclosure, the access authentication information further comprises token generation time of the identity token and token validity period of the identity token;
before the token authentication of the identity token, the method further comprises the following steps:
acquiring an access authentication request timestamp;
verifying the validity period of the identity token based on the token generation time, the token validity period and the access authentication request time stamp;
and carrying out token authentication on the identity token under the condition that the trusted list does not contain the equipment identifier and the validity period of the identity token passes verification.
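The token assembly and the edge-node token check described above, as an added example that is not part of the patent text. Assumptions: the JSON encoding, SHA-256, the field and function names, and a constructed textbook-RSA key standing in for the unnamed "predetermined key generation algorithm"; the final comparison of claimed fields against the signed ones is an extra check the text does not state.

```python
import hashlib
import hmac
import json

# Constructed toy key for the authorization center: textbook RSA over two
# well-known Mersenne primes. Illustration only (assumption); it is not secure
# and a real deployment would use a standard padded signature scheme.
_P, _Q = 2**1279 - 1, 2**2203 - 1
AC_N = _P * _Q                                # public modulus
AC_E = 65537                                  # public exponent
_AC_D = pow(AC_E, -1, (_P - 1) * (_Q - 1))    # private exponent


def _encode_explicit(device_id, issued_at, ttl, device_pub):
    """Assemble the token digest explicit information in canonical form."""
    fields = {"id": device_id, "iat": issued_at, "ttl": ttl, "pub": device_pub}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_token(device_id, issued_at, ttl, device_pub):
    """Authorization center: hash and sign the explicit information."""
    explicit = _encode_explicit(device_id, issued_at, ttl, device_pub)
    m = int.from_bytes(explicit, "big")
    if m >= AC_N:
        raise ValueError("explicit information too long for the toy modulus")
    return {
        "implicit": hashlib.sha256(explicit).hexdigest(),   # implicit information
        "signature": format(pow(m, _AC_D, AC_N), "x"),      # signature information
    }


def verify_token(token, claimed, now):
    """Edge node: returns (True, device_pub) or (False, reason).

    `claimed` holds the device id, generation time and validity period that
    travel beside the token in the access authentication information.
    """
    try:
        iat, ttl = int(claimed["iat"]), int(claimed["ttl"])
        sig = int(token["signature"], 16)
        implicit = str(token["implicit"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed"

    # Validity period check, done before any public-key operation.
    if not iat <= now <= iat + ttl:
        return False, "expired"
    if not 0 < sig < AC_N:
        return False, "malformed"

    # "Decrypt" the signature with the public key to get the reference information.
    m = pow(sig, AC_E, AC_N)
    reference = m.to_bytes((m.bit_length() + 7) // 8, "big")

    # Hash of the reference information must match the implicit information.
    digest = hashlib.sha256(reference).hexdigest()
    if not hmac.compare_digest(digest.encode(), implicit.encode()):
        return False, "bad-signature"

    # The hash match only shows the two token parts agree with each other;
    # the recovered content must also be the expected structure.
    try:
        signed = json.loads(reference)
    except ValueError:
        return False, "bad-signature"
    if not isinstance(signed, dict):
        return False, "bad-signature"

    # Added check (assumption): the fields used for the validity test must be
    # the ones the authorization center actually signed.
    for key, value in (("id", claimed.get("id")), ("iat", iat), ("ttl", ttl)):
        if signed.get(key) != value:
            return False, "claim-mismatch"
    return True, signed.get("pub")
```

Without the last comparison, the validity check would run on fields that are not covered by the authorization center's signature.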
According to an embodiment of the present disclosure, performing key authentication on a terminal device includes:
sending an identity challenge request to terminal equipment;
receiving second random number signature information sent by the terminal equipment, wherein the second random number signature information is generated by the terminal equipment by signing a second verification random number based on a public parameter and an equipment private key in response to an identity challenge request, the public parameter is obtained by the terminal equipment from a public network, and the second verification random number is randomly generated by the terminal equipment;
acquiring public parameters and a device public key of the terminal device from a public network;
and verifying the second random number signature information by using the device public key based on the public parameter.
According to the embodiment of the disclosure, the access authentication information comprises a message random number;
before the access authentication is performed on the terminal equipment, the method further comprises the following steps:
performing anti-attack verification on the terminal device based on the message random number.
Another aspect of the present disclosure provides an authorization authentication apparatus, including:
the authorization request receiving module is used for receiving an authorization authentication request sent by the terminal equipment;
the authorization authentication module is used for carrying out authorization authentication on the terminal equipment based on the authorization authentication request;
the token generation module is used for generating an identity token of the terminal equipment under the condition that the authorization authentication passes;
and the token sending module is used for sending the identity token to the terminal equipment so that the terminal equipment initiates an access authentication request to the edge authentication node based on the identity token.
According to the embodiment of the disclosure, the authorization authentication request includes authorization authentication information, the authorization authentication information includes a device public key, the device public key is generated by the terminal device through executing a predetermined key generation algorithm, and public parameters of the predetermined key generation algorithm and the device public key are issued to a public network and shared by the terminal device, the edge authentication node and the authorization center;
the authorization authentication module comprises an authorization authentication unit which is used for carrying out authorization authentication on the terminal equipment based on the equipment public key.
According to an embodiment of the present disclosure, wherein the terminal device further generates a device private key by executing a predetermined key generation algorithm;
The authorization authentication unit includes:
an acquisition subunit, configured to acquire a public parameter from a public network;
the random number generation unit is used for generating a first verification random number according to the public parameter and sending the first verification random number to the terminal equipment;
a receiving subunit, configured to receive second random number signature information sent by the terminal device, where the second random number signature information is generated by signing the first verification random number with a device private key by the terminal device;
and the signature verification subunit is used for verifying the second random number signature information by utilizing the device public key based on the public parameter.
According to the embodiment of the disclosure, the authorization and authentication information further comprises an authorization and authentication request time stamp, and the device further comprises a communication duration verification module, which is used for verifying the validity of the communication duration of the authorization and authentication request according to the authorization and authentication request time stamp before the terminal device is authorized and authenticated based on the device public key.
According to an embodiment of the present disclosure, wherein the token generation module comprises:
an additional information generating unit for acquiring token additional authentication information including at least one of: the equipment identification of the terminal equipment, the token generation time of the identity token and the token validity period of the identity token;
and a token generation unit for generating an identity token of the terminal device based on the device public key and the token additional authentication information.
According to an embodiment of the present disclosure, the authorization authentication information further includes a device identifier of the terminal device and an authorization authentication request timestamp, and the additional information generating unit includes:
a first generation subunit configured to generate a token generation time based on the authorization authentication request timestamp;
and the setting subunit is used for setting the validity period of the token and determining the equipment identification based on the authorization authentication information.
According to an embodiment of the present disclosure, wherein the token generation unit includes:
the second generation subunit is used for generating a public key of the authorization center and a private key of the authorization center by executing a preset key generation algorithm, wherein the public key of the authorization center is published to a public network and is shared by the terminal equipment, the edge authentication node and the authorization center;
the first assembling subunit is used for assembling the device identifier, the token generation time, the token validity period and the device public key to generate token digest explicit information;
the hash subunit is used for calculating the hash value of the token digest explicit information and taking the hash value as the token digest implicit information;
the signature subunit is used for signing the token digest explicit information with the authorization center private key to generate token digest signature information;
and the second assembling subunit is used for assembling the token digest implicit information and the token digest signature information to generate the identity token.
Another aspect of the present disclosure provides an access authentication apparatus, including:
the access request receiving module is used for receiving an access authentication request sent by the terminal equipment, wherein the access authentication request comprises access authentication information, the access authentication information comprises an identity token of the terminal equipment, and the identity token is generated under the condition that the authorization center carries out authorization authentication on the terminal equipment;
and the access authentication module is used for carrying out access authentication on the terminal equipment based on the access authentication request.
According to an embodiment of the present disclosure, the access authentication module includes:
the token authentication sub-module is used for carrying out token authentication on the identity token;
and the key authentication sub-module is used for carrying out key authentication on the terminal equipment under the condition that the token authentication passes.
According to an embodiment of the present disclosure, wherein:
the identity token comprises token digest implicit information and token digest signature information, wherein the token digest implicit information is associated with token digest explicit information, the token digest explicit information comprises the device identifier of the terminal device, the token generation time of the identity token, the token validity period of the identity token and the device public key of the terminal device, and the token digest signature information is generated by the authorization center signing the token digest explicit information with the authorization center private key;
The token authentication submodule includes:
a first information acquisition unit configured to acquire the authorization center public key from a public network;
a first signature verification unit configured to perform a signature verification operation on the token digest signature information using the authorization center public key.
According to an embodiment of the present disclosure, the first signature verification unit comprises:
a decryption subunit configured to decrypt the token digest signature information using the authorization center public key to obtain reference information;
a matching subunit configured to match the hash value of the reference information against the token digest implicit information;
and a token authentication subunit configured to pass token authentication of the identity token in the case that the hash value of the reference information matches the token digest implicit information.
According to the embodiment of the disclosure, the access authentication information further comprises a device identifier of the terminal device;
the device further comprises a query module for querying the trusted list based on the device identification before token authentication of the identity token, so that the token authentication of the identity token is performed in case the device identification is not included in the trusted list.
According to the embodiment of the disclosure, the access authentication information further comprises token generation time of the identity token and token validity period of the identity token;
The apparatus further comprises:
the time stamp obtaining module is used for obtaining an access authentication request time stamp before token authentication is carried out on the identity token;
the validity period verification module is used for verifying the validity period of the identity token based on the token generation time, the token validity period and the access authentication request timestamp;
and the processing module is used for carrying out token authentication on the identity token under the condition that the trusted list does not contain the equipment identifier and the validity period of the identity token is verified.
According to an embodiment of the present disclosure, wherein the key authentication submodule includes:
a challenge request sending unit, configured to send an identity challenge request to a terminal device;
a signature information receiving unit, configured to receive second random number signature information sent by the terminal device, where the second random number signature information is generated by the terminal device by signing a second verification random number based on a public parameter and a device private key in response to an identity challenge request, the public parameter is obtained by the terminal device from a public network, and the second verification random number is randomly generated by the terminal device;
a second information acquisition unit configured to acquire a public parameter and a device public key of the terminal device from the public network;
and the second signature verification unit is used for verifying the second random number signature information by using the device public key based on the public parameter.
According to the embodiment of the disclosure, the access authentication information comprises a message random number;
the device also comprises an anti-attack verification module which is used for carrying out anti-attack verification on the terminal equipment based on the message random number before carrying out access authentication on the terminal equipment.
Another aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the above-described authorization authentication method or access authentication method.
Another aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described authorization authentication method or access authentication method.
Another aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the above-described authorization authentication method or access authentication method.
According to the embodiment of the disclosure, in the authorization authentication method, the authorization center generates an identity token for the terminal device after performing authorization authentication on it, and the identity token can be reused once generated. For each terminal device, only one identity authentication process is needed to generate its identity token; the identity token then serves as the identity of the terminal device, and a terminal device holding it can initiate multiple access authentication requests to the edge authentication node. For each access request, the terminal device only needs to present the identity token to the edge authentication node, and the edge authentication node does not need to forward the terminal device's request information to an authentication center for identity authentication. This provides an authentication method of one-time authorization and multiple authentications. It overcomes the drawback that a traditional authentication center must store and manage digital certificates, addresses the large storage and computation cost of the traditional authentication center, reduces the computational load of the authentication center to a large extent, and reduces communication cost and the amount of computation. The method is well suited to scenarios in which terminal devices differ widely in structure and have limited storage and computing resources, and it is secure, efficient and lightweight.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of an authorization authentication method or access authentication method, apparatus, device, medium, and program product according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of an authorization authentication method according to an embodiment of the disclosure;
FIG. 3 schematically illustrates a system configuration diagram of an authorization authentication method or an access authentication method according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a data interaction schematic of an authorization authentication method according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow chart of an access authentication method according to an embodiment of the disclosure;
FIG. 6 schematically illustrates a data interaction schematic of an access authentication method according to an embodiment of the present disclosure;
FIG. 7 schematically illustrates a block diagram of a structure of an authorization authentication device according to an embodiment of the present disclosure;
FIG. 8 schematically illustrates a block diagram of an access authentication apparatus according to an embodiment of the present disclosure;
FIG. 9 schematically illustrates a block diagram of an electronic device adapted to implement an authorization authentication method or an access authentication method according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where expressions like "at least one of A, B and C, etc." are used, the expressions should generally be interpreted in accordance with the meaning as commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
In embodiments of the present disclosure, the collection, updating, analysis, processing, use, transmission, provision, disclosure, storage, etc., of the data involved (including, but not limited to, user personal information) all comply with relevant laws and regulations, are used for legal purposes, and do not violate public order and good customs. In particular, necessary measures are taken for the personal information of the user, illegal access to the personal information data of the user is prevented, and the personal information security of the user, network security and national security are maintained.
In embodiments of the present disclosure, the user's authorization or consent is obtained before the user's personal information is obtained or collected.
The embodiment of the disclosure provides an authorization authentication method, which comprises the following steps:
receiving an authorization authentication request sent by terminal equipment; performing authorization authentication on the terminal equipment based on the authorization authentication request; generating an identity token of the terminal equipment under the condition that the authorization authentication is passed; and sending the identity token to the terminal equipment so that the terminal equipment initiates an access authentication request to the edge authentication node based on the identity token.
Fig. 1 schematically illustrates an application scenario diagram of an authorization authentication method or an access authentication method, apparatus, device, medium and program product according to an embodiment of the present disclosure.
As shown in fig. 1, an application scenario 100 according to this embodiment may include a terminal device 101, an authorization center 102, and an edge authentication node 103. The terminal device 101, the authorization center 102, and the edge authentication node 103 may communicate with each other via a network. The network may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The terminal device 101 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The authorization center 102 is used for issuing an identity token to the terminal device 101. It checks information such as the hardware specification, version information and physical specification indicators of the terminal device, either offline or through unified detection by the manufacturer, and then signs the key information of a legal device to generate the identity token of the device. This process is the authorization of the terminal device to access the Internet of Things. The authorization center 102 is the core of the whole system, has the highest authority, and is the prover of the legal identity of devices.
A plurality of edge authentication nodes 103 may be provided, and the plurality of edge authentication nodes 103 may form a blockchain network. The edge authentication node 103 is responsible for access authentication of the terminal device 101. For example, it may locally store a trusted list of terminal devices, execute a token-based dual-authentication identity authentication protocol with the terminal device 101 to check the validity of the device's identity, and, after the access is completed, perform two-party key negotiation and encrypted communication with the terminal device 101.
According to an application scenario of the embodiment of the present disclosure, the terminal device 101 needs to be authenticated in the process of accessing the Internet of Things. The terminal device 101 may obtain an identity token from the authorization center 102, then initiate an access authentication request to the edge authentication node 103 and execute a token-based dual authentication protocol with the edge authentication node 103. Finally, it performs key negotiation with the edge authentication node 103, followed by data acquisition and encrypted communication.
It should be understood that the numbers of terminal devices 101, authorization centers 102 and edge authentication nodes 103 in fig. 1 are merely illustrative. There may be any number of terminal devices 101, authorization centers 102 and edge authentication nodes 103, as desired for implementation.
The authorization authentication method and the access authentication method according to the embodiments of the present disclosure will be described in detail below with reference to the scenario described in fig. 1, by referring to fig. 2 to 9.
It should be noted that the authorization authentication method and apparatus, the access authentication method and apparatus, the device, and the medium of the present disclosure may be applied to the information security technical field, the internet of things technical field, the blockchain technical field, and the financial technology technical field, and may also be applied to any field other than the above fields, and the application fields of the authorization authentication method and apparatus, the access authentication method and apparatus, the device, and the medium of the present disclosure are not limited.
Fig. 2 schematically illustrates a flowchart of an authorization authentication method according to an embodiment of the present disclosure.
As shown in fig. 2, the authorization authentication method of this embodiment includes operations S201 to S204.
In operation S201, an authorization authentication request sent by a terminal device is received;
in operation S202, performing authorization authentication on the terminal device based on the authorization authentication request;
in operation S203, in case that the authorization authentication is passed, an identity token of the terminal device is generated;
in operation S204, an identity token is sent to the terminal device, such that the terminal device initiates an access authentication request to the edge authentication node based on the identity token.
Fig. 3 schematically illustrates a system configuration diagram of an authorization authentication method or an access authentication method according to an embodiment of the present disclosure.
As shown in fig. 3, a system architecture of an authorization authentication method of an embodiment of the present disclosure may include a terminal device, an authorization center (LAC), an edge authentication node (edge authentication service).
The terminal device is used for accessing the internet of things to perform data interaction, and authentication, such as authorization authentication (i.e. identity authentication) and access authentication, is required before accessing the internet of things.
The terminal device, the authorization center and the edge authentication node can each generate their own private key and public key by executing a predetermined key generation algorithm (for example, one based on elliptic curve cryptography). The public parameters of the predetermined key generation algorithm and the respective public keys can be issued to a public network to be shared, while each party keeps its own private key and uses it to generate signature information during authentication.
In the application scenario of the embodiment of the disclosure, the authorization center is used for issuing an identity token to the terminal device. It can check information such as the hardware specification, version information and physical specification indicators of the terminal device, either offline or through unified detection by the manufacturer, and then sign the key information of a legal device to generate the identity token of the device. This process is the authorization of the terminal device to access the Internet of Things. The authorization center 102 is the core of the whole system, has the highest authority, and is the prover of the legal identity of devices.
A plurality of edge authentication nodes can be provided, and the plurality of edge authentication nodes can form a blockchain network so that authentication consensus can be reached through the blockchain network. The edge authentication node is responsible for access authentication of the terminal device. For example, it can locally store a trusted list of terminal devices, execute a token-based identity authentication protocol with the terminal device to check the validity of the device's identity, and, after the access is completed, perform two-party key negotiation and encrypted communication with the terminal device.
The terminal device may obtain the identity token from the authorization center, then initiate an access authentication request to the edge authentication node and execute a token-based dual authentication protocol with the edge authentication node. Finally, it performs key negotiation with the edge authentication node, followed by data acquisition and encrypted communication.
Specifically, the execution subject of the operations S201 to S204 is an authorization center, and mainly represents the operation that the authorization center performs authorization authentication on the terminal device to issue the identity token.
In operation S202, the authorization center performs authorization authentication on the terminal device, that is, it authenticates the identity of the terminal device, or in other words authorizes the terminal device to access the Internet of Things. After the authorization authentication is passed, an identity token of the terminal device is generated and sent to the terminal device, so that the terminal device can hold the identity token and initiate an access authentication request to the edge authentication node.
In the Internet of Things scenario, terminal devices are huge in number and limited in resources, and the digital-certificate-based identity authentication of the traditional Internet generally works as follows: the terminal device initiates an access request to the edge service; the edge service may allow the terminal device to access only if the identity of the terminal device is legal, but the edge service cannot itself determine whether that identity is legal, so it sends the request information to an authentication center, and the authentication center returns an authentication result after performing identity authentication. Thus, every access authentication of the terminal device requires one identity authentication by the authentication center. This authentication and authorization process is complex, is not suitable for a perception-layer environment with a huge number of terminal devices, has low efficiency, and increases computer processing cost and network transmission cost.
According to the embodiment of the disclosure, in the authorization authentication method, the authorization center generates an identity token for the terminal device after performing authorization authentication on it. The identity token can be reused once generated: each terminal device goes through the identity authentication process only once to obtain its identity token, which then serves as the identity of the terminal device, and a terminal device holding the identity token can initiate multiple access authentication requests to the edge authentication node. The terminal device only needs to present the identity token to the edge authentication node with each access request, and the edge authentication node does not need to send the request information of the terminal device to an authentication center for identity authentication. This provides an authentication method of one-time authorization and multiple authentications. It overcomes the defect of the large storage and calculation cost of the traditional authentication center, greatly reduces the calculation load of the authentication center, and reduces the communication cost and the amount of calculation. The method is well suited to scenarios in which terminal devices differ greatly in structure and have limited storage and computing resources, and it has the advantages of being secure, efficient and lightweight.
According to an embodiment of the present disclosure, specifically, the authorization authentication request includes authorization authentication information, the authorization authentication information includes a device public key, the device public key is generated by the terminal device by executing a predetermined key generation algorithm, and public parameters of the predetermined key generation algorithm and the device public key are issued to the public network and shared by the terminal device, the edge authentication node, and the authorization center.
Based on this, performing authorization authentication on the terminal device based on the authorization authentication request includes: and carrying out authorization authentication on the terminal equipment based on the equipment public key.
Further, after the identity authorization authentication is performed on the terminal equipment based on the equipment public key, an identity token of the terminal equipment can be further generated based on the equipment public key.
According to the embodiment of the disclosure, the device public key represents the identity of the device, other devices cannot impersonate, and the identity authorization authentication can be performed on the terminal device based on the device public key.
According to an embodiment of the present disclosure, the identity token is a symbol of the authorization center's authority and represents the legal identity of the terminal device; the identity token of the terminal device generated based on the device public key may represent the device identity.
According to the embodiment of the disclosure, generating the identity token of the terminal device based on the device public key binds the device public key information to the identity token. If the public key is illegal, for example a false public key, the identity token generated from it cannot represent the legal identity of the device. The validity of the public key therefore needs to be authenticated in advance, on the one hand to realize the identity authentication of the terminal device, and on the other hand to ensure the validity of the identity token.
Specifically, generating the identity token of the terminal device includes:
First, token additional verification information is acquired, the token additional verification information including at least one of: the device identification of the terminal device, the token generation time of the identity token, and the token validity period of the identity token. The authorization authentication information further includes a device identifier of the terminal device and an authorization authentication request timestamp, and acquiring the token additional verification information includes: generating the token generation time based on the authorization authentication request timestamp; setting the token validity period; and determining the device identification based on the authorization authentication information.
Thereafter, an identity token for the terminal device is generated based on the device public key and the token additional verification information.
According to embodiments of the present disclosure, the token additional verification information may be used to characterize additional information about the device and the token, for example identifying the device and indicating the generation time and validity period of the token.
According to the embodiment of the disclosure, the terminal device, the authorization center and the edge authentication node can each generate their own private key and public key by executing a predetermined key generation algorithm (for example, one based on elliptic curve cryptography). The public parameters of the predetermined key generation algorithm and the respective public keys can be issued to the public network to be shared, while each party keeps its own private key and uses it to generate signature information during authentication.
Specifically, the method for generating the private key and the public key by executing the predetermined key generation algorithm in the terminal device, the authorization center and the edge authentication node is the same, and the authorization center is taken as an example for illustration.
First, the system is initialized and a base field $F_q$ is selected, where $q$ is a prime power. An elliptic curve $E(F_q)$ is defined over $F_q$, with a base point $P$ of prime order $n$ on it. The finite field $F_q$, the elliptic curve parameters, the point $P$ and the order $n$ are the public parameters.
Based on the predefined public parameters, the authorization center randomly selects an integer $d$ in the interval $[1, n-1]$ as the authorization center private key $SK_{LAC}$.
The authorization center public key $PK_{LAC}$ is calculated according to the algorithm $Q = d \times P$, where $Q$ is the public key $PK_{LAC}$. The public key of the authorization center is issued to the public network and shared by the terminal device, the edge authentication node and the authorization center.
By the same method, the terminal device acquires the public parameters from the public network and executes the predetermined key generation algorithm to generate its own device private key and device public key. The device public key is issued to the public network and shared by the terminal device, the edge authentication node and the authorization center.
The edge authentication node also generates its own node private key and node public key by the same method, that is, it generates its own key pair.
According to the embodiment of the disclosure, unlike a traditional method of generating a key pair for a device by one hosting center, in the method, a terminal device generates a public key and a private key by itself, the private key is kept by the device, the problem of key hosting is solved, and the security risk of keeping the key by the hosting center is avoided.
Fig. 4 schematically illustrates a data interaction schematic diagram of an authorization authentication method according to an embodiment of the present disclosure.
The method for performing the authorization authentication on the terminal device and generating the identity token of the terminal device in the authorization authentication method is specifically described below with reference to fig. 4.
As shown in fig. 4, in the preparation phase, the terminal device acquires the public parameters from the public network and executes the predetermined key generation algorithm to generate its own device private key and device public key.
Specifically, the terminal device $dev_i$ selects a random number $r \in [1, n-1]$ and calculates $P_r = r \times P$, where $r$ is the device private key, $P_r$ is the device public key, and the generator $P$ is a public parameter.
Then, the authorization center performs authorization authentication on the terminal equipment based on the equipment public key by adopting a Schnorr protocol in a zero knowledge proof system, and the method specifically comprises the following steps:
operation 11, obtaining public parameters from a public network;
an operation 12 of generating a first verification random number according to the public parameter and transmitting the first verification random number to the terminal equipment;
Operation 13, receiving second random number signature information sent by the terminal equipment, wherein the second random number signature information is generated by signing the first verification random number by the terminal equipment by utilizing an equipment private key;
operation 14, verifying the second random number signature information with the device public key based on the public parameter.
The authorization authentication information further includes an authorization authentication request timestamp, and before the terminal device is authorized and authenticated based on the device public key, the method further includes: verifying the validity of the communication duration of the authorization authentication request according to the authorization authentication request timestamp.
Referring to fig. 4, the above method proceeds, for example, as follows. The terminal device sends its device identification, the current timestamp $T_{cur1}$ (i.e., the authorization authentication request timestamp) and the device public key $P_r$ to the authorization center. After receiving the data, the authorization center obtains the current system time $T'_{cur}$ and checks whether the request time $T'_{cur} - T_{cur1}$ is longer than the one-way communication time $T_{max}$ of the authentication process; this operation verifies the validity of the communication duration of the authorization authentication request. If $T'_{cur} - T_{cur1}$ is greater than $T_{max}$, the current request is ignored; otherwise, the communication duration is verified as valid.
After the timestamp check, the authorization center generates a first verification random number according to the public parameter $n$; specifically, it generates a first verification random number $c \in [1, n-1]$ and sends it to the terminal device.
The terminal device signs the first verification random number with the device private key to generate second random number signature information. The second random number signature information $z$ is calculated and may be sent to the authorization center together with the timestamp.
The calculation method of the second random number signature information refers to the following formula (1):
After receiving the second random number signature information sent by the terminal device, the authorization center uses the device public key, based on the public parameter $P$, to verify the second random number signature information, specifically by verifying whether the following formula (2) holds:
If it holds, the verification passes and the device key is proved to be legal, which shows that the device private key is the private key corresponding to the device public key. The key verification is thus completed under the zero-knowledge condition, and the identity authentication of the device passes.
According to the embodiment of the disclosure, the zero-knowledge proof protocol reduces the risk of exposing the private key during authentication and improves protocol security. The message structure in the protocol is simplified, which reduces complexity. The authentication protocol algorithm has certain advantages in the choice of encryption algorithm and in ciphertext length, can reduce the calculation cost of encryption and decryption and the communication cost of data transmission, and is better suited to the resource-limited Internet of Things environment.
According to an embodiment of the present disclosure, as shown in fig. 4, after the device key is authenticated, the authorization center uses a signature algorithm to generate the token of the device $dev_i$.
The token additional verification information comprises the device identification of the terminal device, the token generation time of the identity token and the token validity period of the identity token. Generating an identity token for the terminal device based on the device public key and the token additional verification information comprises:
operation 21, generating an authorization center public key and an authorization center private key by executing a predetermined key generation algorithm, wherein the authorization center public key is issued to the public network and shared by the terminal device, the edge authentication node and the authorization center;
operation 22, generating token digest explicit information M by assembling the device identification, the token generation time, the token validity period and the device public key, as in the following formula (3):
Here M includes the token generation time, and $T_{val}$ is the expiration date of the device.
The token generation time may be based on the current timestamp T cur1 I.e. authorization request timestamp determination.
Operation 23, calculating a hash value of the token digest explicit information M as token digest implicit information:
operation 24, signing the token digest explicit information M with the authorization center private key $SK_{LAC}$ to generate token digest signature information: $Sign(M, SK_{LAC})$;
Operation 25, assembling the token digest implicit information and the token digest signature information to generate an identity token, as in the following formula (4):
According to the embodiment of the disclosure, the authorization center replaces the function of the traditional authentication center (CA), and the identity token replaces the digital certificate. In the stage in which the terminal device is authorized and obtains its token, the Schnorr protocol, which has the zero-knowledge property, is used to bind the public key of the terminal, thereby generating the identity token of the device.
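The authorization exchange (timestamp check, Schnorr challenge and response) and the token assembly of operations 21 to 25 can be followed end to end in the sketch below, which is an added example and not code from the patent. Formulas (1) to (4) are not reproduced on this page, so it uses the textbook Schnorr identification protocol (commitment R, response z = k + c·r mod n) and a Schnorr signature for Sign(); the curve secp256k1, the value of T_MAX, the JSON encoding of M, the reading of T_val as a duration, and all function and class names are assumptions.

```python
import hashlib
import json
import secrets

# Public parameters. secp256k1 is an assumed choice; the page only says "elliptic curve".
p = 2**256 - 2**32 - 977   # field prime (the page's q)
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of P
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
T_MAX = 5                  # constructed one-way communication bound, in seconds

def on_curve(A):
    return A is not None and (A[1] ** 2 - A[0] ** 3 - 7) % p == 0

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, A):
    """Double-and-add; not constant time, for illustration only."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def rand_scalar():
    return secrets.randbelow(n - 1) + 1          # uniform in [1, n-1]

def keygen():
    d = rand_scalar()
    return d, mul(d, P)                          # private key d, public key Q = d x P

def assemble(dev_id, t_gen, t_val, dev_pub):
    """Token digest explicit information M; the JSON encoding is an assumption."""
    return json.dumps([dev_id, t_gen, t_val, list(dev_pub)]).encode()

def _e(R, M):
    data = R[0].to_bytes(32, "big") + R[1].to_bytes(32, "big") + M
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(M, sk):
    """Schnorr signature, standing in for the page's unspecified Sign()."""
    k = rand_scalar()
    R = mul(k, P)
    return R, (k + _e(R, M) * sk) % n

def verify(M, sig, pk):
    R, s = sig
    return on_curve(R) and mul(s, P) == add(R, mul(_e(R, M), pk))

class Device:
    def __init__(self, dev_id):
        self.id = dev_id
        self.r, self.pub = keygen()              # r never leaves the device

    def request(self, now):
        self.k = rand_scalar()                   # one-time nonce behind commitment R
        return {"id": self.id, "ts": now, "pub": self.pub, "R": mul(self.k, P)}

    def respond(self, c):
        k, self.k = self.k, None                 # a nonce answers one challenge only
        return (k + c * self.r) % n

class AuthorizationCenter:
    def __init__(self):
        self.sk, self.pk = keygen()

    def challenge(self, req, now):
        """Timestamp check, then the first verification random number c."""
        fresh = 0 <= now - req["ts"] <= T_MAX    # future-dated requests also ignored
        if not (fresh and on_curve(req["pub"]) and on_curve(req["R"])):
            return None
        return rand_scalar()

    def issue(self, req, c, z, t_val):
        """Check z against the public key, then build the token."""
        if mul(z, P) != add(req["R"], mul(c, req["pub"])):
            return None
        M = assemble(req["id"], req["ts"], t_val, req["pub"])
        return {"digest": hashlib.sha256(M).hexdigest(), "sig": sign(M, self.sk)}

def check_token(token, dev_id, t_gen, t_val, dev_pub, lac_pk, now):
    """Offline check by a holder of PK_LAC; T_val is treated as a duration."""
    M = assemble(dev_id, t_gen, t_val, dev_pub)
    return (hashlib.sha256(M).hexdigest() == token["digest"]
            and verify(M, token["sig"], lac_pk)
            and t_gen <= now <= t_gen + t_val)
```

Because the token carries a signature over M, `check_token` needs only the shared public key of the authorization center, which is the property the one-time-authorization design relies on. A production authorization center would also keep the issued challenge c in per-session state rather than accept it back from the caller.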
Another aspect of the present disclosure provides an access authentication method, and fig. 5 schematically shows a flowchart of the access authentication method according to an embodiment of the present disclosure.
As shown in fig. 5, the access authentication method of this embodiment includes operations S501 to S502.
In operation S501, an access authentication request sent by a terminal device is received, where the access authentication request includes access authentication information, the access authentication information includes an identity token of the terminal device, and the identity token is generated when an authorization center performs authorization authentication on the terminal device;
in operation S502, access authentication is performed on the terminal device based on the access authentication request.
Specifically, the execution body of the operations S501 to S502 is an edge authentication node, and mainly represents an operation of the edge authentication node for performing access authentication on the terminal device.
According to the embodiment of the disclosure, the access authentication information includes the identity token of the terminal device, and the identity token is generated after the authorization center performs authorization authentication on the terminal device. The identity token can therefore be reused once generated: each terminal device goes through the identity authentication process only once to obtain its identity token, which then serves as the identity of the terminal device, and a terminal device holding the identity token can initiate multiple access authentication requests to the edge authentication node. The terminal device only needs to present the identity token to the edge authentication node with each access request, and the edge authentication node does not need to send the request information of the terminal device to the authentication center for identity authentication. The method makes the authorization center lightweight: each device undergoes identity authentication once, and a single authorization at the authorization center suffices for multiple authentications. It eliminates the defect of the large storage and calculation cost of the traditional authentication center, solves the problem of the large storage and calculation cost of the traditional method, greatly reduces the calculation load of the authentication center, and reduces the communication cost and the amount of calculation. It is better suited to scenarios in which terminal devices differ greatly in structure and have limited storage and computing resources, and it has the advantages of being secure, efficient and lightweight.
Specifically, the edge authentication node performs access authentication on the terminal device, including dual authentication: token authentication + key authentication. For example, authenticating the terminal device based on the access authentication request includes:
first, token authentication is performed on an identity token.
And then, if the token authentication is passed, carrying out key authentication on the terminal equipment.
Fig. 6 schematically illustrates a data interaction schematic of an access authentication method according to an embodiment of the present disclosure. The access authentication method according to the embodiment of the present disclosure is described in detail below with reference to fig. 6.
As shown in fig. 6, the access authentication information of the access request may include the identity token of the terminal device, the device identifier of the terminal device, the token generation time of the identity token, the token validity period $T_{val}$ of the identity token, the device public key, the message random number $R_{msg}$, etc. The terminal device sends this information to the edge authentication node that has the lowest communication overhead with the device.
Before token authentication is performed on the terminal device, the edge authentication node can perform attack prevention verification on the terminal device based on the message random number. If the verification fails, access is rejected and message error information is returned. For example, if the message random numbers of multiple requests sent by the terminal device within the same time period are the same, the device is considered to pose a risk of attacking the edge authentication node, and access is refused.
The edge authentication node can check the validity of the communication duration according to the request time stamp, and if the communication duration is not legal, the edge authentication node refuses to access and returns message error information.
According to an embodiment of the present disclosure, as shown in fig. 6, before token authentication of the identity token the method may further include:
querying a trusted list based on the device identifier. If the trusted list contains the device identifier, the identity token of the device has been authenticated before, so token authentication is not carried out and the key authentication of the second step is carried out directly. Token authentication is carried out on the identity token in the case that the trusted list does not contain the device identifier.
According to an embodiment of the present disclosure, before token authentication of the identity token, the method further includes verifying the validity period of the token. If the token has expired, token authentication is not needed: access is refused, message error information is returned, and the information is deleted from the trusted list. Only a token within its validity period is authenticated.
Verifying the validity period of the token specifically comprises the following operations:
Operation 31, acquiring the access authentication request timestamp $T_{cur2}$;
Operation 32, verifying the validity period of the identity token based on the token generation time, the token validity period $T_{val}$ and the access authentication request timestamp $T_{cur2}$;
in particular, ifIt is stated that the token has failed and access is denied. Otherwise, the verification passes.
Operation 33, in case the trusted list does not contain a device identification and the validity period verification of the identity token is passed, token authentication is performed on the identity token.
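The checks an edge authentication node runs before token authentication (message random number, communication duration, trusted list, validity period), as an added example that is not code from the patent. The field names, the two time limits, the expiry test T_gen + T_val < T_cur2 and the binding of a trusted-list entry to the token it was granted for are assumptions made here.

```python
from dataclasses import dataclass, field

MAX_DELAY_S = 30       # assumed limit for a legal communication duration
NONCE_WINDOW_S = 300   # assumed period in which a message nonce must not repeat


@dataclass
class EdgeNodeState:
    """State an edge authentication node keeps between access requests."""
    nonces: dict = field(default_factory=dict)    # (device id, R_msg) -> time seen
    trusted: dict = field(default_factory=dict)   # device id -> (token, expiry)

    def precheck(self, req, now):
        """Decide the next step for one access authentication request."""
        dev = req["device_id"]
        # 1. Anti-attack check: the same R_msg from a device inside the window.
        self.nonces = {k: t for k, t in self.nonces.items()
                       if now - t < NONCE_WINDOW_S}
        if (dev, req["r_msg"]) in self.nonces:
            return "reject: repeated message random number"
        self.nonces[(dev, req["r_msg"])] = now
        # 2. Communication duration, from the request timestamp T_cur2.
        if not 0 <= now - req["t_cur2"] <= MAX_DELAY_S:
            return "reject: illegal communication duration"
        # 3. Trusted list. The entry is bound to the token it was granted for,
        #    so a different token under a trusted device id is re-authenticated.
        entry = self.trusted.get(dev)
        if entry is not None and entry[0] == req["token"]:
            if entry[1] < req["t_cur2"]:           # recorded expiry has passed
                del self.trusted[dev]
                return "reject: token expired"
            return "key authentication"
        # 4. Validity period of a token that is not on the trusted list.
        if req["t_gen"] + req["t_val"] < req["t_cur2"]:
            self.trusted.pop(dev, None)
            return "reject: token expired"
        return "token authentication"

    def add_trusted(self, req):
        """Called after authentication consensus passes for this request."""
        expiry = req["t_gen"] + req["t_val"]
        self.trusted[req["device_id"]] = (req["token"], expiry)
```

The expiry recorded at `add_trusted` time is what a trusted device is later checked against, so a cached entry cannot outlive the token it was created from.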
According to an embodiment of the present disclosure, token authentication of an identity token includes:
acquiring an authorization center public key from a public network; and carrying out a signature verification operation on the token digest signature information by using the public key of the authorization center.
With reference to the above embodiment, the identity token includes token digest implicit information and token digest signature information, where the token digest implicit information is associated with token digest explicit information, the token digest explicit information includes a device identifier of the terminal device, a token generation time of the identity token, a token validity period of the identity token, and a device public key of the terminal device, and the token digest signature information is generated by the authorization center signing the token digest explicit information with the authorization center private key.
Specifically, the signature verification operation on the token digest signature information using the public key of the authorization center comprises the following operations:
Operation 41, decrypting the token digest signature information by using the public key of the authorization center to obtain reference information. Since the token digest signature information $Sign(M, SK_{LAC})$ is generated by the authorization center signing the token digest explicit information $M$ with the authorization center private key $SK_{LAC}$, the authorization center public key $PK_{LAC}$ can be used to decrypt the token digest signature information and obtain the reference information $Verify(Sign(M, SK_{LAC}), PK_{LAC})$. If the key is legal, $Verify(Sign(M, SK_{LAC}), PK_{LAC}) = M$.
Operation 42, matching the hash value of the reference information with the token digest implicit information;
Operation 43, in case the hash value of the reference information matches the token digest implicit information, passing token authentication of the identity token.
That is, verify whether $H(Verify(Sign(M, SK_{LAC}), PK_{LAC}))$ equals the token digest implicit information, i.e. equals $H(M)$. If the key is legal, the two are equal and token authentication of the identity token passes.
According to the embodiment of the disclosure, since the authorization center uses the private key of the authorization center to generate the signature information of the token in the authorization stage, the edge authentication node can verify the token digest signature information by using the public key of the authorization center, thereby verifying the legitimacy of the identity token. In this way, on one hand, the security of the token information can be improved, and on the other hand, the authentication algorithm requires fewer parameters, so that the communication overhead is saved and the authentication efficiency is improved.
The method in which the authentication server signs the public key and the effective timestamp of the terminal device to generate the device identity token replaces a digital certificate. On one hand, the private key of the device is generated by the device itself and the authentication server cannot learn it, which solves the problem of key escrow. On the other hand, the token proves the legitimacy of the identity of the device, and illegal device access can be prevented by verifying the token. Most critically, the token authentication mode solves the problems of storage and management of digital certificates by a third-party trusted center, reduces the calculation pressure of the terminal device and reduces the communication overhead.
According to an embodiment of the present disclosure, after passing authentication of an identity token of a terminal device, performing key authentication on the terminal device includes:
an operation 51 of sending an identity challenge request to a terminal device;
an operation 52 of receiving second random number signature information sent by the terminal device, wherein the second random number signature information is generated by the terminal device by signing a second verification random number based on a public parameter and a device private key in response to the identity challenge request, the public parameter is obtained by the terminal device from a public network, and the second verification random number is randomly generated by the terminal device;
operation 53, obtaining public parameters and a device public key of the terminal device from the public network;
operation 54 verifies the second random number signature information with the device public key based on the public parameter.
As shown in fig. 6, the edge authentication node needs to authenticate the public key and the private key of the device after checking the token legitimacy of the device.
Firstly, an edge authentication node sends an identity challenge request to terminal equipment, and the terminal equipment performs the following operations after receiving the challenge:
Based on the public parameter, select a random number $k \in [1, n-1]$ and calculate the point according to the following formulas (5) and (6):
$k \times P = (x_1, y_1)$ (5)
$R = x_1 \bmod n$ (6)
If $R = 0$, the random number is selected again for calculation.
Calculate according to the following formula (7):
$k^{-1} \bmod n$ (7)
Select a second verification random number $m$ and calculate the hash value $z = H(m)$.
Inspection ofIf 0, the random number k is selected again. Until a suitable parameter k is determined.
The terminal device signs the second verification random number m based on the public parameter and the device private key to generate second random number signature information (R, S).
The terminal device then transmits the second random number signature information to the edge authentication node. A message timestamp $T_{cur3}$ and a message random number $R_{msg}$ may be transmitted at the same time. For example, the terminal device transmits information such as $\{m, R, S, R_{msg}, T_{cur}\}$ to the edge authentication node.
After receiving the challenge information sent by the terminal, the edge authentication node firstly checks the validity of the message random number and the message time stamp, if the message random number and the message time stamp are legal, the challenge information is checked, and otherwise, the access is refused.
The edge authentication node performs challenge information verification as follows: and verifying the second random number signature information by using the device public key based on the public parameter.
Specific algorithms for performing the verification can be referred to the following formulas (8) to (13).
Calculating parameters:
$e' = H(m)$ (8)
$w = S^{-1} \bmod n$ (9)
$u_1 = e' \times w \bmod n$ (10)
$u_2 = R \times w \bmod n$ (11)
calculating the point:
if x 2 If the number is not equal to 0, the verification is failed, access is refused, otherwise, parameters are calculated
$v = x_2 \bmod n$ (13)
If $v = R$, then verification is successful.
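The dual authentication described above, token authentication (operations 41 to 43) followed by key authentication with formulas (5) to (13), as an added example that is not code from the patent. Assumptions made here: secp256k1 as the public parameters, SHA-256 as H, a JSON encoding of M, the standard ECDSA value S = k^-1 (z + R x d) mod n and rejection of the point at infinity where the page's formulas are not legible, and, because ECDSA has no message recovery, M rebuilt by the node from the request fields rather than recovered from the signature.

```python
import hashlib
import json
import secrets

# Assumption: the page names no curve. secp256k1 stands in for the public
# parameters: field prime FIELD, base point G (the page's P) and its order N.
FIELD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    """True for a finite, in-range point with y^2 = x^3 + 7 (mod FIELD)."""
    return (pt is not None and all(0 <= c < FIELD for c in pt)
            and (pt[1] ** 2 - pt[0] ** 3 - 7) % FIELD == 0)

def add(p1, p2):
    """Point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1 % FIELD, -1, FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD)
    x3 = (lam * lam - x1 - x2) % FIELD
    return x3, (lam * (x1 - x3) - y1) % FIELD

def mul(k, pt):
    """Double-and-add k x pt (not constant-time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def H(data):
    """Hash to an integer; SHA-256 is an assumption, the page only writes H."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def keygen():
    """Return (private key d, public key d x G)."""
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)

def sign(m, d):
    """Signer side, formulas (5)-(7): returns (R, S) for message bytes m."""
    while True:
        k = secrets.randbelow(N - 1) + 1           # k in [1, n-1]
        R = mul(k, G)[0] % N                       # (5) and (6)
        S = pow(k, -1, N) * (H(m) + R * d) % N     # (7) supplies k^-1 mod n
        if R != 0 and S != 0:                      # otherwise select k again
            return R, S

def verify(m, sig, pub):
    """Verifier side, formulas (8)-(13)."""
    R, S = sig
    if not (on_curve(pub) and 0 < R < N and 0 < S < N):
        return False
    w = pow(S, -1, N)                              # (9)
    u1, u2 = H(m) * w % N, R * w % N               # (8), (10), (11)
    X = add(mul(u1, G), mul(u2, pub))              # the point (x2, y2)
    return X is not None and X[0] % N == R         # (13): v = x2 mod n == R

def explicit_info(dev_id, t_gen, t_val, dev_pub):
    """Token digest explicit information M, serialised unambiguously."""
    return json.dumps([dev_id, t_gen, t_val, list(dev_pub)]).encode()

def issue_token(sk_lac, dev_id, t_gen, t_val, dev_pub):
    """Authorization center: token = (H(M), Sign(M, SK_LAC))."""
    m = explicit_info(dev_id, t_gen, t_val, dev_pub)
    return {"implicit": hashlib.sha256(m).hexdigest(), "sig": sign(m, sk_lac)}

def token_auth(token, pk_lac, dev_id, t_gen, t_val, dev_pub):
    """Edge node: verify the signature over M, then match H(M) to the token."""
    m = explicit_info(dev_id, t_gen, t_val, dev_pub)   # rebuilt, not recovered
    if not verify(m, token["sig"], pk_lac):
        return False
    return hashlib.sha256(m).hexdigest() == token["implicit"]

def respond(d):
    """Terminal device: choose the second verification random number m, sign it."""
    m = secrets.token_bytes(32)
    return (m, *sign(m, d))

def access_auth(token, fields, response, pk_lac):
    """Dual authentication: key authentication runs only if the token passes.

    fields = (dev_id, t_gen, t_val, dev_pub); the key check uses the public
    key that the token vouches for.
    """
    m, R, S = response
    return token_auth(token, pk_lac, *fields) and verify(m, (R, S), fields[3])
```

Because m is chosen by the device rather than by the node, a captured (m, R, S) still verifies on its own; the message random number and timestamp checks are what make a response single-use.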
As shown in fig. 6, further, according to an embodiment of the present disclosure, the edge authentication node may be provided with a plurality, and the plurality of edge authentication nodes may form a blockchain network, so as to facilitate authentication consensus through the blockchain network.
After the current node completes access authentication of the terminal device, the authentication information can be further issued to the blockchain, and whether the terminal device is given access is determined through the consensus of all nodes on the authentication information. In this way, the security and reliability of authentication can be further enhanced.
For example, if the current node is an unsafe node, the reliability of the authentication cannot be ensured even if that node's access authentication of the device passes. By issuing the authentication information to the blockchain, the final access authentication of the terminal device passes only if the access authentication of the terminal device by all the nodes passes.
The authentication information includes, for example: m, R, S.
When the authentication consensus on the terminal device passes, the device information is added to the trusted list and the access authentication application of the device is approved at the same time.
To further illustrate the reliability of the authentication algorithm of the embodiments of the present disclosure, several attack approaches are considered below.
For example, a user may want to impersonate or falsify an identity, requiring the private key of a device or node to be obtained. If the random number k used by the device to sign during authentication is obtained by an attacker, the attacker can calculate the point R from the random number k:
$P_R = k \times P = (x_R, y_R)$
and then obtain
$R = x_R \bmod n$
Having also stolen the signature information $\{m, R, S\}$ of the device, the attacker computes
$P_r = R^{-1}(S \times k - H(m)) \bmod n$
to obtain the private key $P_r$ of the user. Since the public key and the token of the terminal device are disclosed externally, an attacker who holds the private key of the user can impersonate the terminal identity and forge the signature.
Specifically, the random number k is cracked by, for example, a random collision method.
The user takes a randomly generated $k_1$, calculates the corresponding point and from it $R_1$ in the same way as above, and finally looks through the signature information $\{m, R, S\}$ in the communication process to see whether $R_1$ appears. If it does, the private key of the node can be calculated.
Since the random number generation algorithm adopted by the embodiment of the disclosure makes the distribution probability of the random number k in the value space uniform, if the bit length of k is n, the success rate of each trial k isThe bit length used here is 256, the probability of success is +.>So that an attack by random collisions is almost impossible.
For another example, assume that there are u problematic terminal devices, where a problematic terminal device refers to a device that intends to obtain the private key of another device for identity impersonation. Each terminal device $dev_i$ locally stores, each time it generates a signature, the random number it used and the corresponding value, then continuously acquires signature information in the network and checks whether a signature with a matching value exists; if so, the corresponding private key is obtained by performing the above calculation.
In the worst case, all nodes in the network are problem nodes, i.e. all parties involved in authentication hold the random numbers and signatures they used to generate signatures. In this case, the question of the probability that a private key is calculated becomes: at least two signatures among all the signature information in the whole communication network use the same random number k. With k uniformly distributed (n bits in length), according to the birthday attack theory, when the number of signatures in the network is N, the adversary's attack succeeds with probability $1-p$.
Substituting $n = 256$: for the adversary to succeed with a probability of 0.01 or more, $N$ must be not less than $2^{126}$; for the adversary to succeed with a probability of $1 \times 10^{-10}$, $N \geq 2^{113}$. If each terminal device authenticates once every 10 minutes and there are 10000 devices in total, the number of signatures generated by authentication over 100 years is $24 \times 6 \times 10000 \times 365 \times 100 \approx 2^{36}$, far less than $2^{113}$.
The security of the authentication protocol designed by the embodiments of the present disclosure is analyzed informally as follows:
Anti-counterfeiting attack: when an attacker forges an authentication request of a legal device to gain access, the counterfeiter does not hold the private key of the legal device and thus cannot complete the authentication challenge, so the blockchain network denies the access.
Anti-replay attack: the communication data packets between different devices and between nodes carry unique timestamps and random numbers. If an attacker replays repeated data packets during communication, the authentication node can verify the random numbers and the timestamps and discard the repeated packets.
Since the communication data packet of each authentication request has private key signatures of the device and the authentication node and is written into the blockchain, the terminal device cannot deny its own authentication request.
Traceable: after each terminal successfully passes the access authentication, its authentication information is timestamped, packaged and written into the blockchain. The information in the blockchain generates an integrity digest through a hash function and, by means of the Merkle tree, cannot be tampered with, which ensures the authenticity of the tracing information.
In the protocol, the third-party authority is the authorization center LAC. The Schnorr protocol, which has the zero-knowledge property, is used for private key authentication of the terminal device in the authorization process, and no information about the private key of the terminal device is disclosed during the protocol interaction. Compared with the traditional authentication mode of public key signature verification, although there are more interaction steps, the safety of the private key of the device is guaranteed to a certain extent and the risk of private key leakage is reduced.
Based on the authorization authentication method, the disclosure further provides an authorization authentication device. The device will be described in detail below in connection with fig. 7.
Fig. 7 schematically illustrates a block diagram of a structure of an authorization authentication device according to an embodiment of the present disclosure.
As shown in fig. 7, the authorization authentication apparatus 700 of this embodiment includes an authorization request receiving module 701, an authorization authentication module 702, a token generating module 703, and a token transmitting module 704.
An authorization request receiving module 701, configured to receive an authorization authentication request sent by a terminal device;
an authorization authentication module 702, configured to perform authorization authentication on the terminal device based on the authorization authentication request;
a token generation module 703, configured to generate an identity token of the terminal device if the authorization authentication passes;
the token sending module 704 is configured to send an identity token to the terminal device, so that the terminal device initiates an access authentication request to the edge authentication node based on the identity token.
According to the embodiment of the disclosure, after the terminal device passes the authorization authentication through the authorization authentication module 702, the token generation module 703 generates an identity token of the terminal device, the identity token can be repeatedly used after being generated, and for each terminal device, only one identity authentication process is performed to generate the identity token for the terminal device, the identity token can be used as the identity of the terminal device, and the terminal device can hold the identity token to initiate multiple access authentication requests to the edge authentication node. The identity token is only required to be provided for the edge authentication node when each access request is made, and the edge authentication node is not required to send the request information of the terminal equipment to an authentication center for identity authentication. Therefore, the device realizes the light weight of the authorization center, performs one-time identity authentication on each equipment, can perform multiple authentications only by completing one-time authorization at the authorization center, provides an authentication method for one-time authorization and multiple authentications, eliminates the defect of the traditional authentication center that digital certificates are stored and managed, solves the problems of large storage and calculation costs of the traditional method, reduces the calculation load of the authentication center to a large extent, reduces the communication costs and the calculation amount, can be better suitable for scenes with large structural differences of terminal equipment and limited storage and calculation resources, and has the advantages of safety, high efficiency and light weight.
According to the embodiment of the disclosure, the authorization authentication request includes authorization authentication information, the authorization authentication information includes a device public key, the device public key is generated by the terminal device through executing a predetermined key generation algorithm, and public parameters of the predetermined key generation algorithm and the device public key are issued to a public network and are shared by the terminal device, the edge authentication node and the authorization center.
The authorization authentication module 702 includes an authorization authentication unit for performing authorization authentication on the terminal device based on the device public key.
According to an embodiment of the present disclosure, the terminal device further generates a device private key by executing a predetermined key generation algorithm.
The authorization authentication unit comprises an acquisition subunit, a random number generation unit, a receiving subunit and a signature verification subunit.
An acquisition subunit, configured to acquire a public parameter from a public network; the random number generation unit is used for generating a first verification random number according to the public parameter and sending the first verification random number to the terminal equipment; a receiving subunit, configured to receive second random number signature information sent by the terminal device, where the second random number signature information is generated by signing the first verification random number with a device private key by the terminal device; and the signature verification subunit is used for verifying the second random number signature information by utilizing the device public key based on the public parameter.
According to the embodiment of the disclosure, the authorization and authentication information further comprises an authorization and authentication request time stamp, and the device further comprises a communication duration verification module, which is used for verifying the validity of the communication duration of the authorization and authentication request according to the authorization and authentication request time stamp before the terminal device is authorized and authenticated based on the device public key.
According to an embodiment of the disclosure, the token generation module comprises an additional information generation unit and a token generation unit.
Wherein the additional information generating unit is configured to acquire token additional verification information, where the token additional verification information includes at least one of: the equipment identification of the terminal equipment, the token generation time of the identity token and the token validity period of the identity token; and a token generation unit for generating an identity token of the terminal device based on the device public key and the token additional authentication information.
According to the embodiment of the disclosure, the authorization authentication information further includes a device identifier of the terminal device and an authorization authentication request timestamp, and the additional information generating unit includes a first generating subunit and a setting subunit.
The first generation subunit is used for generating token generation time based on the authorization authentication request time stamp; and the setting subunit is used for setting the validity period of the token and determining the equipment identification based on the authorization authentication information.
According to an embodiment of the disclosure, the token generation unit comprises a second generation subunit, a first assembly subunit, a hash subunit, a signature subunit, and a second assembly subunit.
The second generation subunit is used for generating a public key of the authorization center and a private key of the authorization center by executing a preset key generation algorithm, wherein the public key of the authorization center is published to a public network and is shared by the terminal equipment, the edge authentication node and the authorization center; the first assembly subunit is used for assembling the equipment identifier, the token generation time, the token validity period and the equipment public key to generate token digest explicit information; the hash subunit is used for calculating the hash value of the token digest explicit information and taking the hash value as the token digest implicit information; the signature subunit is used for signing the token digest explicit information by using the private key of the authorization center to generate token digest signature information; and the second assembling subunit is used for assembling the token digest implicit information and the token digest signature information to generate an identity token.
Any of the authorization request receiving module 701, the authorization authenticating module 702, the token generating module 703, the token transmitting module 704 may be combined in one module to be implemented, or any of the modules may be split into a plurality of modules according to an embodiment of the present disclosure. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the authorization request receiving module 701, the authorization authenticating module 702, the token generating module 703, the token transmitting module 704 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or in hardware or firmware such as any other reasonable way of integrating or packaging the circuitry, or in any one of or a suitable combination of three of software, hardware, and firmware. Alternatively, at least one of the authorization request receiving module 701, the authorization authenticating module 702, the token generating module 703, the token transmitting module 704 may be at least partially implemented as a computer program module which, when executed, may perform the respective functions.
Based on the access authentication method, the disclosure also provides an access authentication device. The device will be described in detail below in connection with fig. 8.
Fig. 8 schematically shows a block diagram of an access authentication apparatus 800 according to an embodiment of the present disclosure.
As shown in fig. 8, the access authentication apparatus 800 of this embodiment includes an access request receiving module 801, an access authentication module 802.
The access request receiving module is used for receiving an access authentication request sent by the terminal equipment, wherein the access authentication request comprises access authentication information, the access authentication information comprises an identity token of the terminal equipment, and the identity token is generated under the condition that the authorization center carries out authorization authentication on the terminal equipment; and the access authentication module is used for carrying out access authentication on the terminal equipment based on the access authentication request.
According to an embodiment of the disclosure, the access authentication module includes a token authentication sub-module, a key authentication sub-module.
The token authentication sub-module is used for carrying out token authentication on the identity token; and the key authentication sub-module is used for carrying out key authentication on the terminal equipment under the condition that the token authentication passes.
According to the embodiment of the disclosure, the identity token comprises token digest implicit information and token digest signature information, wherein the token digest implicit information is associated with the token digest explicit information, the token digest explicit information comprises equipment identification of the terminal equipment, token generation time of the identity token, token validity period of the identity token and equipment public key of the terminal equipment, and the token digest signature information is generated by signing the token digest explicit information by an authorization center by utilizing an authorization center private key.
The token authentication submodule comprises a first information acquisition unit and a first signature verification unit.
A first information acquisition unit configured to acquire an authorization center public key from a public network; the first signature verification unit is used for carrying out signature verification operation on the token digest signature information by using the public key of the authorization center.
According to an embodiment of the present disclosure, the verification unit includes a decryption subunit, a matching subunit, and a token authentication subunit.
The decryption subunit is used for decrypting the token digest signature information by using the public key of the authorization center to obtain reference information; the matching subunit is used for matching the hash value of the reference information with the token digest implicit information; and the token authentication subunit is used for passing token authentication of the identity token under the condition that the hash value of the reference information matches the token digest implicit information.
According to the embodiment of the disclosure, the access authentication information further comprises a device identifier of the terminal device.
The device further comprises a query module for querying the trusted list based on the device identification before token authentication of the identity token, so that the token authentication of the identity token is performed in case the device identification is not included in the trusted list.
According to the embodiment of the disclosure, the access authentication information further comprises token generation time of the identity token and token validity period of the identity token.
The device also comprises a time stamp acquisition module, a validity period verification module and a processing module.
The time stamp obtaining module is used for obtaining an access authentication request time stamp before token authentication is carried out on the identity token; the validity period verification module is used for verifying the validity period of the identity token based on the token generation time, the token validity period and the access authentication request timestamp; and the processing module is used for carrying out token authentication on the identity token under the condition that the trusted list does not contain the equipment identifier and the validity period of the identity token is verified.
According to the embodiment of the disclosure, the key authentication sub-module comprises a challenge request sending unit, a signature information receiving unit, a second information obtaining unit and a second signature verification unit.
The challenge request sending unit is used for sending an identity challenge request to the terminal equipment; a signature information receiving unit, configured to receive second random number signature information sent by the terminal device, where the second random number signature information is generated by the terminal device by signing a second verification random number based on a public parameter and a device private key in response to an identity challenge request, the public parameter is obtained by the terminal device from a public network, and the second verification random number is randomly generated by the terminal device; a second information acquisition unit configured to acquire a public parameter and a device public key of the terminal device from the public network; and the second signature verification unit is used for verifying the second random number signature information by using the device public key based on the public parameter.
According to the embodiment of the disclosure, the access authentication information comprises a message random number; the device also comprises an anti-attack verification module which is used for carrying out anti-attack verification on the terminal equipment based on the message random number before carrying out access authentication on the terminal equipment.
According to an embodiment of the present disclosure, the access request receiving module 801 and the access authentication module 802 may be combined and implemented in one module, or either of the modules may be split into a plurality of modules. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the access request receiving module 801 and the access authentication module 802 may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable way of integrating or packaging the circuits, or in any one of, or a suitable combination of, software, hardware, and firmware. Alternatively, at least one of the access request receiving module 801 and the access authentication module 802 may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
Fig. 9 schematically illustrates a block diagram of an electronic device adapted to implement an authorization authentication method or an access authentication method according to an embodiment of the disclosure.
As shown in fig. 9, an electronic device 900 according to an embodiment of the present disclosure includes a processor 901 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 902 or a program loaded from a storage portion 908 into a Random Access Memory (RAM) 903. The processor 901 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. Processor 901 may also include on-board memory for caching purposes. Processor 901 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 903, various programs and data necessary for the operation of the electronic device 900 are stored. The processor 901, the ROM 902, and the RAM 903 are connected to each other by a bus 904. The processor 901 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 902 and/or the RAM 903. Note that the program may be stored in one or more memories other than the ROM 902 and the RAM 903. The processor 901 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the disclosure, the electronic device 900 may also include an input/output (I/O) interface 905, the input/output (I/O) interface 905 also being connected to the bus 904. The electronic device 900 may also include one or more of the following components connected to an input/output (I/O) interface 905: an input section 906 including a keyboard, a mouse, and the like; an output portion 907 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage portion 908 including a hard disk or the like; and a communication section 909 including a network interface card such as a LAN card, a modem, or the like. The communication section 909 performs communication processing via a network such as the internet. The drive 910 is also connected to an input/output (I/O) interface 905 as needed. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on the drive 910 so that a computer program read out therefrom is installed into the storage section 908 as needed.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 902 and/or RAM 903 and/or one or more memories other than ROM 902 and RAM 903 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to perform the methods provided by embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 901. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed, and downloaded and installed in the form of a signal on a network medium, via communication portion 909, and/or installed from removable medium 911. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from the network via the communication portion 909 and/or installed from the removable medium 911. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 901. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, program code for performing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, "C", or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined and/or integrated in a variety of ways, even if such combinations or integrations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or integrated without departing from the spirit and teachings of the present disclosure. All such combinations and/or integrations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (20)

1. An authorization authentication method, comprising:
receiving an authorization authentication request sent by terminal equipment;
performing authorization authentication on the terminal equipment based on the authorization authentication request;
generating an identity token of the terminal equipment under the condition that the authorization authentication is passed;
and sending the identity token to the terminal equipment so that the terminal equipment initiates an access authentication request to an edge authentication node based on the identity token.
2. The method of claim 1, wherein the authorization authentication request includes authorization authentication information, and the authorization authentication information includes a device public key, the device public key is generated by the terminal device by executing a predetermined key generation algorithm, and public parameters of the predetermined key generation algorithm and the device public key are issued to a public network and are shared by the terminal device, the edge authentication node and the authorization center;
the step of carrying out authorization authentication on the terminal equipment based on the authorization authentication request comprises the following steps:
and carrying out authorization authentication on the terminal equipment based on the device public key.
3. The method of claim 2, wherein the terminal device further generates a device private key by executing the predetermined key generation algorithm;
the authentication of the terminal equipment based on the device public key comprises the following steps:
acquiring the public parameters from a public network;
generating a first verification random number according to the public parameter, and sending the first verification random number to the terminal equipment;
receiving second random number signature information sent by the terminal equipment, wherein the second random number signature information is generated by the terminal equipment by signing the first verification random number by utilizing the device private key;
and verifying the second random number signature information by using the device public key based on the public parameter.
4. The method of claim 2, wherein the authorization authentication information further includes an authorization authentication request timestamp, and further includes, before authorizing the terminal device based on the device public key:
and verifying the validity of the communication duration of the authorization authentication request according to the authorization authentication request time stamp.
5. The method of claim 2, wherein generating the identity token for the terminal device comprises:
obtaining token additional authentication information, the token additional authentication information including at least one of: the device identifier of the terminal equipment, the token generation time of the identity token and the token validity period of the identity token;
and generating an identity token for the terminal device based on the device public key and the token additional authentication information.
6. The method of claim 5, wherein the authorization authentication information further includes a device identifier of the terminal device and an authorization authentication request timestamp, and obtaining the token additional authentication information includes:
generating a token generation time based on the authorization authentication request timestamp;
and setting the validity period of the token and determining the device identifier based on the authorization authentication information.
7. The method of claim 5, wherein generating an identity token for the terminal device based on the device public key and the token additional authentication information comprises:
generating an authorization center public key and an authorization center private key by executing the predetermined key generation algorithm, wherein the authorization center public key is published to a public network and shared by the terminal equipment, the edge authentication node and the authorization center;
generating token digest explicit information by assembling the device identifier, the token generation time, the token validity period and the device public key;
calculating a hash value of the token digest explicit information to be used as token digest implicit information;
signing the token digest explicit information by using the authorization center private key to generate token digest signature information;
and assembling the token digest implicit information and the token digest signature information to generate the identity token.
8. An access authentication method, comprising:
receiving an access authentication request sent by a terminal device, wherein the access authentication request comprises access authentication information, the access authentication information comprises an identity token of the terminal device, and the identity token is generated under the condition that an authorization center carries out authorization authentication on the terminal device;
and carrying out access authentication on the terminal equipment based on the access authentication request.
9. The method of claim 8, wherein authenticating the terminal device for access based on the access authentication request comprises:
performing token authentication on the identity token;
and carrying out key authentication on the terminal equipment under the condition that the token authentication is passed.
10. The method according to claim 9, wherein:
the identity token comprises token digest implicit information and token digest signature information, wherein the token digest implicit information is associated with token digest explicit information, the token digest explicit information comprises the device identifier of the terminal equipment, the token generation time of the identity token, the token validity period of the identity token and the device public key of the terminal equipment, and the token digest signature information is generated by signing the token digest explicit information by an authorization center by utilizing an authorization center private key;
performing token authentication on the identity token comprises:
acquiring an authorization center public key from a public network;
and carrying out a signature verification operation on the token digest signature information by using the authorization center public key.
11. The method of claim 10, wherein carrying out the signature verification operation on the token digest signature information by using the authorization center public key comprises:
decrypting the token digest signature information by using the authorization center public key to obtain reference information;
matching the hash value of the reference information against the token digest implicit information;
and if the hash value of the reference information matches the token digest implicit information, the token authentication of the identity token is passed.
12. The method of claim 9, wherein the access authentication information further includes a device identifier of the terminal device;
before the identity token is subjected to token authentication, the method further comprises the following steps:
querying a trusted list based on the device identifier;
and carrying out token authentication on the identity token under the condition that the trusted list does not contain the device identifier.
13. The method of claim 12, wherein the access authentication information further includes a token generation time of the identity token and a token validity period of the identity token;
before the identity token is subjected to token authentication, the method further comprises the following steps:
acquiring an access authentication request time stamp;
verifying the validity period of the identity token based on the token generation time, the token validity period and the access authentication request timestamp;
and carrying out token authentication on the identity token under the condition that the trusted list does not contain the device identifier and the validity period of the identity token passes verification.
14. The method of claim 9, wherein authenticating the terminal device comprises:
sending an identity challenge request to the terminal equipment;
receiving second random number signature information sent by the terminal equipment, wherein the second random number signature information is generated by the terminal equipment by signing a second verification random number based on a public parameter and a device private key in response to the identity challenge request, the public parameter is obtained by the terminal equipment from a public network, and the second verification random number is randomly generated by the terminal equipment;
acquiring the public parameters and the device public key of the terminal equipment from a public network;
and verifying the second random number signature information by using the device public key based on the public parameter.
15. The method of claim 8, wherein the access authentication information includes a message random number therein;
before the access authentication is performed on the terminal equipment, the method further comprises the following steps:
and carrying out anti-attack verification on the terminal equipment based on the message random number.
16. An authorization authentication device, comprising:
the authorization request receiving module is used for receiving an authorization authentication request sent by the terminal equipment;
the authorization authentication module is used for carrying out authorization authentication on the terminal equipment based on the authorization authentication request;
the token generation module is used for generating an identity token of the terminal equipment under the condition that the authorization authentication passes;
and the token sending module is used for sending the identity token to the terminal equipment so that the terminal equipment initiates an access authentication request to an edge authentication node based on the identity token.
17. An access authentication apparatus comprising:
an access request receiving module, configured to receive an access authentication request sent by a terminal device, where the access authentication request includes access authentication information, where the access authentication information includes an identity token of the terminal device, and the identity token is generated when authorization authentication is performed on the terminal device by an authorization center;
and the access authentication module is used for carrying out access authentication on the terminal equipment based on the access authentication request.
18. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-15.
19. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1 to 15.
20. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 15.
CN202310834577.1A 2023-07-07 2023-07-07 Authorization authentication method and device, access authentication method and device, equipment and medium Pending CN116707983A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310834577.1A CN116707983A (en) 2023-07-07 2023-07-07 Authorization authentication method and device, access authentication method and device, equipment and medium

Publications (1)

Publication Number Publication Date
CN116707983A true CN116707983A (en) 2023-09-05

Family

ID=87841172

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310834577.1A Pending CN116707983A (en) 2023-07-07 2023-07-07 Authorization authentication method and device, access authentication method and device, equipment and medium

Country Status (1)

Country Link
CN (1) CN116707983A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117579403A (en) * 2024-01-17 2024-02-20 永鼎行远(南京)信息科技有限公司 Device for accessing trusted application
CN117579403B (en) * 2024-01-17 2024-03-29 永鼎行远(南京)信息科技有限公司 Device for accessing trusted application

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination