
CN115664823A - An identity authentication method, device, equipment and storage medium - Google Patents

An identity authentication method, device, equipment and storage medium

Info

Publication number: CN115664823A
Authority: CN (China)
Prior art keywords: target, server, dynamic password, authentication, password
Legal status: Pending
Application number: CN202211329051.XA
Other languages: Chinese (zh)
Inventor: 史书伟
Current Assignee: Inspur Power Commercial Systems Co Ltd
Original Assignee: Inspur Power Commercial Systems Co Ltd

Abstract

The application discloses an identity authentication method, an identity authentication device, identity authentication equipment and a storage medium, which relate to the technical field of network security and comprise the following steps: when a target server receives a login request sent by a user, obtaining the target user name, target fixed password and target dynamic password entered by the user, and verifying the target fixed password according to the target user name; if the verification passes, forwarding the target user name and the target dynamic password to an authentication forwarding server to determine the corresponding mobile phone terminal, and forwarding the target dynamic password and the corresponding token number to the mobile phone terminal; computing a current dynamic password from the seed value determined on the mobile phone terminal; and if the current dynamic password is consistent with the target dynamic password, generating an authentication-passed response and forwarding it to the target server. In this method and system the seed values of the tokens are managed in a distributed way by the mobile phone terminals, so the seed information of all tokens does not need to be stored on the server side, the risk of token information being stolen is avoided, and the security of identity authentication is improved.

Description

An identity authentication method, device, equipment and storage medium

Technical field

The present application relates to the technical field of network security, and in particular to an identity authentication method, device, equipment and storage medium.

Background

Dynamic passwords (one-time passwords), as one of the most secure identity authentication technologies, are being adopted by more and more industries. Because they are convenient to use and platform-independent, they are widely applied in online banking, online gaming, telecom operators, e-commerce, enterprises and other fields, and more and more companies at home and abroad are engaged in the research, development and production of dynamic password products. Their advantages are fast and seamless interoperation with all kinds of business systems; authentication software that is stable, efficient and supports multiple authentication modes; and solutions that can serve enterprises of different sizes.

At present, the mainstream scheme for secure authentication of identity on servers is a unified dynamic password authentication system, in which an administrator centrally binds tokens and sets access policies (such as permitted access dates, times, IP (Internet Protocol) addresses, and so on). Specifically, when a dynamic password token needs to be authenticated, the dynamic password and the user name to be authenticated are sent to the authentication system; the authentication system then looks up in its database the seed value of the token corresponding to that user name, computes the corresponding password using the OATH (time- or event-based) algorithm, and checks whether the password is correct. If it is correct, it then looks up the corresponding permissions to determine whether login is allowed (for example, login may be prohibited on non-working days, at night, during holidays, and so on), and finally returns whether the password authentication succeeded, whether login is restricted, whether the user has the right to log in to the server, and so on.

However, in practice servers are generally managed separately by multiple departments and multiple people, and a centralized management approach does not let the individual person responsible for a server manage it promptly anytime and anywhere. In addition, centralized management carries the risk that the seed values of all tokens are stolen at once, and a stolen token seed value means that the corresponding token poses a security risk.

Summary of the invention

In view of this, the purpose of the present application is to provide an identity authentication method, device, equipment and storage medium that can eliminate the risk of token information being stolen and improve the security of identity authentication. The specific scheme is as follows:

In a first aspect, the present application discloses an identity authentication method, comprising:

when a target server receives a login request sent by a user, displaying on the terminal interface corresponding to the user a prompt asking the user to enter a user name, a fixed password and a dynamic password;

obtaining, through the target server, the target user name, target fixed password and target dynamic password entered by the user in response to the prompt, and verifying the target fixed password according to the target user name;

if the verification passes, forwarding the target user name and the target dynamic password to an authentication forwarding server, so that the authentication forwarding server determines the mobile phone terminal corresponding to the target user name and forwards the target dynamic password and the corresponding token number to the mobile phone terminal;

determining, on the mobile phone terminal, the seed value corresponding to the token number, and computing the current dynamic password from the seed value;

comparing, on the mobile phone terminal, whether the current dynamic password and the target dynamic password are consistent, and if they are, generating an authentication-passed response and forwarding it via the authentication forwarding server to the target server.

Optionally, determining the mobile phone terminal corresponding to the target user name through the authentication forwarding server comprises:

determining, through the authentication forwarding server, the mobile phone number corresponding to the target user name, and finding the corresponding mobile phone terminal by the mobile phone number.

Optionally, before forwarding the target dynamic password and the corresponding token number to the mobile phone terminal, the method further comprises:

determining, from the authentication forwarding server and according to the mobile phone number, the IP addresses of the servers managed by the mobile phone terminal, to obtain the target server IP addresses;

determining whether the IP address of the authentication forwarding server belongs to the target server IP addresses; if it does, triggering the step of forwarding the target dynamic password and the corresponding token number to the mobile phone terminal, and if it does not, sending an authentication failure prompt to the terminal interface.

Optionally, computing the current dynamic password from the seed value comprises:

performing the password computation based on the OATH algorithm using the seed value, to obtain the current dynamic password.

Optionally, generating the authentication-passed response and forwarding it via the authentication forwarding server to the target server comprises:

generating the authentication-passed response, and displaying an access-permission settings dialog on the interface of the mobile phone terminal, so that an administrator can set the corresponding access permissions in the dialog to obtain the target access permissions;

forwarding the response and the target access permissions via the authentication forwarding server to the target server.

Optionally, displaying the access-permission settings dialog on the interface of the mobile phone terminal comprises:

displaying, on the interface of the mobile phone terminal, a dialog for setting a temporary login duration permission.

Optionally, verifying the target fixed password according to the target user name comprises:

verifying the target fixed password according to the target user name through the pluggable authentication module in the target server.

In a second aspect, the present application discloses an identity authentication device, comprising:

a prompt display module, configured to display, when the target server receives a login request sent by a user, a prompt on the terminal interface corresponding to the user asking the user to enter a user name, a fixed password and a dynamic password;

an information acquisition module, configured to obtain, through the target server, the target user name, target fixed password and target dynamic password entered by the user in response to the prompt;

a fixed password verification module, configured to verify the target fixed password according to the target user name;

a first information forwarding module, configured to forward the target user name and the target dynamic password to an authentication forwarding server if the verification passes;

a mobile phone terminal determination module, configured to determine, through the authentication forwarding server, the mobile phone terminal corresponding to the target user name;

a second information forwarding module, configured to forward the target dynamic password and the corresponding token number to the mobile phone terminal;

a seed value determination module, configured to determine, on the mobile phone terminal, the seed value corresponding to the token number;

a current dynamic password computation module, configured to compute the current dynamic password from the seed value;

a comparison module, configured to compare, on the mobile phone terminal, whether the current dynamic password and the target dynamic password are consistent;

a response generation and forwarding module, configured to generate an authentication-passed response and forward it via the authentication forwarding server to the target server if the current dynamic password and the target dynamic password are consistent.

In a third aspect, the present application discloses an electronic device comprising a processor and a memory, wherein the processor implements the aforementioned identity authentication method when executing the computer program stored in the memory.

In a fourth aspect, the present application discloses a computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the aforementioned identity authentication method.

It can be seen that in the present application, when the target server receives a login request sent by a user, a prompt asking the user to enter a user name, a fixed password and a dynamic password is displayed on the terminal interface corresponding to the user; the target server then obtains the target user name, target fixed password and target dynamic password entered by the user in response to the prompt and verifies the target fixed password according to the target user name; if the verification passes, the target user name and target dynamic password are forwarded to the authentication forwarding server, so that the authentication forwarding server determines the mobile phone terminal corresponding to the target user name and forwards the target dynamic password and the corresponding token number to the mobile phone terminal; the mobile phone terminal then determines the seed value corresponding to the token number, computes the current dynamic password from the seed value, and compares whether the current dynamic password and the target dynamic password are consistent; if they are, an authentication-passed response is generated and forwarded via the authentication forwarding server to the target server. The present application distributes the management of token seed values across mobile phone terminals, so the seed information of all tokens need not be stored on the server side, which eliminates the risk of token information being stolen and improves the security of identity authentication.

Brief description of the drawings

In order to explain more clearly the technical solutions in the embodiments of the present application or in the prior art, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present application, and those of ordinary skill in the art can obtain other drawings from the drawings provided without creative effort.

Fig. 1 is a flow chart of an identity authentication method disclosed in the present application;

Fig. 2 is a flow chart of a specific identity authentication method disclosed in the present application;

Fig. 3 is a flow chart of a specific identity authentication method disclosed in the present application;

Fig. 4 is a schematic structural diagram of an identity authentication device disclosed in the present application;

Fig. 5 is a structural diagram of an electronic device disclosed in the present application.

Detailed description

The technical solutions in the embodiments of the present application will be described clearly and completely below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present application without creative effort fall within the scope of protection of the present application.

An embodiment of the present application discloses an identity authentication method; referring to Fig. 1, the method comprises:

Step S11: when the target server receives a login request sent by a user, display on the terminal interface corresponding to the user a prompt asking the user to enter a user name, a fixed password and a dynamic password.

In this embodiment, when the target server on which identity authentication is to be performed receives the login request sent by the user, a prompt asking the user to enter a user name, a fixed password (that is, a static password) and a dynamic password is displayed on the terminal interface corresponding to the user. The target server includes, but is not limited to, a database server, an FTP (File Transfer Protocol) server, and so on. The dynamic password is generated by a dynamic password token, and its number of digits is determined by the type of the token; the algorithms used by the token to generate the dynamic password include, but are not limited to, symmetric, asymmetric and digest algorithms, such as the national cryptographic (Guomi) algorithms SM2, SM3 and SM4.

Step S12: obtain, through the target server, the target user name, target fixed password and target dynamic password entered by the user in response to the prompt, and verify the target fixed password according to the target user name.

In this embodiment, after the prompt asking for a user name, fixed password and dynamic password is displayed on the terminal interface corresponding to the user, the user can manually enter their user name, fixed password and dynamic password according to the prompt shown on the current terminal interface. The target server then obtains the information entered by the user as the target user name, target fixed password and target dynamic password, and verifies the target fixed password according to the target user name, that is, determines whether the target user name and the target fixed password match.

Step S13: if the verification passes, forward the target user name and the target dynamic password to the authentication forwarding server, so that the authentication forwarding server determines the mobile phone terminal corresponding to the target user name and forwards the target dynamic password and the corresponding token number to the mobile phone terminal.

In this embodiment, if the target user name and the target fixed password match, the user is provisionally judged to be a legitimate user; however, to further improve login security and guard against the user's fixed password having been stolen, the target dynamic password must also be checked to confirm the user's identity. Specifically, if the verification passes, the target user name and target dynamic password are forwarded to the authentication forwarding server. After receiving them, the authentication forwarding server first determines from its locally stored information the mobile phone terminal corresponding to the target user name, then determines the token number corresponding to the target user name, and then forwards the target dynamic password and the corresponding token number to that mobile phone terminal.

In a specific implementation, determining the mobile phone terminal corresponding to the target user name through the authentication forwarding server may specifically comprise: determining, through the authentication forwarding server, the mobile phone number corresponding to the target user name, and finding the corresponding mobile phone terminal by the mobile phone number. That is, after obtaining the target user name and target dynamic password forwarded by the target server, the authentication forwarding server first looks up the mobile phone number corresponding to the target user name and then determines the mobile phone terminal holding that number.

Step S14: determine, on the mobile phone terminal, the seed value corresponding to the token number, and compute the current dynamic password from the seed value.

In this embodiment, after the mobile phone terminal receives the target dynamic password and the corresponding token number sent by the authentication forwarding server, it first looks up in its local storage the seed value corresponding to that token number, and then uses the seed value to generate the current dynamic password. It should be noted that the mobile phone terminal, acting as the authentication terminal, stores in advance the token seed values within its own scope of management and the servers within its own scope of responsibility; in addition, the method for computing the current dynamic password includes, but is not limited to, the OATH algorithm.

Step S15: compare, on the mobile phone terminal, whether the current dynamic password and the target dynamic password are consistent, and if they are, generate an authentication-passed response and forward it via the authentication forwarding server to the target server.

In this embodiment, after computing the current dynamic password from the seed value, the mobile phone terminal compares the current dynamic password with the target dynamic password and determines whether the two are consistent. If they are, the user's identity is that of a legitimate user who may log in to the target server normally; the mobile phone terminal then generates the corresponding authentication-passed response and sends it to the authentication forwarding server, which forwards it to the target server. Once the target server receives the response, it can grant the user's login request so that the user can carry out the corresponding operations on the target server.

It can be seen that in the embodiment of the present application, when the target server receives a login request sent by a user, a prompt asking the user to enter a user name, a fixed password and a dynamic password is displayed on the terminal interface corresponding to the user; the target server then obtains the target user name, target fixed password and target dynamic password entered by the user in response to the prompt and verifies the target fixed password according to the target user name; if the verification passes, the target user name and target dynamic password are forwarded to the authentication forwarding server, so that the authentication forwarding server determines the mobile phone terminal corresponding to the target user name and forwards the target dynamic password and the corresponding token number to the mobile phone terminal; the mobile phone terminal then determines the seed value corresponding to the token number, computes the current dynamic password from the seed value, and compares whether the current dynamic password and the target dynamic password are consistent; if they are, an authentication-passed response is generated and forwarded via the authentication forwarding server to the target server. The embodiment of the present application distributes the management of token seed values across mobile phone terminals, so the seed information of all tokens need not be stored on the server side, which eliminates the risk of token information being stolen and improves the security of identity authentication.

An embodiment of the present application discloses a specific identity authentication method; referring to Fig. 2, the method comprises:

Step S21: when the target server receives a login request sent by a user, display on the terminal interface corresponding to the user a prompt asking the user to enter a user name, a fixed password and a dynamic password.

Step S22: obtain, through the target server, the target user name, target fixed password and target dynamic password entered by the user in response to the prompt, and verify the target fixed password according to the target user name through the pluggable authentication module in the target server.

In this embodiment, referring to Fig. 3, the target server may specifically be a database server and an FTP server. After the database server and the FTP server obtain the target user name (li), target fixed password and target dynamic password (318467) entered by the user, they can verify through their pluggable authentication modules (PAM, Pluggable Authentication Modules) whether the target user name and the target fixed password entered by the user match. If they match, verification passes; if they do not, verification fails, and an authentication failure prompt can be generated directly on the terminal interface.

Step S23: if the verification passes, forward the target user name and the target dynamic password to the authentication forwarding server.

Step S24: determine, through the authentication forwarding server, the mobile phone number corresponding to the target user name, and find the corresponding mobile phone terminal by the mobile phone number.

In this embodiment, referring to Fig. 3, after the authentication forwarding server obtains the target user name (li) and the target dynamic password (318467) forwarded by the database server and the FTP server, it can look up locally the token number (N324) and the mobile phone number (13344445555) corresponding to the target user name (li), and can then find the corresponding authentication mobile phone terminal by the mobile phone number (13344445555).

Step S25: determine, from the authentication forwarding server and according to the mobile phone number, the IP addresses of the servers managed by the mobile phone terminal, to obtain the target server IP addresses.

In this embodiment, after the corresponding mobile phone terminal has been found by the mobile phone number, the authentication forwarding server can further be queried for the IP addresses of the servers corresponding to that mobile phone number. These server IP addresses are configured for the servers that the mobile phone terminal with that number is able to manage, that is, the servers within the mobile phone terminal's own scope of responsibility. Referring to Fig. 3, the mobile phone number (13344445555) is used to find the IP addresses of the servers managed by the corresponding mobile phone terminal (namely 192.168.2.3, 192.168.4.32 and 192.176.3.5).

Step S26: determine whether the IP address of the authentication forwarding server belongs to the target server IP addresses; if it does, forward the target dynamic password and the corresponding token number to the mobile phone terminal, and if it does not, send an authentication failure prompt to the terminal interface.

In this embodiment, after the IP addresses of the servers managed by the mobile phone terminal have been determined from the authentication forwarding server according to the mobile phone number to obtain the target server IP addresses, the authentication forwarding server determines whether its IP address belongs to the target server IP addresses. If it does, the target dynamic password and the corresponding token number are forwarded to the mobile phone terminal. For example, when the IP addresses of the servers corresponding to the mobile phone number (13344445555) in Fig. 3 (192.168.2.3, 192.168.4.32, 192.176.3.5) are the IP addresses of the database server or the FTP server, the dynamic password (318467) and the corresponding token number (N324) are forwarded to the mobile phone terminal with the number 13344445555. Further, if the IP address of the authentication forwarding server does not belong to the target server IP addresses, authentication fails; a corresponding authentication failure prompt can be generated and sent to the terminal interface.

Step S27: Determine, on the mobile terminal, the seed value corresponding to the token number, and compute a password from that seed value with an OATH algorithm to obtain the current dynamic password.

In this embodiment, after the mobile terminal receives the target dynamic password and the corresponding token number from the authentication forwarding server, it first checks its local store for a seed value matching that token number. If one exists, it runs an OATH one-time-password computation (HOTP, RFC 4226, or its time-based variant TOTP, RFC 6238) over that seed to obtain the current dynamic password. Because the seed never leaves the terminal, the authentication forwarding server only ever holds token numbers and phone numbers.

Step S28: Compare, on the mobile terminal, whether the current dynamic password matches the target dynamic password; if they match, generate an authentication-passed response and open an access-permission dialog on the mobile terminal's interface, so that the administrator can set the corresponding access permission in that dialog, obtaining the target access permission.

In this embodiment, after computing the current dynamic password, the mobile terminal compares it with the target dynamic password and judges whether the two are identical. If they are, the user is a legitimate user: an authentication-passed response is generated and an access-permission dialog is opened on the terminal's interface, so that the administrator using the terminal can set the appropriate access permission in that dialog.

Specifically, opening the access-permission dialog on the mobile terminal's interface may comprise opening a dialog for setting a temporary login-duration permission. For example, as shown in FIG. 3, the terminal displays a prompt that the dynamic password is correct together with a dialog for the authorized login duration; the administrator using the terminal sets the duration, e.g. 15 minutes, and presses OK.

Step S29: Forward the response and the target access permission to the target server through the authentication forwarding server.

In this embodiment, once the administrator has set a 15-minute access duration in the dialog of FIG. 3, the response and that permission are forwarded through the authentication forwarding server to the database server and the FTP server, and the user may then access the database server and the FTP server for 15 minutes.
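The S24 to S29 flow above, worked end to end as an added example; this is illustrative code written for this page, not code from the patent or from Inspur. It makes the following assumptions, none of which the patent specifies: the directories on the authentication forwarding server and the seed store on the phone are plain in-memory dictionaries loaded with the FIG. 3 sample values (user li, token N324, phone 13344445555, the three managed IP addresses); the fixed-password check that the patent delegates to the target server's pluggable authentication module is stood in for by a salted SHA-256 lookup; the OATH algorithm is the time-based variant TOTP (RFC 6238) over HMAC-SHA1 with a 30-second step and six digits, with a one-step tolerance either side for clock skew that the patent's single equality comparison does not have; the step S26 scope check is implemented as "is the target server that originated the login one of the servers this phone's administrator manages", which is what the FIG. 3 explanation describes; and the 15-minute permission becomes an expiry timestamp that the target server enforces. The seed is the RFC 4226/6238 test secret, so the one-time values can be checked against the published vectors. The function names and data layouts are hypothetical.

```python
"""S24-S29 worked example: forwarding-server routing, phone-side OATH check,
administrator-granted temporary access. Added illustration, not the patent's code."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Authentication forwarding server: routing data only, never a seed (constructed FIG. 3 data).
USER_DIRECTORY = {
    "li": {"token_number": "N324", "phone_number": "13344445555"},
}
# Phone number -> servers that administrator is responsible for (FIG. 3 values).
MANAGED_SERVERS = {
    "13344445555": {"192.168.2.3", "192.168.4.32", "192.176.3.5"},
}


# Target server: salted-hash store standing in for the PAM fixed-password check (assumption).
def _pw_hash(salt: str, password: str) -> str:
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


FIXED_PASSWORDS = {"li": ("salt-li", _pw_hash("salt-li", "correct horse"))}

# Mobile terminal: the only component that holds a seed. This is the RFC 4226/6238
# test secret "12345678901234567890", used so results can be checked against the RFCs.
PHONE_SEEDS = {"N324": b"12345678901234567890"}

TOTP_STEP = 30
OTP_DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(seed, unix_time // step, digits)


def target_server_verify_fixed_password(username: str, fixed_password: str) -> bool:
    """First factor, checked on the target server before anything is forwarded."""
    entry = FIXED_PASSWORDS.get(username)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(_pw_hash(salt, fixed_password), stored)


def forwarding_server_route(username: str, target_server_ip: str) -> Optional[Tuple[str, str]]:
    """S24-S26: resolve user -> (token number, phone), then scope-check the originating server.
    Returns None when the user is unknown or the server is outside the administrator's range."""
    rec = USER_DIRECTORY.get(username)
    if rec is None:
        return None
    phone = rec["phone_number"]
    if target_server_ip not in MANAGED_SERVERS.get(phone, set()):
        return None
    return rec["token_number"], phone


def phone_verify(token_number: str, target_otp: str, unix_time: int, window: int = 1) -> bool:
    """S27-S28 on the phone: look up the seed locally, recompute, compare in constant time.
    `window` steps of skew either side are accepted (assumption; the patent compares one value)."""
    seed = PHONE_SEEDS.get(token_number)
    if seed is None:
        return False
    return any(
        hmac.compare_digest(totp(seed, unix_time + TOTP_STEP * k), target_otp)
        for k in range(-window, window + 1)
    )


@dataclass
class AuthResult:
    ok: bool
    reason: str
    expires_at: Optional[int] = None  # S28/S29: the administrator's temporary login window


def authenticate(target_server_ip: str, username: str, fixed_password: str,
                 dynamic_password: str, unix_time: int, admin_minutes: int = 15) -> AuthResult:
    """Whole flow. `admin_minutes` stands for the value typed into the FIG. 3 dialog."""
    if not target_server_verify_fixed_password(username, fixed_password):
        return AuthResult(False, "fixed password rejected")
    routed = forwarding_server_route(username, target_server_ip)
    if routed is None:
        return AuthResult(False, "server not in this administrator's scope")
    token_number, _phone = routed
    if not phone_verify(token_number, dynamic_password, unix_time):
        return AuthResult(False, "dynamic password mismatch")
    return AuthResult(True, "authenticated", expires_at=unix_time + admin_minutes * 60)


def access_allowed(result: AuthResult, unix_time: int) -> bool:
    """The target server enforces the granted window on every later request."""
    return result.ok and result.expires_at is not None and unix_time < result.expires_at
```

Two points a practitioner should take from the split: with the RFC test secret, `totp(seed, 59)` yields 287082, so `authenticate("192.168.2.3", "li", "correct horse", "287082", 59)` succeeds and expires 900 seconds later, while the same login against an address outside the administrator's set is refused before the phone is ever contacted. Nothing on the forwarding server can produce that 287082, because only `PHONE_SEEDS` holds the seed. The channels between the three parties still need to be authenticated and encrypted; the example leaves transport out.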

For a more detailed description of step S23, refer to the corresponding content of the preceding embodiments; it is not repeated here.

It can be seen that this embodiment uses two-factor authentication: both the fixed password and the dynamic password are verified, and the user is judged legitimate only when every check succeeds. Because each dynamic password is valid for a single use, a password that has been recorded cannot be replayed, which satisfies the multiple-authentication requirement of the Multi-Level Protection Scheme (等级保护) and prevents a single authentication factor from being easily broken. Furthermore, the mobile terminal authenticates with the seed of the token it manages itself and, after authentication passes, imposes an additional restriction on the permission granted, so administrators can manage the servers within their responsibility in real time and promptly block illegal access; permissions are thus made precise and minimal. Finally, the seed values of the tokens are managed in a distributed manner, so the server side need not store the seed information of every token, removing the risk of purchased token information being stolen.

Correspondingly, an embodiment of the present application also discloses an identity authentication apparatus, shown in FIG. 4, which comprises:

a prompt pop-up module 11, configured to display, when the target server receives a login request sent by a user, a prompt on the user's terminal interface to enter a user name, a fixed password and a dynamic password;

an information acquisition module 12, configured to obtain, through the target server, the target user name, target fixed password and target dynamic password entered by the user in response to the prompt;

a fixed-password verification module 13, configured to verify the target fixed password according to the target user name;

a first information forwarding module 14, configured to forward the target user name and the target dynamic password to the authentication forwarding server if verification passes;

a mobile terminal determination module 15, configured to determine, through the authentication forwarding server, the mobile terminal corresponding to the target user name;

a second information forwarding module 16, configured to forward the target dynamic password and the corresponding token number to the mobile terminal;

a seed value determination module 17, configured to determine, on the mobile terminal, the seed value corresponding to the token number;

a current dynamic password calculation module 18, configured to compute the current dynamic password from the seed value;

a comparison module 19, configured to compare, on the mobile terminal, whether the current dynamic password matches the target dynamic password;

a response generation and forwarding module 110, configured to generate an authentication-passed response and forward it to the target server through the authentication forwarding server if the current dynamic password matches the target dynamic password.

For the specific workflow of each of the above modules, refer to the corresponding content of the preceding embodiments; it is not repeated here.

It can be seen that in this embodiment, when the target server receives a login request sent by a user, a prompt to enter a user name, fixed password and dynamic password is displayed on the user's terminal interface; the target server then obtains the target user name, target fixed password and target dynamic password entered in response, and verifies the target fixed password according to the target user name. If verification passes, the target user name and target dynamic password are forwarded to the authentication forwarding server, which determines the mobile terminal corresponding to the target user name and forwards the target dynamic password and the corresponding token number to that terminal. The mobile terminal determines the seed value corresponding to the token number, computes the current dynamic password from it, and compares the current dynamic password with the target dynamic password; if they match, an authentication-passed response is generated and forwarded to the target server through the authentication forwarding server. By managing the seed values of the tokens in a distributed manner on the mobile terminals, this embodiment removes the need to store the seed information of every token on the server side, eliminates the risk of token information being stolen, and improves the security of identity authentication.

In some specific embodiments, the mobile terminal determination module 15 may specifically comprise:

a mobile phone number determination unit, configured to determine, through the authentication forwarding server, the mobile phone number corresponding to the target user name;

a mobile terminal determination unit, configured to look up the corresponding mobile terminal by that mobile phone number.

In some specific embodiments, the apparatus may further comprise, ahead of the mobile terminal determination module 15:

a server IP address determination unit, configured to determine, from the authentication forwarding server and according to the mobile phone number, the IP addresses of the servers managed by the mobile terminal, obtaining the target server IP addresses;

a judging unit, configured to judge whether the IP address of the authentication forwarding server belongs to the target server IP addresses;

a triggering unit, configured to trigger the step of forwarding the target dynamic password and the corresponding token number to the mobile terminal if the IP address of the authentication forwarding server belongs to the target server IP addresses;

a prompt sending unit, configured to send an authentication-failure prompt to the terminal interface if the IP address of the authentication forwarding server does not belong to the target server IP addresses.

In some specific embodiments, the current dynamic password calculation module 18 may specifically comprise:

a current dynamic password calculation unit, configured to perform a password computation on the seed value with an OATH algorithm to obtain the current dynamic password.

In some specific embodiments, the response generation and forwarding module 110 may specifically comprise:

a response generation unit, configured to generate the authentication-passed response;

a dialog generation unit, configured to open an access-permission dialog on the interface of the mobile terminal so that the administrator can set the corresponding access permission in that dialog, obtaining the target access permission;

an information forwarding unit, configured to forward the response and the target access permission to the target server through the authentication forwarding server.

In some specific embodiments, the dialog generation unit may specifically comprise:

a permission dialog generation unit, configured to open a dialog for setting a temporary login-duration permission on the interface of the mobile terminal.

In some specific embodiments, the fixed-password verification module 13 may specifically comprise:

a fixed-password verification unit, configured to verify the target fixed password according to the target user name through the pluggable authentication module in the target server.

Further, an embodiment of the present application also discloses an electronic device. FIG. 5 is a structural diagram of an electronic device 20 according to an exemplary embodiment; nothing in the figure should be taken as limiting the scope of the application.

FIG. 5 is a schematic structural diagram of an electronic device 20 provided by an embodiment of the present application. The electronic device 20 may specifically comprise at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input/output interface 25 and a communication bus 26. The memory 22 stores a computer program which is loaded and executed by the processor 21 to implement the relevant steps of the identity authentication method disclosed in any of the foregoing embodiments. The electronic device 20 in this embodiment may specifically be a computer.

In this embodiment, the power supply 23 provides the working voltage for each hardware component of the electronic device 20; the communication interface 24 creates a data transmission channel between the electronic device 20 and external devices, following any communication protocol applicable to the technical solution of the present application, which is not specifically limited here; the input/output interface 25 obtains external input data or outputs data to the outside, and its specific interface type may be selected according to the application, which is likewise not specifically limited here.

In addition, the memory 22, as the carrier for stored resources, may be a read-only memory, a random access memory, a magnetic disk or an optical disc, etc.; the resources stored on it may include an operating system 221 and a computer program 222, etc., stored either temporarily or permanently.

The operating system 221 manages and controls the hardware components and the computer program 222 on the electronic device 20 and may be Windows Server, Netware, Unix, Linux, etc. The computer program 222, besides the program that performs the identity authentication method executed by the electronic device 20 as disclosed in any of the foregoing embodiments, may further include programs that perform other specific tasks.

Further, the present application also discloses a computer-readable storage medium for storing a computer program which, when executed by a processor, implements the identity authentication method disclosed above. For the specific steps of the method, refer to the corresponding content of the foregoing embodiments; they are not repeated here.

The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Since the apparatus disclosed in an embodiment corresponds to the method disclosed in that embodiment, its description is relatively brief, and the description of the method may be consulted for the relevant details.

Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein may be implemented in electronic hardware, computer software, or a combination of the two. To illustrate this interchangeability clearly, the composition and steps of each example have been described above in general terms by function. Whether these functions are performed in hardware or software depends on the particular application and the design constraints of the technical solution. Skilled persons may implement the described functions in different ways for each particular application, and such implementations should not be regarded as exceeding the scope of the present application.

The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

Finally, it should also be noted that in this text, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises it.

The identity authentication method, apparatus, device and storage medium provided by the present application have been described in detail above. Specific examples have been used herein to explain the principle and implementation of the application, and the description of the above embodiments is intended only to help understand the method of the application and its core idea. At the same time, for those of ordinary skill in the art, there will be changes in the specific implementation and scope of application in accordance with the idea of the application. In summary, the content of this specification should not be understood as limiting the present application.

Claims (10)

1. An identity authentication method, characterized in that it comprises:
when a target server receives a login request sent by a user, displaying on the user's terminal interface a prompt to enter a user name, a fixed password and a dynamic password;
obtaining, through the target server, the target user name, target fixed password and target dynamic password entered by the user in response to the prompt, and verifying the target fixed password according to the target user name;
if verification passes, forwarding the target user name and the target dynamic password to an authentication forwarding server, so that the authentication forwarding server determines the mobile phone terminal corresponding to the target user name and forwards the target dynamic password and the corresponding token number to that mobile phone terminal;
determining, on the mobile phone terminal, the seed value corresponding to the token number, and computing a current dynamic password from the seed value;
comparing, on the mobile phone terminal, whether the current dynamic password matches the target dynamic password and, if so, generating an authentication-passed response and forwarding it to the target server through the authentication forwarding server.

2. The identity authentication method according to claim 1, characterized in that determining, through the authentication forwarding server, the mobile phone terminal corresponding to the target user name comprises:
determining, through the authentication forwarding server, the mobile phone number corresponding to the target user name, and looking up the corresponding mobile phone terminal by that mobile phone number.

3. The identity authentication method according to claim 2, characterized in that, before forwarding the target dynamic password and the corresponding token number to the mobile phone terminal, the method further comprises:
determining, from the authentication forwarding server and according to the mobile phone number, the IP addresses of the servers managed by the mobile phone terminal, obtaining target server IP addresses;
judging whether the IP address of the authentication forwarding server belongs to the target server IP addresses and, if so, triggering the step of forwarding the target dynamic password and the corresponding token number to the mobile phone terminal; otherwise, sending an authentication-failure prompt to the terminal interface.

4. The identity authentication method according to claim 1, characterized in that computing the current dynamic password from the seed value comprises:
performing a password computation on the seed value with an OATH algorithm to obtain the current dynamic password.

5. The identity authentication method according to claim 1, characterized in that generating an authentication-passed response and forwarding it to the target server through the authentication forwarding server comprises:
generating the authentication-passed response and opening an access-permission dialog on the interface of the mobile phone terminal, so that an administrator sets the corresponding access permission in the dialog, obtaining a target access permission;
forwarding the response and the target access permission to the target server through the authentication forwarding server.

6. The identity authentication method according to claim 5, characterized in that opening the access-permission dialog on the interface of the mobile phone terminal comprises:
opening a dialog for setting a temporary login-duration permission on the interface of the mobile phone terminal.

7. The identity authentication method according to any one of claims 1 to 6, characterized in that verifying the target fixed password according to the target user name comprises:
verifying the target fixed password according to the target user name through a pluggable authentication module in the target server.

8. An identity authentication apparatus, characterized in that it comprises:
a prompt pop-up module, configured to display, when a target server receives a login request sent by a user, a prompt on the user's terminal interface to enter a user name, a fixed password and a dynamic password;
an information acquisition module, configured to obtain, through the target server, the target user name, target fixed password and target dynamic password entered by the user in response to the prompt;
a fixed-password verification module, configured to verify the target fixed password according to the target user name;
a first information forwarding module, configured to forward the target user name and the target dynamic password to an authentication forwarding server if verification passes;
a mobile phone terminal determination module, configured to determine, through the authentication forwarding server, the mobile phone terminal corresponding to the target user name;
a second information forwarding module, configured to forward the target dynamic password and the corresponding token number to the mobile phone terminal;
a seed value determination module, configured to determine, on the mobile phone terminal, the seed value corresponding to the token number;
a current dynamic password calculation module, configured to compute a current dynamic password from the seed value;
a comparison module, configured to compare, on the mobile phone terminal, whether the current dynamic password matches the target dynamic password;
a response generation and forwarding module, configured to generate an authentication-passed response and forward it to the target server through the authentication forwarding server if the current dynamic password matches the target dynamic password.

9. An electronic device, characterized in that it comprises a processor and a memory, wherein the processor, when executing a computer program stored in the memory, implements the identity authentication method according to any one of claims 1 to 7.

10. A computer-readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the identity authentication method according to any one of claims 1 to 7.
CN202211329051.XA 2022-10-27 2022-10-27 An identity authentication method, device, equipment and storage medium Pending CN115664823A (en)

Priority Applications (1)

Application Number Publication Number Priority Date Filing Date Title
CN202211329051.XA CN115664823A (en) 2022-10-27 2022-10-27 An identity authentication method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Publication Number Priority Date Filing Date Title
CN202211329051.XA CN115664823A (en) 2022-10-27 2022-10-27 An identity authentication method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115664823A true CN115664823A (en) 2023-01-31

Family

ID=84993866

Family Applications (1)

Application Number Status Publication Number Priority Date Filing Date Title
CN202211329051.XA Pending CN115664823A (en) 2022-10-27 2022-10-27 An identity authentication method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115664823A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116506190A (en) * 2023-04-27 2023-07-28 山东海量信息技术研究院 Login authentication method, system, device and computer storage medium

Citations (6)

Publication number Priority date Publication date Assignee Title
CN101582763A (en) * 2009-04-02 2009-11-18 北京飞天诚信科技有限公司 Method and system for identity authentication based on dynamic password
CN105262588A (en) * 2015-11-03 2016-01-20 网易(杭州)网络有限公司 Log-in method based on dynamic password, account number management server and mobile terminal
CN105721159A (en) * 2016-01-20 2016-06-29 浪潮(北京)电子信息产业有限公司 Operation system identity authentication method and operation system identity authentication system
KR101659847B1 (en) * 2015-07-14 2016-09-26 (주)케이스마텍 Method for two channel authentication using smart phone
CN106453321A (en) * 2016-10-18 2017-02-22 郑州云海信息技术有限公司 Authentication server, system and method, and to-be-authenticated terminal
US20180337783A1 (en) * 2015-02-27 2018-11-22 Feitian Technologies Co., Ltd. Operating method for push authentication system and device


Non-Patent Citations (1)

Title
徐荣龙, 魏建国, 潘鹏: "Research on cross-domain authentication of network terminals based on strong anonymity and multi-node distribution", Computer Simulation, vol. 38, no. 12, 11 January 2022 (2022-01-11) *


Similar Documents

Publication Publication Date Title
US11606352B2 (en) Time-based one time password (TOTP) for network authentication
AU2021206913B2 (en) Systems and methods for distributed data sharing with asynchronous third-party attestation
US8196186B2 (en) Security architecture for peer-to-peer storage system
US8392702B2 (en) Token-based management system for PKI personalization process
CN112532599B (en) Dynamic authentication method, device, electronic equipment and storage medium
US9225525B2 (en) Identity management certificate operations
US7366900B2 (en) Platform-neutral system and method for providing secure remote operations over an insecure computer network
CA2868896C (en) Secure mobile framework
EP1914658B1 (en) Identity controlled data center
US8898457B2 (en) Automatically generating a certificate operation request
US8220032B2 (en) Methods, devices, and computer program products for discovering authentication servers and establishing trust relationships therewith
US9825938B2 (en) System and method for managing certificate based secure network access with a certificate having a buffer period prior to expiration
US20170353464A1 (en) Techniques for secure debugging and monitoring
EP2171911A2 (en) Device provisioning and domain join emulation over non-secured networks
CN108111518B (en) Single sign-on method and system based on secure password proxy server
CN115150831B (en) Method, device, server and medium for processing network access request
US11611541B2 (en) Secure method to replicate on-premise secrets in a cloud environment
CN114491435A (en) A secure access method and device based on an industrial Internet platform
US20220247578A1 (en) Attestation of device management within authentication flow
CN115664823A (en) An identity authentication method, device, equipment and storage medium
Kim et al. Can we create a cross-domain federated identity for the industrial Internet of Things without Google?
US20240007454A1 (en) Systems and methods for using enterprise idp functionality to authorize user access across servers
Binu et al. A mobile based remote user authentication scheme without verifier table for cloud based services
US11570163B2 (en) User authentication system
WO2021067116A1 (en) Secure communication application registration process

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination