Disclosure of Invention
In view of the foregoing, it is desirable to provide an authentication method, apparatus, computer device, computer-readable storage medium, and computer program product for accessing an application that can improve the efficiency of authentication processing.
In a first aspect, the present application provides an identity authentication method for accessing an application, including:
determining the application type of an application to be accessed, wherein the application types comprise applications with session control and applications without session control;
inquiring and determining key information according to the application type, and extracting a random password from the key information according to a preset mode;
splicing the random password with the timestamp information of the current time to obtain a plaintext, and carrying out encryption processing on the plaintext according to the key information to obtain a password value;
obtaining identity authentication information according to the type identifier of the application type of the application to be accessed, the application identifier of the application to be accessed and the password value;
and sending an application access request aiming at the application to be accessed, together with the identity authentication information, to a server side.
In one embodiment, the querying and determining key information according to the application type includes:
acquiring a session identifier associated with the application to be accessed, in the case that the application type is the application with session control;
intercepting a first preset number of valid characters from the session identifier in reading order to obtain the key information;
and, in the case that the application type is the application without session control, inquiring to obtain preset key information according to the application identifier of the application to be accessed.
In one embodiment, extracting the random password from the key information according to the preset mode includes:
taking the number of characters of the key information as the upper limit of values, and randomly determining a second preset number of sequence number values within that upper limit;
extracting, for each sequence number value, the target character at the corresponding position of the key information;
forming a key value pair from each sequence number value and its corresponding target character;
and splicing the second preset number of key value pairs to obtain the random password.
In one embodiment, obtaining the identity authentication information according to the type identifier of the application type of the application to be accessed, the application identifier of the application to be accessed and the password value includes:
splicing the application type identifier of the application to be accessed, the application identifier of the application to be accessed and the password value to obtain a ciphertext;
and adopting a preset coding mode to code the ciphertext to obtain the identity authentication information.
In a second aspect, the present application provides an identity authentication method for accessing an application, including:
receiving an application access request and identity authentication information which are sent by a client and are aimed at an application to be accessed;
obtaining an application identifier of the application to be accessed, a type identifier of an application type of the application to be accessed and a password value from the identity authentication information;
inquiring and determining key information according to the type identifier, and decrypting the password value according to the key information to obtain the random password and the timestamp information;
and authenticating the application access request according to the key information, the random password and the timestamp information.
In one embodiment, authenticating the application access request according to the key information, the random password and the timestamp information includes:
determining that the identity authentication of the application access request passes in the case that the timestamp information is valid and the random password matches the key information;
and determining that the identity authentication of the application access request does not pass in the case that the timestamp information is invalid or the random password does not match the key information.
In a third aspect, the present application also provides an identity authentication device for accessing an application, including:
an application type determining module, used for determining the application type of an application to be accessed, wherein the application type comprises an application with session control and an application without session control;
a random password acquisition module, used for inquiring and determining key information according to the application type and extracting a random password from the key information according to a preset mode;
a plaintext encryption processing module, used for splicing the random password with the timestamp information of the current time to obtain a plaintext, and encrypting the plaintext according to the key information to obtain a password value;
an identity authentication acquisition module, used for acquiring identity authentication information according to the type identifier of the application type of the application to be accessed, the application identifier of the application to be accessed and the password value;
and a request authentication sending module, used for sending an application access request aiming at the application to be accessed, together with the identity authentication information, to a server side.
In a fourth aspect, the present application also provides an identity authentication device for accessing an application, including:
a request authentication receiving module, used for receiving an application access request and identity authentication information, sent by a client, aimed at an application to be accessed;
an authentication information analysis module, used for obtaining the application identifier of the application to be accessed, the type identifier of the application type of the application to be accessed and the password value from the identity authentication information;
a ciphertext decryption processing module, used for inquiring and determining key information according to the type identifier, and decrypting the password value according to the key information to obtain the random password and the timestamp information;
and an access request authentication module, used for carrying out identity authentication on the application access request according to the key information, the random password and the timestamp information.
In a fifth aspect, the present application also provides a computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program:
determining the application type of an application to be accessed, wherein the application types comprise applications with session control and applications without session control;
inquiring and determining key information according to the application type, and extracting a random password from the key information according to a preset mode;
splicing the random password with the timestamp information of the current time to obtain a plaintext, and carrying out encryption processing on the plaintext according to the key information to obtain a password value;
obtaining identity authentication information according to the type identifier of the application type of the application to be accessed, the application identifier of the application to be accessed and the password value;
and sending an application access request aiming at the application to be accessed, together with the identity authentication information, to a server side.
In a sixth aspect, the present application also provides a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of:
determining the application type of an application to be accessed, wherein the application types comprise applications with session control and applications without session control;
inquiring and determining key information according to the application type, and extracting a random password from the key information according to a preset mode;
splicing the random password with the timestamp information of the current time to obtain a plaintext, and carrying out encryption processing on the plaintext according to the key information to obtain a password value;
obtaining identity authentication information according to the type identifier of the application type of the application to be accessed, the application identifier of the application to be accessed and the password value;
and sending an application access request aiming at the application to be accessed, together with the identity authentication information, to a server side.
In a seventh aspect, the application also provides a computer program product comprising a computer program which, when executed by a processor, performs the steps of:
determining the application type of an application to be accessed, wherein the application types comprise applications with session control and applications without session control;
inquiring and determining key information according to the application type, and extracting a random password from the key information according to a preset mode;
splicing the random password with the timestamp information of the current time to obtain a plaintext, and carrying out encryption processing on the plaintext according to the key information to obtain a password value;
obtaining identity authentication information according to the type identifier of the application type of the application to be accessed, the application identifier of the application to be accessed and the password value;
and sending an application access request aiming at the application to be accessed, together with the identity authentication information, to a server side.
In the identity authentication method, device, computer equipment, computer readable storage medium and computer program product for accessing an application described above, the application type of the application to be accessed is first determined, the application type comprising an application with session control and an application without session control. Distinguishing the two types adapts the scheme to different requirements, improves its universality, provides the basis for determining the subsequent key information and ensures flexible adaptation to various application scenes. Key information is then inquired and determined according to the application type, and a random password is extracted from it according to a preset mode. Next, the random password is spliced with the timestamp information of the current time to obtain a plaintext, and the plaintext is encrypted according to the key information to obtain a password value; because the timestamp is spliced in, the password value generated each time is unique, and encrypting the plaintext with the key protects the password value in transmission against theft or tampering. Next, the identity authentication information is obtained according to the type identifier of the application type of the application to be accessed, the application identifier of the application to be accessed and the password value; adding the type identifier binds the identity authentication information to the specific application, prevents cross-application attacks, improves the integrity of the authentication information and ensures context consistency in the authentication process. Finally, the application access request for the application to be accessed and the identity authentication information are sent to the server side. Because the identity authentication information is generated at the client and sent to the server together with the access request, the server's need to maintain session state is reduced, the computation and storage pressure caused by dynamically generating identity authentication information and storing its state is reduced, the processing efficiency of the server in high concurrency scenes is remarkably improved, and the security and integrity of the authentication information in transmission are ensured. In summary, by distinguishing application types (applications with session control and applications without session control) and combining the dynamic generation of a random password with timestamp splicing and encryption, the method achieves uniqueness and anti-counterfeiting of the identity authentication information; because the authentication information is generated by the client, the server does not need to store state, the computation and storage pressure in high concurrency scenes is reduced, and scalability and adaptability to distributed deployment are improved, providing a secure, lightweight and efficient identity authentication method.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The identity authentication method for accessing an application provided by the embodiments of the present application can be applied to the application environment shown in figure 1, in which the client 102 communicates with the server 104 via a network. A data storage system may store the data that the server side 104 needs to process; it may be integrated on the server side 104 or located on a cloud or other network server. The client 102 first determines the application type of the application to be accessed, the application type comprising an application with session control and an application without session control; the client 102 then inquires and determines key information according to the application type, extracts a random password from the key information according to a preset mode, splices the random password with the timestamp information of the current time to obtain a plaintext, encrypts the plaintext according to the key information to obtain a password value, and obtains identity authentication information according to the type identifier of the application type of the application to be accessed, the application identifier of the application to be accessed and the password value; finally, the client 102 sends an application access request for the application to be accessed and the identity authentication information to the server 104. The client 102 may be a terminal, which may be, but is not limited to, a personal computer, notebook computer, smart phone, tablet computer, internet of things device or portable wearable device; internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart vehicle devices, projection devices and the like, and portable wearable devices may be smart watches, smart bracelets, head-mounted devices and the like.
The head-mounted device may be a Virtual Reality (VR) device, an Augmented Reality (AR) device, smart glasses or the like. The server 104 may be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing cloud computing services.
In an exemplary embodiment, as shown in fig. 2, there is provided an identity authentication method for accessing an application, which is illustrated by taking the application of the method to the client 102 in fig. 1 as an example, and includes the following steps:
Step S201, determining an application type of an application to be accessed.
The application type refers to whether an application system needs to manage and maintain the session state of a user, and comprises an application with session control and an application without session control. An application with Session control refers to an application that maintains a user's login state and Session information through Session identification (Session ID), and an application without Session control refers to an application that does not rely on Session identification, but performs authentication through other means (e.g., a fixed key or a dynamically generated key).
The client determines the application type by consulting the configuration information or preset rules of the application: it queries the configuration center or a predefined interface for the type identifier of the application to be accessed. If the query result indicates that the application has session control, the client extracts the necessary information from the Session ID to complete the subsequent operations; if it indicates that the application has no session control, the client generates the identity authentication information from a preset key configuration or a dynamically generated key. In this way the client selects the appropriate key processing flow according to the application type, and an accurate basis is provided for the execution of the subsequent steps.
Step S202, inquiring and determining key information according to the application type, and extracting a random password from the key information according to a preset mode.
The key information refers to core data required for generating identity authentication information, and the key information may be a result of processing a Session identifier (Session ID) generated dynamically, or may be a fixed key value predefined from a configuration file or a configuration center. The random password is a unique identifier obtained by carrying out specific algorithm processing on the key information and is used for ensuring the dynamic property and the safety of the identity authentication information.
Illustratively, the client selects a different key acquisition mode and extracts the random password according to the application type. If the application type is "application with session control", the client extracts the Session ID from the current session and formats it (e.g., removes special characters, truncates to a fixed length); the result is used as the key information. If the application type is "application without session control", the client queries the corresponding key information according to the application identifier by accessing the configuration center or reading a local configuration file. After obtaining the key information, the client generates the random password from it according to a preset algorithm or rule: several characters or data segments are selected at random from the key information to form the basis of the password, and this data is processed with additional randomness logic, such as key value pair generation or an encryption operation, to produce a unique and secure random password. This ensures the dynamic and unpredictable nature of the password and lays the foundation for the subsequent encryption operation.
Step S203, splicing the random password and the timestamp information of the current time to obtain a plaintext, and carrying out encryption processing on the plaintext according to the key information to obtain a password value.
The time stamp information refers to the time of the current client system, and represents the specific time of random password generation in units of milliseconds.
After the random password has been generated, the client acquires the timestamp of the current system and splices the random password and the timestamp according to a preset format to form a plaintext. For example, if the random password consists of the key value pairs 2=c, 5=3 and 8=f and the timestamp is 1690000000000, the spliced plaintext is the random password followed by 1690000000000. The client then encrypts the plaintext with an encryption algorithm (e.g., the SM4 algorithm) using the obtained key information: the key information is taken as the input key of the encryption algorithm, which ensures the security and consistency of each encryption operation, and encrypting the plaintext yields the password value. The encrypted password value is a ciphertext that cannot be read directly, and is unique and tamper resistant. Adding the timestamp gives the plaintext data a limited validity period and prevents replay attacks.
Step S204, according to the type identification of the application type of the application to be accessed, the application identification of the application to be accessed and the password value, the identity authentication information is obtained.
The type identifier is a mark for distinguishing the type of the application to be accessed and indicating whether the application has session control, the application identifier is mark information for uniquely identifying the application to be accessed, such as an application ID or a name, and the identity authentication information is a complete authentication credential generated by combining the elements and is used for a server to verify the identity of a user.
The client assembles the identity authentication information according to a preset format from the type identifier, the application identifier and the password value acquired in the preceding steps. For example, the type identifier is "D" (application with session control), the application identifier is "App123" and the password value is "ENCRYPTED_VALUE"; the spliced identity authentication information is then D-App123-ENCRYPTED_VALUE. The client joins these elements into the complete identity authentication information with a separator (e.g., "-") so that each part has a clear structure and can be parsed consistently. Combining the type identifier, the application identifier and the password value produces authentication information bound to the specific application, which ensures context consistency in the authentication process, provides compatibility across application scenes, prevents cross-application attacks, and makes the transmission and verification of the identity authentication information safer and more reliable. The identity authentication information serves as a complete credential, provides the necessary basis for the verification logic of the server, and ensures the legitimacy and validity of the request.
Step S205, an application access request and identity authentication information for an application to be accessed are sent to a server side.
The application access request is an access operation request for specific application resources or services initiated by a user and comprises information such as operation targets, parameters and the like, and the server side is a service target for receiving and verifying the user request and is responsible for analyzing and processing request contents.
The client, after generating the authentication information, packages it with the application access request and sends it to the server. The specific implementation process comprises the step of combining the content of the application access request (such as parameters of API call, targets of user operation and the like) and the identity authentication information into a complete request data packet. The whole data packet is encrypted by using a secure transmission protocol (such as HTTPS), so that the security and anti-eavesdropping of the data in the transmission process are ensured. And sending the data packet to a server-side designated interface of the application to be accessed. Through carrying the identity authentication information, the validity verification of the request source is realized, a reliable basis is provided for the security processing of the server side, and unauthorized access and malicious requests are effectively prevented.
In the method described above, determining the application type (application with session control or application without session control) adapts the scheme to different requirements, improves its universality and provides the basis for determining the key information. Inquiring the key information according to the application type and extracting a random password from it secures the source of the key information, adds dynamism to the authentication process, improves the randomness and uniqueness of the generated password and enhances its anti-counterfeiting capability. Splicing the random password with the timestamp of the current time and encrypting the plaintext with the key information makes each generated password value unique and protects it against theft or tampering in transmission. Combining the type identifier, the application identifier and the password value binds the identity authentication information to the specific application, prevents cross-application attacks and ensures context consistency. Finally, sending the application access request together with the identity authentication information to the server side means that the identity authentication information is generated at the client, which reduces the server's need to maintain session state, reduces the computation and storage pressure of dynamically generating authentication information and storing its state, remarkably improves the server's processing efficiency in high concurrency scenes, and ensures the security and integrity of the authentication information in transmission. The method thus realizes the uniqueness and anti-counterfeiting capability of the identity authentication information by distinguishing application types and combining dynamically generated random passwords with timestamp splicing and encryption; because the authentication information is generated by the client, the server avoids storing state, the computation and storage pressure under high concurrency is reduced, and scalability and adaptability to distributed deployment are improved, providing a secure, lightweight and efficient identity authentication method.
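The following Python is an added worked example for step S203 and for the server-side decryption and timestamp check of the second aspect; it is not code from the patent. SM4 is not in the Python standard library, so the block substitutes a stand-in cipher built from HMAC-SHA256 (counter-mode keystream plus an encrypt-then-MAC tag) and derives the encryption and MAC keys from the key information. The "|" separator between random password and timestamp, the 5-minute acceptance window and the sample values are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

PLAINTEXT_SEPARATOR = "|"              # assumed separator between random password and timestamp
TIMESTAMP_WINDOW_MS = 5 * 60 * 1000    # assumed server-side acceptance window (5 minutes)
NONCE_LEN, TAG_LEN = 16, 32


def build_plaintext(random_password: str, timestamp_ms: int) -> str:
    """Splice the random password and the millisecond timestamp into the plaintext."""
    if PLAINTEXT_SEPARATOR in random_password:
        raise ValueError("random password must not contain the plaintext separator")
    return f"{random_password}{PLAINTEXT_SEPARATOR}{timestamp_ms}"


def parse_plaintext(plaintext: str):
    """Server side: split the decrypted plaintext back into (random password, timestamp)."""
    random_password, sep, ts = plaintext.rpartition(PLAINTEXT_SEPARATOR)
    if not sep or not ts.isdigit():
        raise ValueError("malformed plaintext")
    return random_password, int(ts)


def _subkeys(key_info: str):
    # Derive separate encryption and MAC keys from the key information (stand-in KDF).
    k = key_info.encode("utf-8")
    return hashlib.sha256(b"enc:" + k).digest(), hashlib.sha256(b"mac:" + k).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; a demonstration stand-in for SM4, not SM4.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_password_value(plaintext: str, key_info: str) -> str:
    """Encrypt-then-MAC under a fresh nonce; returns standard Base64 (its alphabet has no '-')."""
    enc_key, mac_key = _subkeys(key_info)
    nonce = secrets.token_bytes(NONCE_LEN)
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode("ascii")


def decrypt_password_value(password_value: str, key_info: str) -> str:
    """Verify the tag before decrypting; a wrong key or a modified value raises ValueError."""
    enc_key, mac_key = _subkeys(key_info)
    blob = base64.b64decode(password_value, validate=True)   # binascii.Error is a ValueError
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("password value too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key information or tampered value")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode("utf-8")


def timestamp_is_valid(timestamp_ms: int, now_ms=None, window_ms: int = TIMESTAMP_WINDOW_MS) -> bool:
    """Server side: accept only timestamps within the window around the server clock."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    return abs(now_ms - timestamp_ms) <= window_ms


def make_password_value(random_password: str, key_info: str) -> str:
    """Client side: take the current timestamp, splice, encrypt."""
    return encrypt_password_value(build_plaintext(random_password, int(time.time() * 1000)), key_info)
```

Two points the stand-in makes explicit: encryption alone does not give the tamper resistance the step claims, which is why the block authenticates the ciphertext with a MAC and checks it before decrypting (a production implementation would use SM4 or another vetted cipher in an authenticated mode from a cryptographic library); and a timestamp window on its own only bounds replay to that window, so a server that must reject replays completely also has to remember the password values it has accepted within the window.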
In an exemplary embodiment, the step S202 of querying and determining the key information according to the application type further includes obtaining a session identifier with the application to be accessed in the case that the application type is an application with session control, intercepting a first preset number of valid characters from the session identifier according to a reading sequence to obtain the key information, and querying to obtain the preset key information according to the application identifier of the application to be accessed in the case that the application type is an application without session control.
Illustratively, after the client identifies the type of the application to be accessed, for an application with session control the client extracts the Session ID associated with the application, e.g., from a Cookie or request header. The extracted Session ID may contain special characters, which the client removes when formatting (e.g., the "-" and other invalid characters), and it then intercepts the first few characters as key information according to preset rules. For example, if the extracted Session ID is 123e4567-e89b-12d3-a456-426614174000, the special characters are removed during formatting and the first 16 characters are kept, giving the key information 123e4567e89b12d3. For an application without session control, the client acquires the preset key information by querying a configuration center or reading a local configuration file according to the identifier of the application to be accessed (such as App123). For example, the key information obtained by the configuration query is AbcD123456EFGH.
In this embodiment, key information is obtained in a dynamic or static manner, so that flexible adaptation of a key generation manner and an application scene is realized. In the application without session control, the realization complexity and the server pressure are reduced by a fixed key inquiry mode, and the stability of the authentication process is ensured.
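As an added worked example (not code from the patent), the following Python implements the two key information paths of this embodiment: formatting a Session ID by dropping every non-alphanumeric character and keeping the first 16 characters, and looking the preset key up by application identifier. The alphanumeric rule, the 16-character length, the in-memory configuration table and its single entry for App123 are assumptions taken from the page's examples.

```python
import re
from typing import Optional

# Constructed stand-in for the configuration center: preset keys of applications
# without session control, looked up by application identifier.
PRESET_KEYS = {
    "App123": "AbcD123456EFGH",
}

KEY_LENGTH = 16   # the "first preset number" of characters taken from a session identifier


def key_from_session_id(session_id: str, length: int = KEY_LENGTH) -> str:
    """Format the Session ID and keep its first `length` valid characters.

    Formatting here means removing everything that is not a letter or digit,
    which drops the '-' of a UUID-style identifier as in the page's example.
    """
    cleaned = re.sub(r"[^A-Za-z0-9]", "", session_id)
    if len(cleaned) < length:
        # Silently padding or accepting a shorter key would weaken the derived key.
        raise ValueError("session identifier too short to derive key information")
    return cleaned[:length]


def key_from_config(app_id: str, presets=PRESET_KEYS) -> str:
    """Look up the preset key of an application without session control."""
    try:
        return presets[app_id]
    except KeyError:
        raise LookupError(f"no preset key configured for application {app_id!r}") from None


def determine_key_info(has_session_control: bool, app_id: str,
                       session_id: Optional[str] = None) -> str:
    """Select the key information path according to the application type."""
    if has_session_control:
        if not session_id:
            raise ValueError("application with session control requires a session identifier")
        return key_from_session_id(session_id)
    return key_from_config(app_id)
```

The session path deliberately rejects identifiers that yield fewer than 16 characters rather than using whatever is left; the config path raises on an unknown application identifier so that a misconfigured client cannot fall through to an empty key.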
In an exemplary embodiment, the step S202 extracts the random password from the key information according to a preset manner, and further includes taking the number of characters of the key information as an upper value limit, randomly determining a second preset number of sequence number values according to the upper value limit, extracting the target characters from the key information according to the sequence number values, combining one sequence number value and the corresponding target character into a key value pair, and concatenating the second preset number of key value pairs to obtain the random password.
Illustratively, when the client generates the random password from the key information, it first determines the length of the key information. For example, the key information is AbcD123456EFGH, whose number of characters, 14, is the upper limit of the random values. The client then randomly generates a second preset number of sequence number values (e.g., 4), such as the sequence number values [2,5,9,14], and extracts the characters at the corresponding positions of the key information according to these values, obtaining the target character sequence b, 1, 5, H. Each sequence number value and its target character are combined into a key value pair: 2=b, 5=1, 9=5, 14=H. The client then concatenates the key value pairs with a separator to form the final random password, 2=b;5=1;9=5;14=H.
In this embodiment, the dynamic and unpredictable performance of the random password is significantly enhanced by the generation of the random sequence number value and the splicing manner of the key value pairs. The combination mode of the sequence number value and the target character not only standardizes the structure of the password, but also ensures that the random password has strong dependence on the key information, improves the security of authentication information and further reduces the possibility of counterfeiting.
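The following Python is an added example, not code from the patent, covering both this embodiment (generating the random password as spliced key value pairs) and the matching condition of the second aspect, in which the server checks that the random password recovered from the password value matches the key information. It assumes ";" as the separator between pairs, four pairs, distinct positions and 1-based sequence numbers, as in the page's example.

```python
import random
import re

PAIR_SEPARATOR = ";"    # assumed separator between key value pairs
PAIR_COUNT = 4          # the "second preset number" used in the page's example

# A pair is "<1-based sequence number>=<one character>"; fullmatch rejects trailing junk.
_PAIR_RE = re.compile(r"([1-9][0-9]*)=(.)")


def build_random_password(key_info: str, positions) -> str:
    """Form one key value pair "n=c" for each 1-based position n and join the pairs."""
    upper = len(key_info)            # value upper limit for the sequence numbers
    pairs = []
    for pos in positions:
        if not 1 <= pos <= upper:
            raise ValueError(f"sequence number {pos} exceeds the upper limit {upper}")
        pairs.append(f"{pos}={key_info[pos - 1]}")
    return PAIR_SEPARATOR.join(pairs)


def generate_random_password(key_info: str, count: int = PAIR_COUNT) -> str:
    """Client side: choose `count` distinct positions with an OS-backed RNG, sorted for a
    canonical order, and build the password from them."""
    if count < 1 or count > len(key_info):
        raise ValueError("requested pair count does not fit the key information")
    rng = random.SystemRandom()      # CSPRNG; the default Mersenne Twister is predictable
    positions = sorted(rng.sample(range(1, len(key_info) + 1), count))
    return build_random_password(key_info, positions)


def random_password_matches(password: str, key_info: str,
                            expected_count: int = PAIR_COUNT) -> bool:
    """Server side: every pair must be well formed, point inside the key information,
    not repeat a position, and name the character actually found there.
    Malformed input returns False instead of raising."""
    pairs = password.split(PAIR_SEPARATOR)
    if len(pairs) != expected_count:
        return False
    seen = set()
    for pair in pairs:
        m = _PAIR_RE.fullmatch(pair)
        if m is None:
            return False
        pos, ch = int(m.group(1)), m.group(2)
        if pos in seen or pos > len(key_info) or key_info[pos - 1] != ch:
            return False
        seen.add(pos)
    return True
```

The verifier is strict on purpose: it fixes the pair count, rejects repeated positions and compares case-sensitively, so a password built against a different key, a truncated password, or "14=h" in place of "14=H" all fail.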
In an exemplary embodiment, the step S204 obtains the identity authentication information according to the type identifier of the application type of the application to be accessed, the application identifier of the application to be accessed, and the password value, and further includes performing a concatenation process on the application type identifier of the application to be accessed, the application identifier of the application to be accessed, and the password value to obtain the ciphertext, and performing a coding process on the ciphertext by using a preset coding mode to obtain the identity authentication information.
The client side splices the application type identifier of the application to be accessed, the application identifier of the application to be accessed and the password value according to a preset format to form a ciphertext, and then encodes the ciphertext with a preset encoding mode (such as Base64) to obtain the final identity authentication information. Assuming that the type identifier of the application to be accessed is D, the application identifier is App123, and the password value is ENCRYPTED_VALUE, the client first splices the three into the ciphertext D-App123-ENCRYPTED_VALUE according to the preset format, and then Base64-encodes the ciphertext to generate the identity authentication information, namely RC1BcHAxMjMtRU5DUllQVEVEX1ZBTFVF.
In this embodiment, the identity authentication information is generated by splicing and encoding, so that the integrity and relevance of the authentication data are ensured. The splicing operation binds the type identifier, the application identifier and the password value, enhances the context association of authentication information and specific applications, and prevents cross-application authentication counterfeiting. The encoding process effectively masks the authentication data while improving the data compatibility, reduces the risk of directly exposing the ciphertext content, improves the safety and transmissibility of the identity authentication information, and optimizes the applicability of the authentication process in various scenes.
In an exemplary embodiment, as shown in fig. 3, an identity authentication method for accessing an application is provided, and the method is applied to the server 104 in fig. 1 for illustration, and includes the following steps:
step S301, receiving an application access request and identity authentication information which are sent by a client and are aimed at an application to be accessed;
Step S302, obtaining an application identifier of an application to be accessed, a type identifier of an application type of the application to be accessed and a password value from the identity authentication information;
Step S303, inquiring and determining key information according to the type identifier, and decrypting the password value according to the key information to obtain random password and time stamp information;
step S304, according to the key information, the random password and the time stamp information, identity authentication is carried out on the application access request.
Illustratively, the server receives a message packet containing an application access request sent by the client, and extracts identity authentication information from the message packet. The identity authentication information may include encoded ciphertext, and may be decoded to obtain specific authentication content. The server side analyzes the received identity authentication information and separates out the type identifier, the application identifier and the password value of the application to be accessed according to a preset format (such as type identifier-application identifier-password value). For example, the parsed content may be a type identifier of D, an application identifier of App123, and a password VALUE of ENCRYPTED_VALUE. The server end distinguishes the application type according to the type identifier, if the type identifier is D (application with session control), the key information is dynamically generated through the associated session identifier. If the type identifier is F (application without session control), the key information corresponding to the application identifier is queried through a configuration file or a configuration center. Then, the server uses the determined key information as a key, and decrypts the password value through a decryption algorithm (such as SM4 algorithm) to obtain plaintext data, including random password and time stamp information. The server side firstly verifies whether the time stamp information is in an allowed time window (such as the current time is +/-5 minutes) so as to judge whether the identity authentication information is out of date, and then uses the key information to verify the random password so as to ensure the matching property of the random password and the key information. If the time stamp is valid and the password verification is passed, the server side performs identity authentication and passes the application access request, otherwise, the request is refused.
In this embodiment, the server side effectively performs identity authentication on the client request by analyzing the identity authentication information, dynamically querying and verifying the key information, and verifying the random password. The dynamic property of random password and key binding property ensure the uniqueness and anti-counterfeiting capability of authentication information. Meanwhile, the combination of the type identifier and the application identifier enables the authentication process to adapt to different types of applications, and provides a safe, flexible and efficient identity authentication solution.
In an exemplary embodiment, the step S304 performs identity authentication on the application access request according to the key information, the random password and the timestamp information, and further includes determining that the identity authentication of the application access request passes if the timestamp information is valid information and the random password is matched with the key information, and determining that the identity authentication of the application access request does not pass if the timestamp information is invalid information or if the random password is not matched with the key information.
The identity authentication is to judge whether the client request has validity or not by checking whether the timestamp information and the random password meet preset conditions or not.
After receiving the application access request, the server side verifies the validity of the timestamp information and the random password. It parses the timestamp information and compares it with the current system time: if the timestamp information lies within the allowed time window (for example, the current time +/-5 minutes), it is judged to be valid information, otherwise invalid information. For example, if the current time is 1690000005000 (milliseconds) and the received timestamp information is 1690000000000, the difference is 5000 ms, which is within +/-5 minutes (300,000 ms), so the timestamp information is valid. The server side then generates the expected random password from the key information and compares it with the received random password item by item. If all key-value pairs match, the random password is judged to match the key information, otherwise it is judged not to match.
In the embodiment, the client is prevented from replaying old authentication information by checking the timestamp information, and the uniqueness and the dynamic property of the authentication information are ensured by matching and checking the random password and the key information, so that counterfeit attacks are effectively prevented. The accuracy and the safety of identity authentication are obviously improved by combining double logics of time stamp and password verification, and meanwhile, the processing efficiency of the system in a high concurrency scene is improved through clear authentication result judgment.
In another exemplary embodiment, as shown in fig. 4, the present application provides an identity authentication method for accessing an application, the method comprising:
Step S401, judging whether the application is integrated with the session management system. If yes, go to step S402, otherwise go to step S403.
Step S402, the type is D, and the session identifier is used as a seed value.
Step S403, the type is F, using the configuration center specified value as the seed value.
Step S404, 7 numbers in the length of the seed value text are randomly selected, and a long string text is formed according to the ' number: value; ' format '.
In step S405, a timestamp is added to the end of the long text string to form a plaintext.
In step S406, the SM4 algorithm encrypts the plaintext with the seed value as the key to form a password value.
Step S407, splicing according to the format of the type-application ID-password value to obtain a final ciphertext.
Step S408, base64 encoding is carried out on the ciphertext to form identity authentication information.
For example, for the D type (a dynamic application with Session control, i.e. one that logs in and holds a Session), the Session ID can be used after filtering out special characters such as "-", and its first 16 characters are taken to generate the seed value SEED. For the F type (a fixed application without Session control), the seed value is usually maintained and recorded by the back end in the properties configuration file or in the configuration center, and on the server side the framework layer provides a general query interface for obtaining the SEED value according to the application ID.
After the SEED value is obtained, 7 numbers not exceeding the text length of the SEED are randomly selected; each number is paired with the character at that position of the SEED to form a key-value pair, and the 7 key-value pairs are joined with a separator to form a long string. The current client time in milliseconds is acquired as the timestamp and appended to the end of the long string to form the plaintext. The plaintext is encrypted with the SM4 algorithm, using the SEED as the key, to form the password value. The password value is spliced according to the format type-application ID-password value to obtain the final ciphertext, and the final ciphertext is Base64-encoded once to form the final identity authentication information Token.
Further, in an exemplary embodiment, as shown in fig. 5, the present application provides an identity authentication method for accessing an application, the method comprising:
step S501, base64 decoding processing is performed on the identity authentication information.
Step S502, obtaining a ciphertext, and splitting the ciphertext to obtain a password value.
Step S503, the type is D, and the session identifier is obtained as a seed value.
Step S504, the type is F, and the seed value is obtained from the configuration center.
And step S505, decrypting the password value by taking the seed value as a key to obtain a plaintext.
Step S506, judging whether the time stamp is valid. If yes, go to step S507, otherwise go to step S509.
Step S507, it is checked whether each key-value pair corresponds to the content of the seed value. If yes, go to step S508, otherwise go to step S509.
Step S508, the access request is released.
Step S509, an exception is returned and the access request is not released.
The parsing of the identity authentication information is the inverse of its generation: the identity authentication information Token carried in the request is Base64-decoded to obtain the ciphertext, the ciphertext is split on "-" to obtain the password value, and the type is judged: (1) for type D, the Session ID is obtained as the SEED value; (2) for type F, the SEED value is obtained from the properties file of the configuration center.
After the SEED value is obtained, the password value is decrypted with the SEED value as the key to obtain the plaintext. It is then judged whether the timestamp in the plaintext is still valid; if so, it is further judged whether each key-value pair matches the corresponding character of the SEED value. If both checks pass, the request is released; otherwise the request is intercepted and an exception is returned.
In this embodiment, a new Token authentication method for identity authentication information is provided, which is lighter, does not require the server to keep any state, incorporates the SM4 encryption algorithm, and has higher security and usability. The Token can be generated by the algorithm on the client without requesting it from the server, which relieves the pressure on the server.
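The client flow of fig. 4 and the server flow of fig. 5, together with the worked values given earlier on this page (key information AbcD123456EFGH with positions [2, 5, 9, 14], the D-App123-ENCRYPTED_VALUE splice, the +/-5 minute window), as an added Python example that is not part of the application's own code. It assumes ';' and '=' as the key-value pair separators and hex text for the binary password value, and substitutes an HMAC-SHA256 keystream for SM4 because the Python standard library has no SM4; the token structure is otherwise as described.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time

SEP = ";"                        # separator between key-value pairs (assumed)
TIME_WINDOW_MS = 5 * 60 * 1000   # +/-5 minutes, as stated on the page

def key_info_from_session(session_id: str, length: int = 16) -> str:
    """Type D: strip '-' from the session id and keep the first `length` characters."""
    return session_id.replace("-", "")[:length]

def random_password(key_info: str, count: int, positions=None) -> str:
    """Choose `count` 1-based positions bounded by len(key_info), pair each with the
    character at that position and join the pairs as 'n=c;n=c;...'. `positions`
    may be passed explicitly (deterministic tests); otherwise a CSPRNG draws them."""
    if positions is None:
        positions = [secrets.randbelow(len(key_info)) + 1 for _ in range(count)]
    return SEP.join(f"{n}={key_info[n - 1]}" for n in positions)

def password_matches(password: str, key_info: str, count: int) -> bool:
    """Server check (step S507): exactly `count` pairs, and every 'n=c' must
    satisfy key_info[n-1] == c. Any malformed pair fails closed."""
    pairs = [p.split("=", 1) for p in password.split(SEP) if p]
    if len(pairs) != count or any(len(p) != 2 for p in pairs):
        return False
    try:
        return all(1 <= int(n) <= len(key_info) and key_info[int(n) - 1] == c
                   for n, c in pairs)
    except ValueError:
        return False

# Stand-in cipher: the page specifies SM4 keyed with the seed. SM4 is not in the
# standard library, so this demo XORs with an HMAC-SHA256 keystream under a random
# 16-byte nonce. Replace encrypt()/decrypt() with SM4 to follow the page exactly.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, data: bytes) -> bytes:
    nonce, body = data[:16], data[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

# Client side (fig. 4, steps S404-S408)
def splice_auth_info(type_id: str, app_id: str, password_value: str) -> str:
    """Steps S407/S408: 'type-appid-passwordvalue', then Base64."""
    return base64.b64encode(f"{type_id}-{app_id}-{password_value}".encode()).decode()

def generate_token(type_id, app_id, key_info, count=7, now_ms=None, positions=None):
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    plaintext = random_password(key_info, count, positions) + SEP + str(now_ms)
    # The page does not say how the binary password value is carried as text;
    # hex is assumed because it cannot collide with the '-' field separator.
    password_value = encrypt(key_info.encode(), plaintext.encode()).hex()
    return splice_auth_info(type_id, app_id, password_value)

# Server side (fig. 5, steps S501-S509)
def verify_token(token, seed_lookup, count=7, now_ms=None):
    """seed_lookup(type_id, app_id) returns the seed: the session id for type D,
    the configured value for type F. Returns (passed, reason)."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    try:
        ciphertext = base64.b64decode(token, validate=True).decode()
        type_id, rest = ciphertext.split("-", 1)
        app_id, password_value = rest.rsplit("-", 1)
        key_info = seed_lookup(type_id, app_id)
        plaintext = decrypt(key_info.encode(), bytes.fromhex(password_value)).decode()
        password, ts = plaintext.rsplit(SEP, 1)
        ts = int(ts)
    except (ValueError, KeyError):       # bad Base64, bad hex, wrong key, unknown app
        return False, "malformed"
    if abs(now_ms - ts) > TIME_WINDOW_MS:                  # step S506
        return False, "timestamp outside window"
    if not password_matches(password, key_info, count):    # step S507
        return False, "random password does not match seed"
    return True, "ok"                                       # step S508
```

Note that the server-side check regenerates nothing secret: it only confirms that each pair names the right character of the seed, so the freshness of a token rests entirely on the timestamp window.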
It should be understood that, although the steps in the flowcharts of the embodiments described above are shown in sequence as indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the steps are not strictly limited to the order of execution and may be performed in other orders. Moreover, at least some of the steps in the flowcharts of the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the order of these sub-steps or stages is not necessarily sequential; they may be performed in turn or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides a plurality of identity authentication devices for the access application for realizing the identity authentication method for the access application. The implementation of the solutions provided by these devices is similar to the implementation described in the above method, so the specific limitations in the embodiments of the identity authentication device for one or more access applications provided below may be referred to the above limitations of the identity authentication method for the access application, and will not be repeated here.
In an exemplary embodiment, as shown in fig. 6, there is provided an identity authentication apparatus for accessing an application, including an application type determining module 601, a random password obtaining module 602, a plaintext encryption processing module 603, an identity authentication obtaining module 604, and a request authentication transmitting module 605, wherein:
An application type determining module 601, configured to determine an application type of an application to be accessed, where the application type includes an application with session control and an application without session control;
the random password acquisition module 602 is configured to query and determine key information according to an application type, and extract a random password from the key information according to a preset manner;
The plaintext encryption processing module 603 is configured to splice the random password and the timestamp information of the current time to obtain a plaintext, and encrypt the plaintext according to the key information to obtain a password value;
the identity authentication obtaining module 604 is configured to obtain identity authentication information according to a type identifier of an application type of the application to be accessed, an application identifier of the application to be accessed, and a password value;
the request authentication sending module 605 is configured to send an application access request and identity authentication information for an application to be accessed to a server side.
In one embodiment, the random password obtaining module 602 is further configured to obtain a session identifier with the application to be accessed when the application type is an application with session control, and to intercept a first preset number of valid characters from the session identifier in reading order to obtain the key information; and, when the application type is an application without session control, to query and obtain preset key information according to the application identifier of the application to be accessed.
In one embodiment, the random password obtaining module 602 is further configured to take the number of characters of the key information as an upper value limit, randomly determine a sequence number value of a second preset number according to the upper value limit, extract the target characters from the key information according to the sequence number value, form a key value pair from one sequence number value and the corresponding target characters, and splice the key value pair of the second preset number to obtain the random password.
In one embodiment, the identity authentication obtaining module 604 is further configured to splice the application type identifier of the application to be accessed, the application identifier of the application to be accessed, and the password value to obtain a ciphertext, and encode the ciphertext by using a preset encoding manner to obtain the identity authentication information.
In an exemplary embodiment, as shown in fig. 7, there is provided an identity authentication apparatus for accessing an application, including a request authentication receiving module 701, an authentication information parsing module 702, a ciphertext decryption processing module 703, and an access request authentication module 704, wherein:
A request authentication receiving module 701, configured to receive an application access request and identity authentication information sent by a client for an application to be accessed;
The authentication information analysis module 702 is configured to obtain, from the identity authentication information, an application identifier of an application to be accessed, a type identifier of an application type of the application to be accessed, and a password value;
the ciphertext decryption processing module 703 is configured to query and determine key information according to the type identifier, and decrypt the password value according to the key information to obtain random password and timestamp information;
and the access request authentication module 704 is configured to perform identity authentication on the application access request according to the key information, the random password and the timestamp information.
In one embodiment, the access request authentication module 704 is further configured to determine that the identity authentication of the application access request passes when the timestamp information is valid information and the random password is matched with the key information, and determine that the identity authentication of the application access request does not pass when the timestamp information is invalid information or the random password is not matched with the key information.
The above-described modules in the identity authentication device for accessing an application may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In an exemplary embodiment, a computer device, which may be a terminal, is provided, and an internal structure thereof may be as shown in fig. 8. The computer device includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input means. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for conducting wired or wireless communication with an external terminal, and the wireless communication can be realized through WIFI, a mobile cellular network, Near Field Communication (NFC) or other technologies. The computer program, when executed by a processor, implements a method of identity authentication for an access application. The display unit of the computer device is used for forming a visual picture, and can be a display screen, a projection device or a virtual reality imaging device.
The display screen can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be a key, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structure shown in FIG. 8 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In an embodiment, there is also provided a computer device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the method embodiments described above when the computer program is executed.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, carries out the steps of the method embodiments described above.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are both information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data are required to meet the related regulations.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in embodiments provided herein may include at least one of non-volatile memory and volatile memory. The nonvolatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high density embedded nonvolatile memory, Resistive Random Access Memory (ReRAM), Magnetoresistive Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory, and the like. Volatile memory can include Random Access Memory (RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can be in various forms such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), etc. The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computation, an Artificial Intelligence (AI) processor, or the like, but is not limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the present application.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.