CN107332862A - A kind of identity identifying method, front end processor and identity authorization system - Google Patents
- Publication number: CN107332862A (application CN201710700835.1A)
- Authority: CN (China)
- Prior art keywords
- user information
- current
- end processor
- server terminal
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/08—... for authentication of entities
      - H04L63/083—... for authentication of entities using passwords
  - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    - H04L9/32—... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
      - H04L9/3226—... using a predetermined code, e.g. password, passphrase or PIN
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Small-Scale Networks (AREA)
Abstract
The invention provides an identity authentication method, a front end processor and an identity authentication system. In the identity authentication method, a front end processor is arranged between a user terminal and a server terminal; the user terminal is connected to the front end processor through a wide area network, and the front end processor is connected to the server terminal through a local area network. The front end processor performs the following: pre-storing at least one piece of valid user information and the key corresponding to each piece of valid user information; receiving at least one service request sent by the user terminal; and, for each service request, performing: A1, obtaining the current user information corresponding to the current service request; A2, comparing the current user information with the at least one piece of valid user information and, when there is target valid user information identical to the current user information, extracting the target key corresponding to the target valid user information; A3, sending the target key to the server terminal for identity authentication. With the technical scheme provided by the invention, the user does not need to send a key to the server terminal when performing identity authentication.
Description
Technical field
The present invention relates to the field of network communication, and in particular to an identity authentication method, a front end processor and an identity authentication system.
Background technology
With the development of network technology, identifying and authenticating user identities safely and reliably is what allows the personal interests of users to be protected effectively.
Normally, the user sends a key to the server terminal; the server terminal identifies the user according to the key and establishes a connection with the user.
However, when the user sends the key to the server terminal, a criminal may seize the opportunity to steal the user's key and use it to log in to the server terminal, thereby harming the personal interests of the user.
The content of the invention
Embodiments of the invention provide an identity authentication method, a front end processor and an identity authentication system, so that a user does not need to send a key to the server terminal when performing identity authentication.
In a first aspect, the invention provides an identity authentication method in which a front end processor is arranged between a user terminal and a server terminal, the user terminal is connected to the front end processor through a wide area network, the front end processor is connected to the server terminal through a local area network, and the front end processor performs the following:
Pre-storing at least one piece of valid user information and the key corresponding to each piece of valid user information;
Receiving at least one service request sent by the user terminal;
For each service request, performing:
A1, obtaining the current user information corresponding to the current service request;
A2, comparing the current user information with the at least one piece of valid user information and, when there is target valid user information identical to the current user information, extracting the target key corresponding to the target valid user information;
A3, sending the target key to the server terminal for identity authentication.
Preferably, the valid user information comprises valid identity information, a valid application identifier and a valid network protocol address;
the current user information comprises current identity information, a current application identifier and a current network protocol address;
and comparing the current user information with the at least one piece of valid user information comprises:
detecting whether the valid identity information is identical to the current identity information, and returning a first detection result;
detecting whether the valid application identifier is identical to the current application identifier, and returning a second detection result;
detecting whether the valid network protocol address is identical to the current network protocol address, and returning a third detection result;
when the first detection result, the second detection result and the third detection result are identical, determining that the user information to be verified is identical to the valid user information.
Preferably, after A3, the method further comprises:
receiving a first authentication result obtained by the server terminal authenticating the target key;
when the first authentication result is invalid, after determining that the server terminal has updated the target key, comparing again whether the current user information is identical to the target valid user information;
when the current user information is identical to the target valid user information, extracting the updated target key and sending it to the server terminal;
receiving a second authentication result obtained by the server terminal authenticating the updated target key;
when the second authentication result is invalid, determining that the current service request is invalid.
Preferably, after A3, the method further comprises:
recording the current user information and the final authentication result of the current service request corresponding to the current user information;
when the number of times the final authentication result is invalid reaches a preset upper limit, determining that the current user information is illegal user information.
In a second aspect, the invention provides a front end processor arranged between a user terminal and a server terminal, the user terminal being connected to the front end processor through a wide area network and the front end processor being connected to the server terminal through a local area network, the front end processor comprising a storage module, a receiving module and a request processing module;
the storage module is configured to store at least one piece of valid user information and the key corresponding to each piece of valid user information;
the receiving module is configured to receive at least one service request sent by the user;
the request processing module is configured to perform, for each service request received by the receiving module:
A1, obtaining the current user information corresponding to the current service request;
A2, comparing the current user information with the at least one piece of valid user information and, when there is target valid user information identical to the current user information, extracting the target key corresponding to the target valid user information;
A3, sending the target key to the server terminal for identity authentication.
Preferably, the valid user information comprises valid identity information, a valid application identifier and a valid network protocol address;
the current user information comprises current identity information, a current application identifier and a current network protocol address;
the request processing module comprises a first detection unit, a second detection unit, a third detection unit and a judging unit;
the first detection unit is configured to detect whether the valid identity information is identical to the current identity information and to return a first detection result;
the second detection unit is configured to detect whether the valid application identifier is identical to the current application identifier and to return a second detection result;
the third detection unit is configured to detect whether the valid network protocol address is identical to the current network protocol address and to return a third detection result;
the judging unit is configured to determine that the user information to be verified is identical to the valid user information when the first detection result, the second detection result and the third detection result are identical.
Preferably, the front end processor further comprises a result processing module;
the result processing module is configured to receive a first authentication result obtained by the server terminal authenticating the target key; when the first authentication result is invalid, after determining that the server terminal has updated the target key, to compare again whether the current user information is identical to the target valid user information; when the current user information is identical to the target valid user information, to extract the updated target key and send it to the server terminal; to receive a second authentication result obtained by the server terminal authenticating the updated target key; and, when the second authentication result is invalid, to determine that the current service request is invalid.
Preferably, the front end processor further comprises a logging module and a counting module;
the logging module is configured to record the current user information and the final authentication result of the current service request corresponding to the current user information;
the counting module is configured to determine that the current user information is illegal user information when the number of times the final authentication result is invalid reaches a preset upper limit.
In a third aspect, the invention provides an identity authentication system comprising a server terminal and at least one front end processor according to any embodiment of the second aspect;
the server terminal is configured to receive at least one target key sent by the at least one front end processor.
Preferably, the server terminal is further configured to authenticate, for each target key, whether the user information corresponding to the current target key is valid and to generate an authentication result, and to send the authentication result to the corresponding front end processor according to preset identification information of the front end processor.
Embodiments of the invention provide an identity authentication method, a front end processor and an identity authentication system. A front end processor is arranged between the user terminal and the server terminal and is connected to the server terminal through a local area network; compared with a wide area network, a local area network effectively reduces the distance over which the key is transmitted, which helps prevent the key from being stolen by a hacker. The front end processor is connected to the user terminal through a wide area network, which ensures that every user can reach the server terminal. To perform identity authentication, at least one piece of valid user information and the key corresponding to each piece of valid user information must be pre-stored in the front end processor; this is the precondition for the front end processor to send the key to the server terminal in place of the user. When at least one service request sent by the user terminal is received, the current user information corresponding to each service request is obtained, which replaces the user sending a user name to the server terminal. The current user information is compared with the stored valid user information to determine whether the current user information is valid user information; if it is, the current user information is correct. Once the current user information has passed verification, the key corresponding to that valid user information is the target key corresponding to the current user information; the target key is extracted and sent to the server terminal in place of the user for identity authentication. The invention thus uses the front end processor to bridge the user terminal and the server terminal, so that the user does not need to send a key to the server terminal when performing identity authentication.
Brief description of the drawings
To describe the technical schemes of the embodiments of the invention or of the prior art more clearly, the drawings required for the description of the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an identity authentication method provided by an embodiment of the invention;
Fig. 2 is a flowchart of another identity authentication method provided by an embodiment of the invention;
Fig. 3 is a schematic diagram of the connection relationship of a front end processor provided by an embodiment of the invention;
Fig. 4 is a schematic structural diagram of a front end processor provided by an embodiment of the invention;
Fig. 5 is a schematic structural diagram of another front end processor provided by an embodiment of the invention;
Fig. 6 is a schematic structural diagram of another front end processor provided by an embodiment of the invention;
Fig. 7 is a schematic structural diagram of another front end processor provided by an embodiment of the invention;
Fig. 8 is a schematic structural diagram of an identity authentication system provided by an embodiment of the invention.
Embodiment
To make the purpose, technical scheme and advantages of the embodiments of the invention clearer, the technical scheme of the embodiments is described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the invention, not all of them; all other embodiments obtained by those of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the invention.
As shown in Fig. 1, an embodiment of the invention provides an identity authentication method comprising the following steps:
Step 101, arranging a front end processor between a user terminal and a server terminal, the user terminal being connected to the front end processor through a wide area network and the front end processor being connected to the server terminal through a local area network.
Step 102, pre-storing at least one piece of valid user information and the key corresponding to each piece of valid user information.
Step 103, receiving at least one service request sent by the user terminal.
Step 104, for each service request, performing: obtaining the current user information corresponding to the current service request; comparing the current user information with the at least one piece of valid user information and, when there is target valid user information identical to the current user information, extracting the target key corresponding to the target valid user information; and sending the target key to the server terminal for identity authentication.
In the identity authentication method provided by this embodiment, a front end processor is arranged between the user terminal and the server terminal and is connected to the server terminal through a local area network; compared with a wide area network, a local area network effectively reduces the range over which the key is transmitted, which helps prevent the key from being stolen by a hacker. The front end processor is connected to the user terminal through a wide area network, which ensures that every user can reach the server terminal. To perform identity authentication, at least one piece of valid user information and the key corresponding to each piece of valid user information must be pre-stored in the front end processor; this is the precondition for the front end processor to send the key to the server terminal in place of the user. When at least one service request sent by the user terminal is received, the current user information corresponding to each service request is obtained, which replaces the user sending a user name to the server terminal. The current user information is compared with the stored valid user information to determine whether it is valid user information; if it is, the current user information is correct. Once the current user information has passed verification, the key corresponding to that valid user information is the target key corresponding to the current user information; the target key is extracted and sent to the server terminal in place of the user for identity authentication. The invention thus uses the front end processor to bridge the user terminal and the server terminal, so that the user does not need to send a key to the server terminal when performing identity authentication.
To authenticate the current user information accurately, in one embodiment of the invention the valid user information comprises valid identity information, a valid application identifier and a valid network protocol address;
the current user information comprises current identity information, a current application identifier and a current network protocol address;
and comparing the current user information with the at least one piece of valid user information comprises:
detecting whether the valid identity information is identical to the current identity information, and returning a first detection result;
detecting whether the valid application identifier is identical to the current application identifier, and returning a second detection result;
detecting whether the valid network protocol address is identical to the current network protocol address, and returning a third detection result;
when the first detection result, the second detection result and the third detection result are identical, determining that the user information to be verified is identical to the valid user information.
User identity information is information that can be used to determine the identity of a user, such as a mobile phone number or an ID card number; valid identity information is user identity information that has passed authentication. A network protocol address is the IP (Internet Protocol) address of the user terminal; a valid network protocol address is an IP address that lies within a preset network segment and has passed authentication. An application identifier denotes a specific application on the server terminal; a valid application identifier is one for which the valid user has obtained authorization. Only when all three are valid is the user information valid. For example, suppose the valid identity information is A, the valid network protocol address is B and the valid application identifier is C. If the current identity information is not A and/or the current network protocol address is not B, someone without authorization from the server is attempting to access the server, so identity authentication cannot pass. If the current application identifier is not C, an attempt is being made to obtain a service beyond the authorized scope, which may be a user mistake, an expired authorization, or someone logging in to the server with stolen user information, so identity authentication cannot pass either. Only when the current identity information is A, the current network protocol address is B and the current application identifier is C has this user been authorized by the server to use the application corresponding to application identifier C, i.e. the current user information is valid user information.
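The three-field comparison described above, as an added Python example (not code from the patent). The user table, mobile numbers, application names, addresses, keys and the preset network segment are constructed placeholders. Beyond the text, it also reports which detection failed, following the distinction the paragraph draws between an entity without server authorization (identity or address mismatch) and a request beyond the authorized scope (application mismatch):

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed "preset network segment": only addresses inside it are acquired at all.
DEFAULT_SEGMENT = ipaddress.ip_network("198.51.100.0/24")


@dataclass(frozen=True)
class UserInfo:
    identity: str  # identity information, e.g. a mobile phone number
    app_id: str    # application identifier
    ip: str        # network protocol address of the user terminal


# Constructed table of valid user information -> key, as pre-stored by the
# front end processor. Every value is a placeholder.
VALID_USERS: dict[UserInfo, str] = {
    UserInfo("13000000000", "map-query", "198.51.100.7"): "key-C",
    UserInfo("13000000001", "map-query", "198.51.100.9"): "key-E",
}


def in_default_segment(ip: str) -> bool:
    """Pre-filter: an address outside the preset segment is never acquired."""
    try:
        return ipaddress.ip_address(ip) in DEFAULT_SEGMENT
    except ValueError:
        return False


def detect(current: UserInfo, valid: UserInfo) -> tuple[bool, bool, bool]:
    """First, second and third detection results: identity, app id, address."""
    return (
        current.identity == valid.identity,
        current.app_id == valid.app_id,
        current.ip == valid.ip,
    )


def find_target_key(current: UserInfo) -> Optional[str]:
    """A2: the key of the valid entry that all three detections match, else None."""
    if not in_default_segment(current.ip):
        return None
    for valid, key in VALID_USERS.items():
        if all(detect(current, valid)):
            return key
    return None


def explain(current: UserInfo) -> str:
    """Classify the outcome the way the text does, without leaking which key exists."""
    if not in_default_segment(current.ip):
        return "address outside preset segment"
    results = [detect(current, valid) for valid in VALID_USERS]
    if any(all(r) for r in results):
        return "valid"
    if not any(first for first, _, _ in results):
        return "no server authorization (identity mismatch)"
    if not any(first and third for first, _, third in results):
        return "no server authorization (address mismatch)"
    return "service beyond authorized scope (application mismatch)"


if __name__ == "__main__":
    for info in (
        UserInfo("13000000000", "map-query", "198.51.100.7"),
        UserInfo("13000000000", "admin", "198.51.100.7"),
        UserInfo("13000000000", "map-query", "203.0.113.5"),
    ):
        print(info, "->", find_target_key(info), "|", explain(info))
```

The classification is for the front end processor's own log; what is returned to the user terminal should stay a bare pass/fail, otherwise the reason string tells a caller which of the three fields it has already guessed correctly.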
Under normal circumstances a key has a limited lifetime, that is, it expires after a period of time. When authenticating a user identity, if the key held by the front end processor is not updated in time, authentication of the user fails. To avoid this situation, in one embodiment of the invention, after A3 the method further comprises:
receiving a first authentication result obtained by the server terminal authenticating the target key;
when the first authentication result is invalid, after determining that the server terminal has updated the target key, comparing again whether the current user information is identical to the target valid user information;
when the current user information is identical to the target valid user information, extracting the updated target key and sending it to the server terminal;
receiving a second authentication result obtained by the server terminal authenticating the updated target key;
when the second authentication result is invalid, determining that the current service request is invalid.
After the front end processor sends the target key, the server terminal authenticates the target key and returns a first authentication result. If the first authentication result shows that the service request is invalid, the cause may be that the front end processor did not update the key in time; the server terminal then updates the target key in the front end processor according to the timestamp, which guarantees the timeliness of the target key. The front end processor compares the user information with the valid information again, extracts the updated target key and sends it to the server terminal. If authentication still fails, the failure was not caused by key expiry, so the service request is deemed invalid.
For example, if the first authentication result for service request A is invalid, the server terminal updates the target key of service request A according to the timestamp; the front end processor then verifies again whether the user information of service request A is valid user information and, if so, sends the updated target key to the server terminal for a second authentication. The server terminal returns a second authentication result after authenticating; if the second authentication result is invalid, service request A is confirmed invalid, otherwise it is valid.
By the above method, an expired key in the front end processor is prevented from causing the server terminal to authenticate the user incorrectly.
To further ensure that the rights and interests of users are not infringed, in one embodiment of the invention, after A3 the method further comprises:
recording the current user information and the final authentication result of the current service request corresponding to the current user information;
when the number of times the final authentication result is invalid reaches a preset upper limit, determining that the current user information is illegal user information.
By recording every request result of every user, the number of invalid requests sent by each user can be determined. If that number has not reached the preset upper limit, the user may merely have made an operating error; if it reaches or exceeds the preset upper limit, the user may be deliberately attempting to break into the server by various means, so the user is determined to be an illegal user and service requests from that user are no longer accepted.
To describe the embodiments of the invention better, as shown in Fig. 2, an embodiment of the invention provides another identity authentication method which, taking the authentication of service request A as an example, comprises the following steps:
Step 201, arranging a front end processor between the user terminal and the server terminal.
In this embodiment, the front end processor is connected to the user terminal through a wide area network and to the server terminal through a local area network.
Step 202, pre-storing at least one piece of valid user information and the key corresponding to each piece of valid user information.
In this embodiment, the front end processor obtains the valid user information and the key corresponding to each piece of valid user information from the server terminal. The valid identity information, valid application identifier and valid network protocol address of the valid user information correspond respectively to a valid mobile phone number, a valid application name and a valid IP address.
Step 203, receiving service request A.
In this embodiment, a plurality of service requests may be received at the same time; because the processing method and steps are identical for every service request, only the case of receiving a single service request is described.
Step 204, obtaining the current user information corresponding to service request A.
In this embodiment, the identity information, application identifier and network protocol address in the current user information corresponding to service request A correspond respectively to the mobile phone number 130********, the application name "map inquiry" and the IP address 198.**.**.**.
For the IP address, before acquisition, IP addresses may be filtered according to a preset network segment. For example, if the network segment covers 3000 IP addresses, the front end processor obtains only addresses among these 3000. If the user IP address corresponding to A is not among these 3000 IP addresses, the IP address corresponding to A is not acquired.
Step 205, comparing the at least one piece of valid information with the current user information: detecting respectively whether the valid identity information is identical to the current identity information, whether the valid application identifier is identical to the current application identifier and whether the valid network protocol address is identical to the current network protocol address, and obtaining a first detection result, a second detection result and a third detection result.
In this embodiment, whether the mobile phone number is identical to the valid mobile phone number is detected, giving the first detection result; whether "map inquiry" is identical to the valid application name is detected, giving the second detection result; and whether the IP address is identical to the valid network protocol address is detected, giving the third detection result.
Step 206, judging whether the first detection result, the second detection result and the third detection result are identical; if so, step 207 is performed, otherwise step 218 is performed.
In this embodiment, when there is valid user information B whose valid mobile phone number is 130********, whose valid application name is "map inquiry" and whose valid IP address is 198.**.**.**, this valid information is identical to the current user information corresponding to service request A.
Step 207, determining that target valid user information exists, and extracting the target key corresponding to the target valid user information.
In this embodiment, key C corresponding to valid user information B is extracted.
Step 208, sending the target key to the server terminal.
In this embodiment, key C is sent to the server terminal so that service request A can be authenticated.
Step 209, receiving the first authentication result obtained by the server terminal authenticating the target key.
In this embodiment, the authentication result of the server terminal for key C is received.
Step 210, when the first authentication result is invalid and the server terminal has updated the target key, comparing again whether the current user information is identical to the target valid user information; if so, step 211 is performed, otherwise step 215 is performed.
Step 211, extracting the updated target key and sending it to the server terminal.
In this embodiment, when the authentication result for key C is negative, the server terminal updates key C to key D according to the timestamp. Whether the current user information is identical to valid user information B is compared again; if identical, key D is extracted and sent to the server terminal.
Step 212, receiving the second authentication result obtained by the server terminal authenticating the updated target key.
In this embodiment, the authentication result of the server terminal for key D is received.
Step 213, judging whether the second authentication result is valid; if so, step 214 is performed, otherwise step 215 is performed.
Step 214, determine that service request A is effective.
Step 215, determine that service request A is invalid.
Step 216, record current user information and service request A final authentication result.
Step 217, when the invalid number of times of service request A final authentication result reaches the default number of times upper limit, it is determined that
The corresponding current user informations of service request A are illegal user information.
In embodiments of the present invention, if the corresponding current user informations of service request A are confirmed as illegal user information,
So front end processor can filter out the corresponding IP address of current user information in the default network segment so that front end processor will not connect
The user's request sent by active user.
Step 218, the effective data that can be compared are judged whether, if it is, performing step 205;Otherwise, hold
Row step 219.
In embodiments of the present invention, comparing current user information and the termination condition of validated user information has two, one
It was found that it is identical with current user information to there is validated user information;Another is to have compared institute's validated user information.
Step 219, determine that active user is invalid, and terminate current process.
It can be seen that the method provided by this embodiment of the present invention does not distribute keys to users; the keys are stored in the front end processor, which can therefore send the key to the server terminal on the user's behalf and complete the authentication.
As shown in Figure 3, an embodiment of the present invention provides a front end processor located between the user terminal and the server terminal. The user terminal is connected to the front end processor through a wide area network, and the front end processor is connected to the server terminal through a local area network.
As shown in Figure 4, an embodiment of the present invention provides a front end processor comprising: a storage module 401, a receiving module 402 and a request processing module 403;
the storage module 401 is configured to store at least one piece of valid user information and the key corresponding to each piece of valid user information;
the receiving module 402 is configured to receive at least one service request sent by a user;
the request processing module 403 is configured to perform, for each service request received by the receiving module 402:
A1, obtaining the current user information corresponding to the current service request;
A2, comparing the current user information with the at least one piece of valid user information, and, when target valid user information identical to the current user information exists, extracting the target key corresponding to the target valid user information;
A3, sending the target key to the server terminal for identity authentication.
As shown in Figure 5, an embodiment of the present invention provides another front end processor in which the request processing module 403 comprises: a first detection unit 4031, a second detection unit 4032, a third detection unit 4033 and a judging unit 4034;
the valid user information comprises: valid identity information, a valid application identifier and a valid network protocol address;
the current user information comprises: current identity information, a current application identifier and a current network protocol address;
the first detection unit 4031 is configured to detect whether the valid identity information is identical to the current identity information, and to return a first detection result;
the second detection unit 4032 is configured to detect whether the valid application identifier is identical to the current application identifier, and to return a second detection result;
the third detection unit 4033 is configured to detect whether the valid network protocol address is identical to the current network protocol address, and to return a third detection result;
the judging unit 4034 is configured to determine that the user information to be verified is identical to the valid user information when the first detection result, the second detection result and the third detection result are all "identical".
As shown in Figure 6, an embodiment of the present invention provides another front end processor, further comprising a result processing module 601;
the result processing module 601 is configured to receive the first authentication result obtained by the server terminal authenticating the target key; when the first authentication result is invalid, after determining that the server terminal has updated the target key, to compare whether the current user information is identical to the target valid user information; when the current user information is identical to the target valid user information, to extract the updated target key and send it to the server terminal; to receive the second authentication result obtained by the server terminal authenticating the updated target key; and, when the second authentication result is invalid, to determine that the current service request is invalid.
As shown in Figure 7, an embodiment of the present invention provides another front end processor, further comprising a logging module 701 and a counting module 702;
the logging module 701 is configured to record the current user information and the final authentication result of the current service request corresponding to the current user information;
the counting module 702 is configured to determine that the current user information is illegal user information when the number of times the final authentication result is invalid reaches a preset upper limit.
The information exchange between the units of the above apparatus, its execution process and similar details are based on the same concept as the method embodiments of the present invention; for specifics, refer to the description of the method embodiments, which is not repeated here.
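The request-handling procedure of steps 205 to 219 and the module structure of Figures 4 to 7 are modelled below in Python, as an added example that is not part of the patent or of any product implementing it. The patent does not say how the server terminal updates a key "according to a timestamp" or how the front end processor obtains the updated key; this example assumes that both sides derive the key for a time epoch as HMAC(base key, epoch) and that the server's authentication result carries the epoch it has rotated to. The class and function names, the upper limit of three invalid results, the 203.0.113.0/24 "preset network segment" and the sample users in demo() are all constructed for the illustration.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class UserInfo:
    identity: str  # identity information
    app_id: str    # application identifier
    ip: str        # network protocol address


def same_user(valid: UserInfo, current: UserInfo) -> bool:
    """Judging unit: the first, second and third detection results must all be 'identical'."""
    first = valid.identity == current.identity
    second = valid.app_id == current.app_id
    third = valid.ip == current.ip
    return first and second and third


def derive_key(base_key: bytes, epoch: int) -> bytes:
    """Assumed timestamp-based rotation: the key for a time epoch is HMAC(base, epoch)."""
    return hmac.new(base_key, str(epoch).encode(), hashlib.sha256).digest()


@dataclass
class AuthResult:
    valid: bool
    rotated_epoch: Optional[int] = None  # set when the server has already updated the key


class ServerTerminal:
    """Accepts a user's key only for the current epoch; reports a rotation when the
    presented key is the previous epoch's key (assumption, not from the patent)."""

    def __init__(self, base_keys: Dict[str, bytes], period: int = 3600):
        self._base = dict(base_keys)
        self._period = period

    def authenticate(self, identity: str, key: bytes, now: int) -> AuthResult:
        base = self._base.get(identity)
        if base is None:
            return AuthResult(False)
        epoch = now // self._period
        if hmac.compare_digest(derive_key(base, epoch), key):
            return AuthResult(True)
        if epoch > 0 and hmac.compare_digest(derive_key(base, epoch - 1), key):
            return AuthResult(False, rotated_epoch=epoch)  # key C was updated to key D
        return AuthResult(False)


class FrontEndProcessor:
    def __init__(self, server: ServerTerminal, valid_users: Dict[UserInfo, bytes],
                 max_failures: int = 3, segment: str = "203.0.113.0/24"):
        self._server = server
        self._base = dict(valid_users)                  # storage module: valid info -> key
        self._epoch: Dict[UserInfo, int] = {u: 0 for u in valid_users}
        self._failures: Dict[UserInfo, int] = {}
        self._illegal: Set[UserInfo] = set()
        self._max = max_failures
        self._segment = ipaddress.ip_network(segment)   # the "preset network segment"
        self.log: List[Tuple[UserInfo, bool]] = []      # logging module (step 216)

    def is_illegal(self, info: UserInfo) -> bool:
        return info in self._illegal

    def _address_filtered(self, current: UserInfo) -> bool:
        addr = ipaddress.ip_address(current.ip)
        return addr in self._segment and any(u.ip == current.ip for u in self._illegal)

    def _present_key(self, target: UserInfo, now: int) -> AuthResult:
        key = derive_key(self._base[target], self._epoch[target])    # A2: extract target key
        return self._server.authenticate(target.identity, key, now)  # A3: send to server

    def handle(self, current: UserInfo, now: int) -> bool:
        """Returns the final authentication result for one service request."""
        if self._address_filtered(current):           # consequence of step 217
            return False
        # Steps 205/218/219: compare until a match is found or all valid users are exhausted
        target = next((u for u in self._base if same_user(u, current)), None)
        if target is None:
            return False
        result = self._present_key(target, now)        # step 209: first authentication result
        final = result.valid
        if not final and result.rotated_epoch is not None:
            # Steps 210-213: the server updated the key; compare again, retry with the new key
            if same_user(target, current):
                self._epoch[target] = result.rotated_epoch
                final = self._present_key(target, now).valid
        self.log.append((current, final))              # step 216
        if not final:
            self._failures[target] = self._failures.get(target, 0) + 1
            if self._failures[target] >= self._max:    # step 217
                self._illegal.add(target)
        return final


def demo() -> List[bool]:
    """Constructed sample data: one correctly provisioned user and one whose front-end key is wrong."""
    user_b = UserInfo("user-b", "app-1", "203.0.113.10")
    user_c = UserInfo("user-c", "app-1", "203.0.113.20")
    server = ServerTerminal({"user-b": b"base-key-b", "user-c": b"base-key-c"})
    fep = FrontEndProcessor(server, {user_b: b"base-key-b", user_c: b"wrong-key-c"})
    results = [
        fep.handle(user_b, now=100),    # epoch 0: first authentication result is valid
        fep.handle(user_b, now=3700),   # epoch 1: server rotated the key, the retry succeeds
        fep.handle(UserInfo("user-b", "app-1", "198.51.100.9"), now=3700),  # address differs: no match
    ]
    results += [fep.handle(user_c, now=100) for _ in range(4)]  # three invalid results, fourth is filtered
    return results


if __name__ == "__main__":
    print(demo())
```

demo() walks one user through a request whose first result is valid, a request made after the server has rotated the key (steps 210 to 213), and a request from a different address that matches no stored user, then drives a user with a mismatched key past the failure limit so that its address is filtered before any comparison takes place. The server compares keys with hmac.compare_digest so that the authentication result does not leak timing information about the key; the front end processor forwards the key value itself to the server, exactly as the patent describes, so the local area network link in Figure 3 is what protects that value in transit.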
As shown in Figure 8, an embodiment of the present invention provides an identity authentication system comprising a server terminal 801 and at least one front end processor 802 according to any of the embodiments above;
the server terminal 801 is configured to receive at least one target key sent by the at least one front end processor.
In one embodiment of the present invention, the server terminal is further configured, for each target key, to authenticate whether the user information corresponding to the current target key is valid and to generate an authentication result, and to send the authentication result to the corresponding front end processor according to preset identification information of that front end processor.
The embodiments of the invention provide a kind of computer-readable recording medium, including execute instruction, when the computing device of storage control
During the execute instruction, the storage control performs the identity identifying method provided in any one embodiment of the invention.
The embodiments of the invention provide a kind of storage control, including:Processor, memory and bus;
The memory is used to store execute instruction, and the processor is connected with the memory by the bus, when
During the storage control operation, the execute instruction of memory storage described in the computing device, so that the storage
Controller performs the identity identifying method provided in any one embodiment of the invention.
In summary, the embodiments of the present invention have at least the following advantages:
1. In one embodiment of the present invention, a front end processor is arranged between the user terminal and the server terminal. The front end processor is connected to the server terminal through a local area network; compared with a wide area network, a local area network effectively shortens the transmission distance of the key, which helps prevent the key from being stolen by an attacker. The front end processor is connected to the user terminal through a wide area network, which ensures that every user can reach the server terminal. To perform identity authentication, at least one piece of valid user information and the key corresponding to each piece must be pre-stored in the front end processor; this is the precondition for the front end processor sending the key to the server terminal in place of the user. When at least one service request sent by the user terminal is received, the current user information corresponding to each service request is obtained, which replaces the user sending a user name to the server terminal. The current user information is compared with the stored valid user information to determine whether it is valid user information; if so, the current user information corresponding to the current service request is correct. Once the current user information has passed verification, the key corresponding to that valid user information is the target key corresponding to the current user information; the target key is extracted and sent to the server terminal in place of the user for identity authentication. Thus the present invention bridges the user terminal and the server terminal with the front end processor, so that a user performing identity authentication does not need to send a key to the server terminal.
2. In one embodiment of the present invention, by detecting whether the valid identity information is identical to the current identity information, whether the valid application identifier is identical to the current application identifier, and whether the valid network protocol address is identical to the current network protocol address, the accuracy of user identity authentication can be improved.
3. In one embodiment of the present invention, a re-authentication mechanism is established, which avoids authentication failing because the key held in the front end processor is no longer valid, and improves the accuracy of authenticating service requests.
4. In one embodiment of the present invention, by recording each final authentication result, the number of invalid authentications of the service requests corresponding to each piece of user information can be monitored; when that number reaches the preset upper limit, the user information is determined to be illegal user information, which reduces the probability of an attacker intruding into the server terminal and thereby protects the rights and interests of users.
It should be noted that herein, such as first and second etc relational terms are used merely to an entity
Or operation makes a distinction with another entity or operation, and not necessarily require or imply exist between these entities or operation
Any this actual relation or order.Moreover, term " comprising ", "comprising" or its any other variant be intended to it is non-
It is exclusive to include, so that process, method, article or equipment including a series of key elements not only include those key elements,
But also other key elements including being not expressly set out, or also include solid by this process, method, article or equipment
Some key elements.In the absence of more restrictions, the key element limited by sentence " including one ", is not arranged
Except also there is other identical factor in the process including the key element, method, article or equipment.
It is last it should be noted that:Presently preferred embodiments of the present invention is the foregoing is only, the skill of the present invention is merely to illustrate
Art scheme, is not intended to limit the scope of the present invention.Any modification for being made within the spirit and principles of the invention,
Equivalent substitution, improvement etc., are all contained in protection scope of the present invention.
Claims (10)
1. An identity authentication method, characterized in that a front end processor is arranged between a user terminal and a server terminal, the user terminal is connected to the front end processor through a wide area network, the front end processor is connected to the server terminal through a local area network, and the front end processor performs:
pre-storing at least one piece of valid user information and the key corresponding to each piece of valid user information;
receiving at least one service request sent by the user terminal;
for each service request, performing:
A1, obtaining the current user information corresponding to the current service request;
A2, comparing the current user information with the at least one piece of valid user information, and, when target valid user information identical to the current user information exists, extracting the target key corresponding to the target valid user information;
A3, sending the target key to the server terminal for identity authentication.
2. The method according to claim 1, characterized in that
the valid user information comprises: valid identity information, a valid application identifier and a valid network protocol address;
the current user information comprises: current identity information, a current application identifier and a current network protocol address;
the comparing of the current user information with the at least one piece of valid user information comprises:
detecting whether the valid identity information is identical to the current identity information, and returning a first detection result;
detecting whether the valid application identifier is identical to the current application identifier, and returning a second detection result;
detecting whether the valid network protocol address is identical to the current network protocol address, and returning a third detection result;
when the first detection result, the second detection result and the third detection result are all "identical", determining that the user information to be verified is identical to the valid user information.
3. The method according to claim 1, characterized in that,
after A3, it further comprises:
receiving a first authentication result obtained by the server terminal authenticating the target key;
when the first authentication result is invalid, after determining that the server terminal has updated the target key, comparing whether the current user information is identical to the target valid user information;
when the current user information is identical to the target valid user information, extracting the updated target key and sending it to the server terminal;
receiving a second authentication result obtained by the server terminal authenticating the updated target key;
when the second authentication result is invalid, determining that the current service request is invalid.
4. The method according to claim 3, characterized in that,
after A3, it further comprises:
recording the current user information and the final authentication result of the current service request corresponding to the current user information;
when the number of times the final authentication result is invalid reaches a preset upper limit, determining that the current user information is illegal user information.
5. A front end processor, characterized in that it is located between a user terminal and a server terminal, the user terminal is connected to the front end processor through a wide area network, the front end processor is connected to the server terminal through a local area network, and the front end processor comprises: a storage module, a receiving module and a request processing module;
the storage module is configured to store at least one piece of valid user information and the key corresponding to each piece of valid user information;
the receiving module is configured to receive at least one service request sent by a user;
the request processing module is configured to perform, for each service request received by the receiving module:
A1, obtaining the current user information corresponding to the current service request;
A2, comparing the current user information with the at least one piece of valid user information, and, when target valid user information identical to the current user information exists, extracting the target key corresponding to the target valid user information;
A3, sending the target key to the server terminal for identity authentication.
6. The front end processor according to claim 5, characterized in that
the valid user information comprises: valid identity information, a valid application identifier and a valid network protocol address;
the current user information comprises: current identity information, a current application identifier and a current network protocol address;
the request processing module comprises: a first detection unit, a second detection unit, a third detection unit and a judging unit;
the first detection unit is configured to detect whether the valid identity information is identical to the current identity information, and to return a first detection result;
the second detection unit is configured to detect whether the valid application identifier is identical to the current application identifier, and to return a second detection result;
the third detection unit is configured to detect whether the valid network protocol address is identical to the current network protocol address, and to return a third detection result;
the judging unit is configured to determine that the user information to be verified is identical to the valid user information when the first detection result, the second detection result and the third detection result are all "identical".
7. The front end processor according to claim 5, characterized in that
it further comprises a result processing module;
the result processing module is configured to receive a first authentication result obtained by the server terminal authenticating the target key; when the first authentication result is invalid, after determining that the server terminal has updated the target key, to compare whether the current user information is identical to the target valid user information; when the current user information is identical to the target valid user information, to extract the updated target key and send it to the server terminal; to receive a second authentication result obtained by the server terminal authenticating the updated target key; and, when the second authentication result is invalid, to determine that the current service request is invalid.
8. The front end processor according to claim 7, characterized in that
it further comprises a logging module and a counting module;
the logging module is configured to record the current user information and the final authentication result of the current service request corresponding to the current user information;
the counting module is configured to determine that the current user information is illegal user information when the number of times the final authentication result is invalid reaches a preset upper limit.
9. An identity authentication system, characterized in that it comprises: a server terminal and at least one front end processor according to any one of claims 5 to 8;
the server terminal is configured to receive at least one target key sent by the at least one front end processor.
10. The system according to claim 9, characterized in that
the server terminal is further configured, for each target key, to authenticate whether the user information corresponding to the current target key is valid and to generate an authentication result, and to send the authentication result to the corresponding front end processor according to preset identification information of that front end processor.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710700835.1A CN107332862A (en) | 2017-08-16 | 2017-08-16 | A kind of identity identifying method, front end processor and identity authorization system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107332862A true CN107332862A (en) | 2017-11-07 |
Family
ID=60200961
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710700835.1A Pending CN107332862A (en) | 2017-08-16 | 2017-08-16 | A kind of identity identifying method, front end processor and identity authorization system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107332862A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109474592A (en) * | 2018-11-08 | 2019-03-15 | 蓝信移动(北京)科技有限公司 | Public key binding method and system |
CN113325746A (en) * | 2021-04-30 | 2021-08-31 | 北京戴纳实验科技有限公司 | Unified management control method and system for laboratory equipment |
CN116260582A (en) * | 2023-05-16 | 2023-06-13 | 中汽智联技术有限公司 | Identity authentication and encryption communication method for network-connected vehicle |
CN116260582B (en) * | 2023-05-16 | 2023-08-15 | 中汽智联技术有限公司 | Identity authentication and encryption communication method for network-connected vehicle |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101145233A (en) * | 2006-09-12 | 2008-03-19 | 中国农业银行 | Data ciphered-mortgage transaction system, teller identification system, trans-center transaction system and method |
US20100095113A1 (en) * | 2008-10-11 | 2010-04-15 | Blankenbeckler David L | Secure Content Distribution System |
CN101764808A (en) * | 2009-12-22 | 2010-06-30 | 中国联合网络通信集团有限公司 | Authentication processing method and system for automatic login as well as server |
CN102204307A (en) * | 2011-06-15 | 2011-09-28 | 华为技术有限公司 | Wlan authentication method based on MAC address and device thereof |
CN104052616A (en) * | 2013-03-15 | 2014-09-17 | 深圳市腾讯计算机系统有限公司 | Method and system for managing services in Internet data center |
CN104486346A (en) * | 2014-12-19 | 2015-04-01 | 北京奇艺世纪科技有限公司 | Stepping stone system |
Non-Patent Citations (1)
Title |
---|
Wang Chongxia, Zhu Yanqin: "Design and study of a dynamic password identity authentication protocol" (一种动态口令身份认证协议的设计与研究), Computer Engineering and Applications (计算机工程与应用) * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20171107 |