
WO2018145605A1 - Authentication method and server, and access control device - Google Patents


Info

Publication number
WO2018145605A1
Authority
WO
WIPO (PCT)
Prior art keywords
resource
server
control device
access control
access request
Application number
PCT/CN2018/075201
Other languages
French (fr)
Chinese (zh)
Inventor
袁哲
Original Assignee
腾讯科技(深圳)有限公司
Application filed by 腾讯科技(深圳)有限公司
Publication of WO2018145605A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Definitions

  • the present application relates to the field of information security technologies, and in particular, to an authentication method, a server, and an access control device.
  • Cloud service providers can provide users with a large number of cloud services or cloud products.
  • the cloud resources on which the cloud services are based can be managed through a management platform.
  • users can access cloud resources through the cloud service management platform.
  • In the cloud service management platform, not all users have the right to access cloud resources. Therefore, a user requesting access needs to be authenticated to determine whether the user has the access permissions.
  • the embodiment of the present invention provides an authentication method, a server, and an access control device.
  • By using a temporary key to generate the signature for authentication, the risk of the inherent private key being compromised can be avoided, and the security of the inherent private key is ensured.
  • An embodiment of the present application provides an authentication method, including:
  • the server authenticates the resource access request
  • the server processes the resource access request.
  • An embodiment of the present application provides an authentication method, including:
  • the access control device receives the resource access request initiated by the user
  • the access control device encrypts the resource access request by using a stored temporary key to generate a first signature, where the temporary key is previously allocated by the server for the access control device;
  • the access control device sends the resource access request and the first signature to the server to enable the server to authenticate the resource access request.
  • An embodiment of the present application provides a server, including: a processor and a memory, where the memory stores computer readable instructions, and the computer readable instructions are executed by the processor to complete the following operations:
  • the resource access request is authenticated
  • the resource access request is processed.
  • An embodiment of the present application provides an access control apparatus, including: a processor and a memory, where the memory stores computer readable instructions that are executed by the processor to perform the following operations:
  • the embodiment of the present application provides an authentication method for a server, where the server includes a processor and a memory, and the method includes the following steps:
  • the server authenticates the resource access request
  • the server processes the resource access request.
  • The embodiment of the present application provides an authentication method for an access control device, where the access control device includes a processor and a memory, and the method includes:
  • the access control device receives the resource access request initiated by the user
  • the access control device encrypts the resource access request by using a stored temporary key to generate a first signature, where the temporary key is previously allocated by the server for the access control device;
  • the access control device sends the resource access request and the first signature to the server to enable the server to authenticate the resource access request.
  • Embodiments of the present application provide a non-volatile storage medium in which computer readable instructions are stored, which may be executed by a processor to perform the following operations:
  • the resource access request is authenticated
  • the resource access request is processed.
  • Embodiments of the present application provide a non-volatile storage medium in which computer readable instructions are stored, which may be executed by a processor to perform the following operations:
  • FIG. 1 is a schematic diagram of an application environment of an authentication method provided by an embodiment of the present application.
  • FIG. 2a is a schematic flowchart of an authentication method provided by an embodiment of the present application.
  • FIG. 2b is a schematic flowchart of another authentication method provided by an embodiment of the present application.
  • FIG. 3 is a schematic flowchart of another authentication method provided by an embodiment of the present application.
  • FIG. 4 is a diagram showing an example of an authentication method provided by an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of a server according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic structural diagram of an access control apparatus according to an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of another server according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of another access control apparatus according to an embodiment of the present application.
  • The cloud service management platform needs to generate a signature for the user's request to access the cloud resource, and send the signature together with the access request to the server corresponding to the cloud service management platform, so that the server verifies the signature and, if the verification passes, authenticates the access request to determine the authentication result. The signature in the cloud service management platform is generated by encrypting the access request with the user's inherent private key. Because the user's inherent private key is saved by the server, the management platform obtains the user's inherent private key directly from the server whenever it needs to generate a signature, so the inherent private key is easily exposed while it is being transmitted, and the security of the user's inherent private key transmission is reduced.
  • the embodiment of the present application provides an authentication method, a server, and an access control device, which can reduce the risk of user key leakage and improve the overall security of the authentication system.
  • FIG. 1 is a schematic diagram of an application environment of an authentication method according to an embodiment of the present application. The environment includes a client 101 and a server 102, which can communicate with each other over a network.
  • The access control device may be any device having communication and storage functions, such as a computer or a mobile phone; alternatively, the function of the access control device may be implemented in any device having communication and storage functions, such as the client 101 or the server 102 of FIG. 1.
  • the client 101 can be any device capable of implementing intelligent input and output, such as a computer, or other devices having the above structure.
  • The access control device receives the user-initiated resource access request; the access control device encrypts the resource access request by using the stored temporary key to generate a first signature, where the temporary key is previously allocated by the server for the access control device; the access control device sends the resource access request and the first signature to the server to enable the server to authenticate the resource access request.
  • the server 102 involved in FIG. 1 may be a background device that allocates a key and can authenticate a resource access request, etc., which is not limited in this embodiment of the present application.
  • the server can provide services such as computing, storage, database, video, security, network, content distribution network (CDN) and acceleration, big data, artificial intelligence (AI), etc., along with other devices of the cloud service provider.
  • The server receives a resource access request and a first signature sent by the access control device, where the first signature is generated by the access control device by encrypting the resource access request using the stored temporary key; the server acquires the stored temporary key allocated to the access control device and encrypts the resource access request using the temporary key to generate first verification data; if the first signature matches the first verification data, the server authenticates the resource access request; if the authentication result of the resource access request is that authentication passes, the server processes the resource access request.
  • FIG. 2a is a schematic flowchart of an authentication method according to an embodiment of the present application. As shown in FIG. 2a, the method in the embodiment of the present application is performed by a server, and may include the following steps 101-104.
  • the server receives a resource access request and a first signature sent by the access control device, where the first signature is generated by the access control device by using the stored temporary key to encrypt the resource access request.
  • the application programming interface (API) in the server authenticates each resource access request, that is, each resource access request needs to include signature information (Signature) in the public request parameter to verify the identity of the requester.
  • the server receives the resource access request and the first signature sent by the access control device.
  • the first signature is generated by the access control device, and is specifically generated by encrypting the resource access request by using a stored temporary key.
  • the temporary key may be allocated by the server for the access control device.
  • The temporary key has a certain timeliness, that is, the temporary key is valid within a certain time range and is invalid outside that range.
  • the temporary key is, for example, a key Key.
  • the server may simultaneously allocate a key ID for identifying the identity of the access control device, and the server may configure a certain key ID to invoke the API.
  • the key ID can be transmitted over the clear text network.
  • the access control device can simultaneously transmit the key ID when transmitting the resource access request and the first signature to the server.
  • the temporary key can also include a session token (Token).
  • the server and the access control device stipulate a preset encryption algorithm, and the access control device encrypts the resource access request by using a temporary key according to a preset encryption algorithm to generate a first signature.
  • the preset encryption algorithm may be, for example, a Data Encryption Standard (DES), an International Data Encryption Algorithm (IDEA), or the like.
  • the resource access request is a request by a user to request a server to access a target access resource.
  • The resource access request includes, for example, a user identifier, information of a target access resource, and a target operation mode to be performed on the target access resource.
  • the user identifier is used to mark a user who performs a target operation mode on the target access resource, for example, a user account. In the case where the user has multiple accounts, the user's root account and sub-account may be included.
  • the target access resource may be, for example, a file, data, or the like in the server, and the target operation mode may be a read instruction, a delete instruction, a write instruction, or the like.
  • the manner in which the target operation mode is included in the embodiment of the present application is not limited.
  • the target access resources may also be cloud server resources, databases, virtual private clouds (VPCs), and the like.
  • Users can use the API provided by the cloud server to perform related operations on the cloud server: such as creating, changing bandwidth, restarting, and so on.
  • the creation operation is, for example, to create a volume-based cloud server.
  • the restart operation is, for example, restarting one or more cloud servers.
  • Changing the bandwidth operation is, for example, changing the bandwidth of the cloud server.
  • the server acquires the stored temporary key allocated to the access control device, and encrypts the resource access request by using the temporary key to generate first verification data.
  • The server acquires the stored temporary key allocated to the access control device, where the temporary key stored by the server corresponds to the access control device, and at any given time there is only one temporary key corresponding to the access control device.
  • The server may save the temporary key together with the device identifier of the access control device, and the access control device may carry its device identifier, for example the key ID, together with the resource access request and the first signature, so that after the server receives the resource access request, the first signature, and the device identifier, the server searches for the temporary key (the key Key) corresponding to that key ID.
  • the server encrypts the resource access request by using a stored temporary key to generate first verification data. The first verification data is used to compare with the received first signature to determine whether the access control device is legitimate.
  • the server authenticates the resource access request.
  • The server matches the received first signature with the generated first verification data, and if the first signature matches the first verification data, the server determines that the access control device is legitimate and authenticates the resource access request.
  • If the first signature does not match the first verification data, the server determines that the access control device is not legitimate, and does not authenticate the resource access request.
  • the server may transmit a notification message to the access control device indicating that the access control device fails to pass the verification.
  • The specific process by which the server authenticates the resource access request may be as follows: the server obtains the accessible resources corresponding to the user identifier and the operable manners for each accessible resource; the server determines whether the target access resource exists among the accessible resources; if the target access resource exists, the server determines whether the target operation mode exists among the operable manners of the target access resource; if the target operation mode exists, the server determines that the authentication result of the resource access request is that authentication passes. If the target access resource does not exist among the accessible resources, or the target operation mode does not exist among the operable manners, the server determines that the authentication result of the resource access request is that authentication fails. In this case, the server may send a notification message to the access control device that the resource access request cannot be performed.
  • the server processes the resource access request.
  • the server processes the target access resource according to the target operation mode in the resource access request, and after the process is completed, the server may feed back the processing result to the access control device, so that the user knows that the The result of processing the resource access request.
  • The server receives the resource access request and the first signature sent by the access control device, where the first signature is generated by the access control device using the stored temporary key to encrypt the resource access request; the server encrypts the resource access request using the stored temporary key allocated to the access control device to generate the first verification data; if the first signature matches the first verification data, the server authenticates the resource access request; if the authentication passes, the server processes the resource access request.
  • the signature to be verified is generated by using a temporary key, so that the server does not need to transmit the inherent key, thereby avoiding the risk of the inherent private key being leaked, thereby ensuring the security of the inherent private key.
  • FIG. 2b is a schematic flowchart of another authentication method provided in the embodiment of the present application.
  • the method in the embodiment of the present application is performed by the access control device, and may include the following steps 201-203.
  • the access control device can be on the client side or on the server side.
  • the access control device receives a resource access request initiated by the user.
  • the access control device receives a resource access request initiated by the user to access the target access resource, and the user may initiate a resource access request by using an access control platform or page provided by the access control device. Further, the user can initiate a resource access request after successfully logging in through the user name and login password in the access control platform or page.
  • the access control device encrypts the resource access request by using a stored temporary key to generate a first signature, where the temporary key is previously allocated by the server for the access control device.
  • the access control device encrypts the resource access request by using a stored temporary key to generate a first signature.
  • The temporary key is allocated by the server to the access control device. It can be understood that the temporary key has a certain time validity, that is, the temporary key is valid within a certain time range and invalid outside that range.
  • the temporary key is, for example, a key Key.
  • When the server allocates a temporary key to the access control device, the server may simultaneously allocate a key ID for identifying the identity of the access control device, and the server may configure a certain key ID to invoke the API.
  • the key ID can be transmitted over the clear text network.
  • the access control device can simultaneously transmit the key ID when transmitting the resource access request and the first signature to the server.
  • the temporary key can also include a session token (Token).
  • the server and the access control device stipulate a preset encryption algorithm, and the access control device encrypts the resource access request by using a temporary key according to a preset encryption algorithm to generate a first signature.
  • the preset encryption algorithm may be, for example, DES, IDEA, or the like.
  • the access control apparatus sends the resource access request and the first signature to the server, so that the server authenticates the resource access request.
  • the access control device sends the resource access request and the first signature to the server, so that the server authenticates the resource access request.
  • The access control device may further carry its device identifier, that is, the key ID, so that after the server receives the resource access request, the first signature, and the device identifier, the server searches for the temporary key (the key Key) corresponding to that key ID, and after the server finds the temporary key corresponding to the device identifier, it generates the first verification data to complete the authentication.
  • The access control device encrypts the received resource access request using a temporary key to generate a first signature, where the temporary key was previously allocated by the server for the access control device, and sends the resource access request and the first signature to the server so that the server authenticates the resource access request. In this way the user's inherent private key is not needed, the risk of the inherent private key being compromised is avoided, and the security of the inherent private key is ensured.
  • FIG. 3 is a schematic flowchart of another authentication method according to an embodiment of the present application. As shown in FIG. 3, the method in the embodiment of the present application is performed by a server and an access control device, and may include the following steps 301-314.
  • the access control device receives a resource access request initiated by a user.
  • the access control device receives a resource access request initiated by the user to request access to the target access resource.
  • the user may initiate a resource access request by using an access control platform or a page provided by the access control device.
  • the user can initiate a resource access request after successfully logging in through the user name and login password in the access control platform or page.
  • The resource access request includes, for example, a user identifier, a target access resource, and a target operation mode to be performed on the target access resource.
  • the user identifier is used to mark the user who performs the target operation mode on the target access resource.
  • the target access resource may be, for example, a file, data, or the like in the server, and the target operation mode may be a read instruction, a delete instruction, a write instruction, or the like.
  • the embodiment of the present application does not limit the manner in which the target operation mode is included.
  • the access control device encrypts the resource access request by using a fixed key to generate a second signature, where the fixed key is allocated by the server for the access control device.
  • the access control device encrypts the resource access request by using a fixed key to generate a second signature.
  • the fixed key is allocated by the server for the access control device, and the fixed key is in one-to-one correspondence with the access control device.
  • The server sends the fixed key to the access control device; after receiving the fixed key, the access control device saves it, and when the access control device needs to send a temporary key acquisition request to the server, it retrieves the stored fixed key and encrypts the resource access request using the fixed key to generate the second signature.
  • the access control device sends a temporary key acquisition request to the server.
  • The access control device sends a temporary key acquisition request to the server, where the temporary key acquisition request carries the resource access request and the second signature, so that the server verifies the second signature and assigns a temporary key to the access control device after the verification passes.
  • The server and the access control device may jointly agree on the encryption algorithm used for the second signature in the temporary key acquisition request, so that the server can verify the second signature after receiving the temporary key acquisition request. Any jointly agreed encryption algorithm may be used for the second signature.
  • the server receives a temporary key acquisition request sent by the access control device.
  • the server receives a temporary key acquisition request sent by the access control device, where the temporary key acquisition request carries a resource access request and a second signature.
  • The temporary key acquisition request may further carry the device identifier of the access control device, so that the server determines, after receiving the temporary key acquisition request, the fixed key corresponding to the device identifier.
  • the server acquires a fixed key allocated to the access control apparatus, and encrypts the resource access request by using the fixed key to generate second verification data.
  • The server acquires the fixed key allocated to the access control device. For example, the server may search for the fixed key corresponding to the device identifier according to the device identifier carried in the temporary key acquisition request, and encrypt the resource access request by using the fixed key to generate the second verification data.
  • the encryption algorithm used by the server to generate the second verification data is the same as the encryption algorithm used by the access control device to generate the second signature.
  • If the second signature matches the second verification data, the server allocates a temporary key to the access control device.
  • the temporary key may have a certain timeliness, that is, the temporary key is valid within a certain time range and fails in other time ranges.
  • If the second signature does not match the second verification data, the server does not allocate a temporary key, and may also send a notification message to the access control device that the temporary key cannot be allocated because the verification failed.
  • the server stores and sends the temporary key to the access control device.
  • the server stores the allocated temporary key to determine a temporary key of the access control device.
  • the server may store the temporary key in association with the device identifier of the access control device, and record the effective duration of the temporary key. After the valid duration of the record is exceeded, the temporary key may be deleted.
  • the access control device receives the temporary key allocated by the server, and stores the temporary key.
  • the access control device encrypts the resource access request by using a stored temporary key to generate a first signature.
  • the access control device sends the resource access request and the first signature to the server.
  • the access control device sends the resource access request and the first signature to the server, so that the server authenticates the resource access request.
  • In addition to the resource access request and the first signature, the access control device may further carry the device identifier of the access control device, so that after the server receives the resource access request, the first signature, and the device identifier, the server searches for the temporary key corresponding to the device identifier, and after finding it, generates the first verification data to complete the authentication.
  • the server receives the resource access request and the first signature sent by the access control device.
  • the first signature is generated by the access control device, and is specifically generated by encrypting the resource access request by using a stored temporary key.
  • the server acquires the stored temporary key allocated to the access control device, and encrypts the resource access request by using the temporary key to generate first verification data.
  • the server acquires the stored temporary key allocated to the access control device, where the temporary key stored by the server corresponds to the access control device, and at any given moment there is only one temporary key corresponding to the access control device.
  • after the server receives the resource access request, the first signature, and the device identifier, the server searches for the temporary key corresponding to the device identifier.
  • the server encrypts the resource access request by using a stored temporary key to generate first verification data.
  • the first verification data is used to compare with the received first signature to determine whether the access control device is legitimate.
  • the encryption algorithm used by the server to generate the first verification data is the same as the encryption algorithm used by the access control device to generate the first signature.
  • if the server has deleted the temporary key because it expired, then even if the temporary key acquisition request sent by the access control device is received, the first signature of the access control device cannot be verified, so the verification cannot be performed.
  • in that case a notification message that the temporary key has expired is transmitted to the access control device.
  • the server authenticates the resource access request.
  • the server matches the received first signature against the generated first verification data; if the first signature matches the first verification data, the server determines that the access control device is legitimate and authenticates the resource access request.
  • otherwise, the server determines that the access control device is not legitimate, and does not authenticate the resource access request.
  • the server may transmit a notification message to the access control device indicating that the access control device fails to pass the verification.
  • the specific process by which the server authenticates the resource access request may be: the server obtains the accessible resources corresponding to the user identifier and the operable manners for those accessible resources; the server determines whether the target access resource exists among the accessible resources; if the target access resource exists, the server determines whether the target operation mode exists among the operable manners of the target access resource; if the target operation mode exists, the server determines that the authentication result of the resource access request is an authentication pass. If the target access resource does not exist among the accessible resources, or the target operation mode does not exist among the operable manners, the server determines that the authentication result of the resource access request is an authentication failure. In this case, the server may send a notification message to the access control device that the resource access request cannot be performed.
  • the server processes the resource access request.
  • the server processes the target access resource according to the target operation mode in the resource access request, and after the processing is completed, the server may feed back the processing result to the access control device, so that the user knows the result of processing the resource access request.
  • the server receives the resource access request and the first signature sent by the access control device, where the first signature is generated by the access control device using the stored temporary key to encrypt the resource access request; the server encrypts the resource access request with the stored temporary key allocated to the access control device to generate the first verification data. If the first signature matches the first verification data, the server authenticates the resource access request; if the authentication passes, the server processes the resource access request.
  • the signature to be verified is generated by using a temporary key, so the server does not need to transmit the inherent key, thereby avoiding the risk of the inherent private key being leaked and ensuring the security of the inherent private key.
  • the server first verifies the access control device.
  • the server allocates a temporary key and sends it to the access control device; the access control device encrypts the resource access request with the temporary key to generate a first signature, and the server performs verification and authentication again after receiving the first signature sent by the access control device.
  • the first signature to be verified is generated by using a temporary key, so that the server does not need to transmit the inherent key, thereby avoiding the risk of the inherent private key being leaked, and ensuring the security of the inherent private key.
  • the accuracy of authentication is also ensured by means of verification of the access control device and verification of the identity of the user.
  • FIG. 4 is a schematic diagram of an authentication method provided by an embodiment of the present application, so as to further understand the technical solutions described in the present application.
  • the authentication method is jointly performed by the client 1 and the server 2, wherein the client 1 has an access control platform, and the server 2 includes an authentication service module, a key service module, and a resource access request processing module. These correspond to the various functions that the server has.
  • the access control platform may receive a resource access request initiated by the user, and encrypt the resource access request by using the stored temporary key to generate a first signature, where the temporary key is previously allocated by the server for the access control platform.
  • the access control platform sends the resource access request and the first signature to the server after generating the first signature.
  • the authentication service module in the server receives the resource access request and the first signature sent by the access control platform; the authentication service module obtains the stored temporary key allocated for the access control platform from the key service module, and encrypts the resource access request with the temporary key to generate first verification data; the authentication service module matches the first signature against the first verification data, and if they match, the authentication service module authenticates the resource access request and, if the authentication passes, triggers the resource access request processing module to process the resource access request.
  • before the access control platform encrypts the resource access request by using the stored temporary key, the resource access request may be encrypted by using a fixed key to generate a second signature, where the fixed key is allocated by the server for the access control platform.
  • the access control platform sends a temporary key acquisition request to the server, where the temporary key acquisition request carries the resource access request and the second signature, so that the server allocates a temporary key to the access control platform after the second signature passes verification.
  • the authentication service module in the server receives the temporary key acquisition request sent by the access control platform; the authentication service module acquires the fixed key allocated to the access control platform from the key service module, and encrypts the resource access request by using the fixed key to generate second verification data; if the second signature matches the second verification data, the authentication service module allocates a temporary key to the access control platform, stores the temporary key in the key service module, and sends the temporary key to the access control platform.
  • the access control platform receives the temporary key allocated by the server and stores it.
  • the key service module may include a temporary key storage module and a fixed key storage module to store the temporary key and the fixed key, respectively.
  • the authentication service module can include a rights library that maintains the accessible resources of various users and the manner in which the resources are accessible.
  • the authentication service module, the key service module, and the resource access request processing module shown in FIG. 4 are logical functional descriptions.
  • the servers involved in the embodiment shown in Figures 2a, 2b and 3 can perform the corresponding method steps by means of the various modules shown in Figure 4.
  • the access control device of the embodiment shown in Figures 2a, 2b and 3 can perform the corresponding method steps through the access control platform shown in Figure 4.
  • the authentication service module, the key service module, and the resource access request processing module in the server 2 may be deployed on the same physical machine, in different virtual machines of the same physical machine, or on different physical machines. The embodiment does not limit this.
  • FIG. 5 is a schematic structural diagram of a server according to an embodiment of the present application.
  • the server 10 of the embodiment of the present application may include: a data receiving unit 11, a first generating unit 12, a request authentication unit 13, and a request processing unit 14.
  • the server 10 may further include a request receiving unit 15, a second generating unit 16, and a key assigning unit 17.
  • the data receiving unit 11 is configured to receive a resource access request and a first signature sent by the access control device, where the first signature is generated by the access control device by using the stored temporary key to encrypt the resource access request.
  • the data receiving unit 11 receives the resource access request and the first signature sent by the access control device.
  • the first signature is generated by the access control device, and is specifically generated by encrypting the resource access request by using a stored temporary key.
  • the temporary key is allocated by the server 10 for the access control device. It can be understood that the temporary key has a certain time limit, that is, the temporary key is valid within a certain time range and expires outside it.
  • the server 10 and the access control device agree on a preset encryption algorithm, and the access control device encrypts the resource access request by using the temporary key according to the preset encryption algorithm to generate the first signature.
  • the preset encryption algorithm may be, for example, DES, IDEA, or the like.
  • the resource access request may include a user identifier, a target access resource, and a target operation mode for accessing the resource to the target.
  • the user identifier is used to mark the user who performs the target operation mode on the target access resource.
  • the target access resource may be a file, data, or the like in the server 10.
  • the target operation mode may be a read instruction, a delete instruction, a write instruction, or the like. The embodiment of the present application does not limit the manner in which the target operation mode is included.
  • the first generating unit 12 is configured to obtain the stored temporary key allocated to the access control device, and encrypt the resource access request by using the temporary key to generate first verification data.
  • the first generating unit 12 acquires the stored temporary key allocated to the access control device, where the temporary key stored by the server 10 corresponds to the access control device, and at any given moment there is only one temporary key corresponding to the access control device.
  • the server 10 may save the temporary key together with the device identifier of the access control device; further, the access control device may carry its device identifier together with the resource access request and the first signature, so that after the data receiving unit 11 receives the resource access request, the first signature, and the device identifier, the first generating unit 12 searches for the temporary key corresponding to the device identifier.
  • the server 10 encrypts the resource access request by using the stored temporary key to generate first verification data.
  • the first verification data is used to compare with the received first signature to determine whether the access control device is legitimate.
  • the request authentication unit 13 is configured to authenticate the resource access request if the first signature matches the first verification data.
  • the request authentication unit 13 matches the received first signature against the generated first verification data, and if the first signature matches the first verification data, the server 10 determines that the access control device is legitimate and authenticates the resource access request.
  • the server 10 determines that the access control device is invalid and does not authenticate the resource access request.
  • the server 10 may transmit a notification message to the access control device indicating that the access control device fails to pass the verification.
  • the request authentication unit 13 includes an information acquisition subunit, a first determining subunit, a second determining subunit, and a result determining subunit.
  • the information acquisition subunit is configured to acquire the accessible resources corresponding to the user identifier and the operable manners of the accessible resources.
  • the first determining subunit is configured to determine whether the target access resource exists among the accessible resources.
  • the second determining subunit is configured to determine whether the target operation mode exists among the operable manners of the target access resource if the first determining subunit determines that the target access resource exists among the accessible resources.
  • the result determining subunit is configured to determine that the authentication result of the resource access request is an authentication pass if the second determining subunit determines that the target operation mode exists among the operable manners of the target access resource.
  • the request processing unit 14 is configured to process the resource access request if the authentication result of the resource access request is the authentication pass.
  • the request processing unit 14 processes the resource access request.
  • the server 10 processes the target access resource according to the target operation mode in the resource access request, and after the processing is completed, the server 10 may feed back the processing result to the access control device, so that the user knows the processing result of the resource access request.
  • the server 10 may further execute the request receiving unit 15, the second generating unit 16, and the key assigning unit 17 before executing the data receiving unit 11.
  • the request receiving unit 15 is configured to receive a temporary key acquisition request sent by the access control device, where the temporary key acquisition request carries a resource access request and a second signature.
  • the second generating unit 16 is configured to acquire a fixed key allocated to the access control device, and encrypt the resource access request by using the fixed key to generate second verification data.
  • the key assigning unit 17 is configured to: if the second signature matches the second verification data, allocate a temporary key to the access control device, and store the temporary key and send it to the access control device.
  • the server receives the resource access request and the first signature sent by the access control device, where the first signature is generated by the access control device using the stored temporary key to encrypt the resource access request; the server encrypts the resource access request with the stored temporary key allocated to the access control device to generate the first verification data. If the first signature matches the first verification data, the server authenticates the resource access request; if the authentication passes, the server processes the resource access request.
  • the signature to be verified is generated by using a temporary key, so the server does not need to transmit the inherent key, thereby avoiding the risk of the inherent private key being leaked and ensuring the security of the inherent private key.
  • the access control apparatus 20 of the embodiment of the present application may include a request receiving unit 21, a first generating unit 22, and a data transmitting unit 23.
  • the access control device 20 may further include a second generating unit 24, a request transmitting unit 25, and a key receiving unit 26.
  • the request receiving unit 21 is configured to receive a resource access request initiated by the user.
  • the request receiving unit 21 receives a resource access request initiated by the user.
  • the user may initiate a resource access request by using an access control platform or a page provided by the access control device 20. Further, the user can initiate a resource access request after successfully logging in through the user name and login password in the access control platform or page.
  • the resource access request includes, for example, a user identifier, a target access resource, and a target operation mode for accessing the resource to the target.
  • the user identifier is used to mark the user who performs the target operation mode on the target access resource.
  • the target access resource may be a file, data, or the like in the server, and the target operation mode may be a read instruction, a delete instruction, a write instruction, or the like.
  • the embodiment of the present application does not limit the manner in which the target operation mode is included.
  • the first generating unit 22 is configured to encrypt the resource access request by using the stored temporary key to generate a first signature, where the temporary key is previously allocated by the server for the access control device 20.
  • the first generating unit 22 encrypts the resource access request by using the stored temporary key to generate a first signature.
  • the temporary key is allocated by the server to the access control device 20. It can be understood that the temporary key has a certain timeliness, that is, the temporary key is valid within a certain time range and expires outside it.
  • the server and the access control device 20 agree on a preset encryption algorithm, and the access control device 20 encrypts the resource access request by using a temporary key according to a preset encryption algorithm.
  • the preset encryption algorithm may be, for example, DES, IDEA, or the like.
  • the data sending unit 23 is configured to send the resource access request and the first signature to the server, so that the server authenticates the resource access request.
  • the data sending unit 23 sends the resource access request and the first signature to the server, so that the server authenticates the resource access request.
  • the data sending unit 23 may carry the device identifier of the access control device 20 in addition to the resource access request and the first signature, so that after the server receives the resource access request, the first signature, and the device identifier, the server searches for the temporary key corresponding to the device identifier, and once it finds that temporary key, generates the first verification data to complete the authentication.
  • the access control device 20 may further execute the second generation unit 24, the request transmission unit 25, and the key reception unit 26 after executing the request reception unit 21 and before executing the first generation unit 22.
  • the second generating unit 24 is configured to encrypt the resource access request by using a fixed key to generate a second signature, where the fixed key is allocated by the server for the access control device 20.
  • the request sending unit 25 is configured to send a temporary key acquisition request to the server, where the temporary key acquisition request carries the resource access request and the second signature, so that the server allocates a temporary key to the access control device 20 after the second signature passes verification.
  • the key receiving unit 26 is configured to receive the temporary key allocated by the server, and store the temporary key.
  • the key receiving unit 26 is further configured to receive the inherent key allocated by the server for the access control device 20, and store the inherent key.
  • the access control device encrypts the received resource access request by using a temporary key to generate a first signature, where the temporary key is previously allocated by the server for the access control device, and sends the resource access request and the first signature to the server, so that the server authenticates the resource access request; the inherent private key of the user is therefore not needed, the risk of the inherent private key being compromised is avoided, and the security of the inherent private key is ensured.
  • FIG. 7 is a schematic structural diagram of another server according to an embodiment of the present application.
  • the server 1000 may include at least one processor 1001, such as a CPU, at least one network interface 1004, a memory 1005, and at least one communication bus 1002.
  • Network interface 1004 can include, for example, a standard wired interface, a wireless interface (such as a WI-FI interface).
  • the memory 1005 may be a high speed RAM memory or a non-volatile memory such as at least one disk memory.
  • the memory 1005 may also be, for example, at least one storage device located remotely from the aforementioned processor 1001.
  • the communication bus 1002 is used to implement connection communication between these components.
  • the server 1000 can include a user interface 1003, wherein the user interface 1003 can include a display, a keyboard. As shown in FIG. 7, an operating system, a network communication module, a user interface module, and an authentication application may be included in the memory 1005 as a computer storage medium.
  • the network interface 1004 is mainly used to exchange data with the access control device, for example, a resource access request, a first signature, a temporary key acquisition request, and the like; and the processor 1001 can be used to invoke the authentication application stored in the memory 1005, and specifically: authenticate the resource access request, and process the resource access request.
  • before the processor 1001 receives the resource access request and the first signature sent by the access control device, the processor 1001 further performs:
  • the server allocates a temporary key to the access control device, and stores and sends the temporary key to the access control device.
  • the resource access request includes a user identifier, a target access resource, and a target operation mode for accessing the resource to the target.
  • the processor 1001 performs an authentication on the resource access request, and specifically executes:
  • if the target access resource exists, determining whether the target operation mode exists among the operable manners of the target access resource;
  • the server receives the resource access request and the first signature sent by the access control device, where the first signature is generated by the access control device using the stored temporary key to encrypt the resource access request; the server encrypts the resource access request with the stored temporary key allocated to the access control device to generate the first verification data. If the first signature matches the first verification data, the server authenticates the resource access request; if the authentication passes, the server processes the resource access request.
  • the signature to be verified is generated by using a temporary key, so the server does not need to transmit the inherent key, thereby avoiding the risk of the inherent private key being leaked and ensuring the security of the inherent private key.
  • FIG. 8 is a schematic structural diagram of another access control apparatus according to an embodiment of the present application.
  • the access control device 2000 may include at least one processor 2001, such as a CPU, at least one network interface 2004, a user interface 2003, a memory 2005, and at least one communication bus 2002.
  • the communication bus 2002 is used to implement connection communication between these components.
  • the user interface 2003 may include a display and a keyboard.
  • Network interface 2004 may include a standard wired interface, a wireless interface (such as a WI-FI interface).
  • the memory 2005 may be a high speed RAM memory or a non-volatile memory such as at least one disk memory.
  • the memory 2005 can also be at least one storage device located remotely from the aforementioned processor 2001.
  • an operating system, a network communication module, a user interface module, and an authentication application may be included in the memory 2005 as a computer storage medium.
  • the user interface 2003 is mainly used to provide an input interface for the user, and obtains a resource operation request sent by the user.
  • the network interface 2004 is mainly used to exchange data with the access control device, for example, a resource access request, a first signature, a temporary key acquisition request, and the like; and the processor 2001 can be used to invoke the authentication application stored in the memory 2005, and specifically perform the following operations:
  • before the processor 2001 encrypts the resource access request by using the stored temporary key to generate the first signature, it performs:
  • sending a temporary key acquisition request to the server, the temporary key acquisition request carrying the resource access request and the second signature, so that the server allocates a temporary key to the access control device after the second signature passes verification.
  • the processor 2001 encrypts the resource access request by using a fixed key to generate the second signature.
  • the method further includes:
  • the resource access request includes a user identifier, a target access resource, and a target operation mode for accessing the resource to the target.
  • the access control device encrypts the received resource access request by using a temporary key to generate a first signature, where the temporary key is previously allocated by the server for the access control device, and sends the resource access request and the first signature to the server, so that the server authenticates the resource access request; the inherent private key of the user is therefore not needed, the risk of the inherent private key being compromised is avoided, and the security of the inherent private key is ensured.
  • the module or unit in the embodiment of the present application may be implemented by a general-purpose integrated circuit, such as a CPU (Central Processing Unit), or an ASIC (Application Specific Integrated Circuit).
  • the modules or units in the terminal in this embodiment of the present application may be combined, divided, and deleted according to actual needs.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).
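The two-phase exchange described in the embodiments above (fixed-key signature to obtain a temporary key, then temporary-key signature on each resource access request, followed by the rights-library check) worked through as an added example; this is illustrative code, not the application's own implementation. It assumes HMAC-SHA256 as the preset algorithm the two sides agree on (the text names DES or IDEA as examples), a 5-minute temporary-key validity, and constructed sample keys, users and resources.

```python
"""Temporary-key authentication flow modelled on the embodiments above (constructed example)."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


def sign(key: bytes, request: dict) -> bytes:
    """Signature over a canonical encoding of the resource access request.
    ASSUMPTION: HMAC-SHA256 stands in for the agreed 'preset encryption algorithm'."""
    canonical = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()


@dataclass
class Server:
    fixed_keys: dict                 # device_id -> fixed key (allocated out of band)
    rights: dict                     # rights library: user_id -> {resource: {operable modes}}
    temp_ttl: float = 300.0          # ASSUMPTION: temporary key valid for 5 minutes
    temp_keys: dict = field(default_factory=dict)  # device_id -> (key, expires_at)

    def allocate_temp_key(self, device_id, request, second_signature, now):
        """Phase 1: check the fixed-key (second) signature, then allocate a temporary key."""
        fixed = self.fixed_keys.get(device_id)
        if fixed is None:
            return None, "unknown device"
        second_verification = sign(fixed, request)
        if not hmac.compare_digest(second_verification, second_signature):
            return None, "verification failed, temporary key not allocated"
        temp = secrets.token_bytes(32)
        # Only one temporary key per device at any moment: replace any earlier one.
        self.temp_keys[device_id] = (temp, now + self.temp_ttl)
        return temp, "ok"

    def _lookup_temp_key(self, device_id, now):
        """Return the device's temporary key, deleting it if its validity has lapsed."""
        entry = self.temp_keys.get(device_id)
        if entry is None:
            return None
        key, expires_at = entry
        if now >= expires_at:
            del self.temp_keys[device_id]
            return None
        return key

    def handle_request(self, device_id, request, first_signature, now):
        """Phase 2: verify the temporary-key (first) signature, authenticate, process."""
        temp = self._lookup_temp_key(device_id, now)
        if temp is None:
            return "temporary key expired"
        first_verification = sign(temp, request)
        if not hmac.compare_digest(first_verification, first_signature):
            return "access control device fails verification"
        if not self.authenticate(request):
            return "authentication failed"
        return self.process(request)

    def authenticate(self, request):
        """Target resource must be accessible to the user, and the operation operable on it."""
        accessible = self.rights.get(request["user_id"], {})
        modes = accessible.get(request["resource"])
        return modes is not None and request["operation"] in modes

    def process(self, request):
        return f"{request['operation']} on {request['resource']} performed"


@dataclass
class AccessControlDevice:
    device_id: str
    fixed_key: bytes
    temp_key: Optional[bytes] = None

    def obtain_temp_key(self, server, request, now):
        second_signature = sign(self.fixed_key, request)
        key, status = server.allocate_temp_key(self.device_id, request, second_signature, now)
        if key is not None:
            self.temp_key = key          # device stores the allocated temporary key
        return status

    def send_request(self, server, request, now):
        if self.temp_key is None:
            raise RuntimeError("no temporary key stored")
        return server.handle_request(self.device_id, request, sign(self.temp_key, request), now)


def demo(now: float = 1_000_000.0) -> dict:
    """Run the flow on constructed data and collect the server's responses."""
    fixed = bytes.fromhex("11" * 32)                        # constructed fixed key
    server = Server(fixed_keys={"dev-1": fixed},
                    rights={"alice": {"/data/report.txt": {"read"}}})
    device = AccessControlDevice("dev-1", fixed)
    req_read = {"user_id": "alice", "resource": "/data/report.txt", "operation": "read"}
    req_delete = dict(req_read, operation="delete")
    results = {"issue": device.obtain_temp_key(server, req_read, now)}
    results["read"] = device.send_request(server, req_read, now)          # authorised
    results["delete"] = device.send_request(server, req_delete, now)      # not in rights library
    # Request altered after signing: first verification data no longer matches.
    results["tampered"] = server.handle_request("dev-1", req_delete, sign(device.temp_key, req_read), now)
    results["expired"] = device.send_request(server, req_read, now + 600)  # past validity
    # A device holding the wrong fixed key never receives a temporary key.
    results["wrong_fixed"] = AccessControlDevice("dev-1", b"wrong-key").obtain_temp_key(server, req_read, now)
    return results
```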


Abstract

The embodiments of the present application provide an authentication method and server, and an access control device, said method comprising the following steps: a server receiving a resource access request and first signature sent by an access control device, said first signature being generated by the access control device using a stored temporary key to encrypt a resource access request; the server obtaining the stored temporary key allocated to the access control device, and using the temporary key to encrypt the resource access request to generate first verification data; if the first signature is consistent with the first verification data, then the server authenticating the resource access request; if the result of authentication of the resource access request is successful authentication, then the server processing the resource access request.

Description

鉴权方法及服务器、访问控制装置Authentication method, server, access control device
本申请要求于2017年02月07日提交中国专利局、申请号为201710067062.8、发明名称为“一种鉴权方法及服务器、访问控制装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of the Chinese Patent Application filed on Dec. 7, 2017, the Chinese Patent Application No. 201710067062.8, entitled "An authentication method and server, access control device", the entire contents of which are incorporated by reference. In this application.
技术领域Technical field
本申请涉及信息安全技术领域,尤其涉及一种鉴权方法及服务器、访问控制装置。The present application relates to the field of information security technologies, and in particular, to an authentication method, a server, and an access control device.
背景技术Background technique
随着云计算技术的日益普及和大量应用,云计算在实现服务的高可用性、处理能力的可扩展性等方面的优势越来越多的被业界认可。云服务供应商可以为用户提供大量的云服务或称为云产品。云服务所基于的云资源可以通过一个管理平台进行管理。其中,在云服务的鉴权体系中,用户可以通过云服务管理平台访问云资源,然而并非各个用户都具备访问云资源的资格,因此需要对访问用户进行鉴权,以确定该用户是否有访问权限。With the increasing popularity and a large number of applications of cloud computing technologies, cloud computing has become more and more recognized by the industry in terms of achieving high availability of services and scalability of processing capabilities. Cloud service providers can provide users with a large number of cloud services or cloud products. The cloud resources on which the cloud services are based can be managed through a management platform. In the cloud service authentication system, users can access cloud resources through the cloud service management platform. However, not all users have the right to access cloud resources. Therefore, the access user needs to be authenticated to determine whether the user has access. Permissions.
发明内容Summary of the invention
本申请实施例提供一种鉴权方法及服务器、访问控制装置,通过采用临时密钥生成签名以进行鉴权的方式,能够避免固有私钥被泄露的风险,保证了固有私钥的安全性。The embodiment of the present invention provides an authentication method, a server, and an access control device. By using a temporary key to generate a signature for authentication, the risk of the inherent private key being compromised can be avoided, and the security of the inherent private key is ensured.
An embodiment of this application provides an authentication method, comprising:
receiving, by a server, a resource access request and a first signature sent by an access control device, the first signature having been generated by the access control device by encrypting the resource access request with a stored temporary key;
obtaining, by the server, the stored temporary key that it allocated to the access control device, and encrypting the resource access request with that temporary key to generate first verification data;
if the first signature matches the first verification data, authenticating, by the server, the resource access request; and
if the authentication result of the resource access request is that authentication passes, processing, by the server, the resource access request.
An embodiment of this application provides an authentication method, comprising:
receiving, by an access control device, a resource access request initiated by a user;
encrypting, by the access control device, the resource access request with a stored temporary key to generate a first signature, the temporary key having been allocated to the access control device in advance by a server; and
sending, by the access control device, the resource access request and the first signature to the server so that the server authenticates the resource access request.
An embodiment of this application provides a server comprising a processor and a memory, the memory storing computer-readable instructions which, when executed by the processor, perform the following operations:
receiving a resource access request and a first signature sent by an access control device, the first signature having been generated by the access control device by encrypting the resource access request with a stored temporary key;
obtaining the stored temporary key allocated to the access control device, and encrypting the resource access request with that temporary key to generate first verification data;
if the first signature matches the first verification data, authenticating the resource access request; and
if the authentication result of the resource access request is that authentication passes, processing the resource access request.
An embodiment of this application provides an access control device comprising a processor and a memory, the memory storing computer-readable instructions which, when executed by the processor, perform the following operations:
receiving a resource access request initiated by a user;
encrypting the resource access request with a stored temporary key to generate a first signature, the temporary key having been allocated to the access control device in advance by a server; and
sending the resource access request and the first signature to the server so that the server authenticates the resource access request.
An embodiment of this application provides an authentication method for use on a server comprising a processor and a memory, the method comprising the steps of:
receiving, by the server, a resource access request and a first signature sent by an access control device, the first signature having been generated by the access control device by encrypting the resource access request with a stored temporary key;
obtaining, by the server, the stored temporary key that it allocated to the access control device, and encrypting the resource access request with that temporary key to generate first verification data;
if the first signature matches the first verification data, authenticating, by the server, the resource access request; and
if the authentication result of the resource access request is that authentication passes, processing, by the server, the resource access request.
An embodiment of this application provides an authentication method for use on an access control device comprising a processor and a memory, the method comprising:
receiving, by the access control device, a resource access request initiated by a user;
encrypting, by the access control device, the resource access request with a stored temporary key to generate a first signature, the temporary key having been allocated to the access control device in advance by a server; and
sending, by the access control device, the resource access request and the first signature to the server so that the server authenticates the resource access request.
An embodiment of this application provides a non-volatile storage medium storing computer-readable instructions which can be executed by a processor to perform the following operations:
receiving a resource access request and a first signature sent by an access control device, the first signature having been generated by the access control device by encrypting the resource access request with a stored temporary key;
obtaining the stored temporary key allocated to the access control device, and encrypting the resource access request with that temporary key to generate first verification data;
if the first signature matches the first verification data, authenticating the resource access request; and
if the authentication result of the resource access request is that authentication passes, processing the resource access request.
An embodiment of this application provides a non-volatile storage medium storing computer-readable instructions which can be executed by a processor to perform the following operations:
receiving a resource access request initiated by a user;
encrypting the resource access request with a stored temporary key to generate a first signature, the temporary key having been allocated to the access control device in advance by a server; and
sending the resource access request and the first signature to the server so that the server authenticates the resource access request.
Brief description of the drawings
To describe the technical solutions in the embodiments of this application or in the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. The drawings described below are merely some embodiments of this application.
FIG. 1 is a schematic diagram of the application environment of an authentication method according to an embodiment of this application;
FIG. 2a is a schematic flowchart of an authentication method according to an embodiment of this application;
FIG. 2b is a schematic flowchart of another authentication method according to an embodiment of this application;
FIG. 3 is a schematic flowchart of another authentication method according to an embodiment of this application;
FIG. 4 is a diagram showing an example of an authentication method according to an embodiment of this application;
FIG. 5 is a schematic structural diagram of a server according to an embodiment of this application;
FIG. 6 is a schematic structural diagram of an access control device according to an embodiment of this application;
FIG. 7 is a schematic structural diagram of another server according to an embodiment of this application;
FIG. 8 is a schematic structural diagram of another access control device according to an embodiment of this application.
Mode for carrying out the invention
The technical solutions in the embodiments of this application are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of this application.
The terminology used in the embodiments of this application is for the purpose of describing particular embodiments only and is not intended to limit the application. The singular forms "a", "said" and "the" used in the embodiments and the appended claims are intended to include the plural forms as well, unless the context clearly indicates otherwise. The term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items. The terms "first", "second", "third" and "fourth" in the description, claims and drawings are used to distinguish different objects, not to describe a particular order. The terms "comprise" and "have", and any variants of them, are intended to cover a non-exclusive inclusion: a process, method, system, product or device that comprises a series of steps or units is not limited to the listed steps or units, but may include steps or units that are not listed, or other steps or units inherent to that process, method, product or device.
In some existing schemes, the cloud service management platform generates a signature over the user's request to access a cloud resource and sends the signature together with the access request to the server behind the platform; the server verifies the signature and, if verification passes, authenticates the access request and determines the authentication result. In those schemes the platform computes the signature by encrypting the access request with the user's inherent private key. Because that key is kept by the server, the platform fetches it from the server every time it needs to produce a signature, so the inherent private key is exposed in transit on every signing operation, which makes leakage likely and lowers the security of the key.
The embodiments of this application provide an authentication method, a server and an access control device that reduce the risk of user key leakage and raise the overall security of the authentication system.
FIG. 1 is a schematic diagram of the application environment of an authentication method according to an embodiment of this application. The environment comprises a client 101 and a server 102, which communicate with each other over a network.
The access control device in the embodiments of this application may be any device with communication and storage capabilities, for example a computer or a mobile phone; alternatively, the functions of the access control device may be implemented in any device with communication and storage capabilities, for example the client 101 or the server 102 of FIG. 1. The client 101 may be any device capable of intelligent input and output, such as a computer, or another device with the structure described above. The access control device receives a resource access request initiated by a user, encrypts the request with a stored temporary key to generate a first signature (the temporary key having been allocated to the access control device in advance by the server), and sends the request and the first signature to the server so that the server can authenticate the request.
The server 102 of FIG. 1 may be a back-end device that allocates keys and authenticates resource access requests; the embodiments do not limit this. Together with the cloud service provider's other equipment, the server may offer services such as computing, storage, databases, video, security, networking, content delivery network (CDN) and acceleration, big data and artificial intelligence (AI). The server receives the resource access request and the first signature from the access control device, the first signature having been generated by encrypting the request with the stored temporary key; the server retrieves the stored temporary key it allocated to that access control device and encrypts the request with it to generate first verification data; if the first signature matches the first verification data, the server authenticates the resource access request; and if the authentication result is that authentication passes, the server processes the request.
FIG. 2a is a schematic flowchart of an authentication method according to an embodiment of this application. As shown in FIG. 2a, the method of this embodiment is performed by the server and may comprise the following steps 101 to 104.
101. The server receives a resource access request and a first signature sent by the access control device, the first signature having been generated by the access control device by encrypting the resource access request with a stored temporary key.
The application programming interface (API) on the server authenticates every resource access request: each request must carry signature information (Signature) among its common request parameters so that the requester's identity can be verified. Specifically, the server receives the resource access request and the first signature from the access control device. The first signature is generated by the access control device by encrypting the resource access request with the stored temporary key.
The temporary key may be allocated to the access control device by the server. It is time-limited: it is valid only within a certain time window and is invalid outside it. The temporary key is, for example, a key (Key). When the server allocates a temporary key to the access control device it may also allocate a key ID that identifies the access control device, and the server may configure which APIs a given key ID is permitted to call. The key ID can be transmitted over the network in cleartext, whereas the key itself must not be. When the access control device sends the resource access request and the first signature to the server it may send the key ID along with them. The temporary credential may also include a session token (Token).
In one example, the server and the access control device agree on a preset encryption algorithm, and the access control device encrypts the resource access request with the temporary key according to that algorithm to generate the first signature. The preset encryption algorithm may be, for example, the Data Encryption Standard (DES) or the International Data Encryption Algorithm (IDEA). (Since the server verifies the first signature by recomputing it rather than by decrypting it, the construction is functionally a message authentication code; DES in particular has a 56-bit key and is considered obsolete, and a keyed hash such as HMAC is the usual choice for request signing today.)
The resource access request is the user's request to the server to access a target resource. It comprises, for example, a user identifier, information identifying the target resource, and the target operation to be performed on that resource. The user identifier marks the user who will perform the target operation on the target resource, for example the user's account; where a user has several accounts, this may include the user's root account and sub-account. The target resource may be, for example, a file or a piece of data on the server, and the target operation may be a read, a delete, a write and so on; the embodiments do not limit how the target operation is expressed. The target resource may also be a cloud server instance, a database, a virtual private cloud (VPC) and the like. Using the API provided by the cloud server, a user can perform operations on cloud server instances such as creating them, changing their bandwidth and restarting them: a create operation creates, for example, a pay-as-you-go cloud server instance; a restart operation restarts one or more instances; a change-bandwidth operation changes the bandwidth of an instance.
102. The server retrieves the stored temporary key that it allocated to the access control device, and encrypts the resource access request with that temporary key to generate first verification data.
Specifically, the server retrieves the stored temporary key allocated to the access control device. The stored temporary key corresponds to that access control device, and at any given moment only one temporary key corresponds to a given access control device. The server may store the temporary key against the device identifier of the access control device; the access control device may then send its device identifier, for example the key ID, together with the resource access request and the first signature, so that after receiving the request, the first signature and the device identifier the server looks up the temporary key (Key) corresponding to that key ID. The server then encrypts the resource access request with the stored temporary key to generate the first verification data, which is compared with the received first signature to determine whether the access control device is legitimate.
103. If the first signature matches the first verification data, the server authenticates the resource access request.
Specifically, the server compares the received first signature with the first verification data it generated. If they match, the server determines that the access control device is legitimate and goes on to authenticate the resource access request.
If the first signature does not match the first verification data, the server determines that the access control device is not legitimate and does not authenticate the resource access request. The server may send the access control device a notification that verification of the access control device failed.
The server authenticates the resource access request as follows (this step is a permission check: it decides whether the identified user may perform the requested operation on the requested resource). The server retrieves the accessible resources corresponding to the user identifier and the operations permitted on each of those resources. It checks whether the target resource is among the accessible resources; if so, it checks whether the target operation is among the operations permitted on that resource; if so, it determines that the authentication result of the resource access request is that authentication passes. If the target resource is not among the accessible resources, or the target operation is not among the permitted operations, the server determines that authentication fails; in that case the server may send the access control device a notification that the resource access request cannot be executed.
104. If the authentication result of the resource access request is that authentication passes, the server processes the resource access request.
Specifically, if authentication passes, the server processes the resource access request by performing the target operation on the target resource as specified in the request. After processing completes, the server may return the result to the access control device so that the user learns the outcome of the request.
In this embodiment, the server receives the resource access request and the first signature from the access control device, where the first signature was generated by encrypting the request with the stored temporary key; the server encrypts the request with the stored temporary key it allocated to the access control device to generate first verification data; if the first signature matches the first verification data, the server authenticates the request; and if authentication passes, the server processes it. Because the signature to be verified is generated with a temporary key, the server never has to transmit the inherent private key, which removes the risk of that key being leaked and keeps it secure.
FIG. 2b is a schematic flowchart of another authentication method according to an embodiment of this application. As shown in FIG. 2b, the method of this embodiment is performed by the access control device and may comprise the following steps 201 to 203. The access control device may be on the client side or on the server side.
201. The access control device receives a resource access request initiated by a user.
Specifically, the access control device receives a user-initiated request to access a target resource. The user may initiate the request through an access control platform or page provided by the access control device, and may do so only after logging in to that platform or page successfully with a user name and login password.
The resource access request is the user's request to the server to access a target resource. It comprises, for example, a user identifier, information identifying the target resource, and the target operation to be performed on that resource. The user identifier marks the user who will perform the target operation on the target resource, for example the user's account; where a user has several accounts, this may include the user's root account and sub-account. The target resource may be, for example, a file or a piece of data on the server, and the target operation may be a read, a delete, a write and so on; the embodiments do not limit how the target operation is expressed. The target resource may also be a cloud server instance, a database, a virtual private cloud (VPC) and the like. Using the API provided by the cloud server, a user can perform operations on cloud server instances such as creating them, changing their bandwidth and restarting them: a create operation creates, for example, a pay-as-you-go cloud server instance; a restart operation restarts one or more instances; a change-bandwidth operation changes the bandwidth of an instance.
202. The access control device encrypts the resource access request with a stored temporary key to generate a first signature, the temporary key having been allocated to the access control device in advance by the server.
Specifically, the access control device encrypts the resource access request with the stored temporary key to generate the first signature. The temporary key is allocated to the access control device by the server and is time-limited: it is valid only within a certain time window and is invalid outside it. The temporary key is, for example, a key (Key). When the server allocates a temporary key to the access control device it may also allocate a key ID that identifies the access control device, and the server may configure which APIs a given key ID is permitted to call. The key ID can be transmitted over the network in cleartext, whereas the key itself must not be. When the access control device sends the resource access request and the first signature to the server it may send the key ID along with them. The temporary credential may also include a session token (Token).
In one example, the server and the access control device agree on a preset encryption algorithm, and the access control device encrypts the resource access request with the temporary key according to that algorithm to generate the first signature. The preset encryption algorithm may be, for example, DES or IDEA.
203. The access control device sends the resource access request and the first signature to the server so that the server authenticates the resource access request.
Specifically, the access control device sends the resource access request and the first signature to the server so that the server can authenticate the resource access request.
Along with the resource access request and the first signature, the access control device may also carry its device identifier, i.e. the key ID, so that after receiving the request, the first signature and the device identifier the server looks up the temporary key (Key) corresponding to that key ID and, having found it, generates the first verification data to complete authentication.
In this embodiment, the access control device encrypts the received resource access request with a temporary key to generate a first signature, the temporary key having been allocated in advance by the server, and sends the request and the first signature to the server for authentication. The user's inherent private key never has to be obtained, which removes the risk of it being leaked and keeps it secure.
Refer to FIG. 3, which is a schematic flowchart of another authentication method according to an embodiment of the present application. As shown in FIG. 3, the method of this embodiment is performed jointly by a server and an access control device, and may include the following steps 301 to 314.
301. The access control device receives a resource access request initiated by a user.
Specifically, the access control device receives a resource access request, initiated by a user, that requests access to a target access resource. For example, the user may initiate the resource access request through an access control platform or page provided by the access control device. Further, for example, the user can initiate the resource access request only after logging in successfully with a user name and login password on the access control platform or page.
The resource access request includes, for example, a user identifier, a target access resource, and a target operation mode for the target access resource. The user identifier marks the user who performs the target operation mode on the target access resource. For example, the target access resource may be a file, data or the like on the server, and the target operation mode may be a read instruction (read), a delete instruction (delete), a write instruction (write) or the like; this embodiment does not limit what the target operation mode may include.
302. The access control device encrypts the resource access request with a fixed key to generate a second signature, the fixed key being allocated to the access control device by the server.
Specifically, the access control device encrypts the resource access request with a fixed key to generate the second signature. The fixed key is allocated to the access control device by the server, and fixed keys and access control devices are in one-to-one correspondence.
In one example, after the server allocates a fixed key to the access control device it sends the fixed key to the access control device; the access control device stores the fixed key on receipt, and when it needs to send a temporary key acquisition request to the server it retrieves the stored fixed key and uses it to encrypt the resource access request, generating the second signature.
303. The access control device sends a temporary key acquisition request to the server.
Specifically, the access control device sends a temporary key acquisition request to the server, the request carrying the resource access request and the second signature, so that the server allocates a temporary key to the access control device after the second signature has been verified.
The server and the access control device may jointly agree on the encryption algorithm used for the second signature in the temporary key acquisition request, so that after receiving the temporary key acquisition request the server can determine which encryption algorithm the second signature used.
304. The server receives the temporary key acquisition request sent by the access control device.
Specifically, the server receives the temporary key acquisition request sent by the access control device, the request carrying the resource access request and the second signature.
Further, the temporary key acquisition request may also carry the device identifier of the access control device, so that after receiving the request the server can determine the fixed key corresponding to the device identifier.
305. The server obtains the fixed key allocated to the access control device and encrypts the resource access request with the fixed key to generate second verification data.
Specifically, the server obtains the fixed key allocated to the access control device. For example, the server may look up the fixed key corresponding to the device identifier carried in the temporary key acquisition request, and encrypt the resource access request with that fixed key to generate the second verification data.
Further, the encryption algorithm the server uses to generate the second verification data is the same as the one the access control device used to generate the second signature.
306. If the second signature matches the second verification data, the server allocates a temporary key to the access control device.
Specifically, if the second signature matches the second verification data, the server allocates a temporary key to the access control device. The temporary key may have limited validity: it is valid within a certain time range and invalid outside that range.
If the second signature does not match the second verification data, the server does not allocate a temporary key, and may also send the access control device a notification message stating that no temporary key can be allocated because verification failed.
307. The server stores the temporary key and sends it to the access control device.
Specifically, the server stores the allocated temporary key so that it can later be identified as the temporary key of this access control device. The server may store the temporary key in association with the device identifier of the access control device and record the validity period of the temporary key; once the recorded validity period has elapsed, the temporary key may be deleted.
308. The access control device receives the temporary key allocated by the server and stores it.
309. The access control device encrypts the resource access request with the stored temporary key to generate a first signature.
310. The access control device sends the resource access request and the first signature to the server.
Specifically, the access control device sends the resource access request and the first signature to the server, so that the server authenticates the resource access request.
In addition to the resource access request and the first signature, the access control device may also carry its device identifier. After the server receives the resource access request, the first signature and the device identifier, it looks up the temporary key corresponding to the device identifier; once it has found that temporary key, it generates the first verification data to complete the authentication.
311. The server receives the resource access request and the first signature sent by the access control device.
Specifically, the server receives the resource access request and the first signature sent by the access control device. The first signature was generated by the access control device, specifically by encrypting the resource access request with the stored temporary key.
312. The server obtains the stored temporary key allocated to the access control device and encrypts the resource access request with it to generate first verification data.
Specifically, the server obtains the stored temporary key allocated to the access control device; the temporary key stored by the server corresponds to the access control device, and at any one moment there is only one temporary key corresponding to a given access control device.
Further, after the server receives the resource access request, the first signature and the device identifier, it looks up the temporary key corresponding to the device identifier.
Further, the server encrypts the resource access request with the stored temporary key to generate the first verification data. The first verification data is compared with the received first signature to determine whether the access control device is legitimate.
Further, the encryption algorithm the server uses to generate the first verification data is the same as the one the access control device used to generate the first signature.
If the server has deleted the temporary key because its validity period elapsed, then even on receiving the temporary key acquisition request sent by the access control device it cannot verify the access control device's first signature, so verification fails, and the server sends the access control device a notification message that the temporary key has expired.
313. If the first signature matches the first verification data, the server authenticates the resource access request.
Specifically, the server matches the received first signature against the generated first verification data; if they match, the server determines that the access control device is legitimate and authenticates the resource access request.
If the first signature does not match the first verification data, the server determines that the access control device is not legitimate and does not authenticate the resource access request. The server may send the access control device a notification message indicating that the access control device failed verification.
The specific process by which the server authenticates the resource access request may be as follows: the server obtains the accessible resources corresponding to the user identifier and the permitted operation modes for those accessible resources; the server determines whether the target access resource is among the accessible resources; if it is, the server determines whether the target operation mode is among the permitted operation modes for the target access resource; if it is, the server determines that the authentication result of the resource access request is that authentication passes. If the target access resource is not among the accessible resources, or the target operation mode is not among the permitted operation modes, the server determines that the authentication result of the resource access request is that authentication fails; in that case the server may send the access control device a notification message that the resource access request cannot be executed.
314. If the authentication result of the resource access request is that authentication passes, the server processes the resource access request.
Specifically, if the authentication result of the resource access request is that authentication passes, the server processes the resource access request. The server processes the target access resource according to the target operation mode in the resource access request; after processing is complete, the server may return the processing result to the access control device so that the user learns the outcome of the resource access request.
In this embodiment of the present application, the server receives the resource access request and the first signature sent by the access control device, the first signature having been generated by the access control device by encrypting the resource access request with the stored temporary key; the server encrypts the resource access request with the stored temporary key allocated to the access control device to generate first verification data; if the first signature matches the first verification data, the server authenticates the resource access request; and if authentication passes, the server processes the resource access request. During authentication the signature to be verified is generated with the temporary key, so the server need not transmit the user's own key; the risk of that private key being leaked is avoided, and its security is thereby guaranteed.
In this embodiment of the present application, the server first verifies the access control device; if verification passes, the server allocates a temporary key and sends it to the access control device; the access control device encrypts the resource access request with the temporary key to generate a first signature; and after receiving the first signature from the access control device the server performs verification and authentication again. During authentication the first signature to be verified is generated with the temporary key, so the server need not transmit the user's own key; the risk of that private key being leaked is avoided and its security guaranteed. In addition, the double verification, of the access control device and of the user's identity, also ensures the accuracy of the authentication.
For the steps in the embodiment of FIG. 3 that are similar to those of FIGS. 2a and 2b, refer to the related description of FIGS. 2a and 2b.
Refer to FIG. 4, an example diagram of an authentication method according to an embodiment of the present application, provided to aid further understanding of the technical solution described herein. As shown in FIG. 4, the authentication method is carried out jointly by a client 1 and a server 2, where client 1 contains an access control platform and server 2 includes an authentication service module, a key service module and a resource access request processing module. These may correspond respectively to the various functions the server has.
The access control platform may receive a resource access request initiated by the user and encrypt it with the stored temporary key to generate a first signature, the temporary key having been allocated to the access control platform in advance by the server; after generating the first signature, the access control platform sends the resource access request and the first signature to the server. The authentication service module in the server receives the resource access request and the first signature sent by the access control platform, obtains from the key service module the stored temporary key allocated to the access control platform, and encrypts the resource access request with that temporary key to generate first verification data; the authentication service module matches the first signature against the first verification data and, if they match, goes on to authenticate the resource access request; if the authentication service module's authentication result for the resource access request is that authentication passes, it triggers the resource access request processing module to process the resource access request.
Before the access control platform encrypts the resource access request with the stored temporary key to generate the first signature, it may also encrypt the resource access request with a fixed key to generate a second signature, the fixed key having been allocated to the access control platform by the server; the access control platform sends a temporary key acquisition request to the server, the request carrying the resource access request and the second signature, so that the server allocates a temporary key to the access control platform after the second signature has been verified. The authentication service module in the server receives the temporary key acquisition request sent by the access control platform, obtains from the key service module the fixed key allocated to the access control platform, and encrypts the resource access request with that fixed key to generate second verification data; if the second signature matches the second verification data, the authentication service module allocates a temporary key to the access control platform, stores the temporary key in the key service module, and sends the temporary key to the access control platform. The access control platform receives the temporary key allocated by the server and stores it.
The key service module may include a temporary key storage module and a fixed key storage module, which store temporary keys and fixed keys respectively.
The authentication service module may include a rights library that holds the accessible resources of each user and the permitted operation modes for those accessible resources.
It should be noted that the authentication service module, key service module and resource access request processing module shown in FIG. 4 are logical, functional descriptions. The server involved in the embodiments of FIGS. 2a, 2b and 3 may perform the corresponding method steps through the modules shown in FIG. 4, and the access control device in those embodiments may perform the corresponding method steps through the access control platform shown in FIG. 4. The authentication service module, key service module and resource access request processing module of server 2 may be deployed on the same physical machine, in different virtual machines on the same physical machine, or on different physical machines; this embodiment of the present application does not limit this.
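As an added illustration (not the patent's own code), the two-phase exchange of steps 301 to 314 and the module split of FIG. 4 in Python: a Server holding the fixed-key and temporary-key stores and the rights library, and an AccessControlDevice that obtains a temporary key with a second signature and then signs requests with the temporary key. The key ID, user names, resource names and the use of HMAC-SHA256 in place of the page's DES/IDEA "encryption" step are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample rights library of the authentication service module (hypothetical data):
# user identifier -> accessible resource -> permitted operation modes.
PERMISSION_LIBRARY = {
    "alice": {"/files/report.txt": {"read", "write"}},
    "bob": {"/files/report.txt": {"read"}},
}


def canonical(request: dict) -> bytes:
    # Deterministic serialisation so device and server sign exactly the same bytes.
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, request: dict) -> str:
    # HMAC-SHA256 stands in for the page's "encrypt with a preset algorithm such as
    # DES or IDEA" step; that substitution is an assumption of this example.
    return hmac.new(key, canonical(request), hashlib.sha256).hexdigest()


class Server:
    """Key service module (fixed and temporary key storage) plus authentication service module."""

    def __init__(self, ttl_seconds: float = 300.0, clock=time.time):
        self.clock, self.ttl = clock, ttl_seconds
        self.fixed_keys: dict[str, bytes] = {}               # key ID -> fixed key (one per device)
        self.temp_keys: dict[str, tuple[bytes, float]] = {}  # key ID -> (temporary key, expiry)

    def register_device(self, key_id: str) -> bytes:
        # Allocate the fixed key that is in one-to-one correspondence with a device.
        self.fixed_keys[key_id] = secrets.token_bytes(32)
        return self.fixed_keys[key_id]

    def issue_temporary_key(self, key_id: str, request: dict, second_signature: str):
        # Steps 304-307: recompute the second verification data with the device's fixed
        # key; only on a match allocate, store and return a time-limited temporary key.
        fixed = self.fixed_keys.get(key_id)
        if fixed is None:
            return None, "unknown device"
        if not hmac.compare_digest(sign(fixed, request), second_signature):
            return None, "verification failed: no temporary key allocated"
        temp_key = secrets.token_bytes(32)
        self.temp_keys[key_id] = (temp_key, self.clock() + self.ttl)  # one key per device
        return temp_key, "ok"

    def handle_request(self, key_id: str, request: dict, first_signature: str) -> str:
        # Steps 311-314: recompute the first verification data with the stored temporary
        # key, compare it with the first signature, then authenticate and process.
        entry = self.temp_keys.get(key_id)
        if entry is None or entry[1] <= self.clock():
            self.temp_keys.pop(key_id, None)  # validity period elapsed: delete the key
            return "temporary key expired"
        if not hmac.compare_digest(sign(entry[0], request), first_signature):
            return "device verification failed"
        return self.authenticate(request)

    def authenticate(self, request: dict) -> str:
        # Step 313: the target resource must be accessible to the user and the target
        # operation mode permitted on it; step 314 then processes the request.
        permitted = PERMISSION_LIBRARY.get(request["user_id"], {}).get(request["resource"])
        if permitted is None or request["operation"] not in permitted:
            return "authentication failed"
        return f"processed: {request['operation']} {request['resource']} for {request['user_id']}"


class AccessControlDevice:
    """Access control platform on the client: keeps the fixed key and the current temporary key."""

    def __init__(self, key_id: str, fixed_key: bytes, server: Server):
        self.key_id, self.fixed_key, self.server, self.temp_key = key_id, fixed_key, server, None

    def obtain_temporary_key(self, request: dict) -> str:
        # Steps 302-303 and 308: second signature under the fixed key; store what comes back.
        key, status = self.server.issue_temporary_key(self.key_id, request, sign(self.fixed_key, request))
        if key is not None:
            self.temp_key = key
        return status

    def send_request(self, request: dict) -> str:
        # Steps 309-310: first signature under the temporary key; the key ID travels in clear.
        if self.temp_key is None:
            return "no temporary key"
        return self.server.handle_request(self.key_id, request, sign(self.temp_key, request))


def run_scenario() -> list:
    # Success path followed by the failure modes the text describes, on a fake clock.
    now = [1_000_000.0]
    server = Server(ttl_seconds=300.0, clock=lambda: now[0])
    device = AccessControlDevice("device-01", server.register_device("device-01"), server)
    request = {"user_id": "alice", "resource": "/files/report.txt", "operation": "write"}
    results = [device.obtain_temporary_key(request), device.send_request(request)]
    results.append(device.send_request({**request, "user_id": "bob"}))  # bob may only read
    rogue = AccessControlDevice("device-01", b"not the real fixed key", server)
    results.append(rogue.obtain_temporary_key(request))                 # second signature mismatch
    now[0] += 301.0                                                      # validity period elapses
    results.append(device.send_request(request))
    return results
```

The signature comparison uses hmac.compare_digest so that comparing the received signature with the recomputed verification data does not leak timing information.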
Refer to FIG. 5, a schematic structural diagram of a server according to an embodiment of the present application. As shown in FIG. 5, the server 10 of this embodiment may include a data receiving unit 11, a first generating unit 12, a request authentication unit 13 and a request processing unit 14. The server 10 may further include a request receiving unit 15, a second generating unit 16 and a key allocation unit 17.
The data receiving unit 11 is configured to receive a resource access request and a first signature sent by an access control device, the first signature having been generated by the access control device by encrypting the resource access request with a stored temporary key.
Specifically, the data receiving unit 11 receives the resource access request and the first signature sent by the access control device. The first signature was generated by the access control device, specifically by encrypting the resource access request with the stored temporary key.
The temporary key is allocated to the access control device by the server 10. It will be understood that the temporary key has limited validity: it is valid within a certain time range and invalid outside that range.
In a feasible solution, the server 10 and the access control device agree on a preset encryption algorithm, and the access control device encrypts the resource access request with the temporary key according to that preset algorithm to generate the first signature. The preset encryption algorithm may be, for example, DES or IDEA.
The resource access request may include a user identifier, a target access resource, and a target operation mode for the target access resource. The user identifier marks the user who performs the target operation mode on the target access resource. For example, the target access resource may be a file, data or the like on the server 10, and the target operation mode may be a read instruction (read), a delete instruction (delete), a write instruction (write) or the like; this embodiment does not limit what the target operation mode may include.
The first generating unit 12 is configured to obtain the stored temporary key allocated to the access control device and encrypt the resource access request with it to generate first verification data.
Specifically, the first generating unit 12 obtains the stored temporary key allocated to the access control device; the temporary key stored by the server 10 corresponds to the access control device, and at any one moment there is only one temporary key corresponding to a given access control device. The server 10 may store the temporary key in correspondence with the device identifier of the access control device; further, in addition to the resource access request and the first signature, the access control device may also carry its device identifier, so that after the data receiving unit 11 receives the resource access request, the first signature and the device identifier, the first generating unit 12 looks up the temporary key corresponding to the device identifier.
Further, the server 10 encrypts the resource access request with the stored temporary key to generate the first verification data. The first verification data is compared with the received first signature to determine whether the access control device is legitimate.
The request authentication unit 13 is configured to authenticate the resource access request if the first signature matches the first verification data.
Specifically, the request authentication unit 13 matches the received first signature against the generated first verification data; if they match, the server 10 determines that the access control device is legitimate and authenticates the resource access request.
If the first signature does not match the first verification data, the server 10 determines that the access control device is not legitimate and does not authenticate the resource access request. The server 10 may send the access control device a notification message indicating that the access control device failed verification.
The request authentication unit 13 includes an information acquisition subunit, a first judgment subunit, a second judgment subunit and a result determination subunit.
信息获取子单元,用于获取与所述用户标识对应的可访问资源和对所述可访问资源的可操作方式。And an information obtaining subunit, configured to acquire an accessible resource corresponding to the user identifier and an operable manner of the accessible resource.
第一判断子单元,用于判断所述可访问资源中是否存在所述目标访问资源。The first determining subunit is configured to determine whether the target access resource exists in the accessible resource.
The second determining subunit is configured to, if the first determining subunit determines that the target access resource exists among the accessible resources, determine whether the target operation mode exists among the operable modes for the target access resource.
The result determining subunit is configured to, if the second determining subunit determines that the target operation mode exists among the operable modes for the target access resource, determine that the authentication result of the resource access request is authentication passed.
The request processing unit 14 is configured to process the resource access request if the authentication result of the resource access request is authentication passed.
Specifically, if the authentication result of the resource access request is authentication passed, the request processing unit 14 processes the resource access request. The server 10 processes the target access resource according to the target operation mode in the resource access request; after the processing is completed, the server 10 may feed the processing result back to the access control device so that the user learns the processing result of the resource access request.
Before executing the data receiving unit 11, the server 10 may further execute the request receiving unit 15, the second generating unit 16 and the key distribution unit 17.
The request receiving unit 15 is configured to receive a temporary key acquisition request sent by the access control device, the temporary key acquisition request carrying a resource access request and a second signature.
The second generating unit 16 is configured to obtain the fixed key allocated to the access control device and encrypt the resource access request with the fixed key to generate second verification data.
The key distribution unit 17 is configured to, if the second signature matches the second verification data, have the server 10 allocate a temporary key to the access control device, store the temporary key and send it to the access control device.
It should be noted that the specific implementation of the request receiving unit 15, the second generating unit 16 and the key distribution unit 17 can be found in the detailed description of the embodiment shown in FIG. 3 and is not repeated here.
In the embodiment of the present application, the server receives the resource access request and the first signature sent by the access control device, the first signature being generated by the access control device by encrypting the resource access request with the stored temporary key; the server encrypts the resource access request with the stored temporary key allocated to the access control device to generate first verification data; if the first signature matches the first verification data, the server authenticates the resource access request; and if authentication passes, the server processes the resource access request. In the authentication process the signature to be verified is generated with a temporary key, so the server need not transmit the inherent key; the risk of the inherent private key being leaked is thereby avoided and the security of the inherent private key is ensured.
Referring to FIG. 6, a schematic structural diagram of an access control device according to an embodiment of the present application is provided. As shown in FIG. 6, the access control device 20 of this embodiment may include a request receiving unit 21, a first generating unit 22 and a data sending unit 23. The access control device 20 may further include a second generating unit 24, a request sending unit 25 and a key receiving unit 26.
The request receiving unit 21 is configured to receive a resource access request initiated by a user.
Specifically, the request receiving unit 21 receives a resource access request initiated by a user; for example, the user may initiate the resource access request through an access control platform or page provided by the access control device 20. Further, the user may be allowed to initiate a resource access request only after successfully logging in to the access control platform or page with a user name and login password.
The resource access request includes, for example, a user identifier, a target access resource and a target operation mode for the target access resource. The user identifier identifies the user who performs the target operation mode on the target access resource. For example, the target access resource may be a file, data or the like in the server, and the target operation mode may be a read instruction, a delete instruction, a write instruction or the like; the embodiment of the present application does not limit what the target operation mode may comprise.
The first generating unit 22 is configured to encrypt the resource access request with the stored temporary key to generate a first signature, the temporary key having been allocated in advance by the server to the access control device 20.
Specifically, the first generating unit 22 encrypts the resource access request with the stored temporary key to generate the first signature. The temporary key is allocated by the server to the access control device 20; it is understood that the temporary key has a certain validity period, that is, it is valid within a certain time range and invalid outside that range.
In a feasible scheme, the server and the access control device 20 agree on a preset encryption algorithm, and the access control device 20 encrypts the resource access request with the temporary key according to the preset encryption algorithm to generate the first signature. The preset encryption algorithm may be, for example, DES, IDEA or the like.
The data sending unit 23 is configured to send the resource access request and the first signature to the server so that the server authenticates the resource access request.
Specifically, the data sending unit 23 sends the resource access request and the first signature to the server so that the server authenticates the resource access request.
In addition to the resource access request and the first signature, the data sending unit 23 also carries the device identifier of the access control device 20, so that after the server receives the resource access request, the first signature and the device identifier, the server looks up the temporary key corresponding to the device identifier and, having found it, generates the first verification data to complete the authentication.
After executing the request receiving unit 21 and before executing the first generating unit 22, the access control device 20 may further execute the second generating unit 24, the request sending unit 25 and the key receiving unit 26.
The second generating unit 24 is configured to encrypt the resource access request with a fixed key to generate a second signature, the fixed key being allocated by the server to the access control device 20.
The request sending unit 25 is configured to send a temporary key acquisition request to the server, the temporary key acquisition request carrying the resource access request and the second signature, so that the server allocates a temporary key to the access control device 20 after verifying the second signature.
The key receiving unit 26 is configured to receive the temporary key allocated by the server and store the temporary key.
The key receiving unit 26 is further configured to receive the inherent key allocated by the server to the access control device 20 and store the inherent key.
It should be noted that the specific implementation of the second generating unit 24, the request sending unit 25 and the key receiving unit 26 can be found in the detailed description of the embodiment shown in FIG. 3 and is not repeated here.
In the embodiment of the present application, the access control device encrypts the received resource access request with a temporary key to generate a first signature, the temporary key having been allocated in advance by the server to the access control device, and sends the resource access request and the first signature to the server so that the server authenticates the resource access request. The user's inherent private key therefore need not be obtained, the risk of the inherent private key being leaked is avoided, and the security of the inherent private key is ensured.
Referring to FIG. 7, a schematic structural diagram of another server according to an embodiment of the present application is provided. As shown in FIG. 7, the server 1000 may include at least one processor 1001, such as a CPU, at least one network interface 1004, a memory 1005 and at least one communication bus 1002. The network interface 1004 may include, for example, a standard wired interface or a wireless interface (such as a WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory, such as at least one disk memory. The memory 1005 may also be, for example, at least one storage device located remotely from the processor 1001. The communication bus 1002 is used to implement connection and communication between these components.
The server 1000 may include a user interface 1003, which may include a display and a keyboard. As shown in FIG. 7, the memory 1005, as a computer storage medium, may include an operating system, a network communication module, a user interface module and an authentication application.
In the server 1000 shown in FIG. 7, the network interface 1004 is mainly used to exchange data with the access control device, for example the resource access request, the first signature and the temporary key acquisition request, while the processor 1001 may be used to invoke the authentication application stored in the memory 1005 and specifically perform the following operations:
receiving a resource access request and a first signature sent by the access control device, the first signature being generated by the access control device by encrypting the resource access request with the stored temporary key;
obtaining the stored temporary key allocated to the access control device and encrypting the resource access request with the temporary key to generate first verification data;
if the first signature matches the first verification data, authenticating the resource access request;
if the authentication result of the resource access request is authentication passed, processing the resource access request.
In a possible embodiment, before receiving the resource access request and the first signature sent by the access control device, the processor 1001 further performs:
receiving, by the server, a temporary key acquisition request sent by the access control device, the temporary key acquisition request carrying a resource access request and a second signature;
obtaining, by the server, the fixed key allocated to the access control device and encrypting the resource access request with the fixed key to generate second verification data;
if the second signature matches the second verification data, allocating, by the server, a temporary key to the access control device, storing the temporary key and sending it to the access control device.
In a possible embodiment, the resource access request includes a user identifier, a target access resource and a target operation mode for the target access resource.
In a possible embodiment, when authenticating the resource access request, the processor 1001 specifically performs:
obtaining the accessible resources corresponding to the user identifier and the operable modes for the accessible resources;
determining whether the target access resource exists among the accessible resources;
if the target access resource exists, determining whether the target operation mode exists among the operable modes for the target access resource;
if the target operation mode exists, determining that the authentication result of the resource access request is authentication passed.
It should be noted that the steps performed by the processor 1001 described in this embodiment may be specifically implemented according to the methods in the method embodiments shown in FIG. 2a, FIG. 2b, FIG. 3 and FIG. 4 above and are not repeated here.
In the embodiment of the present application, the server receives the resource access request and the first signature sent by the access control device, the first signature being generated by the access control device by encrypting the resource access request with the stored temporary key; the server encrypts the resource access request with the stored temporary key allocated to the access control device to generate first verification data; if the first signature matches the first verification data, the server authenticates the resource access request; and if authentication passes, the server processes the resource access request. In the authentication process the signature to be verified is generated with a temporary key, so the server need not transmit the inherent key; the risk of the inherent private key being leaked is thereby avoided and the security of the inherent private key is ensured.
Referring to FIG. 8, a schematic structural diagram of another access control device according to an embodiment of the present application is provided. As shown in FIG. 8, the access control device 2000 may include at least one processor 2001, such as a CPU, at least one network interface 2004, a user interface 2003, a memory 2005 and at least one communication bus 2002. The communication bus 2002 is used to implement connection and communication between these components. The user interface 2003 may include a display and a keyboard. The network interface 2004 may include a standard wired interface or a wireless interface (such as a WI-FI interface). The memory 2005 may be a high-speed RAM memory or a non-volatile memory, such as at least one disk memory. The memory 2005 may also be at least one storage device located remotely from the processor 2001. As shown in FIG. 8, the memory 2005, as a computer storage medium, may include an operating system, a network communication module, a user interface module and an authentication application.
In the access control device 2000 shown in FIG. 8, the user interface 2003 is mainly used to provide an input interface for the user and obtain the resource operation request sent by the user; the network interface 2004 is mainly used to exchange data with the access control device, for example the resource access request, the first signature and the temporary key acquisition request; and the processor 2001 may be used to invoke the authentication application stored in the memory 2005 and specifically perform the following operations:
receiving a resource access request initiated by a user;
encrypting the resource access request with the stored temporary key to generate a first signature, the temporary key having been allocated in advance by the server to the access control device;
sending the resource access request and the first signature to the server so that the server authenticates the resource access request.
In a possible embodiment, before encrypting the resource access request with the stored temporary key to generate the first signature, the processor 2001 further performs:
encrypting the resource access request with a fixed key to generate a second signature, the fixed key being allocated by the server to the access control device;
sending a temporary key acquisition request to the server, the temporary key acquisition request carrying the resource access request and the second signature, so that the server allocates a temporary key to the access control device after verifying the second signature;
receiving the temporary key allocated by the server and storing the temporary key.
In a possible embodiment, before encrypting the resource access request with the fixed key to generate the second signature, the processor 2001 further performs:
receiving the inherent key allocated by the server to the access control device and storing the inherent key.
In a possible embodiment, the resource access request includes a user identifier, a target access resource and a target operation mode for the target access resource.
It should be noted that the steps performed by the processor 2001 described in this embodiment may be specifically implemented according to the methods in the method embodiments shown in FIG. 2a, FIG. 2b, FIG. 3 and FIG. 4 above and are not repeated here.
In the embodiment of the present application, the access control device encrypts the received resource access request with a temporary key to generate a first signature, the temporary key having been allocated in advance by the server to the access control device, and sends the resource access request and the first signature to the server so that the server authenticates the resource access request. The user's inherent private key therefore need not be obtained, the risk of the inherent private key being leaked is avoided, and the security of the inherent private key is ensured.
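The two-phase exchange described for the server (FIG. 7) and the access control device (FIG. 8) above, as an added example that is not the applicant's code: the fixed key signs the temporary key acquisition request, the temporary key signs the resource access request, and the server recomputes each signature before running the resource/operation check. The HMAC-SHA256 signing, the random keys, the temporary-key lifetime and the canonical JSON serialisation are my assumptions, not specified by the application.

```python
"""Added example, not the applicant's code: a minimal model of the two-phase
scheme this application describes. Phase 1: the access control device signs the
resource access request with its fixed key and asks the server for a temporary
key. Phase 2: the device signs the same request with the temporary key; the
server recomputes the signature ("first verification data"), compares it and
only then checks whether the user may perform the target operation on the
target resource. Assumed: HMAC-SHA256 as the "encryption used as a signature",
random keys, a fixed temporary-key lifetime, canonical JSON before signing."""
import hashlib
import hmac
import json
import secrets
import time

TEMP_KEY_LIFETIME = 300  # seconds; assumed validity window of a temporary key


def canonical(request: dict) -> bytes:
    # Both sides must sign exactly the same bytes, so serialise deterministically.
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, request: dict) -> str:
    # Stands in for "encrypting the request with the key" in the application.
    return hmac.new(key, canonical(request), hashlib.sha256).hexdigest()


class Server:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.fixed_keys = {}   # device_id -> fixed (inherent) key, issued out of band
        self.temp_keys = {}    # device_id -> (temporary key, expiry timestamp)
        # Constructed ACL: user_id -> {accessible resource: operable modes}
        self.acl = {"alice": {"/docs/report.txt": {"read", "write"}}}

    def register_device(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.fixed_keys[device_id] = key
        return key

    def issue_temp_key(self, device_id, request, second_signature):
        fixed = self.fixed_keys.get(device_id)
        if fixed is None:
            return None
        second_verification = sign(fixed, request)
        # Constant-time comparison: the signature is attacker-controlled input.
        if not hmac.compare_digest(second_verification, second_signature):
            return None
        temp = secrets.token_bytes(32)
        self.temp_keys[device_id] = (temp, self.clock() + TEMP_KEY_LIFETIME)
        return temp

    def handle_access(self, device_id, request, first_signature):
        entry = self.temp_keys.get(device_id)
        if entry is None:
            return "denied: no temporary key"
        temp, expiry = entry
        if self.clock() > expiry:
            del self.temp_keys[device_id]   # key is only valid within its window
            return "denied: temporary key expired"
        first_verification = sign(temp, request)
        if not hmac.compare_digest(first_verification, first_signature):
            return "denied: signature mismatch"
        return self.authorize(request)

    def authorize(self, request):
        # The application's two checks: resource accessible, then mode permitted.
        modes = self.acl.get(request["user_id"], {}).get(request["resource"])
        if modes is None:
            return "denied: resource not accessible"
        if request["operation"] not in modes:
            return "denied: operation not permitted"
        return "ok"


class AccessControlDevice:
    def __init__(self, device_id, server):
        self.device_id = device_id
        self.server = server
        self.fixed_key = server.register_device(device_id)  # stored inherent key
        self.temp_key = None

    def request_access(self, request):
        if self.temp_key is None:
            second_signature = sign(self.fixed_key, request)
            self.temp_key = self.server.issue_temp_key(
                self.device_id, request, second_signature)
            if self.temp_key is None:
                return "denied: temporary key not issued"
        first_signature = sign(self.temp_key, request)
        return self.server.handle_access(self.device_id, request, first_signature)


def demo():
    server = Server()
    device = AccessControlDevice("acd-1", server)
    req = {"user_id": "alice", "resource": "/docs/report.txt", "operation": "read"}
    return [
        device.request_access(req),
        device.request_access({**req, "operation": "delete"}),
        device.request_access({**req, "user_id": "bob"}),
        # Forged signature: wrong key, same request.
        server.handle_access("acd-1", req, sign(b"not-the-temp-key", req)),
    ]
```

The injectable clock lets the temporary-key expiry path be exercised without waiting; in production the fixed key itself never leaves the issuing channel, which is the property the application relies on.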
The modules or units in the embodiments of the present application may be implemented by a general-purpose integrated circuit, such as a CPU (Central Processing Unit), or by an ASIC (Application Specific Integrated Circuit).
The steps in the methods of the embodiments of the present application may be reordered, combined and deleted according to actual needs.
The modules or units in the terminal of the embodiments of the present application may be combined, divided and deleted according to actual needs.
A person of ordinary skill in the art can understand that all or part of the processes in the methods of the above embodiments may be implemented by a computer program instructing related hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.
The above discloses only preferred embodiments of the present application, which of course cannot limit the scope of rights of the present application; equivalent changes made according to the claims of the present application therefore still fall within the scope covered by the present application.

Claims (26)

  1. 一种鉴权方法,包括:An authentication method includes:
    服务器接收访问控制装置发送的资源访问请求和第一签名,所述第一签名是所述访问控制装置采用存储的临时密钥对所述资源访问请求加密生成的;Receiving, by the server, a resource access request and a first signature sent by the access control device, where the first signature is generated by the access control device by using the stored temporary key to encrypt the resource access request;
    所述服务器获取存储的为所述访问控制装置分配的临时密钥,并采用所述临时密钥对所述资源访问请求进行加密,生成第一验证数据;Obtaining, by the server, the temporary key allocated for the access control device, and encrypting the resource access request by using the temporary key to generate first verification data;
    若所述第一签名与所述第一验证数据匹配一致,则所述服务器对所述资源访问请求进行鉴权;If the first signature matches the first verification data, the server authenticates the resource access request;
    若所述资源访问请求的鉴权结果为鉴权通过,则所述服务器对所述资源访问请求进行处理。If the authentication result of the resource access request is authentication, the server processes the resource access request.
  2. 根据权利要求1所述的方法,其中,所述服务器接收所述访问控制装置发送的资源访问请求和第一签名之前,还包括:The method according to claim 1, wherein before the server receives the resource access request and the first signature sent by the access control device, the method further includes:
    服务器接收访问控制装置发送的临时密钥获取请求,所述临时密钥获取请求携带资源访问请求和第二签名;Receiving, by the server, a temporary key acquisition request sent by the access control device, where the temporary key acquisition request carries the resource access request and the second signature;
    所述服务器获取为所述访问控制装置分配的固定密钥,并采用所述固定密钥对所述资源访问请求进行加密,生成第二验证数据;Obtaining, by the server, a fixed key allocated by the access control device, and encrypting the resource access request by using the fixed key to generate second verification data;
    若所述第二签名与所述第二验证数据匹配一致,则所述服务器为所述访问控制装置分配临时密钥,将所述临时密钥存储并发送至所述访问控制装置。And if the second signature matches the second verification data, the server allocates a temporary key to the access control device, and stores and sends the temporary key to the access control device.
  3. 根据权利要求1或2所述的方法,其中,所述资源访问请求包括用户标识、目标访问资源和对所述目标访问资源的目标操作方式。The method of claim 1 or 2, wherein the resource access request comprises a user identification, a target access resource, and a target mode of operation for the target access resource.
  4. 根据权利要求3所述的方法,其中,所述服务器对所述资源访问请求进行鉴权,包括:The method of claim 3, wherein the server authenticating the resource access request comprises:
    所述服务器获取与所述用户标识对应的可访问资源和对所述可访问资源的可操作方式;Obtaining, by the server, an accessible resource corresponding to the user identifier and an operable manner for the accessible resource;
    所述服务器判断所述可访问资源中是否存在所述目标访问资源;Determining, by the server, whether the target access resource exists in the accessible resource;
    若存在所述目标访问资源,则所述服务器判断对所述目标访问资源的可操作方式中是否存在所述目标操作方式;If the target access resource exists, the server determines whether the target operation mode exists in an operable manner of accessing the resource to the target;
    若存在所述目标操作方式,则所述服务器确定所述资源访问请求的鉴权结果为鉴权通过。If the target operation mode exists, the server determines that the authentication result of the resource access request is an authentication pass.
  5. 一种鉴权方法,包括:An authentication method includes:
    访问控制装置接收用户发起的资源访问请求;The access control device receives the resource access request initiated by the user;
    所述访问控制装置采用存储的临时密钥对所述资源访问请求进行加密,生成第一签名,所述临时密钥是由服务器预先为所述访问控制装置分配的;The access control device encrypts the resource access request by using a stored temporary key to generate a first signature, where the temporary key is previously allocated by the server for the access control device;
    所述访问控制装置将所述资源访问请求和所述第一签名发送至所述服务器,以使所述服务器对所述资源访问请求进行鉴权。The access control device sends the resource access request and the first signature to the server to enable the server to authenticate the resource access request.
  6. 根据权利要求5所述的方法,其中,所述访问控制装置采用存储的临时密钥对所述资源访问请求进行加密,生成第一签名之前,还包括:The method according to claim 5, wherein the access control device encrypts the resource access request by using the stored temporary key, and before generating the first signature, the method further includes:
    所述访问控制装置采用固定密钥对所述资源访问请求进行加密,生成第二签名,所述固定密钥是由服务器为所述访问控制装置分配的;The access control device encrypts the resource access request by using a fixed key to generate a second signature, where the fixed key is allocated by the server for the access control device;
    所述访问控制装置向所述服务器发送临时密钥获取请求,所述临时密钥获取请求携带所述资源访问请求和所述第二签名,以使所述服务器对所述第二签名验证通过之后为所述访问控制装置分配临时密钥;The access control device sends a temporary key acquisition request to the server, the temporary key acquisition request carrying the resource access request and the second signature, so that after the server verifies the second signature Assigning a temporary key to the access control device;
    所述访问控制装置接收所述服务器分配的所述临时密钥,并存储所述临时密钥。The access control device receives the temporary key allocated by the server and stores the temporary key.
  7. 根据权利要求6所述的方法,其中,所述访问控制装置采用固定密钥对所述资源访问请求进行加密,生成第二签名之前,还包括:The method according to claim 6, wherein the access control device encrypts the resource access request by using a fixed key, and before generating the second signature, the method further includes:
    所述访问控制装置接收所述服务器为所述访问控制装置分配的固有密钥,并存储所述固有密钥。The access control device receives an inherent key assigned by the server to the access control device and stores the unique key.
  8. 根据权利要求5-7任一项所述的方法,其中,所述资源访问请求包括用户标识、目标访问资源和对所述目标访问资源的目标操作方式。The method of any of claims 5-7, wherein the resource access request comprises a user identification, a target access resource, and a target mode of operation for the target access resource.
  9. 一种服务器,包括:处理器和存储器,所述存储器上存储有计算机可读指令,所述计算机可读指令由所述处理器执行以完成以下操作:A server comprising: a processor and a memory, the computer having stored thereon computer readable instructions, the computer readable instructions being executed by the processor to:
    接收访问控制装置发送的资源访问请求和第一签名,所述第一签名是所述访问控制装置采用存储的临时密钥对所述资源访问请求加密生成的;Receiving a resource access request and a first signature sent by the access control device, where the first signature is generated by the access control device by using the stored temporary key to encrypt the resource access request;
    获取存储的为所述访问控制装置分配的临时密钥,并采用所述临时密钥对所述资源访问请求进行加密,生成第一验证数据;Acquiring the stored temporary key allocated to the access control device, and encrypting the resource access request by using the temporary key to generate first verification data;
    若所述第一签名与所述第一验证数据匹配一致,则对所述资源访问请求进行鉴权;And if the first signature matches the first verification data, the resource access request is authenticated;
    若所述资源访问请求的鉴权结果为鉴权通过,则对所述资源访问请求进行处理。And if the authentication result of the resource access request is an authentication pass, the resource access request is processed.
  10. 根据权利要求9所述的服务器,其中,所述计算机可读指令由所述处理器执行以进一步完成以下操作:The server of claim 9 wherein said computer readable instructions are executed by said processor to further perform the following operations:
    接收访问控制装置发送的临时密钥获取请求,所述临时密钥获取请求携带资源访问请求和第二签名;Receiving a temporary key acquisition request sent by the access control device, where the temporary key acquisition request carries a resource access request and a second signature;
    获取为所述访问控制装置分配的固定密钥,并采用所述固定密钥对所述资源访问请求进行加密,生成第二验证数据;Obtaining a fixed key allocated to the access control device, and encrypting the resource access request by using the fixed key to generate second verification data;
    若所述第二签名与所述第二验证数据匹配一致,则所述服务器为所述访问控制装置分配临时密钥,将所述临时密钥存储并发送至所述访问控制装置。And if the second signature matches the second verification data, the server allocates a temporary key to the access control device, and stores and sends the temporary key to the access control device.
  11. 根据权利要求9或10所述的服务器,其中,所述资源访问请求包括用户标识、目标访问资源和对所述目标访问资源的目标操作方式。The server according to claim 9 or 10, wherein the resource access request comprises a user identification, a target access resource, and a target operation mode for accessing the resource to the target.
  12. 根据权利要求11所述的服务器,其中,所述对所述资源访问请求进行鉴权包括:The server according to claim 11, wherein said authenticating said resource access request comprises:
    获取与所述用户标识对应的可访问资源和对所述可访问资源的可操作方式;Obtaining an accessible resource corresponding to the user identifier and an operable manner of the accessible resource;
    判断所述可访问资源中是否存在所述目标访问资源;Determining whether the target access resource exists in the accessible resource;
    若所述第一判断子单元判断所述可访问资源中存在所述目标访问资源,则判断对所述目标访问资源的可操作方式中是否存在所述目标操作方式;If the first determining subunit determines that the target access resource exists in the accessible resource, determining whether the target operating mode exists in an operable manner of the target accessing resource;
    若所述第二判断子单元判断对所述目标访问资源的可操作方式中存在所述目标操作方式,则确定所述资源访问请求的鉴权结果为鉴权通过。If the second determining subunit determines that the target operating mode exists in the operable mode of the target access resource, determining that the authentication result of the resource access request is the authentication pass.
  13. 一种访问控制装置,包括:处理器和存储器,所述存储器上存储有计算机可读指令,所述计算机可读指令由所述处理器执行以完成以下操作:An access control apparatus comprising: a processor and a memory, the memory storing computer readable instructions, the computer readable instructions being executed by the processor to:
    接收用户发起的资源访问请求;Receiving a resource access request initiated by a user;
    采用存储的临时密钥对所述资源访问请求进行加密,生成第一签名,所述临时密钥是由服务器预先为所述访问控制装置分配的;Encrypting the resource access request by using the stored temporary key to generate a first signature, the temporary key being previously allocated by the server for the access control device;
    将所述资源访问请求和所述第一签名发送至所述服务器,以使所述服务器对所述资源访问请求进行鉴权。Sending the resource access request and the first signature to the server to enable the server to authenticate the resource access request.
  14. The access control device according to claim 13, wherein, before encrypting the resource access request with the stored temporary key to generate the first signature, the computer-readable instructions are executed by the processor to further perform the following operations:
    encrypting the resource access request with a fixed key to generate a second signature, the fixed key having been allocated to the access control device by the server;
    sending a temporary key acquisition request to the server, the temporary key acquisition request carrying the resource access request and the second signature, so that the server allocates a temporary key to the access control device after the second signature has been verified;
    receiving the temporary key allocated by the server, and storing the temporary key.
  15. The access control device according to claim 14, wherein, before encrypting the resource access request with the fixed key to generate the second signature, the computer-readable instructions are executed by the processor to further perform the following operation:
    receiving an inherent key allocated to the access control device by the server, and storing the inherent key.
  16. The access control device according to any one of claims 13 to 15, wherein the resource access request comprises a user identifier, a target access resource, and a target operation mode for the target access resource.
  17. An authentication method for use on a server, the server comprising a processor and a memory, the method comprising the steps of:
    the server receiving a resource access request and a first signature sent by an access control device, the first signature having been generated by the access control device by encrypting the resource access request with a stored temporary key;
    the server obtaining the stored temporary key allocated to the access control device, and encrypting the resource access request with the temporary key to generate first verification data;
    if the first signature matches the first verification data, the server authenticating the resource access request;
    if the authentication result of the resource access request is "authentication passed", the server processing the resource access request.
  18. The method according to claim 17, wherein, before the server receives the resource access request and the first signature sent by the access control device, the method further comprises:
    the server receiving a temporary key acquisition request sent by the access control device, the temporary key acquisition request carrying the resource access request and a second signature;
    the server obtaining the fixed key allocated to the access control device, and encrypting the resource access request with the fixed key to generate second verification data;
    if the second signature matches the second verification data, the server allocating a temporary key to the access control device, storing the temporary key, and sending it to the access control device.
  19. The method according to claim 17 or 18, wherein the resource access request comprises a user identifier, a target access resource, and a target operation mode for the target access resource.
  20. The method according to claim 19, wherein the server authenticating the resource access request comprises:
    the server obtaining the accessible resources corresponding to the user identifier and the operable modes for those accessible resources;
    the server determining whether the target access resource exists among the accessible resources;
    if the target access resource exists, the server determining whether the target operation mode exists among the operable modes for the target access resource;
    if the target operation mode exists, the server determining that the authentication result of the resource access request is "authentication passed".
  21. An authentication method for use on an access control device, the access control device comprising a processor and a memory, wherein the method comprises:
    the access control device receiving a resource access request initiated by a user;
    the access control device encrypting the resource access request with a stored temporary key to generate a first signature, the temporary key having been allocated to the access control device in advance by a server;
    the access control device sending the resource access request and the first signature to the server, so that the server authenticates the resource access request.
  22. The method according to claim 21, wherein, before the access control device encrypts the resource access request with the stored temporary key to generate the first signature, the method further comprises:
    the access control device encrypting the resource access request with a fixed key to generate a second signature, the fixed key having been allocated to the access control device by the server;
    the access control device sending a temporary key acquisition request to the server, the temporary key acquisition request carrying the resource access request and the second signature, so that the server allocates a temporary key to the access control device after the second signature has been verified;
    the access control device receiving the temporary key allocated by the server, and storing the temporary key.
  23. The method according to claim 22, wherein, before the access control device encrypts the resource access request with the fixed key to generate the second signature, the method further comprises:
    the access control device receiving an inherent key allocated to the access control device by the server, and storing the inherent key.
  24. The method according to any one of claims 21 to 23, wherein the resource access request comprises a user identifier, a target access resource, and a target operation mode for the target access resource.
  25. A non-volatile storage medium storing computer-readable instructions which, when executed by a processor, perform the following operations:
    receiving a resource access request and a first signature sent by an access control device, the first signature having been generated by the access control device by encrypting the resource access request with a stored temporary key;
    obtaining the stored temporary key allocated to the access control device, and encrypting the resource access request with the temporary key to generate first verification data;
    if the first signature matches the first verification data, authenticating the resource access request;
    if the authentication result of the resource access request is "authentication passed", processing the resource access request.
  26. A non-volatile storage medium storing computer-readable instructions which, when executed by a processor, perform the following operations:
    receiving a resource access request initiated by a user;
    encrypting the resource access request with a stored temporary key to generate a first signature, the temporary key having been allocated to the access control device in advance by a server;
    sending the resource access request and the first signature to the server, so that the server authenticates the resource access request.
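The two-phase scheme of claims 13 to 26 (device provisioned with a fixed key, temporary key issued only after a fixed-key signature verifies, every later request signed with the temporary key, then the user identifier / target resource / target operation check of claims 12 and 20), modelled end to end as an added runnable example; this is not code from the patent or from Tencent. The claims say the request is "encrypted" with a key to produce a signature and that the server "encrypts" it again to produce verification data; this example assumes HMAC-SHA256 as that primitive and a canonical JSON serialisation so both sides sign identical bytes. The device ids, user ids, resource paths, operation names and the in-memory dictionaries are constructed sample values.

```python
"""Added example, not the patent's code: HMAC-based model of the claimed
fixed-key -> temporary-key -> per-request-signature scheme."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set, Tuple


def canonical(request: dict) -> bytes:
    """Deterministic serialisation so device and server sign the same bytes."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, request: dict) -> str:
    """Assumed realisation of 'encrypt the request with the key to get a signature'."""
    return hmac.new(key, canonical(request), hashlib.sha256).hexdigest()


class Server:
    """Holds per-device fixed keys, per-device temporary keys and the user ACL."""

    def __init__(self, acl: Dict[str, Dict[str, Set[str]]]):
        self.fixed_keys: Dict[str, bytes] = {}
        self.temp_keys: Dict[str, bytes] = {}
        self.acl = acl  # user_id -> {resource: {operable modes}} (constructed sample ACL)

    def provision_device(self, device_id: str) -> bytes:
        # Claims 15/23: the server allocates an inherent (fixed) key to the device.
        key = secrets.token_bytes(32)
        self.fixed_keys[device_id] = key
        return key

    def issue_temp_key(self, device_id: str, request: dict, second_sig: str) -> Optional[bytes]:
        # Claim 18: recompute the second verification data with the device's fixed key.
        fixed = self.fixed_keys.get(device_id)
        if fixed is None:
            return None  # unknown device: no fixed key on record
        if not hmac.compare_digest(sign(fixed, request), second_sig):
            return None  # second signature does not match: no temporary key
        temp = secrets.token_bytes(32)
        self.temp_keys[device_id] = temp  # stored and returned to the device
        return temp

    def authorize(self, request: dict) -> bool:
        # Claims 12/20: user id -> accessible resources -> operable modes on the target.
        modes = self.acl.get(request["user_id"], {}).get(request["resource"])
        return modes is not None and request["operation"] in modes

    def handle_access(self, device_id: str, request: dict, first_sig: str) -> str:
        # Claim 17: recompute the first verification data with the stored temporary key.
        temp = self.temp_keys.get(device_id)
        if temp is None:
            return "no_temp_key"
        if not hmac.compare_digest(sign(temp, request), first_sig):
            return "signature_mismatch"  # request altered after signing, or wrong key
        return "processed" if self.authorize(request) else "denied"


class AccessControlDevice:
    """Claims 21-23: obtains a fixed key, then a temporary key, then signs requests."""

    def __init__(self, device_id: str, server: Server):
        self.device_id = device_id
        self.server = server
        self.fixed_key = server.provision_device(device_id)  # claim 23
        self.temp_key: Optional[bytes] = None

    def submit(self, request: dict) -> str:
        if self.temp_key is None:
            # Claim 22: sign with the fixed key and ask the server for a temporary key.
            second_sig = sign(self.fixed_key, request)
            self.temp_key = self.server.issue_temp_key(self.device_id, request, second_sig)
            if self.temp_key is None:
                return "temp_key_refused"
        first_sig = sign(self.temp_key, request)  # claim 21
        return self.server.handle_access(self.device_id, request, first_sig)


def demo() -> Tuple[str, str, str]:
    """Run the three cases a verifier cares about: allowed, wrong operation, altered body."""
    server = Server({"alice": {"/reports/q1": {"read"}}})  # constructed sample ACL
    device = AccessControlDevice("gate-01", server)
    allowed = device.submit({"user_id": "alice", "resource": "/reports/q1", "operation": "read"})
    wrong_op = device.submit({"user_id": "alice", "resource": "/reports/q1", "operation": "write"})
    # A request whose body changed between signing and delivery must fail the signature check
    # before any ACL lookup happens.
    req = {"user_id": "alice", "resource": "/reports/q1", "operation": "read"}
    sig = sign(device.temp_key, req)
    req["operation"] = "write"
    altered = server.handle_access("gate-01", req, sig)
    return allowed, wrong_op, altered


if __name__ == "__main__":
    print(demo())  # ('processed', 'denied', 'signature_mismatch')
```

Two points the claims leave implicit are made explicit here: the signature comparison uses a constant-time compare, and the signature is checked before the ACL lookup, so a request that fails integrity never reaches the authorization logic. A device the server never provisioned has no fixed key on record, so its temporary-key request is refused at the first phase.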
PCT/CN2018/075201 2017-02-07 2018-02-05 Authentication method and server, and access control device WO2018145605A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710067062.8A CN106657152B (en) 2017-02-07 2017-02-07 Authentication method, server and access control device
CN201710067062.8 2017-02-07

Publications (1)

Publication Number Publication Date
WO2018145605A1 true WO2018145605A1 (en) 2018-08-16

Family

ID=58844634

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/075201 WO2018145605A1 (en) 2017-02-07 2018-02-05 Authentication method and server, and access control device

Country Status (2)

Country Link
CN (1) CN106657152B (en)
WO (1) WO2018145605A1 (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106657152B (en) * 2017-02-07 2021-05-28 腾讯科技(深圳)有限公司 Authentication method, server and access control device
CN107241357A (en) * 2017-07-27 2017-10-10 郑州云海信息技术有限公司 User access control method and apparatus in cloud computing system
CN109600337B (en) * 2017-09-30 2020-12-15 腾讯科技(深圳)有限公司 Resource processing method, device, system and computer readable medium
CN108322462A (en) * 2018-01-31 2018-07-24 北京车和家信息技术有限公司 A kind of method of safety verification, the method and relevant device for asking safety verification
CN108965284A (en) * 2018-07-06 2018-12-07 佛山市灏金赢科技有限公司 A kind of information processing method and device by cryptographic acess
CN109327456A (en) * 2018-11-06 2019-02-12 北京知道创宇信息技术有限公司 A kind of cluster method for authenticating, clustered node and the electronic equipment of decentralization
CN110263574B (en) * 2019-06-06 2024-08-27 深圳前海微众银行股份有限公司 Data management method, device, system and readable storage medium
CN111159097A (en) * 2019-12-09 2020-05-15 中山大学 On-chip access protection system and method
CN111935094B (en) * 2020-07-14 2022-06-03 北京金山云网络技术有限公司 Database access method, device, system and computer readable storage medium
CN112039674B (en) * 2020-08-06 2021-07-20 珠海格力电器股份有限公司 Central control system access and signature identification generation method and device and storage medium
CN114254332B (en) * 2020-09-21 2024-10-29 中移物联网有限公司 Resource authorization method and device, electronic equipment and readable storage medium
CN112434315B (en) * 2020-11-20 2022-09-20 湖南快乐阳光互动娱乐传媒有限公司 Attachment access method, server and access terminal
CN113194090B (en) * 2021-04-28 2023-04-18 招商证券股份有限公司 Authentication method, authentication device, terminal device and computer readable storage medium
CN113536365B (en) * 2021-06-07 2022-10-28 北京字跳网络技术有限公司 File access method, device, equipment and medium
CN113438242B (en) * 2021-06-25 2023-08-29 广西三方大供应链技术服务有限公司 Service authentication method, device and storage medium
CN114006762B (en) * 2021-11-01 2024-03-12 明珠数字科技股份有限公司 Method, system and storage medium for security verification among multiple servers
CN114595437B (en) * 2022-05-09 2022-09-30 荣耀终端有限公司 Access control method, electronic device, and computer-readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102790678A (en) * 2012-07-11 2012-11-21 飞天诚信科技股份有限公司 Authentication method and system
CN103166757A (en) * 2011-12-19 2013-06-19 卓望数码技术(深圳)有限公司 Method and system capable of dynamically protecting user private data
CN103701611A (en) * 2013-12-30 2014-04-02 天地融科技股份有限公司 Method for accessing and uploading data in data storage system
CN105681030A (en) * 2015-12-31 2016-06-15 腾讯科技(深圳)有限公司 Key management system, method and device
CN106657152A (en) * 2017-02-07 2017-05-10 腾讯科技(深圳)有限公司 Authentication method, server and access control device

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102299791B (en) * 2008-08-28 2014-12-24 华为技术有限公司 Autonomous management method, system and equipment for public key certificate
CN102196423B (en) * 2010-03-04 2016-07-06 腾讯科技(深圳)有限公司 A kind of safety data transferring method and system
CN102510333B (en) * 2011-09-30 2014-07-30 飞天诚信科技股份有限公司 Authorization method and system
CN102984252B (en) * 2012-11-26 2015-04-08 中国科学院信息工程研究所 Cloud resource access control method based on dynamic cross-domain security token
CN104168267B (en) * 2014-07-23 2018-02-02 中国科学院信息工程研究所 A kind of identity identifying method of access SIP security protection video monitoring systems
CN104753953A (en) * 2015-04-13 2015-07-01 成都双奥阳科技有限公司 Access control system
CN105007279B (en) * 2015-08-04 2018-11-27 北京百度网讯科技有限公司 Authentication method and Verification System
CN106230813B (en) * 2016-07-29 2019-08-02 宇龙计算机通信科技(深圳)有限公司 Method for authenticating, authentication device and terminal

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103166757A (en) * 2011-12-19 2013-06-19 卓望数码技术(深圳)有限公司 Method and system capable of dynamically protecting user private data
CN102790678A (en) * 2012-07-11 2012-11-21 飞天诚信科技股份有限公司 Authentication method and system
CN103701611A (en) * 2013-12-30 2014-04-02 天地融科技股份有限公司 Method for accessing and uploading data in data storage system
CN105681030A (en) * 2015-12-31 2016-06-15 腾讯科技(深圳)有限公司 Key management system, method and device
CN106657152A (en) * 2017-02-07 2017-05-10 腾讯科技(深圳)有限公司 Authentication method, server and access control device

Also Published As

Publication number Publication date
CN106657152A (en) 2017-05-10
CN106657152B (en) 2021-05-28

Similar Documents

Publication Publication Date Title
WO2018145605A1 (en) Authentication method and server, and access control device
US10122707B2 (en) User impersonation/delegation in a token-based authentication system
CN110582768B (en) Apparatus and method for providing secure database access
CN105187362B (en) Method and device for connection authentication between desktop cloud client and server
WO2022262078A1 (en) Access control method based on zero-trust security, and device and storage medium
US9401909B2 (en) System for and method of providing single sign-on (SSO) capability in an application publishing environment
US20180324170A1 (en) Method and apparatus for allocating device identifiers
KR101265873B1 (en) Distributed Single Signing Service Method
EP3750095A1 (en) Fast smart card logon
CN108880822B (en) An identity authentication method, device, system, and an intelligent wireless device
US9654462B2 (en) Late binding authentication
CN112559993B (en) Identity authentication method, device and system and electronic equipment
CN105991614B (en) It is a kind of it is open authorization, resource access method and device, server
CN112671720B (en) Token construction method, device and equipment for cloud platform resource access control
US20180205745A1 (en) System, method and computer program product for access authentication
JP2017535877A (en) Conditional login promotion
CN111447220B (en) Authentication information management method, server of application system and computer storage medium
CN110069909B (en) Method and device for login of third-party system without secret
WO2017016252A1 (en) Token generation and authentication method, and authentication server
EP3697053B1 (en) Accessing encrypted user data at a multi-tenant hosted cloud service
WO2019140790A1 (en) Service tracking method and apparatus, terminal device, and storage medium
TW201638822A (en) Process identity authentication method and device
WO2022246997A1 (en) Service processing method and apparatus, server, and storage medium
JP2024501752A (en) Attribute-based cryptographic keys as keying material for keyed hash message authentication codes User authentication and authorization
CN111460410A (en) Server login method, apparatus, system and computer-readable storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18751007

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18751007

Country of ref document: EP

Kind code of ref document: A1
