CN112492597B - Authentication method and device - Google Patents

Authentication method and device
Info

Publication number
CN112492597B
Authority
CN (China)
Prior art keywords
authentication
network address
terminal
identifier
network
Legal status
Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Application number
CN202011471508.1A
Other languages
Chinese (zh)
Other versions
CN112492597A (en)
Inventor
仇剑书
Current Assignee
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Events
Application filed by China United Network Communications Group Co Ltd
Priority to CN202011471508.1A
Publication of CN112492597A
Application granted
Publication of CN112492597B
Legal status: Active
Anticipated expiration


Abstract

Translated from Chinese

The application discloses an authentication method and device in the technical field of the Internet of Things. The authentication method includes: establishing a network connection with a terminal in response to an authentication request sent by an authentication service node; receiving an authentication identifier sent by the terminal and obtaining a first network address from the authentication identifier and pre-stored authentication information; obtaining a second network address from the source network address information of the network connection; authenticating the terminal by comparing the first network address with the second network address to obtain an authentication result; and sending the authentication result to the authentication service node so that it can decide, on the basis of that result, whether to allow the terminal's access operation. This avoids pre-provisioning passwords or authentication certificates in the terminal and therefore achieves secure authentication of the terminal at a lower cost.

Description

Translated from Chinese
An authentication method and device

Technical field

This application relates to the technical field of the Internet of Things, and in particular to an authentication method and device.

Background

With the development of Internet of Things (IoT) technology, IoT security is receiving increasing attention. An important part of securing the IoT is that, when a terminal accesses an IoT server, the server authenticates the legitimacy of the terminal so that illegitimate terminals cannot join the network. Because communication between a terminal and an IoT server involves no human participation, the authentication method differs from those used on the Internet. At present the IoT field mainly relies on pre-provisioned passwords or pre-provisioned digital certificates: before the terminal leaves the factory or is installed, an authentication password or digital certificate is placed in the terminal, and the same password or a certificate from the same root is stored on the IoT server. Before the terminal communicates with the IoT server, the two complete one-way or mutual authentication using the pre-provisioned password or certificate. However, pre-provisioning passwords or digital certificates in the terminal imposes higher security requirements on the terminal's production environment, and storing passwords and digital certificates on the IoT server imposes higher security requirements on the server. Meeting these requirements inevitably raises the production and operating cost of the terminal substantially.

Therefore, how to achieve secure authentication of IoT terminals at a lower cost has become an urgent problem in this field.

Summary of the invention

To this end, the present application provides an authentication method and device that address the high production and operating cost of terminals caused by authentication methods based on pre-provisioned passwords or digital certificates.

To achieve the above purpose, the first aspect of this application provides an authentication method that includes:

establishing a network connection with the terminal in response to an authentication request sent by the authentication service node;

receiving the authentication identifier sent by the terminal, and obtaining the first network address from the authentication identifier and pre-stored authentication information;

obtaining a second network address from the source network address information of the network connection;

authenticating the terminal by comparing the first network address with the second network address, and obtaining an authentication result;

sending the authentication result to the authentication service node, so that the authentication service node can decide, based on the authentication result, whether to allow the terminal's access operation.

Further, the pre-stored authentication information is information that the authentication proxy node stored in advance on the basis of the authentication request.

Further, the authentication request includes the identifier of the terminal's subscriber identity card, the first network address and the authentication identifier; the first network address is the network address of the terminal, and the authentication identifier is an identifier generated by the authentication service node for this particular authentication operation.

Further, the authentication identifier includes one or more of a timestamp identifier, a random number identifier and a counter identifier.

Further, establishing a network connection with the terminal in response to the authentication request sent by the authentication service node includes:

obtaining, from the identifier of the subscriber identity card, the card's Mobile Subscriber International ISDN number (MSISDN);

sending authentication connection information to the terminal according to the MSISDN, so that the terminal can establish a network connection with the authentication proxy node according to that information; the authentication connection information includes the identifier of a card authentication application, the network address of the authentication proxy node and the authentication identifier, and the card authentication application is an application program capable of parsing the authentication connection information to extract the network address of the authentication proxy node and the authentication identifier.

Further, obtaining the MSISDN of the subscriber identity card from its identifier includes:

determining the home operator of the subscriber identity card from its identifier;

obtaining the MSISDN of the subscriber identity card through the home operator.

Further, sending authentication connection information to the terminal according to the MSISDN includes:

sending the authentication connection information to a short message gateway, so that the gateway delivers it to the terminal addressed by the MSISDN of the subscriber identity card.

Further, authenticating the terminal by comparing the first network address with the second network address to obtain an authentication result includes:

comparing the first network address with the second network address;

if the first network address matches the second network address, obtaining an authentication result that the terminal has passed authentication;

if the first network address does not match the second network address, obtaining an authentication result that the terminal has failed authentication.

To achieve the above purpose, the second aspect of the present application provides an authentication device that includes:

a connection module, configured to establish a network connection with the terminal in response to the authentication request sent by the authentication service node;

a receiving module, configured to receive the authentication identifier sent by the terminal;

a first obtaining module, configured to obtain the first network address from the authentication identifier and pre-stored authentication information;

a second obtaining module, configured to obtain the second network address from the source network address information of the network connection;

an authentication module, configured to authenticate the terminal by comparing the first network address with the second network address, and to obtain an authentication result;

a sending module, configured to send the authentication result to the authentication service node, so that the authentication service node can decide, based on the authentication result, whether to allow the terminal's access operation.

Further, the authentication module includes:

a comparing unit, configured to compare the first network address with the second network address;

an obtaining unit, configured to obtain an authentication result that the terminal has passed authentication when the first network address matches the second network address, and an authentication result that the terminal has failed authentication when the two addresses do not match.

This application has the following advantages:

The authentication method provided by this application establishes a network connection with the terminal in response to the authentication request sent by the authentication service node; receives the authentication identifier sent by the terminal and obtains the first network address from the authentication identifier and pre-stored authentication information; obtains the second network address from the source network address information of the network connection; authenticates the terminal by comparing the first and second network addresses and obtains an authentication result; and sends that result to the authentication service node, which decides whether to allow the terminal's access operation. This avoids pre-provisioning passwords or authentication certificates in the terminal and therefore achieves secure authentication of the terminal at a lower cost.

Description of drawings

The accompanying drawings provide a further understanding of the present application and form part of the description; together with the specific embodiments below they explain the application, but they do not limit it.

FIG. 1 is a block diagram of an authentication system provided by an embodiment of the present application;

FIG. 2 is a flow chart of an authentication method provided by an embodiment of the present application;

FIG. 3 is a flow chart of another authentication method provided by an embodiment of the present application;

FIG. 4 is a work flow chart of an authentication system provided by an embodiment of the present application;

FIG. 5 is a functional block diagram of an authentication device provided by an embodiment of the present application.

Detailed description

The specific embodiments of the present application are described in detail below in conjunction with the accompanying drawings. It should be understood that the specific embodiments described here serve only to illustrate and explain the present application and are not intended to limit it.

The Internet of Things (IoT), the "Internet of everything", is a network that extends and expands the Internet: it combines various information-sensing devices with the Internet to form a vast network that interconnects people, machines and things at any time and in any place. IoT technology is already widely used in industries such as energy, transportation, home automation and healthcare, and as it develops, IoT security has received broad attention.

Current IoT security mechanisms mainly authenticate the identity of terminals that want to connect to an IoT server, so that only secure and legitimate terminals can access it. Unlike the Internet, communication between a terminal and an IoT server involves no human participation, so the corresponding authentication method also differs from Internet authentication methods. In the prior art, one-way or mutual authentication is generally implemented by pre-provisioning passwords or digital certificates in the terminal and on the IoT server. However, pre-provisioning passwords or digital certificates in the terminal imposes higher security requirements on the terminal's production environment, and storing passwords and digital certificates on the IoT server imposes higher security requirements on the server. Meeting these requirements inevitably raises the production and operating cost of the terminal substantially.

In view of this, the present application proposes an authentication method and device in which the authentication proxy node obtains the network address of the terminal to be authenticated in two relatively independent ways, compares the two addresses for consistency, and determines from the comparison whether the terminal passes authentication. This avoids pre-provisioning passwords and digital certificates in terminals and servers, so that secure authentication of terminals can be achieved at a lower cost.

FIG. 1 is a block diagram of an authentication system provided by an embodiment of the present application. As shown in FIG. 1, the authentication system includes an authentication server 11, an authentication agent 12 and a terminal 13.

The authentication server 11 is a server in the IoT with an identity authentication function, and it is communicatively connected to the authentication agent 12 and to the terminal 13. In some implementations the authentication server 11 and the authentication agent 12 jointly authenticate the identity of the terminal 13. The authentication agent 12 is a functional entity that performs identity authentication on behalf of the server, and it is communicatively connected to the authentication server 11 and to the terminal 13 (the authentication agent 12 establishes its connection with the terminal 13 only after receiving an authentication request). The terminal 13 is a terminal device that wants to connect to the IoT, and its identity is authenticated through the authentication server 11 and the authentication agent 12.

In one implementation, when the terminal 13 needs to access the IoT, the authentication server 11 sends an authentication request to the authentication agent 12. After receiving the request, the authentication agent 12 establishes a network connection with the terminal 13, obtains two network addresses for the terminal, one from the pre-stored authentication information and one from its network connection with the terminal 13, obtains the authentication result by comparing whether the two addresses match, and sends the result to the authentication server 11. The authentication server 11 receives the result and decides accordingly whether to allow the terminal 13 to access the IoT.

The first aspect of the present application provides an authentication method. FIG. 2 is a flow chart of an authentication method provided by an embodiment of the present application; the method can be applied to an authentication proxy node. As shown in FIG. 2, the authentication method includes the following steps:

Step S201: in response to the authentication request sent by the authentication service node, establish a network connection with the terminal.

Here, "authentication service node" is an abstract description of the authentication server, and "authentication proxy node" is an abstract description of the authentication agent. It will be understood that the authentication request must include identification information for the terminal, so that the authentication proxy node can uniquely identify the terminal from the request and establish a network connection with it.

In some embodiments, the authentication request includes the identifier of the terminal's Subscriber Identity Module (SIM), the first network address and the authentication identifier. The first network address is the network address of the terminal, and the authentication identifier is an identifier generated by the authentication service node for this particular authentication operation. In some implementations the authentication identifier includes a timestamp identifier and/or a random number identifier and/or a counter identifier.

It should be noted that the authentication identifier is set for one specific authentication operation, which limits its scope and permitted use. Once the authentication identifier is used outside that scope or permission it becomes invalid, which to some extent protects the security of the authentication process and the accuracy of the authentication result.

In a first embodiment, when the terminal needs to access the IoT, the terminal starts the authentication operation. Specifically, the IoT application client installed on the terminal reads the SIM card's ICCID (Integrated Circuit Card Identity) and at the same time reads the IP address assigned to the terminal when it attached to the mobile communication network; this IP address is the first network address. The terminal sends the ICCID and the first network address to the authentication service node. The authentication service node receives them, generates an authentication identifier for this authentication process, builds an authentication request from the ICCID, the first network address and the authentication identifier, and sends the request to the authentication proxy node. The authentication proxy node receives the request and establishes a network connection with the terminal.

In a second embodiment, the authentication service node pre-stores a mapping between the terminal's hardware identifier and its ICCID. When the terminal needs to access the IoT, it sends its hardware identifier and the first network address to the authentication service node. The authentication service node receives them, looks up the terminal's ICCID from the hardware identifier using the pre-stored mapping, generates an authentication identifier for this authentication process, builds an authentication request from the ICCID, the first network address and the authentication identifier, and sends the request to the authentication proxy node. The authentication proxy node receives the request and establishes a network connection with the terminal.

The network connection between the authentication proxy node and the terminal can be established through a short message (SMS) gateway.

In one embodiment, the authentication proxy node uses the SIM card's ICCID to obtain the SIM card's MSISDN (Mobile Subscriber International ISDN/PSTN number). In one implementation, the authentication proxy node determines the SIM card's home operator from the ICCID and obtains the MSISDN through the home operator's BSS (Business Support System).

After obtaining the MSISDN, the authentication proxy node generates authentication connection information from the identifier of the card authentication application, the network address of the authentication proxy node and the authentication identifier, and sends this information to the SMS gateway; the SMS gateway forwards it to the terminal addressed by the SIM card's MSISDN. The card authentication application is an application program capable of parsing the authentication connection information to extract the network address of the authentication proxy node and the authentication identifier.

The terminal receives the authentication connection information, selects the card authentication application named by the application identifier in that information, parses the information with that application to obtain the network address of the authentication proxy node and the authentication identifier, and establishes a network connection with the authentication proxy node at that network address.

It should be noted that the above manner of sending the authentication connection information is only an example and can be configured according to the actual situation; other sending manners not described here also fall within the scope of protection of this application and are not repeated here.

步骤S202,接收终端发送的认证标识,并根据认证标识和预存认证信息获取第一网络地址。Step S202, receiving the authentication identifier sent by the terminal, and obtaining the first network address according to the authentication identifier and pre-stored authentication information.

其中,预存认证信息是认证代理节点接收认证请求后,根据认证请求预先存储的信息。在一些具体实现中,认证请求包括终端的SIM卡的标识、第一网络地址和认证标识。认证代理节点接收认证请求之后,保存认证请求中的认证标识与第一网络地址,以在对终端进行认证时,可以根据认证标识确定与之对应的终端的网络地址(即第一网络地址)。Wherein, the pre-stored authentication information is information pre-stored according to the authentication request after the authentication proxy node receives the authentication request. In some specific implementations, the authentication request includes the identifier of the SIM card of the terminal, the first network address, and the authentication identifier. After the authentication proxy node receives the authentication request, it saves the authentication identifier and the first network address in the authentication request, so that when authenticating the terminal, it can determine the corresponding terminal's network address (namely the first network address) according to the authentication identifier.

在一个实施方式中,认证代理节点接收终端发送的认证标识,基于认证标识,并根据预存认证信息中认证标识与第一网络地址的映射关系,确定第一网络地址。In one embodiment, the authentication proxy node receives the authentication identifier sent by the terminal, and determines the first network address based on the authentication identifier and according to the mapping relationship between the authentication identifier and the first network address in the pre-stored authentication information.

步骤S203,根据网络连接的源网络地址信息,获得第二网络地址。Step S203, obtaining a second network address according to the source network address information of the network connection.

其中,源网络地址信息包括但不限于源IP(Internet Protocol,互联网协议)地址。该源IP地址即为与认证代理节点建立网络连接的终端的当前实际网络地址,也即第二网络地址。在一些具体实现中,源网络地址信息为四元组形式,包括源IP地址、源端口、目的IP地址和目的端口。其中,源IP地址为终端对应的网络地址,源端口为终端对应的网络端口,目的IP地址为认证代理节点对应的网络地址,目的端口为认证代理节点对应的网络端口。Wherein, the source network address information includes but not limited to a source IP (Internet Protocol, Internet Protocol) address. The source IP address is the current actual network address of the terminal establishing a network connection with the authentication proxy node, that is, the second network address. In some specific implementations, the source network address information is in the form of a quaternion, including a source IP address, a source port, a destination IP address, and a destination port. Wherein, the source IP address is the network address corresponding to the terminal, the source port is the network port corresponding to the terminal, the destination IP address is the network address corresponding to the authentication proxy node, and the destination port is the network port corresponding to the authentication proxy node.

具体地,认证代理节点获取第一网络地址之后,为保障当前与其建立网络连接的终端是第一网络地址对应的终端,认证代理节点获取当前网络连接的源网络地址信息,并根据源网络地址信息获取第二网络地址,以比较第一网络地址与第二网络地址是否相同,并根据比较结果确定两个网络地址对应的终端是否为同一终端。Specifically, after the authentication proxy node obtains the first network address, in order to ensure that the terminal currently establishing a network connection with it is the terminal corresponding to the first network address, the authentication proxy node obtains the source network address information of the current network connection, and according to the source network address information Obtain the second network address to compare whether the first network address is the same as the second network address, and determine whether the terminals corresponding to the two network addresses are the same terminal according to the comparison result.

In one embodiment, the authentication proxy node obtains the four-tuple of the current network connection (source IP address, source port, destination IP address and destination port) through an acquisition tool; the source IP address is the second network address.

The above way of obtaining the second network address is only an example and may be configured according to the actual situation; other ways of obtaining the second network address that are not described here also fall within the scope of protection of this application and are not repeated here.

Step S204: authenticate the terminal according to the first network address and the second network address, and obtain an authentication result.

The first network address is the terminal's network address as obtained by the authentication proxy node from the pre-stored information; the second network address is the terminal's network address as obtained by the authentication proxy node from the current network connection. When the two addresses are identical, the terminal's identity is taken to be genuine, that is, the terminal has passed the identity authentication of the authentication proxy node.

In one embodiment, the authentication proxy node compares the first network address with the second network address. If they are identical, the authentication proxy node determines that the terminal's identity is genuine and credible and obtains an authentication result indicating that the terminal has passed authentication; if they differ, the authentication proxy node determines that the terminal's identity is not genuine and credible and obtains an authentication result indicating that the terminal has failed authentication.

Step S205: send the authentication result to the authentication service node, so that the authentication service node determines from the authentication result whether to allow the terminal's access operation.

The authentication service node determines whether to allow the terminal's access operation according to the authentication result from the authentication proxy node.

In one embodiment, the authentication proxy node sends the authentication result to the authentication service node, which receives it. When the result is that the terminal passed authentication, the authentication service node allows the terminal's access operation; when the result is that the terminal failed authentication, the authentication service node refuses the terminal's access operation.
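As an added example that is not code from the patent, the following Python shows an authentication proxy node carrying out steps S202 to S205 on a real TCP connection. The authentication identifier is read from the payload the terminal sends, but the four-tuple, and therefore the second network address, is taken from getpeername()/getsockname() on the accepted socket, so a terminal cannot claim a second network address it does not hold. Addresses are normalized before comparison so that the IPv4-mapped form a dual-stack listener reports (::ffff:10.0.0.5) compares equal to 10.0.0.5, and each identifier is consumed on first use. The loopback listener, the identifier and the addresses are constructed for the example. Two practitioner caveats the description leaves implicit: address equality only shows that the connection originates from the address the service node was told, so the scheme rests on the authentication identifier being unpredictable, single-use and delivered to the SIM's MSISDN over SMS; and if the mobile network translates the terminal's address (carrier-grade NAT) before it reaches the proxy node, the first and second addresses legitimately differ and the check fails, so the proxy node has to be placed where it observes the terminal's untranslated address.

```python
import ipaddress
import socket
import threading


def normalize_address(text: str) -> str:
    """Canonical address string, so that '::ffff:10.0.0.5' (an IPv4 client seen through
    a dual-stack IPv6 listener) and '10.0.0.5' compare equal."""
    addr = ipaddress.ip_address(text.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


class AuthenticationProxy:
    """Pre-stores authentication identifier -> first address, then checks each connection."""

    def __init__(self, host: str = "127.0.0.1"):
        self.pending = {}                              # pre-stored authentication information
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind((host, 0))                  # port 0: the OS picks a free port
        self.listener.listen(1)
        self.listener.settimeout(5)
        self.address = self.listener.getsockname()     # what the terminal connects to

    def store_request(self, auth_id: str, first_address: str) -> None:
        """Keep the first address carried in the service node's authentication request."""
        self.pending[auth_id] = normalize_address(first_address)

    def check(self, auth_id: str, four_tuple: tuple) -> dict:
        """S202-S204 for one connection; four_tuple = (src ip, src port, dst ip, dst port)."""
        first = self.pending.pop(auth_id, None)        # an identifier is consumed on first use
        if first is None:
            return {"auth_id": auth_id, "passed": False, "reason": "unknown or reused identifier"}
        second = normalize_address(four_tuple[0])      # S203: source IP of the connection
        return {"auth_id": auth_id, "passed": first == second,
                "first_address": first, "second_address": second, "four_tuple": four_tuple}

    def serve_one(self) -> dict:
        """Accept one terminal connection. The identifier comes from the payload; the
        four-tuple comes from the socket, never from anything the peer sent."""
        conn, _ = self.listener.accept()
        with conn:
            auth_id = conn.recv(256).decode().strip()
            src_ip, src_port = conn.getpeername()[:2]
            dst_ip, dst_port = conn.getsockname()[:2]
            result = self.check(auth_id, (src_ip, src_port, dst_ip, dst_port))
            conn.sendall(b"PASS\n" if result["passed"] else b"FAIL\n")
        return result

    def close(self) -> None:
        self.listener.close()


def terminal_connect(proxy_address, auth_id: str) -> str:
    """The card authentication application's side: connect and send the identifier."""
    with socket.create_connection(proxy_address, timeout=5) as s:
        s.sendall(auth_id.encode() + b"\n")
        return s.recv(16).decode().strip()


def run_check(first_address: str, auth_id: str = "ts-1-c0ffee") -> dict:
    """The service node reported first_address for the terminal; the terminal actually
    connects from 127.0.0.1. Returns the proxy node's authentication result."""
    proxy = AuthenticationProxy()
    proxy.store_request(auth_id, first_address)
    outcome = {}
    server = threading.Thread(target=lambda: outcome.update(proxy.serve_one()))
    server.start()
    reply = terminal_connect(proxy.address, auth_id)
    server.join()
    proxy.close()
    outcome["terminal_saw"] = reply
    return outcome


def service_node_decision(result: dict) -> str:
    """S205: the service node allows or refuses the access operation from the result."""
    return "allow" if result["passed"] else "deny"


if __name__ == "__main__":
    print(service_node_decision(run_check("127.0.0.1")))         # allow
    print(service_node_decision(run_check("::ffff:127.0.0.1")))  # allow: same address, mapped form
    print(service_node_decision(run_check("10.0.0.5")))           # deny: addresses differ
```

Running the module performs three loopback exchanges: a matching first address passes, the IPv4-mapped spelling of the same address still passes after normalization, and a first address that differs from the connection's source address is refused by the service node.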

Fig. 3 is a flow chart of another authentication method provided by an embodiment of this application; the method can be applied to an authentication proxy node. As shown in Fig. 3, the authentication method includes the following steps:

Step S301: in response to an authentication request sent by the authentication service node, determine the home operator of the subscriber identity card according to the identifier of the subscriber identity card carried in the authentication request.

In some implementations the authentication request includes the terminal's SIM identifier, the first network address and the authentication identifier, where the first network address is the terminal's network address and the authentication identifier is an identifier generated by the authentication service node for this authentication operation.

The authentication proxy node receives and responds to the authentication request sent by the authentication service node and determines the home operator of the SIM card from the SIM card identifier in the request.

Step S302: obtain the MSISDN (mobile station international ISDN number) of the subscriber identity card through the home operator.

The MSISDN uniquely identifies a mobile station number; that is, information can be delivered to a designated terminal or designated user by means of the MSISDN.

In one embodiment, the authentication proxy node obtains the SIM card's MSISDN through the BSS (business support system) of the home operator.

Step S303: send authentication connection information to the SMS gateway, so that the SMS gateway delivers the authentication connection information to the terminal according to the MSISDN of the subscriber identity card.

In one embodiment, the authentication proxy node generates the authentication connection information from the identifier of the card authentication application, the network address of the authentication proxy node and the authentication identifier, and sends it to the SMS gateway; on receiving it, the SMS gateway forwards the authentication connection information to the terminal according to the SIM card's MSISDN. The card authentication application is an application program capable of parsing the authentication connection information to obtain the network address of the authentication proxy node and the authentication identifier.

The terminal receives the authentication connection information, determines the corresponding card authentication application from the card authentication application identifier contained in it, parses the authentication connection information with that application to obtain the network address of the authentication proxy node and the authentication identifier, and establishes a network connection with the authentication proxy node using that network address.

Step S304: receive the authentication identifier sent by the terminal, and obtain the first network address according to the authentication identifier and the pre-stored authentication information.

Step S305: obtain the second network address from the source network address information of the network connection.

Step S306: authenticate the terminal according to the first network address and the second network address, and obtain an authentication result.

Step S307: send the authentication result to the authentication service node, so that the authentication service node determines from the authentication result whether to allow the terminal's access operation.

Steps S304 to S307 of this embodiment are the same as steps S202 to S205 of the previous embodiment of this application and are not repeated here.

The authentication method provided by the embodiments of this application obtains the terminal's network address through two relatively independent channels, the pre-stored authentication information and the current network connection information, and decides whether the terminal passes authentication by comparing whether the network addresses obtained through the two channels are the same. No password or digital certificate has to be pre-provisioned on the terminal or the server, so secure authentication of the terminal can be achieved at low cost.

Fig. 4 is a work flow chart of an authentication system provided by an embodiment of this application. As shown in Fig. 4, the authentication system includes a terminal 41, an authentication service node 42 and an authentication proxy node 43.

The workflow of the authentication system includes the following steps:

Step S401: the terminal 41 sends the identifier of the subscriber identity card and the first network address to the authentication service node 42.

Step S402: the authentication service node 42 receives the subscriber identity card identifier and the first network address sent by the terminal 41, generates an authentication identifier for this authentication operation, and builds an authentication request from the subscriber identity card identifier, the first network address and the authentication identifier.

Step S403: the authentication service node 42 sends the authentication request to the authentication proxy node 43.

Step S404: the authentication proxy node 43 receives and responds to the authentication request, determines the home operator of the subscriber identity card from the identifier of the subscriber identity card in the request, and obtains the MSISDN of the subscriber identity card through the home operator.

Step S405: the authentication proxy node 43 sends the authentication connection information to the terminal 41 according to the MSISDN of the subscriber identity card.

Step S406: the terminal 41 receives the authentication connection information, parses it to obtain the network address of the authentication proxy node, and establishes a network connection with the authentication proxy node 43 using that network address.

Step S407: the terminal 41 sends the authentication identifier to the authentication proxy node 43.

Step S408: the authentication proxy node 43 receives the authentication identifier sent by the terminal 41 and obtains the first network address from the authentication identifier and the pre-stored authentication information.

Step S409: the authentication proxy node 43 obtains the second network address from the source network address information of the network connection.

Step S410: the authentication proxy node 43 authenticates the terminal 41 according to the first network address and the second network address and obtains an authentication result.

Step S411: the authentication proxy node 43 sends the authentication result to the authentication service node 42.

Step S412: the authentication service node 42 receives the authentication result sent by the authentication proxy node 43 and determines from it whether to allow the access operation of the terminal 41.
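The complete exchange of Fig. 4, together with steps S301 to S303 of Fig. 3 (home operator lookup, MSISDN retrieval, delivery of the authentication connection information by SMS) and the hardware-identifier variant of the second embodiment, as an added Python example that is not part of the patent. The SMS gateway and the home operator's BSS are replaced by in-memory dictionaries, the card authentication application identifier is modelled as the scheme of a URL-style message that the application parses, and the ICCID prefix table, the ICCID, the MSISDN, the proxy address and the 120-second lifetime of a pre-stored record are all constructed or assumed (the description only says the identifier is generated per authentication operation and may combine a timestamp, a random number and a counter). The ICCID sanity check uses the Luhn check digit that ITU-T E.118 specifies; mapping the first six digits to an operator is a simplification for the example, since issuer identifier lengths vary by country.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit

CARD_AUTH_APP = "cardauth"          # identifier of the card authentication application (assumed)
PROXY_ADDRESS = "203.0.113.7:8443"  # network address of the authentication proxy node (constructed)
AUTH_ID_TTL = 120                   # seconds a pre-stored record stays usable (assumption, not in the patent)
ISSUER_TO_OPERATOR = {"898601": "OperatorA", "898600": "OperatorB"}  # constructed ICCID prefix table


def luhn_checksum(digits: str) -> int:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                         # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10                     # 0 for a number ending in a valid Luhn check digit


def luhn_append(payload: str) -> str:
    return payload + str((10 - luhn_checksum(payload + "0")) % 10)   # E.118 check digit


def home_operator(iccid: str) -> str:
    """S301: sanity-check the ICCID and map its issuer identifier to the home operator."""
    if not (iccid.isdigit() and 19 <= len(iccid) <= 20 and iccid.startswith("89")
            and luhn_checksum(iccid) == 0):
        raise ValueError("malformed ICCID")
    if iccid[:6] not in ISSUER_TO_OPERATOR:
        raise ValueError("unknown issuer identifier")
    return ISSUER_TO_OPERATOR[iccid[:6]]


class AuthenticationProxyNode:
    def __init__(self, sms_inbox: dict, bss: dict):
        self.sms_inbox = sms_inbox        # MSISDN -> delivered texts; stands in for the SMS gateway
        self.bss = bss                    # operator -> {ICCID: MSISDN}; stands in for the operator BSS
        self.pending = {}                 # pre-stored authentication information

    def handle_request(self, request: dict) -> None:
        """S404/S405: pre-store the request, resolve the MSISDN, send connection info by SMS."""
        self.pending[request["auth_id"]] = (request["first_address"], time.time())
        msisdn = self.bss[home_operator(request["iccid"])][request["iccid"]]
        info = f"{CARD_AUTH_APP}://{PROXY_ADDRESS}/connect?auth_id={request['auth_id']}"
        self.sms_inbox.setdefault(msisdn, []).append(info)

    def handle_connection(self, auth_id: str, source_ip: str) -> dict:
        """S408-S410: first address from the pre-stored record, second from the connection."""
        entry = self.pending.pop(auth_id, None)      # one use per authentication identifier
        if entry is None:
            return {"auth_id": auth_id, "passed": False, "reason": "unknown or reused identifier"}
        first_address, stored_at = entry
        if time.time() - stored_at > AUTH_ID_TTL:
            return {"auth_id": auth_id, "passed": False, "reason": "expired"}
        return {"auth_id": auth_id, "passed": first_address == source_ip,
                "first_address": first_address, "second_address": source_ip}


class AuthenticationServiceNode:
    def __init__(self, proxy: AuthenticationProxyNode, hardware_to_iccid: dict = None):
        self.proxy = proxy
        self.hardware_to_iccid = hardware_to_iccid or {}   # second embodiment: hardware id -> ICCID
        self.counter = 0

    def new_auth_id(self) -> str:
        self.counter += 1                 # timestamp + counter + random number, as the description allows
        return f"{int(time.time())}-{self.counter}-{secrets.token_hex(16)}"

    def start(self, terminal_id: str, first_address: str) -> str:
        """S402/S403: build the authentication request and hand it to the proxy node."""
        iccid = self.hardware_to_iccid.get(terminal_id, terminal_id)
        auth_id = self.new_auth_id()
        self.proxy.handle_request({"iccid": iccid, "first_address": first_address, "auth_id": auth_id})
        return auth_id

    @staticmethod
    def decide(result: dict) -> str:
        return "allow" if result["passed"] else "deny"   # S412


def parse_connection_info(text: str) -> tuple:
    """S406: the card authentication application extracts proxy address and identifier."""
    parts = urlsplit(text)
    if parts.scheme != CARD_AUTH_APP:
        raise ValueError("message is not for the card authentication application")
    return parts.netloc, parse_qs(parts.query)["auth_id"][0]


def run_scenario(reported_ip: str, actual_ip: str, by_hardware_id: bool = False) -> str:
    """Whole Fig. 4 flow: reported_ip is the first address the terminal reports (S401),
    actual_ip the source address the proxy node sees on the connection (S409)."""
    iccid = luhn_append("8986011234567890123")                 # constructed ICCID
    msisdn, sms_inbox = "8613000000001", {}                    # constructed MSISDN
    proxy = AuthenticationProxyNode(sms_inbox, {"OperatorA": {iccid: msisdn}})
    service = AuthenticationServiceNode(proxy, {"hw-0001": iccid})
    service.start("hw-0001" if by_hardware_id else iccid, reported_ip)
    proxy_addr, auth_id = parse_connection_info(sms_inbox[msisdn].pop(0))
    assert proxy_addr == PROXY_ADDRESS                         # the app connects to this address
    return service.decide(proxy.handle_connection(auth_id, actual_ip))
```

run_scenario("10.0.0.5", "10.0.0.5") returns "allow" and run_scenario("10.0.0.5", "10.0.0.9") returns "deny"; the identifier is removed from the pre-stored information on first use and refused once its lifetime has passed, which is what keeps a captured SMS from being replayed later or from another address.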

The division of the above methods into steps is only for clarity of description. In implementation, steps may be combined into one or split into several; as long as the same logical relationship is preserved, they fall within the scope of protection of this patent. Adding insignificant modifications to the algorithm or flow, or introducing insignificant designs, without changing the core design of the algorithm and flow also falls within the scope of protection of this patent.

A second aspect of this application provides an authentication device. Fig. 5 is a functional block diagram of an authentication device provided by an embodiment of this application. As shown in Fig. 5, the authentication device includes a connection module 501, a receiving module 502, a first obtaining module 503, a second obtaining module 504, an authentication module 505 and a sending module 506.

Connection module 501, configured to establish a network connection with the terminal in response to an authentication request sent by the authentication service node.

The authentication request should include identification information that identifies the terminal, so that the authentication proxy node can uniquely determine the terminal from the request and establish a network connection with it. In some embodiments the authentication request includes the identifier of the terminal's subscriber identity card, the first network address and the authentication identifier, where the first network address is the terminal's network address and the authentication identifier is an identifier generated by the authentication service node for this authentication operation. In some implementations the authentication identifier includes a timestamp identifier and/or a random-number identifier and/or a counter identifier.

In a first embodiment, when the terminal needs to access the Internet of Things, it starts the authentication operation. Specifically, the IoT application client installed on the terminal reads the SIM card identifier ICCID and also reads the IP address allocated to the terminal when it accessed the mobile communication network; that IP address is the first network address. The terminal sends the ICCID and the first network address to the authentication service node. The authentication service node receives them, generates an authentication identifier for this authentication process, builds an authentication request from the ICCID, the first network address and the authentication identifier, and sends the request to the authentication proxy node. The authentication proxy node receives the request and establishes a network connection with the terminal through the connection module 501.

In a second embodiment, the authentication service node pre-stores a mapping between the terminal's hardware identifier and its ICCID. When the terminal needs to access the Internet of Things, it sends the hardware identifier and the first network address to the authentication service node. The authentication service node receives them, obtains the terminal's ICCID from the hardware identifier and the pre-stored mapping, generates an authentication identifier for this authentication process, builds an authentication request from the ICCID, the first network address and the authentication identifier, and sends the request to the authentication proxy node. The authentication proxy node receives the request and establishes a network connection with the terminal through the connection module 501.

In one implementation, the authentication proxy node establishing a network connection with the terminal through the connection module 501 includes the following.

The authentication proxy node obtains the MSISDN of the SIM card according to the SIM card identifier ICCID. In one implementation, the authentication proxy node determines the home operator of the SIM card from the ICCID and obtains the SIM card's MSISDN through the home operator's BSS.

After obtaining the SIM card's MSISDN, the authentication proxy node generates the authentication connection information from the identifier of the card authentication application, the network address of the authentication proxy node and the authentication identifier, and sends it to the SMS gateway; on receiving it, the SMS gateway forwards the authentication connection information to the terminal according to the SIM card's MSISDN. The card authentication application is an application program capable of parsing the authentication connection information to obtain the network address of the authentication proxy node and the authentication identifier.

The terminal receives the authentication connection information, determines the corresponding card authentication application from the card authentication application identifier contained in it, parses the authentication connection information with that application to obtain the network address of the authentication proxy node and the authentication identifier, and establishes a network connection with the authentication proxy node using that network address.

The above way of sending the authentication connection information is only an example and may be configured according to the actual situation; other ways of sending it that are not described here also fall within the scope of protection of this application and are not repeated here.

Receiving module 502, configured to receive the authentication identifier sent by the terminal.

The receiving module 502 is a module with an information-receiving function. In this embodiment it receives the authentication identifier sent by the terminal, the authentication identifier being information generated by the authentication service node and sent to the authentication proxy node. In some implementations the authentication proxy node packs the authentication identifier into the authentication connection information and sends that information to the terminal through the SMS gateway; the terminal receives the authentication connection information and obtains the authentication identifier from it.

First obtaining module 503, configured to obtain the first network address according to the authentication identifier and the pre-stored authentication information.

The pre-stored authentication information is information that the authentication proxy node stores from the authentication request after receiving it. In some implementations the authentication request includes the identifier of the terminal's SIM card, the first network address and the authentication identifier. After receiving the authentication request, the authentication proxy node saves the authentication identifier and the first network address from it, so that when authenticating the terminal it can look up the network address of the corresponding terminal (the first network address) from the authentication identifier.

In one embodiment, after receiving the authentication identifier sent by the terminal, the authentication proxy node obtains the first network address through the first obtaining module 503 from the authentication identifier and the mapping between authentication identifier and first network address held in the pre-stored authentication information.

Second obtaining module 504, configured to obtain the second network address according to the source network address information of the network connection.

The source network address information includes, but is not limited to, the source IP address, which is the current actual network address of the terminal that established the network connection with the authentication proxy node, that is, the second network address.

After obtaining the first network address, the authentication proxy node, in order to confirm that the terminal currently connected to it is the terminal corresponding to the first network address, obtains the source network address information of the current network connection and derives the second network address from it, compares the first network address with the second network address, and decides from the comparison whether the two addresses belong to the same terminal.

In one embodiment, the authentication proxy node obtains the four-tuple of the current network connection through an acquisition tool and obtains the second network address through the second obtaining module 504. The four-tuple includes the source IP address, source port, destination IP address and destination port, and the second network address is the source IP address.

Authentication module 505, configured to authenticate the terminal according to the first network address and the second network address and obtain an authentication result.

The first network address is the terminal's network address as obtained by the authentication proxy node from the pre-stored information; the second network address is the terminal's network address as obtained by the authentication proxy node from the current network connection. When the two addresses are identical, the terminal's identity is taken to be genuine, that is, the terminal has passed the identity authentication of the authentication proxy node.

In one embodiment, the authentication proxy node compares the first network address with the second network address through the authentication module 505. If they are identical, the authentication proxy node determines that the terminal's identity is genuine and credible and obtains an authentication result indicating that the terminal has passed authentication; if they differ, the authentication proxy node determines that the terminal's identity is not genuine and credible and obtains an authentication result indicating that the terminal has failed authentication.

Sending module 506, configured to send the authentication result to the authentication service node, so that the authentication service node determines from the authentication result whether to allow the terminal's access operation.

The authentication service node determines whether to allow the terminal's access operation according to the authentication result from the authentication proxy node.

In one embodiment, the authentication proxy node sends the authentication result to the authentication service node through the sending module 506, and the authentication service node receives it. When the result is that the terminal passed authentication, the authentication service node allows the terminal's access operation; when the result is that the terminal failed authentication, the authentication service node refuses the terminal's access operation.

It is worth noting that the modules involved in this embodiment are all logical modules; in practice a logical unit may be one physical unit, part of a physical unit, or a combination of several physical units. In addition, in order to highlight the innovative part of this application, units not closely related to solving the technical problem addressed by this application are not introduced in this embodiment, which does not mean that no other units exist in this embodiment.

It can be understood that the above embodiments are exemplary embodiments adopted only to illustrate the principles of this application, and this application is not limited to them. Those of ordinary skill in the art can make various modifications and improvements without departing from the spirit and essence of this application, and such modifications and improvements are also regarded as falling within the scope of protection of this application.

Claims (7)

1. An authentication method, characterized in that it comprises:
establishing a network connection with a terminal in response to an authentication request sent by an authentication service node;
receiving an authentication identifier sent by the terminal, and obtaining a first network address according to the authentication identifier and pre-stored authentication information;
obtaining a second network address according to source network address information of the network connection;
authenticating the terminal according to the first network address and the second network address, and obtaining an authentication result;
sending the authentication result to the authentication service node, so that the authentication service node determines, according to the authentication result, whether to allow an access operation of the terminal;
wherein the pre-stored authentication information is information pre-stored by an authentication proxy node on the basis of the authentication request; the authentication request comprises an identifier of a subscriber identity card of the terminal, the first network address and the authentication identifier; the first network address is the network address of the terminal, and the authentication identifier is an identifier generated by the authentication service node for the present authentication operation; and the authentication identifier comprises one or more of a timestamp identifier, a random-number identifier and a counter identifier.

2. The authentication method according to claim 1, characterized in that establishing a network connection with the terminal in response to the authentication request sent by the authentication service node comprises:
obtaining the MSISDN (mobile station international ISDN number) of the subscriber identity card according to the identifier of the subscriber identity card;
sending authentication connection information to the terminal according to the MSISDN of the subscriber identity card, so that the terminal establishes a network connection with the authentication proxy node according to the authentication connection information; wherein the authentication connection information comprises an identifier of a card authentication application, the network address of the authentication proxy node and the authentication identifier, and the card authentication application is an application program having the function of parsing the authentication connection information to obtain the network address of the authentication proxy node and the authentication identifier.

3. The authentication method according to claim 2, characterized in that obtaining the MSISDN of the subscriber identity card according to the identifier of the subscriber identity card comprises:
determining the home operator of the subscriber identity card according to the identifier of the subscriber identity card;
obtaining the MSISDN of the subscriber identity card through the home operator.

4. The authentication method according to claim 2, characterized in that sending authentication connection information to the terminal according to the MSISDN of the subscriber identity card comprises:
sending the authentication connection information to an SMS gateway, so that the SMS gateway sends the authentication connection information to the terminal according to the MSISDN of the subscriber identity card.

5. The authentication method according to claim 1, characterized in that authenticating the terminal according to the first network address and the second network address and obtaining an authentication result comprises:
comparing the first network address with the second network address;
when the first network address is consistent with the second network address, obtaining the authentication result that the terminal has passed authentication;
when the first network address is inconsistent with the second network address, obtaining the authentication result that the terminal has failed authentication.

6. An authentication device, characterized in that it comprises:
a connection module, configured to establish a network connection with a terminal in response to an authentication request sent by an authentication service node;
a receiving module, configured to receive an authentication identifier sent by the terminal;
a first obtaining module, configured to obtain a first network address according to the authentication identifier and pre-stored authentication information;
a second obtaining module, configured to obtain a second network address according to source network address information of the network connection;
an authentication module, configured to authenticate the terminal according to the first network address and the second network address and obtain an authentication result;
a sending module, configured to send the authentication result to the authentication service node, so that the authentication service node determines, according to the authentication result, whether to allow an access operation of the terminal;
wherein the pre-stored authentication information is information pre-stored by an authentication proxy node on the basis of the authentication request; the authentication request comprises an identifier of a subscriber identity card of the terminal, the first network address and the authentication identifier; the first network address is the network address of the terminal, and the authentication identifier is an identifier generated by the authentication service node for the present authentication operation; the authentication identifier comprises one of a timestamp
identifier, a random number identifier, and a counter identifier or more.7.根据权利要求6所述的认证装置,其特征在于,所述认证模块,包括:7. The authentication device according to claim 6, wherein the authentication module comprises:比较单元,用于比较所述第一网络地址和所述第二网络地址;a comparison unit, configured to compare the first network address with the second network address;获取单元,用于在所述第一网络地址与所述第二网络地址一致的情况下,获得终端通过认证的所述认证结果,在所述第一网络地址与所述第二网络地址不一致的情况下,获得终端未通过认证的所述认证结果。An obtaining unit, configured to obtain the authentication result that the terminal has passed the authentication if the first network address is consistent with the second network address, and if the first network address is inconsistent with the second network address In this case, the authentication result that the terminal fails to pass the authentication is obtained.
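The exchange of claims 1 to 5 (service node request, proxy lookup of the MSISDN, connection information pushed by SMS, terminal connects and presents the identifier, proxy compares the stored address with the connection's source address) as an added, runnable simulation. This is not the patent's or the applicant's code: the class names, the in-memory operator lookup table, the "cardauth://" message format and every address, SIM identifier and MSISDN below are constructed for illustration. Two points the claims imply but do not spell out are made explicit: the authentication identifier is consumed on first use and expires (consistent with it being a timestamp, nonce or counter), and the second address is read from the transport, never from the message the terminal sends.

```python
"""Simulation of the address-binding authentication of claims 1-5.
Added example; not code from the patent or its assignee. All names, addresses
and identifiers are constructed for illustration."""

import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRequest:
    """What the authentication service node sends to the authentication proxy node."""
    sim_id: str          # identifier of the terminal's subscriber identity card
    first_address: str   # terminal's network address as seen by the service node
    auth_id: str         # identifier generated for this one authentication operation


class HomeOperator:
    """Constructed stand-in for the home operator's SIM-to-MSISDN lookup (claim 3)."""

    def __init__(self, table):
        self._table = dict(table)

    def msisdn_for(self, sim_id):
        return self._table[sim_id]


class SmsGateway:
    """Constructed stand-in for the short message gateway (claim 4)."""

    def __init__(self):
        self.inboxes = {}

    def send(self, msisdn, text):
        self.inboxes.setdefault(msisdn, []).append(text)


class AuthProxyNode:
    """Holds the pre-stored authentication information and performs the address check."""

    def __init__(self, address, operator, gateway, ttl_seconds=120, clock=time.monotonic):
        self.address = address
        self.operator = operator
        self.gateway = gateway
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending = {}  # auth_id -> (first_address, expiry); the pre-stored information

    def receive_auth_request(self, req):
        # Claim 1: remember the request so the later connection can be matched to it.
        self.pending[req.auth_id] = (req.first_address, self.clock() + self.ttl)
        # Claims 2-4: resolve the MSISDN and push the connection information by SMS.
        # "cardauth" plays the role of the card authentication application's identifier.
        msisdn = self.operator.msisdn_for(req.sim_id)
        self.gateway.send(msisdn, f"cardauth://{self.address}/{req.auth_id}")

    def handle_connection(self, source_address, auth_id):
        # pop() makes the identifier single-use: a replayed or guessed auth_id finds nothing.
        entry = self.pending.pop(auth_id, None)
        if entry is None:
            return False
        first_address, expiry = entry
        if self.clock() > expiry:
            return False
        second_address = source_address  # taken from the connection, not from the message
        return first_address == second_address  # claim 5: consistent -> pass, else fail


def parse_connection_info(text):
    """The card authentication application's parser for the SMS (claim 2)."""
    scheme, _, rest = text.partition("://")
    if scheme != "cardauth" or not rest:
        raise ValueError("not a card-authentication message")
    proxy_address, _, auth_id = rest.rpartition("/")
    return proxy_address, auth_id


def run_authentication(proxy, service_seen_address, connecting_address, sim_id, auth_id):
    """Drives one end-to-end exchange; returns the result the service node would receive."""
    proxy.receive_auth_request(AuthRequest(sim_id, service_seen_address, auth_id))
    msisdn = proxy.operator.msisdn_for(sim_id)
    proxy_address, received_auth_id = parse_connection_info(proxy.gateway.inboxes[msisdn][-1])
    if proxy_address != proxy.address:
        raise ValueError("SMS points at a different proxy")
    # The terminal connects; the proxy observes connecting_address as the source address.
    return proxy.handle_connection(connecting_address, received_auth_id)


def build_proxy(clock=time.monotonic):
    operator = HomeOperator({"SIM-0001": "+8613800000001"})  # constructed sample entry
    return AuthProxyNode("198.51.100.10:8443", operator, SmsGateway(), clock=clock)


if __name__ == "__main__":
    proxy = build_proxy()
    print(run_authentication(proxy, "203.0.113.7", "203.0.113.7", "SIM-0001", "a1"))   # True
    print(run_authentication(proxy, "203.0.113.7", "203.0.113.99", "SIM-0001", "a2"))  # False
    print(proxy.handle_connection("203.0.113.7", "a1"))                                # False (replay)
```

The comparison only proves possession of the address the service node recorded; it holds up only where that address is bound to the subscriber's session for the validity window, so the TTL should be short and the identifier must never be accepted twice.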
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202011471508.1A | 2020-12-14 | 2020-12-14 | Authentication method and device (CN112492597B, en)

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202011471508.1A | 2020-12-14 | 2020-12-14 | Authentication method and device (CN112492597B, en)

Publications (2)

Publication Number | Publication Date
CN112492597A (en) | 2021-03-12
CN112492597B (en) | 2023-03-24

Family

ID=74917050

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN202011471508.1A | Authentication method and device (CN112492597B, en) | 2020-12-14 | 2020-12-14 | Active

Country Status (1)

Country | Link
CN | CN112492597B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN115941512B (en)* | 2022-11-07 | 2025-05-09 | Beijing Topsec Network Security Technology Co., Ltd. (北京天融信网络安全技术有限公司) | Network device management method, network device and electronic device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
KR20080050200A (en)* | 2006-12-01 | 2008-06-05 | Electronics and Telecommunications Research Institute (한국전자통신연구원) | System and signaling method for interworking wireless LAN and mobile Internet
WO2010129475A2 (en)* | 2009-05-03 | 2010-11-11 | Kabushiki Kaisha Toshiba | Media independent handover protocol security
JP2017072979A (en)* | 2015-10-07 | 2017-04-13 | KDDI Corporation (KDDI株式会社) | Authentication system, authentication server, operator server, and user terminal
CN107659485A (en)* | 2017-10-31 | 2018-02-02 | New H3C Technologies Co., Ltd. (新华三技术有限公司) | Method and device for communication between a device and a server in a virtual private network (VPN)

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US7024177B2 (en)* | 2002-03-14 | 2006-04-04 | Openwave Systems Inc. | Method and apparatus for authenticating users of mobile devices
JP4291213B2 (en)* | 2004-05-26 | 2009-07-08 | Nippon Telegraph and Telephone Corporation (日本電信電話株式会社) | Authentication method, authentication system, authentication proxy server, network access authentication server, program, and recording medium
US8036176B2 (en)* | 2007-06-08 | 2011-10-11 | Toshiba America Research, Inc. | MIH pre-authentication
CN101436934B (en)* | 2008-10-20 | 2013-04-24 | Fujian Star-net Ruijie Networks Co., Ltd. (福建星网锐捷网络有限公司) | Method, system and equipment for controlling user networking
CN108024248B (en)* | 2016-10-31 | 2022-11-08 | ZTE Corporation (中兴通讯股份有限公司) | Authentication method and device for an Internet of Things platform
CN107360184B (en)* | 2017-08-14 | 2020-09-08 | Hangzhou DPtech Technologies Co., Ltd. (杭州迪普科技股份有限公司) | Terminal equipment authentication method and device


Also Published As

Publication number | Publication date
CN112492597A (en) | 2021-03-12

Similar Documents

Publication | Title
US10348721B2 (en) | User authentication
CN110800331B (en) | Network verification method, related equipment and system
US9716999B2 (en) | Method of and system for utilizing a first network authentication result for a second network
US10880291B2 (en) | Mobile identity for single sign-on (SSO) in enterprise networks
US9635010B2 (en) | Network-based authentication for third party content
US9331993B2 (en) | Authentication server and communication device
EP2852118B1 (en) | Method for an enhanced authentication and/or an enhanced identification of a secure element located in a communication device, especially a user equipment
CN106714154B (en) | Proxy server, method and system for generic bootstrapping architecture protocol
EP3433994B1 (en) | Methods and apparatus for SIM-based authentication of non-SIM devices
US20160380999A1 (en) | User identifier based device, identity and activity management system
DK2924944T3 (en) | Presence authentication
US9807088B2 (en) | Method and network node for obtaining a permanent identity of an authenticating wireless device
CN111147421A (en) | Authentication method and related equipment based on the Generic Bootstrapping Architecture (GBA)
CN105981345B (en) | Lawful intercept of Wi-Fi / packet-based core network access
CN106790251B (en) | User access method and user access system
WO2008125062A1 (en) | Method of admittance judgment and paging user in mobile communication system, system and device thereof
EP2505007A1 (en) | Methods and apparatus for use in a generic bootstrapping architecture
CN112492597B (en) | Authentication method and device
CN115843447A (en) | Network authentication of user equipment access to edge data networks
TW201706893A (en) | A network system, method and mobile device based on remote user authentication
CN100563159C (en) | Universal authentication system and method for accessing network service applications in the system
EP2961208A1 (en) | Method for accessing a service and corresponding application server, device and system
CN116868609A (en) | User equipment authentication and authorization procedure for edge data networks
WO2021224624A1 (en) | Authentication of devices to third party services
CN104348801B (en) | Authentication method, method for generating a credential and related apparatus

Legal Events

Date | Code | Title | Description
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |
