Disclosure of Invention
To this end, the present invention provides a data encryption method and apparatus, device admission authentication method, apparatus and system, computing device and readable storage medium in an effort to solve or at least alleviate at least one of the problems presented above.
According to a first aspect of the present invention, there is provided a data encryption method, performed in a terminal device, comprising: collecting a unique identifier of the terminal device; intercepting a first EAP response message sent by the terminal device; and modifying the user name section in the first EAP response message into new user name data to generate a second EAP response message, wherein the new user name data is obtained by appending a request access time stamp to the unique identifier and encrypting the result with a key, and the request access time stamp represents the time at which the terminal device requests access to a network.
According to a second aspect of the present invention, there is provided a device admission authentication method, performed in a device authentication apparatus, comprising: receiving a RADIUS access request message sent by an intermediate connection device, wherein the RADIUS access request message comprises a second EAP response message; parsing the RADIUS access request message to obtain new user name data; decrypting the new user name data with a key to obtain the unique identifier and the request access time stamp described in the data encryption method above; judging whether the time represented by the request access time stamp is outside a preset time period or later than the current time, and if so, returning authentication failure information to the terminal device; otherwise comparing the unique identifier and the request access time stamp with a data set cached in the device authentication apparatus, wherein the data set is the set of legal devices and of the access time stamps of those legal devices within the preset time period, and judging whether the data set contains the unique identifier, and if not, returning authentication failure information to the terminal device; otherwise judging whether the request access time stamp is already in the data set, and if so, returning authentication failure information to the terminal device; otherwise judging that device authentication is successful, and storing the decrypted unique identifier and request access time stamp in the data set.
Optionally, the device admission authentication method further includes: determining whether the time represented by each time stamp in the data set is within the preset time period, and if not, deleting from the data set the time stamp and the corresponding unique identifier that fall outside the preset time period.
According to a third aspect of the present invention, there is provided a device admission authentication method, comprising: collecting a unique identifier of the terminal device through a secure client module in the terminal device; intercepting a first EAP response message sent by the terminal device; modifying the user name section in the first EAP response message into new user name data to generate a second EAP response message, wherein the new user name data is obtained by appending a request access time stamp to the unique identifier and encrypting the result with a key, and the request access time stamp represents the time at which the terminal device requests access to a network; converting the second EAP response message into a RADIUS access request message by an intermediate connection device, the RADIUS access request message comprising the second EAP response message; parsing the RADIUS access request message sent by the intermediate connection device through a security server to obtain the new user name data; receiving the new user name data through a device authentication apparatus; decrypting the new user name data with a key to obtain the unique identifier and the request access time stamp; judging whether the time represented by the request access time stamp is outside a preset time period or later than the current time, and if so, returning authentication failure information to the terminal device; otherwise comparing the unique identifier and the request access time stamp with a data set cached in the device authentication apparatus, wherein the data set is the set of legal devices and of the access time stamps of those legal devices within the preset time period, and judging whether the data set contains the unique identifier, and if not, returning authentication failure information to the terminal device; otherwise judging whether the request access time stamp is already in the data set, and if so, returning authentication failure information to the terminal device; otherwise judging that device authentication is successful, and storing the decrypted unique identifier and request access time stamp in the data set.
Optionally, the device admission authentication method further includes: when device authentication is judged to be successful, sending a message of successful authentication to the security server through the device authentication apparatus; the security server forwarding all RADIUS access request messages from the intermediate connection device to the identity authentication service device for identity authentication; and the security server obtaining the result of the identity authentication and sending it to the intermediate connection device.
According to a fourth aspect of the present invention, there is provided a data encryption apparatus comprising: an acquisition module, configured to acquire the unique identifier of the terminal device; an interception module, configured to intercept a first EAP response message sent by the terminal device; and a modification module, configured to modify the user name section in the first EAP response message into new user name data so as to generate a second EAP response message, wherein the new user name data is obtained by appending a request access time stamp to the unique identifier and encrypting the result with a key, and the request access time stamp represents the time at which the terminal device requests access to a network.
According to a fifth aspect of the present invention, there is provided a device admission authentication apparatus in which a data set is cached, the data set being the set of legal devices and of the access time stamps of those legal devices within a preset time period, the device admission authentication apparatus comprising: a receiving module, configured to receive the new user name data of the data encryption method described above, wherein the new user name data is obtained by a security server parsing a RADIUS access request message sent by an intermediate connection device, the RADIUS access request message comprises the second EAP response message described above, and the intermediate connection device is located between the terminal device and the security server; a decryption module, configured to decrypt the new user name data with a key to obtain the unique identifier and the request access time stamp described in the data encryption method above; a first judging module, configured to judge whether the time represented by the request access time stamp is outside the preset time period or later than the current time, and if so, to return authentication failure information to the terminal device, otherwise to trigger a comparison module; the comparison module, configured to compare the unique identifier and the request access time stamp with the data set cached in the device authentication apparatus and judge whether the data set contains the unique identifier, and if not, to return authentication failure information to the terminal device, otherwise to trigger a second judging module; the second judging module, configured to judge whether the request access time stamp is already in the data set, and if so, to return authentication failure information to the terminal device, otherwise to trigger a storage module; and the storage module, configured to judge that device authentication is successful and to store the decrypted unique identifier and request access time stamp in the data set.
According to a sixth aspect of the present invention, there is provided a device admission authentication system comprising: a terminal device including a secure client module, the secure client module including a data encryption apparatus, the data encryption apparatus including: an acquisition module, configured to acquire the unique identifier of the terminal device; an interception module, configured to intercept a first EAP response message sent by the terminal device; and a modification module, configured to modify the user name section in the first EAP response message into new user name data so as to generate a second EAP response message, wherein the new user name data is obtained by appending a request access time stamp to the unique identifier and encrypting the result with a key, and the request access time stamp indicates the time at which the terminal device requests access to a network; an intermediate connection device for converting the second EAP response message into a RADIUS message comprising the second EAP response message; a security server, which parses the RADIUS access request message sent by the intermediate connection device to obtain the new user name data; and a device authentication apparatus that caches a data set, the data set being the set of legal devices and of the access time stamps of those legal devices within a preset time period, the device authentication apparatus comprising: a receiving module, configured to receive the new user name data; a decryption module, configured to decrypt the new user name data with a key to obtain the unique identifier and the request access time stamp; a first judging module, configured to judge whether the time represented by the request access time stamp is outside the preset time period or later than the current time, and if so, to return authentication failure information to the terminal device, otherwise to trigger a comparison module; the comparison module, configured to compare the unique identifier and the request access time stamp with the data set cached in the device authentication apparatus and judge whether the data set contains the unique identifier, and if not, to return authentication failure information to the terminal device, otherwise to trigger a second judging module; the second judging module, configured to judge whether the request access time stamp is already in the data set, and if so, to return authentication failure information to the terminal device, otherwise to trigger a storage module; and the storage module, configured to judge that device authentication is successful and to store the decrypted unique identifier and request access time stamp in the data set.
According to a seventh aspect of the present invention there is provided a computing device comprising: at least one processor and a memory storing program instructions; the program instructions, when read and executed by the processor, cause the computing device to perform the data encryption method or the device admission authentication method as described above.
According to an eighth aspect of the present invention, there is provided a readable storage medium storing program instructions that, when read and executed by a computing device, cause the computing device to perform a data encryption method or a device admission authentication method as described above.
According to the technical scheme of the invention, the problem of the low security of existing device encryption and device admission authentication techniques is solved, the difficulty of cracking is greatly increased, and the security of the network is improved.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Before describing a data encryption method and a device admission authentication method according to an embodiment of the present invention, their implementation background will be described. The embodiment of the invention adopts the general architecture of EAP (Extensible Authentication Protocol, a framework that carries a series of authentication methods) to transmit the actual authentication protocol; among these, PEAP+MSCHAP2, TLS, TTLS and the like are used for wireless authentication and offer better security. For convenience of description, the embodiment of the invention takes PEAP+MSCHAP2 as the example architecture.
From the user's perspective, the PEAP+MSCHAP2 authentication process may include two phases:
The first phase is authentication initialization, in which no authentication method has yet been negotiated between the user, the wireless access point and the server, and the user name transferred in this phase is plain text. At the end of the first phase, the user and the server have agreed to authenticate using PEAP.
The second phase is the authentication process proper, in which all data transmitted are encrypted with the encryption algorithm negotiated by PEAP. The authentication method used in this phase may be MSCHAP2 (by way of example only); the feature of MSCHAP2 authentication is that no password is transmitted: a hash is computed over the combination of user name + password + random number, and the hash value is transmitted, so that together with the TLS channel of PEAP a dual guarantee is formed.
PEAP authentication itself uses plaintext to negotiate encryption parameters in the first phase, then establishes an encrypted channel, and finally authenticates inside the encrypted channel. The encryption method and the device admission authentication method according to the embodiment of the invention are both executed in the first phase, and identity authentication is executed in the second phase.
FIG. 1 shows an overall architecture diagram of a method according to one embodiment of the invention. The terminal device 110 may be a wireless terminal device (such as a mobile phone, a Linux device, a Windows device, etc.). The intermediate connection device 120 shown in fig. 1 may be an Access Point (AP) device of a wireless network. The terminal device is equipped with a wireless network card and connects to a wireless Access Point (AP) of the wireless network. If there are multiple APs, an Access Controller (AC for short) may be provided; enterprise-level WPA2/WPA3 authentication is set up on the AC, and its authentication server is directed to the security server. The terminal device may also be a wired terminal device, in which case the intermediate connection device shown in fig. 1 may be a switch.
The terminal device 110 is equipped with a secure client module that can generate or collect a unique identifier (also called sn, which may be a MAC address or custom string information used inside the organization) for the device. The secure client module or the terminal device stores a key for encryption. The secure client module modifies the Identity field in the EAP response (EAP-response) message sent by the wireless device to the data obtained by encrypting sn + request access time stamp with the key. An EAP-response message is the response that the terminal device makes to a request message issued by the AP or the switch. The request access time stamp indicates the time at which the terminal device requests access to the network.
The EAP response (EAP-response) message sent by the terminal device 110 is converted by the intermediate connection device 120 into a RADIUS message, namely an access request (RADIUS access-request) message, in which the Identity field of the EAP response message corresponds to the Username field of the RADIUS access request message. RADIUS is a widely used AAA protocol and is at present the protocol used for most enterprise-level secure wireless network authentication.
The security server 130 is a RADIUS server. It parses the first RADIUS access request message in the PEAP authentication procedure. The security server is internally provided with a pointing module (a REST module) that points to the device authentication apparatus. The pointing module sends the user name (Username) field of the first RADIUS access request message in the PEAP authentication procedure to the device authentication apparatus for device authentication.
The device authentication apparatus 140 may be a device authentication server located outside the security server, or a device authentication module integrated into the security server. The device authentication apparatus 140 stores a key with which data encrypted by the secure client module can be decrypted. The device authentication apparatus is internally provided with a cache that stores the data set: the sn of each legal device together with the set of time stamps at which that device authenticated within a preset time period. If the device authentication apparatus returns failure, a reject message is returned directly to the intermediate connection device to reject the connection. If the device authentication apparatus returns success, the subsequent identity authentication flow is carried out. The key held in the device authentication apparatus is the same as the key used for encryption by the secure client; it is set in advance in the terminal device and in the device authentication apparatus for encryption/decryption at the time of network access. The key may also be a pair of a public key (provided in the terminal device) and a private key (provided in the device authentication apparatus).
The security server 130 is further internally provided with a proxy module pointing to the identity authentication device 150. After device authentication has passed, this module directly forwards all received RADIUS messages (i.e. all RADIUS access request messages converted from the EAP response messages sent by the terminal device, including the first RADIUS access request message mentioned above) to the identity authentication device 150 for identity authentication, and forwards the messages of the identity authentication device back to the intermediate connection device 120. The identity authentication device is a RADIUS server. It stores the user name and password data of the users and authenticates the user name and password according to the PEAP protocol. Like the device authentication apparatus, the identity authentication device may be an independent identity authentication server outside the security server or may be integrated into the security server.
In summary, according to the embodiment of the present invention, the Identity field in the EAP response message sent by the terminal device is modified to the encrypted data of the device's unique identifier (sn) + request access time stamp; the security server parses the RADIUS access request message of the first authentication phase and sends the user name field (whose content is identical to the Identity field) to the device authentication apparatus for device authentication. The device authentication apparatus decrypts the user name field, obtains sn and the time stamp, compares them with the cached data set, and thereby realizes a wireless device admission authentication scheme that prevents replay attacks and forged requests.
The above is a general architecture description of the technical solution according to the embodiment of the present invention. The following describes specific procedures of a data encryption method and a device admission authentication method according to an embodiment of the present invention with reference to the accompanying drawings. A data encryption method performed by the terminal device is first described with reference to fig. 2, which is performed by the secure client module located in the terminal device shown in fig. 1. As shown in fig. 2, the method includes:
S210, collecting a unique identifier of the terminal device through a secure client module in the terminal device. The unique identifier may be a MAC address or custom string information used within the organization, for example the MAC address 00e070db4ecf.
S220, intercepting a first EAP response message sent by the terminal equipment.
S230, modifying the user name section in the first EAP response message into new user name data so as to generate a second EAP response message, wherein the new user name data is obtained by appending a request access time stamp to the unique identifier and encrypting the result with a key.
The user name field is the Identity field of the EAP response message. The time stamp is generated automatically by the terminal device and read by the secure client. The time stamp may be a number, for example 1648814400 for 20:00 on 1 April 2022. The secure client then splices sn and the time stamp together with a special marker such as "uosauth", giving 00e070db4ecfuosauth1648814400. This final value is then encrypted with a key. The key is stored in a secure area inside the secure client module or the terminal device and may be a string.
In practice, the secure client module may be the network authentication module itself (where its source code is available, as with the wpa_supplicant program on a Linux device, the network authentication module can be modified directly), or a kernel driver module (for a device without the source code of the network authentication module, such as a Windows device, the driver intercepts the network packet to be sent by the terminal device at the driver layer).
A specific procedure of a device admission authentication method according to an embodiment of the present invention, which performs device admission authentication using data encrypted by the method shown in fig. 2 and which is performed in the device authentication apparatus shown in fig. 1, will be described below with reference to fig. 3. The device authentication apparatus receives the new user name data obtained after the security server parses the RADIUS access request message, decrypts the relevant field with the key, and obtains sn + time stamp. The device authentication apparatus then determines whether the time represented by the time stamp lies outside the preset period or is later than the current time. The current time is obtained from the server and should in theory be later than the decrypted time stamp, since the data takes time to travel over the network. If the time is outside the preset period or later than the current time, the request is illegal and the device authentication apparatus directly returns authentication failure. The preset period may be, for example, 5 minutes, or another value set according to service needs. The device authentication apparatus then queries its cache using sn; the data in the cache is sn together with the set of authentication time stamps within the preset period. The set of time stamps may be empty, indicating that no authentication has been performed within the preset period. If no sn matching the decrypted sn is found, the device is illegal and the device authentication apparatus directly returns authentication failure. If the sn is found, it is judged whether the decrypted time stamp is in the queried set of time stamps; if so, the device has already authenticated at that time, the access request is a replay attack, and the device authentication apparatus directly returns failure. Otherwise, device authentication is judged to be successful, and the decrypted sn + time stamp is added to the cache.
As shown in fig. 3, the method includes:
S310, receiving the new user name data, wherein the new user name data is obtained by a security server parsing a RADIUS access request message sent by an intermediate connection device, the RADIUS access request message comprises the second EAP response message, and the intermediate connection device is located between the terminal device and the security server.
S320, decrypting the new user name data with a key to obtain the unique identifier and the request access time stamp.
S330, judging whether the time represented by the request access time stamp is outside a preset time period or later than the current time;
If yes, returning authentication failure information to the terminal device, otherwise:
S340, comparing the unique identifier and the request access time stamp with a data set cached in the device authentication apparatus, wherein the data set is the set of legal devices and of the access time stamps of those legal devices within the preset time period, and judging whether the unique identifier is contained in the data set; if not, returning authentication failure information to the terminal device, otherwise:
S350, judging whether the request access time stamp is in the data set,
If yes, returning authentication failure information to the terminal equipment, otherwise:
S360, judging that the device authentication by the device authentication apparatus is successful, and storing the decrypted unique identifier and request access time stamp in the data set.
In addition, the device authentication apparatus updates the cache at regular intervals and deletes expired data. The function can be automatically realized by setting the expiration time of the data through a function module inside the equipment authentication device. Thus, the method of fig. 3 may further comprise: determining whether the time represented by the time stamp in the data set is within a preset time period, and if not, deleting the time stamp and the corresponding unique identifier which are not within the preset time period from the data set. In the embodiment of the present invention, the predetermined period of time may be set to, for example, 5 minutes, or may be set to other times according to the size of the buffer.
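The client-side construction of the new user name (S210 to S230) and the device-side checks of fig. 3 (S320 to S360, with the optional expiry of stale time stamps) as one added example; this is not the page's or any product's code. The page names neither the cipher nor the encoding of the Identity field, so AES-256-GCM with a random nonce prefixed to the ciphertext, base64 encoding of the result, the 32-byte key, and the Go map used for the cached data set are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

const (
	Marker = "uosauth"     // separates sn and stamp: "00e070db4ecfuosauth1648814400"
	Window = int64(5 * 60) // preset time period in seconds (5 minutes in the page)
)

// newGCM builds the cipher. AES-GCM is an assumption; the page only says "a key".
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildIdentity is the client side (S210-S230): sn + Marker + stamp, encrypted with
// the shared key. Nonce prefixed, then base64 (assumed) to fit a text Identity field.
func BuildIdentity(key []byte, sn string, ts int64) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error as of Go 1.24
	plain := []byte(sn + Marker + strconv.FormatInt(ts, 10))
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plain, nil)), nil
}

// ParseIdentity is the device-side inverse (S320): decrypt, then split on Marker.
func ParseIdentity(key []byte, identity string) (string, int64, error) {
	raw, err := base64.StdEncoding.DecodeString(identity)
	gcm, gerr := newGCM(key)
	if err != nil || gerr != nil || len(raw) < gcm.NonceSize() {
		return "", 0, fmt.Errorf("malformed identity or bad key")
	}
	ns := gcm.NonceSize()
	plain, err := gcm.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil { // GCM tag check fails: wrong key or tampered ciphertext
		return "", 0, fmt.Errorf("decryption failed")
	}
	sn, tsStr, found := strings.Cut(string(plain), Marker)
	if !found {
		return "", 0, fmt.Errorf("marker %q not found", Marker)
	}
	ts, err := strconv.ParseInt(tsStr, 10, 64)
	return sn, ts, err
}

// Authenticator holds the cached data set: each legal sn maps to the set of stamps
// accepted within the window. Seed Cache with every legal sn mapped to an empty set;
// an empty set means the device has not authenticated within the window.
type Authenticator struct {
	Key   []byte
	Cache map[string]map[int64]struct{}
}

// Authenticate runs S320 to S360 and returns nil when the device is accepted.
func (a *Authenticator) Authenticate(identity string, now int64) error {
	sn, ts, err := ParseIdentity(a.Key, identity)
	if err != nil {
		return err
	}
	if ts > now || now-ts > Window { // S330: in the future or outside the window
		return fmt.Errorf("time stamp %d rejected at %d", ts, now)
	}
	seen, ok := a.Cache[sn] // S340: unknown sn means an illegal device
	if !ok {
		return fmt.Errorf("unknown device %q", sn)
	}
	if _, dup := seen[ts]; dup { // S350: same stamp already used, so a replay
		return fmt.Errorf("replayed time stamp %d for %q", ts, sn)
	}
	seen[ts] = struct{}{} // S360: success, record the stamp
	return nil
}

// Expire drops stamps that fell outside the window; the sn entries are kept.
func (a *Authenticator) Expire(now int64) {
	for _, seen := range a.Cache {
		for ts := range seen {
			if now-ts > Window {
				delete(seen, ts)
			}
		}
	}
}
```

Because the nonce is random, two identities built from the same sn and stamp differ on the wire, yet the second is still rejected at S350 once the first has been accepted.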
According to an embodiment of the invention, a device admission authentication method is also provided. This device admission authentication method covers the whole process from the encryption of the device unique identifier and time stamp by the secure client module to authentication by the device authentication apparatus. Fig. 4 shows a schematic flow chart of the method. As shown in fig. 4, the method includes:
S410, collecting a unique identifier of the terminal device through a secure client module in the terminal device; intercepting a first EAP response message sent by the terminal device; modifying the user name section in the first EAP response message into new user name data to obtain a second EAP response message, wherein the new user name data is obtained by appending a request access time stamp to the unique identifier and encrypting the result with a key;
S420, converting the second EAP response message into a RADIUS access request message through an intermediate connection device, wherein the RADIUS access request message comprises the second EAP response message;
S430, parsing the RADIUS access request message sent by the intermediate connection device through the security server to obtain the new user name data;
S440, receiving the new user name data through a device authentication apparatus; decrypting the new user name data with a key to obtain the unique identifier and the request access time stamp;
S450, judging whether the time represented by the request access time stamp is outside a preset time period or later than the current time;
If yes, returning authentication failure information to the terminal device, otherwise:
S460, comparing the unique identifier and the request access time stamp with a data set cached in the device authentication apparatus, wherein the data set is the set of legal devices and of the access time stamps of those legal devices within the preset time period, and judging whether the unique identifier is contained in the data set;
If not, returning authentication failure information to the terminal device, otherwise:
S470, judging whether the request access time stamp is already in the data set;
If yes, returning authentication failure information to the terminal device, otherwise:
S480, judging that the device authentication by the device authentication apparatus is successful, and storing the decrypted unique identifier and request access time stamp in the data set.
According to the technical scheme of the embodiment of the invention, the security of wireless device admission authentication is greatly improved. Specifically, the purpose of device admission authentication is to check the device sn when it joins the network and to reject access by unauthorized, illegal devices. Considering the case in which a user tries to defeat the scheme in order to connect a private device to the network, the following possibilities exist:
1. Replay attack, in which the user captures the packets of a previous authentication and then replays that data to join the network again. According to the technical scheme of the invention, sn and the time stamp are mixed and encrypted, and the device authentication apparatus keeps a cache of time stamps, so the data captured by the user cannot pass authentication a second time.
2. Forged request, in which the sn of a known device is used to forge an access request from a private device. According to the technical scheme of the invention, sn and the time stamp are encrypted before transmission, so as long as the encryption algorithm cannot be cracked, the request cannot be forged.
The method shown in fig. 4 may further include: when device authentication by the device authentication apparatus is judged to be successful, sending a message of successful authentication to the security server through the device authentication apparatus; the security server then forwards all RADIUS messages from the intermediate connection device (i.e. all EAP response messages sent by the terminal device, converted into RADIUS messages) to the identity authentication service device for identity authentication, and sends the result of the identity authentication to the intermediate connection device.
The identity authentication process may adopt any existing identity authentication method; as long as it conforms to the RADIUS protocol, it can authenticate the user name and password.
According to the PEAP protocol described above, in the first phase (i.e. the establishment of the encrypted channel) data is transmitted in plaintext and the user name may be an anonymous user field; in the second phase an encrypted channel has been established, data is transferred inside it, and the real user name can then be transferred. That is, the modified Identity field is sent to the authentication server and, according to the protocol, is understood as an anonymous user field. Under the PEAP authentication framework, although the Username field of the RADIUS access request (access-request) message differs between the first and second phases of the authentication flow, the modified Identity field can be understood as an anonymous user field, so identity authentication is not affected by the secure client module's modification of the Identity field: authentication still passes as long as the actual user name and password are correct.
The scheme mentioned in the background art does not utilize the feature of anonymous users, and is to restore the Identity field by the security server and then perform subsequent authentication, and does not perform encryption and device authentication techniques in the technical background of two-stage authentication.
According to an embodiment of the present invention, there is further provided a data encryption device, which is located in the secure client module shown in fig. 2. As shown in fig. 5, the apparatus includes:
An acquisition module 510, configured to acquire a unique identifier of the terminal device.
An interception module 520, configured to intercept a first EAP response message sent by the terminal device.
A modifying module 530, configured to modify a user name segment in the first EAP response message into new user name data, so as to generate a second EAP response message, where the new user name data is the data obtained by adding a request access timestamp to the unique identifier and encrypting the data with a key.
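The interception and modifying modules above operate on the EAP-Response/Identity packet that carries the user name. The following is an added example, not code from the patent, of the packet handling those two modules imply: it parses an EAP packet per the RFC 3748 header layout (Code, Identifier, Length, Type, Type-Data), replaces the Identity of a Response/Identity with the new user name data, and recomputes the Length field so the authenticator still parses the frame; any other EAP packet is passed through untouched so that only the first-stage, plaintext Identity is affected. The EAPOL/802.1X framing around the EAP packet is omitted, and the identity strings are constructed sample values (both are assumptions).

```python
"""Interception and rewriting of an EAP-Response/Identity message.

Added example, not the patent's code.  Models the interception module and
modifying module of the secure client module.  EAPOL framing is omitted
(assumption); identities below are constructed sample values.
"""
import struct
from typing import Optional, Tuple

EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (RFC 3748 section 4)


def parse_eap(packet: bytes) -> Tuple[int, int, Optional[int], bytes]:
    """Return (code, identifier, type or None, type-data) for one EAP packet.

    Length covers the whole packet, so a mismatch means a truncated or padded
    frame; it is rejected rather than guessed at.
    """
    if len(packet) < EAP_HEADER.size:
        raise ValueError("EAP packet shorter than header")
    code, identifier, length = EAP_HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    if code in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE):
        if length < EAP_HEADER.size + 1:
            raise ValueError("Request/Response without Type octet")
        return code, identifier, packet[4], packet[5:]
    # Success/Failure packets carry no Type field
    return code, identifier, None, packet[4:]


def build_eap_response_identity(identifier: int, identity: bytes) -> bytes:
    """Build a well-formed EAP-Response/Identity carrying `identity`."""
    length = EAP_HEADER.size + 1 + len(identity)
    if length > 0xFFFF:
        raise ValueError("identity too long for the 16-bit EAP Length field")
    return (EAP_HEADER.pack(EAP_CODE_RESPONSE, identifier, length)
            + bytes([EAP_TYPE_IDENTITY]) + identity)


def rewrite_identity(packet: bytes, new_identity: bytes) -> bytes:
    """Modifying module: swap the Identity in an EAP-Response/Identity.

    EAP-Requests and Responses of other types (for example the later PEAP
    exchanges, type 25) are returned unchanged.
    """
    code, identifier, eap_type, _ = parse_eap(packet)
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        return packet
    return build_eap_response_identity(identifier, new_identity)


if __name__ == "__main__":
    # Constructed sample: the terminal's original Identity response (id 7)
    original = build_eap_response_identity(7, b"alice@example.test")
    # Constructed stand-in for the encrypted sn||timestamp user name data
    modified = rewrite_identity(original, b"ENC(sn,ts)-placeholder")
    print(parse_eap(original))
    print(parse_eap(modified))
```

The Length check in `parse_eap` matters in practice: the authenticator copies the Identity into the RADIUS User-Name attribute, so a rewritten packet whose Length no longer matches its payload is dropped or mis-parsed before it ever reaches the security server.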
According to the embodiment of the invention, a device admission authentication apparatus is also provided, which is located in the device authentication device shown in fig. 1. As shown in fig. 6, the device admission authentication apparatus includes:
A receiving module 610, configured to receive the new user name data, where the new user name data is obtained by the security server parsing a RADIUS access request message sent by an intermediate connection device, the RADIUS access request message includes the second EAP response message, and the intermediate connection device is located between the terminal device and the security server.
A decryption module 620, configured to decrypt the new user name data with the key to obtain the unique identifier and the request access timestamp.
A first judging module 630, configured to judge whether the time indicated by the request access timestamp is outside a predetermined time period or greater than the current time; if yes, return authentication failure information to the terminal device, otherwise trigger a comparing module.
A comparing module 640, configured to compare the unique identifier and the request access timestamp with a data set cached in the device authentication apparatus, where the data set is the set of legal devices and the access timestamps of legal devices within a predetermined period of time; determine whether the data set contains the unique identifier, and if not, return authentication failure information to the terminal device, otherwise trigger a second judging module.
A second judging module 650, configured to determine whether the request access timestamp is in the data set; if yes, return authentication failure information to the terminal device, otherwise trigger a storage module.
A storage module 660, configured to determine that the device authentication of the device authentication apparatus is successful, and to store the decrypted unique identifier and request access timestamp in the data set.
In addition, the device admission authentication apparatus may include an updating module configured to determine whether a time represented by a timestamp in the dataset is within a predetermined period of time, and if not, delete the timestamp and its corresponding unique identifier that are not within the predetermined period of time from the dataset.
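The modules 610 to 660 and the updating module form one decision procedure, and the secure client module's encryption is its counterpart. The following added example (not the patent's code) carries that procedure through end to end: the client side mixes sn and request access timestamp and encrypts them under a shared key, and the server side performs the decryption, window check, legal-device check, replay check, storage and periodic purge in the order the modules specify. Since the patent does not name a cipher, the block uses a small authenticated construction from the Python standard library (HMAC-SHA256 in counter mode for the keystream, encrypt-then-MAC for integrity); the 300 s predetermined period, the key and the serial numbers are constructed sample values. All of these are assumptions.

```python
"""Device admission check over encrypted sn||timestamp user name data.

Added example, not the patent's code.  Cipher construction, window length,
key and serial numbers are assumptions / constructed sample values.
"""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Iterable, Optional, Set, Tuple

SHARED_KEY = b"constructed-example-key-do-not-reuse"  # sample; provision per deployment
WINDOW_SECONDS = 300          # assumed "predetermined time period"
NONCE_LEN, TAG_LEN = 12, 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_identity(sn: str, ts: int, key: bytes = SHARED_KEY,
                     nonce: Optional[bytes] = None) -> str:
    """Client side: new user name data = Enc_key(sn || ts), base64 for the Identity field."""
    plaintext = f"{sn}|{ts}".encode()
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def decrypt_identity(token: str, key: bytes = SHARED_KEY) -> Optional[Tuple[str, int]]:
    """Decryption module 620: (sn, ts), or None if the data is not genuine."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except (ValueError, TypeError):
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered data fails integrity before any parsing
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    sn, sep, ts = plaintext.rpartition(b"|")
    if not sep or not sn or not ts.isdigit():
        return None
    return sn.decode(), int(ts)


class DeviceAuthenticator:
    """Device authentication apparatus: modules 630-660 plus the updating module."""

    def __init__(self, legal_sns: Iterable[str], key: bytes = SHARED_KEY,
                 window: int = WINDOW_SECONDS):
        self.key, self.window = key, window
        # Cached data set: each legal device sn maps to the access timestamps
        # already accepted for it within the predetermined period.
        self.dataset: Dict[str, Set[int]] = {sn: set() for sn in legal_sns}

    def purge(self, now: int) -> None:
        """Updating module: drop timestamps that have left the predetermined period."""
        for stamps in self.dataset.values():
            stamps.difference_update({t for t in stamps if t < now - self.window})

    def authenticate(self, username_data: str, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        parsed = decrypt_identity(username_data, self.key)
        if parsed is None:
            return False, "user name data failed decryption/integrity check"
        sn, ts = parsed
        # First judging module 630: stale or future timestamp
        if ts > now or ts < now - self.window:
            return False, "request access timestamp outside predetermined period"
        # Comparing module 640: sn must be a legal device
        if sn not in self.dataset:
            return False, "unique identifier not in legal device set"
        # Second judging module 650: a timestamp already cached is a replay
        if ts in self.dataset[sn]:
            return False, "request access timestamp already used (replay)"
        # Storage module 660: accept and record the pair
        self.dataset[sn].add(ts)
        return True, "device authentication successful"
```

Two points of the design are worth noting. The window check and the purge work together: a replayed token older than the window is rejected by module 630 even after the updating module has removed its timestamp from the cache, so the cache only has to hold one window's worth of entries. And the statement above that a request cannot be forged while the cipher is uncracked holds only if the encryption is authenticated (the MAC check in `decrypt_identity`); with a malleable, unauthenticated cipher the ciphertext could be altered without the key, so integrity protection is part of the scheme, not an optional extra.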
According to the embodiment of the invention, a device admission authentication system is also provided. The system performs the entire flow, including the data encryption and device admission authentication services. As shown in fig. 7, the system includes:
A terminal device 710, which includes a secure client module; the secure client module includes a data encryption apparatus comprising: an acquisition module 7110, configured to acquire a unique identifier of the terminal device; an interception module 7120, configured to intercept a first EAP response message sent by the terminal device; and a modifying module 7130, configured to modify a user name segment in the first EAP response message into new user name data so as to generate a second EAP response message, where the new user name data is data obtained by adding a request access timestamp to the unique identifier and encrypting the result with a key;
An intermediate connection device 720, which converts the second EAP response message into a RADIUS access request message comprising the second EAP response message;
A security server 730, which parses the RADIUS access request message sent by the intermediate connection device to obtain the new user name data;
A device authentication apparatus 740, integrated within or external to the security server 730, which holds a data set that is the set of legal devices and the access timestamps of legal devices within a predetermined period of time, and which comprises: a receiving module 7410, configured to receive the new user name data; a decryption module 7420, configured to decrypt the new user name data with the key to obtain the unique identifier and the request access timestamp; a first judging module 7430, configured to judge whether the time indicated by the request access timestamp is outside a predetermined time period or greater than the current time, and if yes, return authentication failure information to the terminal device, otherwise trigger a comparing module; a comparing module 7440, configured to compare the unique identifier and the request access timestamp with the data set cached in the device authentication apparatus, determine whether the data set includes the unique identifier, and if not, return authentication failure information to the terminal device, otherwise trigger a second judging module; a second judging module 7450, configured to judge whether the request access timestamp is in the data set, and if yes, return authentication failure information to the terminal device, otherwise trigger a storage module; and a storage module 7460, configured to determine that the device authentication of the device authentication apparatus is successful, and to store the decrypted unique identifier and request access timestamp in the data set.
The device admission authentication system may further include an identity authentication device which, when device authentication succeeds, receives the message of successful device authentication, receives from the security server all RADIUS access request messages originating from the intermediate connection device in order to perform identity authentication, and forwards the result of the identity authentication to the intermediate connection device.
The data encryption method and the device admission authentication method of the present invention can be executed in a computing device. The computing device may be any device having storage and computing capabilities, and may be implemented, for example, as a server or a workstation, as a personal computer such as a desktop computer or a notebook computer, or as a terminal device such as a mobile phone, a tablet computer, an intelligent wearable device, or an internet of things device, but is not limited thereto.
FIG. 8 shows a schematic diagram of a computing device according to one embodiment of the invention. It should be noted that the computing device shown in fig. 8 is only an example; in practice, the computing device used to implement the data encryption method and the device admission authentication method of the present invention may be any type of device, and its hardware configuration may be the same as or different from that of the computing device shown in fig. 8. In practice, the computing device implementing the data encryption method and the device admission authentication method of the present invention may add or remove hardware components relative to the computing device shown in fig. 8, and the present invention is not limited to a specific hardware configuration of the computing device.
As shown in fig. 8, the apparatus may include: a processor 810, a memory 820, an input/output interface 830, a communication interface 840 and a bus 850. The processor 810, the memory 820, the input/output interface 830 and the communication interface 840 communicate with one another within the device via the bus 850.
The processor 810 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, etc., for executing related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The memory 820 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory), static storage, dynamic storage, etc. The memory 820 may store an operating system and other application programs; when the technical solutions provided by the embodiments of the present specification are implemented in software or firmware, the relevant program code is stored in the memory 820 and invoked by the processor 810 for execution.
The input/output interface 830 is used for connecting an input/output module to realize information input and output. The input/output module may be configured as a component within the device (not shown) or may be external to the device to provide the corresponding functionality. The input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.
The communication interface 840 is used to connect a communication module (not shown in the figure) to enable communication interaction between the device and other devices. The communication module may implement communication through a wired manner (such as USB, network cable, etc.), or may implement communication through a wireless manner (such as mobile network, WIFI, bluetooth, etc.).
Bus 850 includes a path to transfer information between components of the device (e.g., processor 810, memory 820, input/output interface 830, and communication interface 840).
It should be noted that although the above-described device only shows processor 810, memory 820, input/output interface 830, communication interface 840, and bus 850, in an implementation, the device may include other components necessary to achieve proper operation. Furthermore, it will be understood by those skilled in the art that the above-described apparatus may include only the components necessary to implement the embodiments of the present description, and not all the components shown in the drawings.
Embodiments of the present invention also provide a non-transitory readable storage medium storing instructions for causing the computing device to perform a method according to embodiments of the present invention. The readable media of the present embodiments, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of readable storage media include, but are not limited to: Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Disks (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transitory readable storage medium.
In the description provided herein, algorithms and displays are not inherently related to any particular computer, virtual system, or other apparatus. Various general-purpose systems may also be used with examples of the invention. The structure required to construct such a system is apparent from the description above. In addition, the present invention is not directed to any particular programming language. It should be appreciated that the teachings of the present invention as described herein may be implemented in a variety of programming languages, and that the foregoing descriptions of specific languages are provided for disclosure of preferred embodiments of the present invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding the understanding of one or more of the various inventive aspects. However, the disclosed method should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Those skilled in the art will appreciate that the modules or units or components of the devices in the examples disclosed herein may be arranged in a device as described in this embodiment, or alternatively may be located in one or more devices different from the devices in the examples. The modules in the foregoing examples may be combined into one module or may be further divided into a plurality of sub-modules.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. Furthermore, some of the embodiments are described herein as methods or combinations of method elements that may be implemented by a processor of a computer system or by other means of performing the functions. Thus, a processor with the necessary instructions for implementing the described method or method element forms a means for implementing the method or method element. Furthermore, the elements of the device embodiments described herein are examples of apparatus for carrying out the functions performed by those elements in order to achieve the objects of the invention.
As used herein, unless otherwise specified, the use of the ordinal terms "first," "second," "third," etc. to describe a general object merely denotes different instances of like objects, and is not intended to imply that the objects so described must have a given order, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of the above description, will appreciate that other embodiments are contemplated within the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter.