
CN-121262017-B - Identity authentication method based on physical isolation gateway and related equipment


Abstract

The application relates to an identity authentication method based on a physical isolation gateway and to related equipment. The method is applied to a physical isolation gateway system comprising a user management subsystem, an identity authentication subsystem and an authority control subsystem, each deployed on a different server. The identity authentication subsystem verifies the user's identity and, when authentication passes, generates a gateway token and sends it to the client. When the client sends an access request carrying the gateway token, the identity authentication subsystem verifies the token's validity; if the check passes, the user's authority is determined and the authority control subsystem establishes a secure tunnel according to that authority. The authority control subsystem then receives service requests from the client through the secure tunnel, forwards them to the corresponding service system, and returns the service system's responses to the client through the tunnel. The method improves network security and reliability.

Inventors

  • ZHANG YONG
  • ZHANG BIN
  • LI JIGUO

Assignees

  • 北京时代亿信科技股份有限公司

Dates

Publication Date
2026-05-05
Application Date
2025-12-05

Claims (7)

  1. An identity authentication method based on a physical isolation gateway, characterized in that it is applied to a physical isolation gateway system comprising a user management subsystem, an identity authentication subsystem and an authority control subsystem which are respectively deployed on different servers, the servers corresponding to the subsystems being physically isolated from one another and connected through a network, the method comprising:
     in response to the client starting, probing the intranet gateway address using the ICMP protocol; if the probe succeeds, the client is in an intranet office scenario and its authentication scheme is determined to be the user-name/password authentication scheme, and if the probe fails, the client is in an extranet office scenario and its authentication scheme is determined to be the smart card authentication scheme;
     verifying the identity of the user by the identity authentication subsystem according to an authentication request sent by the client and, when the identity authentication passes, generating a gateway token and sending it to the client;
     wherein, under the user-name/password authentication scheme, the identity authentication subsystem generates a first random number after receiving the authentication request and sends it to the client, so that the client returns a user name and a first ciphertext to the identity authentication subsystem through the authority control subsystem, the first ciphertext being obtained by the client by processing the first random number and the user password with a first encryption algorithm; the identity authentication subsystem acquires the user password from the user management subsystem according to the received user name, processes the first random number and the user password with the first encryption algorithm to obtain a second ciphertext, and verifies whether the second ciphertext is consistent with the received first ciphertext; if so, the identity authentication passes;
     wherein, under the smart card authentication scheme, the identity authentication subsystem, after receiving the authentication request, acquires a second random number from a signature verification server, records an event number, encrypts the second random number with the server private key to obtain a third ciphertext, and sends the third ciphertext to the client, so that the client returns a signature certificate comprising a fourth ciphertext and a signature public key to the identity authentication subsystem; the fourth ciphertext is obtained by the client decrypting the third ciphertext with the server public key to recover the second random number and then encrypting the second random number with the signature private key in the smart card; the identity authentication subsystem obtains the second random number from the signature verification server based on the event number, decrypts the fourth ciphertext with the signature public key in the signature certificate to obtain a third random number, and verifies whether the third random number is consistent with the second random number; if so, the identity authentication passes;
     verifying, by the identity authentication subsystem, the validity of the gateway token according to an access request comprising the gateway token sent by the client; when the validity verification passes, determining the user authority according to the identity authentication subsystem and the user management subsystem, and establishing a secure tunnel between the client and the authority control subsystem according to the user authority through the authority control subsystem; and
     receiving, by the authority control subsystem, a service request sent by the client through the secure tunnel, sending the service request to the corresponding service system, and sending the response information fed back by the service system to the client through the secure tunnel.
  2. The method according to claim 1, further comprising: in response to an authentication request sent by the client, forwarding the authentication request to the identity authentication subsystem by the authority control subsystem, verifying the identity of the user based on the authentication request through the identity authentication subsystem, generating a gateway token when the identity verification passes, and sending the gateway token to the client through the authority control subsystem, wherein the gateway token comprises the identity of the user, the number of uses and the time limit of use; in response to an access request comprising the gateway token sent by the client, forwarding the access request to the identity authentication subsystem by the authority control subsystem, verifying the validity of the gateway token through the identity authentication subsystem and, when the validity verification passes, acquiring by the identity authentication subsystem the user authority corresponding to the access request from the user management subsystem, and establishing a secure tunnel between the client and the authority control subsystem by the authority control subsystem according to the user authority; and receiving, by the authority control subsystem, a service request sent by the client through the secure tunnel, sending the service request to the corresponding service system, and sending the response information fed back by the service system to the client through the secure tunnel.
  3. The method according to claim 1, wherein the server on which any subsystem is deployed is a cluster server comprising a primary server and at least one standby server, an intrusion detection system and/or an intrusion prevention system is further deployed on the server, and the method further comprises: when the intrusion detection system and/or the intrusion prevention system detects that the primary server is at risk of exposure, switching the target subsystem running on the primary server to a standby server in the cluster.
  4. The method according to claim 1, further comprising: receiving, by the authority control subsystem, an encrypted service request sent by the client through the secure tunnel, decrypting it to obtain a plaintext service request, sending the plaintext service request to the service system and receiving the returned response information; and encrypting the response information to obtain encrypted response information, and transmitting the encrypted response information to the client through the secure tunnel.
  5. A physical isolation gateway system, characterized in that it comprises a network environment evaluation module deployed at the client, and a user management subsystem, an identity authentication subsystem and an authority control subsystem which are respectively deployed on different servers, the servers corresponding to the subsystems being physically isolated from one another and connected through a network, wherein:
     the network environment evaluation module is configured, in response to the client starting, to probe the intranet gateway address using the ICMP protocol; if the probe succeeds, the client is in an intranet office scenario and its authentication scheme is determined to be the user-name/password authentication scheme, and if the probe fails, the client is in an extranet office scenario and its authentication scheme is determined to be the smart card authentication scheme;
     the identity authentication subsystem is configured to verify the identity of the user according to an authentication request sent by the client and, when the identity authentication passes, to generate a gateway token and send it to the client;
     the identity authentication subsystem is further configured to verify the identity of the user under the user-name/password authentication scheme, wherein the identity authentication subsystem generates a first random number after receiving the authentication request and sends it to the client, so that the client returns a user name and a first ciphertext to the identity authentication subsystem through the authority control subsystem, the first ciphertext being obtained by the client by processing the first random number and the user password with a first encryption algorithm; the identity authentication subsystem acquires the user password from the user management subsystem according to the received user name, processes the first random number and the user password with the first encryption algorithm to obtain a second ciphertext, and verifies whether the second ciphertext is consistent with the received first ciphertext; if so, the identity authentication passes;
     the identity authentication subsystem is further configured to verify the identity of the user under the smart card authentication scheme, wherein, after receiving the authentication request, the identity authentication subsystem acquires a second random number from a signature verification server, records an event number, encrypts the second random number with the server private key to obtain a third ciphertext, and sends the third ciphertext to the client, so that the client returns a signature certificate comprising a fourth ciphertext and a signature public key to the identity authentication subsystem; the fourth ciphertext is obtained by the client decrypting the third ciphertext with the server public key to recover the second random number and then encrypting the second random number with the signature private key in the smart card; the identity authentication subsystem obtains the second random number from the signature verification server based on the event number, decrypts the fourth ciphertext with the signature public key in the signature certificate to obtain a third random number, and verifies whether the third random number is consistent with the second random number; if so, the identity authentication passes;
     the user management subsystem is configured to confirm the user authority in response to a request from the identity authentication subsystem; and
     the authority control subsystem is configured to verify the validity of the gateway token and, when the validity verification passes, to establish a secure tunnel between the client and the authority control subsystem according to the user authority, to send the service request sent by the client through the secure tunnel to the service system, and to send the response information fed back by the service system to the client through the secure tunnel.
  6. An electronic device comprising a processor and a memory storing a program, characterized in that the program comprises instructions which, when executed by the processor, cause the processor to perform the method according to any one of claims 1 to 4.
  7. A non-transitory machine-readable medium storing computer instructions for causing a computer to perform the method according to any one of claims 1 to 4.
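The two challenge-response exchanges of claims 1 and 5, written out with both sides' messages as an added example in Go. This is illustration code, not the patent holder's implementation, and it makes several assumptions the claims leave open: the unnamed "first encryption algorithm" is rendered as HMAC-SHA256 over the first random number keyed with the user secret; "encrypting the second random number with the server private key" and "encrypting it with the signature private key in the smart card" are rendered as Ed25519 signatures, since with an asymmetric key that is what the operation proves; the second random number is generated locally instead of being fetched from a signature verification server; the check of the presented signature certificate is replaced by a lookup of the enrolled card key; and the relay through the authority control subsystem is omitted. The user names, secrets and card ID are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// AuthServer stands in for the identity authentication subsystem; users stands in for the user management subsystem.
type AuthServer struct {
	users, pending map[string][]byte            // user name -> secret; event number -> unredeemed random number
	cards          map[string]ed25519.PublicKey // card ID -> enrolled signature public key (assumption)
	serverPriv     ed25519.PrivateKey
	ServerPub      ed25519.PublicKey
}

func NewAuthServer(users map[string][]byte, cards map[string]ed25519.PublicKey) *AuthServer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: refuse to start
	}
	return &AuthServer{users: users, pending: map[string][]byte{}, cards: cards, serverPriv: priv, ServerPub: pub}
}

// Challenge draws a 32-byte random number and records it under a fresh event number.
// Each challenge is redeemable once, so a captured response cannot be replayed.
func (s *AuthServer) Challenge() (event string, nonce []byte) {
	buf := make([]byte, 40)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	event, nonce = hex.EncodeToString(buf[:8]), buf[8:]
	s.pending[event] = nonce
	return event, nonce
}

// FirstCiphertext renders the claims' unnamed "first encryption algorithm" as
// HMAC-SHA256 keyed with the user secret over the first random number (assumption).
func FirstCiphertext(secret, nonce []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(nonce)
	return m.Sum(nil)
}

// PasswordResponse handles scheme 1, client -> server (user name, first ciphertext):
// recompute the second ciphertext from the stored secret and compare in constant time.
func (s *AuthServer) PasswordResponse(event, user string, first []byte) error {
	nonce, ok := s.pending[event]
	delete(s.pending, event) // consume the challenge whether or not the response is valid
	secret, known := s.users[user]
	if !ok || !known || !hmac.Equal(FirstCiphertext(secret, nonce), first) {
		return errors.New("authentication failed") // one message: no hint about which check failed
	}
	return nil
}

// CardChallenge handles scheme 2, server -> client. Signing with the server key proves
// the challenge came from the gateway; it does not hide the number, which travels in clear.
func (s *AuthServer) CardChallenge() (event string, nonce, sig []byte) {
	event, nonce = s.Challenge()
	return event, nonce, ed25519.Sign(s.serverPriv, nonce)
}

// CardSign is the client side: refuse to sign a challenge the gateway did not sign
// (a rogue server could otherwise use the card as a signing oracle), then produce
// the fourth ciphertext with the smart card's signature private key.
func CardSign(serverPub ed25519.PublicKey, nonce, sig []byte, card ed25519.PrivateKey) ([]byte, error) {
	if !ed25519.Verify(serverPub, nonce, sig) {
		return nil, errors.New("challenge not signed by the gateway")
	}
	return ed25519.Sign(card, nonce), nil
}

// CardResponse handles scheme 2, client -> server. The claims verify with the key in the
// presented certificate; that is sound only after the certificate is validated against a
// trusted CA, which this example replaces with a lookup of the enrolled key.
func (s *AuthServer) CardResponse(event, cardID string, fourth []byte) error {
	nonce, ok := s.pending[event]
	delete(s.pending, event)
	pub, known := s.cards[cardID]
	if !ok || !known || !ed25519.Verify(pub, nonce, fourth) {
		return errors.New("authentication failed")
	}
	return nil
}

func main() {
	cardPub, cardPriv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewAuthServer(map[string][]byte{"alice": []byte("s3cret")}, map[string]ed25519.PublicKey{"card-0001": cardPub})
	ev, n := srv.Challenge()
	fmt.Println("password scheme:", srv.PasswordResponse(ev, "alice", FirstCiphertext([]byte("s3cret"), n)))
	ev, n, sig := srv.CardChallenge()
	fourth, _ := CardSign(srv.ServerPub, n, sig, cardPriv)
	fmt.Println("smart card scheme:", srv.CardResponse(ev, "card-0001", fourth))
}
```

Two points a practitioner should take from the claims show up in the code. First, the password scheme requires the user management subsystem to hand the identity authentication subsystem a value from which the first ciphertext can be recomputed, so whatever is stored there is password-equivalent and the link between those two servers needs the same protection as the password itself; the separate servers do not change that. Second, the smart card flow is exactly as strong as the check that the signature public key in the presented certificate belongs to an enrolled card; if the server simply trusts the key the client sends, anyone with any key pair passes.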

Description

Identity authentication method based on physical isolation gateway and related equipment

Technical Field

The application relates to the technical field of gateway authentication, and in particular to an identity authentication method based on a physical isolation gateway and related equipment.

Background

Authentication gateways play a vital role in network security: their main function is to verify the identity of a user and grant that user access to specific network resources (such as a service system), thereby ensuring the security and reliability of the network. The authentication gateway in the related art generally concentrates user management, authentication and authority enforcement on one gateway device. This centralized architecture simplifies system design but creates a serious security hazard in the form of a single point of failure. Because the gateway device must be exposed externally to provide its service, it inevitably becomes the attacker's primary target. Once the gateway device is breached, an attacker may not only obtain users' sensitive information (user names, passwords, permission levels and so on) but may also tamper with the authentication logic or permission configuration, collapsing the security boundary of the entire network and causing significant loss. No effective solution to these problems has been proposed so far.

Disclosure of Invention

The identity authentication method and related equipment based on a physical isolation gateway at least solve the problem of poor network security and reliability caused by the significant security risk of identity authentication gateway systems that adopt a centralized architecture in the related art.
To solve the above problems, one aspect of the embodiments of the present invention provides an identity authentication method based on a physical isolation gateway, applied to a physical isolation gateway system that includes a user management subsystem, an identity authentication subsystem and an authority control subsystem respectively deployed on different servers, the servers corresponding to the subsystems being physically isolated and connected through a network. The method includes: verifying the user identity by the identity authentication subsystem according to an authentication request sent by the client, and generating a gateway token and sending it to the client when the identity authentication passes; verifying the validity of the gateway token by the identity authentication subsystem according to an access request comprising the gateway token sent by the client, determining the user authority according to the identity authentication subsystem and the user management subsystem when the validity verification passes, and establishing a secure tunnel between the client and the authority control subsystem according to the user authority through the authority control subsystem; and receiving, by the authority control subsystem, the service request sent by the client through the secure tunnel, sending the service request to the corresponding service system, and sending the response information fed back by the service system to the client through the secure tunnel.
In some of these embodiments, the method further includes: in response to an authentication request sent by the client, forwarding the authentication request to the identity authentication subsystem by the authority control subsystem, verifying the identity of the user based on the authentication request through the identity authentication subsystem, generating a gateway token when the identity verification passes, and sending the gateway token to the client through the authority control subsystem, wherein the gateway token comprises the identity of the user, the number of uses and the time limit of use; in response to an access request comprising the gateway token sent by the client, forwarding the access request to the identity authentication subsystem by the authority control subsystem, verifying the validity of the gateway token through the identity authentication subsystem, acquiring by the identity authentication subsystem the user authority corresponding to the access request from the user management subsystem when the validity verification passes, and establishing a secure tunnel between the client and the authority control subsystem according to the user authority by the authority control subsystem; and receiving, by the authority control subsystem, the service request sent by the client through the secure tunnel, sending the service request to the corresponding service system, and sending the response information fed back by the service system to the client through the secure tunnel.
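The gateway token described above carries the user's identity, a number of uses and a time limit, and the identity authentication subsystem checks its validity on every access request. The following is an added Go example of how such a token can be issued and validated; it is not the patent's implementation. The serialisation format, the random token ID, the HMAC over the fields and the server-side use counter are all assumptions of this example, and the key and user names are constructed sample data.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Issuer stands in for the identity authentication subsystem. The token carries the
// three fields the description lists (user identity, number of uses, time limit) plus
// a random token ID and an HMAC, both additions of this example. The remaining-use
// counter is kept here, keyed by token ID: a counter stored inside the token itself
// could be reset simply by replaying an earlier copy of the token.
type Issuer struct {
	key  []byte
	used map[string]int   // token ID -> uses consumed so far
	now  func() time.Time // injectable clock
}

func NewIssuer(key []byte) *Issuer {
	return &Issuer{key: key, used: map[string]int{}, now: time.Now}
}

func (i *Issuer) mac(payload string) string {
	m := hmac.New(sha256.New, i.key)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Issue serialises id|user|maxUses|expiry|mac; the user identity is base64-encoded
// so a user name containing '|' cannot shift the fields.
func (i *Issuer) Issue(user string, maxUses int, ttl time.Duration) (string, error) {
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	payload := strings.Join([]string{
		hex.EncodeToString(id),
		base64.RawURLEncoding.EncodeToString([]byte(user)),
		strconv.Itoa(maxUses),
		strconv.FormatInt(i.now().Add(ttl).Unix(), 10),
	}, "|")
	return payload + "|" + i.mac(payload), nil
}

// Validate checks the MAC first (so nothing unauthenticated is interpreted), then the
// time limit and the use count, and consumes one use on success. It returns the user
// identity for which the authority control subsystem should look up permissions.
func (i *Issuer) Validate(token string) (string, error) {
	parts := strings.Split(token, "|")
	if len(parts) != 5 {
		return "", errors.New("malformed token")
	}
	payload := strings.Join(parts[:4], "|")
	if !hmac.Equal([]byte(i.mac(payload)), []byte(parts[4])) {
		return "", errors.New("bad token signature")
	}
	user, err0 := base64.RawURLEncoding.DecodeString(parts[1])
	maxUses, err1 := strconv.Atoi(parts[2])
	exp, err2 := strconv.ParseInt(parts[3], 10, 64)
	if err0 != nil || err1 != nil || err2 != nil {
		return "", errors.New("malformed token")
	}
	if !i.now().Before(time.Unix(exp, 0)) {
		return "", errors.New("token expired")
	}
	if i.used[parts[0]] >= maxUses {
		return "", errors.New("token use count exhausted")
	}
	i.used[parts[0]]++
	return string(user), nil
}

func main() {
	iss := NewIssuer([]byte("constructed-demo-key")) // constructed key; load it from a secret store in practice
	tok, _ := iss.Issue("alice", 2, time.Minute)
	for n := 1; n <= 3; n++ {
		user, err := iss.Validate(tok)
		fmt.Printf("use %d: user=%q err=%v\n", n, user, err)
	}
}
```

Because the token is handed to the client and presented back on every access request, only the identity authentication subsystem can be trusted to count uses; the token itself can only state the limit. The MAC is checked before any field is parsed so that a forged token cannot reach the expiry or counter logic, and the counter map should be pruned of expired IDs in a long-running service.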