
CN119071038A - Single sign-on method, system, device, equipment and medium based on quantum key - Google Patents


Info

Publication number: CN119071038A
Authority: CN (China)
Prior art keywords: user, quantum key, token, token corresponding, service platform
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Application number: CN202411101862.3A
Other languages: Chinese (zh)
Inventors: 刘恒彪, 米鹏伟
Current assignee: China Telecom Quantum Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: China Telecom Quantum Technology Co ltd
Events: application filed by China Telecom Quantum Technology Co ltd; priority to CN202411101862.3A; publication of CN119071038A; legal status pending

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
            • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
            • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
        • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
            • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
        • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
            • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                • H04L9/0852 Quantum cryptography
        • H04L9/40 Network security protocols
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
        • H04L2463/062 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying encryption of the keys

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of the present invention provide a single sign-on method, system, device, electronic device and storage medium based on a quantum key. The method includes querying, when the user logs in to the application, whether a token corresponding to the user and encrypted by a quantum key exists; if such a token exists, obtaining the quantum key from the cryptographic service platform; decrypting the token with the quantum key; and using the token to log in to the application. Once the token has been encrypted with the quantum key, logging in only requires decrypting the token with the quantum key, so single sign-on to multiple applications can be completed without opening the main application. This not only greatly enhances the security of the token but also makes single sign-on more convenient and efficient, giving users a login experience that is both safe and convenient.

Description

Single sign-on method, system, device, equipment and medium based on quantum key
Technical Field
The invention relates to the technical field of quantum key applications, in particular to a single sign-on method, system, device, equipment and medium based on a quantum key.
Background
Single sign-on (SSO) between multiple applications is a technique that lets a user log in once and then access multiple related applications. With single sign-on, after the user logs in to the main application for the first time, the system generates a security token that can be shared with the other associated applications, so the user does not have to enter a user name and password repeatedly.
In existing schemes for storing a single sign-on token among multiple applications, a permission is needed at sign-on time to detect whether the main application is running; if it is, the token is shared through inter-process communication. Most users are sensitive to granting that permission.
Disclosure of Invention
In view of the foregoing, embodiments of the present invention have been developed to provide a quantum key-based single sign-on method, a quantum key-based single sign-on system, and a quantum key-based single sign-on device that overcome or at least partially solve the foregoing problems.
According to a first aspect of an embodiment of the present invention, there is provided a single sign-on method based on a quantum key, the method including:
inquiring whether a token corresponding to the user encrypted by a quantum key exists when the user logs in to an application program;
if the token corresponding to the user exists, acquiring a quantum key from a password service platform;
decrypting the token according to the quantum key;
and logging in to the application program by adopting the token.
Optionally, the method further comprises:
if the token corresponding to the user does not exist, acquiring the token corresponding to the user from an identity authentication platform;
obtaining a quantum key from the cryptographic service platform;
encrypting the token corresponding to the user according to the quantum key;
and storing the encrypted token corresponding to the user.
Optionally, querying whether the token corresponding to the user encrypted by the quantum key exists includes:
inquiring whether a token corresponding to the user exists in the shared memory.
Optionally, storing the encrypted token corresponding to the user includes:
storing the encrypted token corresponding to the user into the shared memory.
Optionally, obtaining the quantum key from the cryptographic service platform includes:
transmitting a session identifier of the user to the password service platform, where the session identifier is obtained according to user information of the user;
and receiving the quantum key sent by the password service platform, where the quantum key is obtained according to the session identifier of the user.
According to a second aspect of the present invention, there is provided a quantum key based single sign-on system comprising a user terminal, an identity authentication platform and a cryptographic service platform;
The user terminal is used for inquiring whether a token corresponding to the user encrypted by a quantum key exists or not when the user logs in an application program, acquiring the quantum key from the password service platform if the token corresponding to the user exists, decrypting the token according to the quantum key, and logging in the application program by adopting the token;
the identity authentication platform is used for sending a token corresponding to the user terminal;
the password service platform is used for sending the quantum key to the user terminal.
Optionally, the user terminal is further configured to obtain a token corresponding to the user from the identity authentication platform if the token corresponding to the user does not exist, obtain a quantum key from the cryptographic service platform, encrypt the token corresponding to the user according to the quantum key, and store the encrypted token corresponding to the user.
Optionally, the user terminal is further configured to query, in the shared memory, whether a token corresponding to the user exists.
Optionally, the user terminal is further configured to store the encrypted token corresponding to the user to the shared memory.
Optionally, the user terminal is further configured to send a session identifier of the user to the cryptographic service platform, where the session identifier is obtained according to user information of the user, and to receive a quantum key sent by the cryptographic service platform, where the quantum key is obtained according to the session identifier of the user.
According to a third aspect of embodiments of the present invention, there is provided a quantum key based single sign-on device, the device comprising:
a first query module, used for querying whether a token corresponding to the user encrypted by the quantum key exists when the user logs in to the application program;
a first acquisition module, used for acquiring a quantum key from the password service platform if the token corresponding to the user exists;
a first decryption module, used for decrypting the token according to the quantum key;
and a first login module, used for logging in to the application program by adopting the token.
Optionally, the apparatus further includes:
a second acquisition module, used for acquiring the token corresponding to the user from the identity authentication platform if the token corresponding to the user does not exist;
a third acquisition module, used for acquiring the quantum key from the password service platform;
a first encryption module, used for encrypting the token corresponding to the user according to the quantum key;
and a first storage module, used for storing the encrypted token corresponding to the user.
Optionally, the first query module includes:
a first query sub-module, used for inquiring whether the token corresponding to the user exists in the shared memory.
Optionally, the first storage module includes:
a first storage sub-module, used for storing the encrypted token corresponding to the user into the shared memory.
Optionally, the third acquisition module includes:
a first sending sub-module, used for sending the session identifier of the user to the password service platform, where the session identifier is obtained according to the user information of the user;
a first receiving sub-module, used for receiving the quantum key sent by the password service platform, where the quantum key is obtained according to the session identifier of the user.
According to a fourth aspect of the present invention there is provided an electronic device comprising a processor, a memory and a computer program stored on the memory and capable of running on the processor, which when executed by the processor implements a quantum key based single sign-on method as described above.
According to a fifth aspect of the present invention, there is provided a computer readable storage medium which, when executed by a processor of an electronic device, causes the electronic device to perform a quantum key based single sign-on method as described above.
The technical scheme provided by the embodiment of the invention can comprise the following beneficial effects:
The embodiment of the invention provides a single sign-on method based on a quantum key, which comprises the steps of inquiring whether a token corresponding to a user encrypted by the quantum key exists or not when the user logs in an application program; if the token corresponding to the user exists, the quantum key is acquired from the password service platform, the token is decrypted according to the quantum key, and the token is adopted to log in the application program. According to the embodiment of the invention, after the token is encrypted through the quantum key, the token is decrypted according to the quantum key during login, and single sign-on of a plurality of applications can be completed without starting a main application, so that the security of the token is greatly enhanced, the single sign-on becomes more convenient and efficient, and a safe and convenient login experience is provided for a user.
Drawings
FIG. 1 is a flow chart of the steps of a single sign-on method based on quantum keys provided by an embodiment of the present invention;
FIG. 2 is a flow chart of the steps of another quantum key based single sign-on method provided by an embodiment of the present invention;
FIG. 3 is a timing diagram of single sign-on based on quantum keys according to an embodiment of the present invention;
FIG. 4 is a block diagram of a single sign-on system based on quantum keys according to an embodiment of the present invention;
FIG. 5 is a block diagram of a single sign-on device based on quantum keys according to an embodiment of the present invention.
Detailed Description
In order that the above-recited objects, features and advantages of the present invention become more readily apparent, a more particular description of the invention is given below with reference to the appended drawings.
One of the core concepts of the embodiments of the present invention is that single sign-on (SSO) between multiple applications is a technique that lets a user log in once and then access multiple related applications. With single sign-on, after the user logs in to the main application for the first time, the system generates a security token that can be shared with the other associated applications, so the user does not have to enter a user name and password repeatedly.
The existing scheme for storing a single sign-on token among multiple applications needs a permission to detect whether the main application is running; if it is, the token is shared through inter-process communication. Most users are sensitive to that permission, and sharing the token among multiple applications is a complex operation. The existing scheme is therefore low in security and not convenient enough, which greatly reduces the credibility of the application.
Therefore, after the token has been encrypted with the quantum key, the token can be decrypted with the quantum key at login time, and single sign-on to multiple applications can be completed without starting the main application.
Referring to FIG. 1, a step flow chart of a quantum key-based single sign-on method is shown; the method may specifically include the following steps:
Step 101, inquiring whether a token corresponding to a user, encrypted by a quantum key, exists when the user logs in to an application program;
A token is a type of security credential used for authentication. A token mechanism using quantum key encryption provides an additional layer of security because it relies not only on traditional cryptographic authentication but also on the quantum key being unobtainable by an attacker. Because of the special nature of the quantum key, even if the token is intercepted, an attacker can hardly decrypt the original authentication information, so the security of the user data is ensured.
Quantum key distribution techniques use principles of quantum mechanics to generate and distribute keys that are theoretically unbreakable, providing adequate protection even against future quantum computer attacks. When a user logs in for the first time, the system may encrypt the user's login credentials using the quantum key and store the encrypted token. Thereafter, when the user logs in again, the system checks whether there is a token encrypted by the user's quantum key. If one is present, this means that the user's credentials have been successfully authenticated before and that these credentials are securely stored. Querying whether a token corresponding to the user encrypted by a quantum key exists when the user logs in to an application program can enhance security and protect the user's private information.
Step 102, if a token corresponding to the user exists, acquiring a quantum key from a password service platform;
The password service platform is used for acquiring and managing the quantum key. If the token corresponding to the current user exists, the user has been successfully authenticated before, the authentication state is still valid, the user can access the corresponding resources and services without logging in again, and the user can exercise their authority in a multi-service environment seamlessly. Applying to the password service platform for a quantum key further enhances security and ensures confidentiality and integrity during data transmission.
Step 103, decrypting the token according to the quantum key;
By decrypting the token using the quantum key, it is ensured that even if the token is intercepted during transmission, only a receiver holding the correct quantum key can decrypt it and verify its validity, thereby protecting the user's sensitive information from unauthorized third parties.
Step 104, logging in to the application program by adopting the token.
Finding that a token is present means that the user's credentials have been successfully authenticated before and are securely stored; the quantum key is then obtained from the cryptographic service platform for a secure login, the token is decrypted with the quantum key, and the decrypted token is used to log in to the application. The system can quickly verify the identity of the user when they log in again without requiring a password or sensitive information to be re-entered each time. The method can reduce the security risk caused by password leakage, provides a smoother user experience, and protects the privacy and data security of the user by relying on the non-hackable characteristic of the quantum key.
Referring to FIG. 2, a step flow diagram of another quantum key-based single sign-on method according to an embodiment of the present invention is shown; the method may specifically include the following steps:
Step 201, when a user logs in to an application program, inquiring whether a token corresponding to the user encrypted by a quantum key exists;
When a user logs in for the first time, the system may encrypt the user's login credentials using the quantum key and store the encrypted token. Thereafter, when the user logs in again, the system checks whether there is a token encrypted by the user's quantum key. If one is present, this means that the user's credentials have been successfully authenticated before and that these credentials are securely stored. Querying whether a token corresponding to the user encrypted by a quantum key exists when the user logs in to an application program can enhance security and protect the user's private information.
In one embodiment, step 201 may comprise, for example, the following sub-step:
Sub-step S11, inquiring whether a token corresponding to the user exists in the shared memory.
Shared memory (SharedMemory) is an inter-process communication mechanism that allows one process to write data to a shared memory region while other processes access and modify that data by mapping the same region. SharedMemory is queried for a token corresponding to the current user so that the identity state of the user can be shared between the various services or processes.
Step 202, if no token corresponding to the user exists, obtaining the token corresponding to the user from an identity authentication platform;
an authentication platform refers to a system or service for centrally managing and performing user authentication, and such a platform is commonly used in a multi-service environment to achieve unified identity management, authentication and authorization. The primary goal of the authentication platform is to ensure that only authenticated users can access a particular resource and to be able to provide consistent security policies across multiple applications and services.
If the token corresponding to the current user does not exist, this means that the user has not passed the authentication or that the previous authentication information has expired or failed. In this case, the user is required to go to the identity authentication platform to perform identity login to verify the identity of the user, update the authentication state, and issue a new token, thereby ensuring that the user is legal and has access to the requested resources, while meeting the basic requirements of information security.
Step 203, obtaining a quantum key from the cryptographic service platform;
The quantum key is obtained from the cryptographic service platform because quantum key distribution can provide theoretically unbreakable security, ensuring that the cryptographic key is not eavesdropped or duplicated by a third party.
In one embodiment, step 203 may comprise, for example, the following sub-steps:
Sub-step S31, sending a session identifier of the user to the password service platform, where the session identifier is obtained according to user information of the user;
To ensure security and consistency, after the user successfully logs in, the system generates a unique session identifier (session ID) according to the user's specific information. This session identifier is then sent to the cryptographic service platform so that the user's identity can be verified in subsequent interactions without repeating the whole login procedure. In this way, sensitive user information does not have to be submitted or verified again on each request, which improves the user experience and strengthens the security of the system.
Sub-step S32, receiving a quantum key sent by the password service platform, where the quantum key is obtained according to the session identifier of the user.
The quantum key sent by the password service platform is received to ensure the data security and privacy protection in the communication process. Quantum keys are generated based on quantum mechanics principles for encrypting and decrypting information, which is extremely secure, because any eavesdropping attempt on the key is immediately detected and can result in a change in the key, thereby disabling an eavesdropper from obtaining the original information content. Thus, by using the quantum key, the user can be sure that their communication is not intercepted or hacked by unauthorized third parties, thereby enabling a highly secure data exchange.
Step 204, encrypting the token corresponding to the user according to the quantum key;
The token of the user is encrypted according to the quantum key to ensure the security and confidentiality of the token. In many security systems, tokens are an important component of user authentication and need to be protected from interception or tampering during transmission. Encrypting the token with the quantum key can ensure that the token cannot be interpreted even if it is intercepted by a third party during transmission, because the quantum key has unique security properties-any attempt to measure or replicate the key changes the state of the key and is perceived by the sender and receiver. In this way, even if the token is intercepted, an attacker cannot use the token to make unauthorized access, so that the identity information of the user and the security of the system are effectively protected.
Step 205, storing the encrypted token corresponding to the user.
The encrypted tokens corresponding to the users are stored to protect the security and privacy of the user data, and the fact that even if the tokens are accessed without authorization, the tokens cannot be read or abused is ensured, so that the login information and personal data of the users are protected from being threatened by an attacker.
In one embodiment, step 205 may include, for example, the following sub-step:
Sub-step S51, storing the encrypted token corresponding to the user into the shared memory.
The encrypted token corresponding to the user is stored in the shared memory to ensure that the login state can be shared safely and efficiently among a plurality of applications. By storing the token in the shared memory, the need to re-verify the user identity each time the application switches can be avoided, thereby improving user experience and reducing server load. Meanwhile, the token encrypted by the quantum key can ensure that the content of the token cannot be cracked even if the shared memory is accessed without authorization, thereby protecting the security and privacy of user data.
Step 205 is followed by step 208, logging in to the application program.
Step 206, if the token corresponding to the user exists, obtaining a quantum key from a password service platform;
If the token corresponding to the current user exists, the user has been successfully authenticated before, the authentication state is still valid, the user can access the corresponding resources and services without logging in again, and the user can exercise their authority in a multi-service environment seamlessly. Applying to the password service platform for a quantum key further enhances security and ensures confidentiality and integrity during data transmission.
Step 207, decrypting the token according to the quantum key;
The token is decrypted by using the quantum key to ensure that even if the token is intercepted in the transmission process, only a receiver with the correct quantum key can decrypt and verify the validity of the token, thereby protecting the sensitive information of the user from being accessed by an unauthorized third party.
Step 208, logging in to the application program by using the token.
In summary, when no token exists, the token is obtained from the identity authentication platform, a quantum key is obtained from the password service platform, and the token is encrypted and stored before the application program is logged in; when a token exists, which means the user's credentials were verified before and are stored securely, the quantum key is obtained from the password service platform for a secure login, and the token is decrypted with the quantum key and used to log in to the application program.
The embodiment of the invention provides a single sign-on method based on a quantum key, which comprises the steps of inquiring whether a token corresponding to a user encrypted by the quantum key exists or not when the user logs in an application program; if the token corresponding to the user exists, the quantum key is acquired from the password service platform, the token is decrypted according to the quantum key, and the token is adopted to log in the application program. According to the embodiment of the invention, after the token is encrypted through the quantum key, the token is decrypted according to the quantum key during login, and single sign-on of a plurality of applications can be completed without starting a main application, so that the security of the token is greatly enhanced, the single sign-on becomes more convenient and efficient, and a safe and convenient login experience is provided for a user.
It should be noted that, for simplicity of description, the method embodiments are shown as a series of acts, but it should be understood by those skilled in the art that the embodiments are not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred embodiments, and that the acts are not necessarily required by the embodiments of the invention.
Referring to fig. 3, a single sign-on timing diagram based on a quantum key according to an embodiment of the present invention is shown.
In the figure, application A and application B are taken as examples, the shared memory is denoted by SharedMemory, and the token is denoted by token.
When logging in to application A:
S1, the user opens application A and logs in through application A;
S2, application A queries SharedMemory whether a token corresponding to the current user exists;
S3, SharedMemory finds that no token corresponding to the current user exists and returns the query result to application A;
S4, application A goes to the identity authentication platform to perform identity login;
S5, the identity authentication platform returns the token of the logged-in user to application A;
S6, application A applies for a quantum key from the password service platform according to the user information; specifically, a session identifier is obtained according to the user information, the session identifier of the user is sent to the password service platform, and the password service platform generates the quantum key according to the session identifier of the user;
S7, the password service platform returns the quantum key to application A;
S8, application A encrypts the token according to the quantum key;
S9, application A stores the user account and the encrypted token in SharedMemory;
S10, SharedMemory returns the storage result to application A;
S11, the user successfully logs in to application A.
When logging in to application B:
S12, the user opens application B and logs in through application B;
S13, application B queries SharedMemory whether a token corresponding to the current user exists;
S14, SharedMemory finds that a token corresponding to the current user exists and returns the query result to application B;
S15, application B applies for a quantum key from the password service platform;
S16, the password service platform returns the quantum key to application B;
S17, application B decrypts the token with the quantum key;
S18, the user successfully logs in to application B.
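As an added illustration, not code from the patent or its applicant, the following Python models steps S1 to S18 with two applications sharing one in-process token store. The identity platform, the password service platform, the session-identifier derivation (a hash of the account name) and the encrypt-then-MAC use of the key material are all assumptions of this example; the key service hands out random bytes in place of quantum-derived key material.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

TAG_LEN = 32  # bytes of HMAC-SHA256 tag appended to the encrypted token


def session_id_for(user: str) -> str:
    # The patent only says the session identifier is obtained from user
    # information; hashing the account name is an assumption made here so
    # that application A and application B derive the same identifier.
    return hashlib.sha256(user.encode("utf-8")).hexdigest()[:16]


class IdentityAuthPlatform:
    """Stand-in identity authentication platform (steps S4/S5)."""

    def __init__(self, users: Dict[str, str]):
        self._users = users  # constructed account -> password table

    def login(self, user: str, password: str) -> bytes:
        expected = self._users.get(user, "").encode("utf-8")
        if not hmac.compare_digest(expected, password.encode("utf-8")):
            raise PermissionError("identity authentication failed")
        return secrets.token_bytes(32)  # opaque bearer token for this user


class PasswordServicePlatform:
    """Stand-in password (cryptographic) service platform (S6/S7, S15/S16).
    The patent's key is quantum-derived; here it is random key material bound
    to the session identifier so both applications receive identical bytes."""

    def __init__(self):
        self._keys: Dict[str, bytes] = {}

    def quantum_key(self, session_id: str, length: int) -> bytes:
        if session_id not in self._keys:
            self._keys[session_id] = secrets.token_bytes(length)
        key = self._keys[session_id]
        if len(key) < length:
            raise ValueError("more key material requested than was issued")
        return key[:length]


class SharedMemory:
    """Cross-process token store (S2/S3, S9/S10, S13/S14) modelled as a dict."""

    def __init__(self):
        self.entries: Dict[str, bytes] = {}

    def query(self, user: str) -> Optional[bytes]:
        return self.entries.get(user)

    def store(self, user: str, blob: bytes) -> None:
        self.entries[user] = blob


def protect_token(token: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC the token (S8): the first len(token) key bytes are used
    once as a one-time pad, the last TAG_LEN bytes key an HMAC so that a
    modified shared-memory entry is rejected rather than silently decrypted."""
    if len(key) != len(token) + TAG_LEN:
        raise ValueError("key material must cover the token plus the tag")
    pad, mac_key = key[:len(token)], key[len(token):]
    ct = bytes(a ^ b for a, b in zip(token, pad))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def recover_token(blob: bytes, key: bytes) -> bytes:
    """Verify and decrypt a stored entry (S17); raises if it was tampered with."""
    if len(blob) <= TAG_LEN or len(key) != len(blob):
        raise ValueError("malformed entry or key material")
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    pad, mac_key = key[:len(ct)], key[len(ct):]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("token in shared memory was modified")
    return bytes(a ^ b for a, b in zip(ct, pad))


class Application:
    """One of the applications sharing the login state (A or B)."""

    def __init__(self, name: str, shared: SharedMemory,
                 idp: IdentityAuthPlatform, psp: PasswordServicePlatform):
        self.name, self.shared, self.idp, self.psp = name, shared, idp, psp

    def login(self, user: str, password: Optional[str] = None) -> bytes:
        sid = session_id_for(user)
        blob = self.shared.query(user)
        if blob is not None:  # S13-S18: reuse the stored, encrypted token
            return recover_token(blob, self.psp.quantum_key(sid, len(blob)))
        if password is None:  # no stored token and no credentials offered
            raise PermissionError(f"{self.name}: interactive login required")
        token = self.idp.login(user, password)  # S4/S5
        key = self.psp.quantum_key(sid, len(token) + TAG_LEN)  # S6/S7
        self.shared.store(user, protect_token(token, key))  # S8-S10
        return token  # S11
```

Application B obtains the same token as application A without being prompted for credentials, while a modified shared-memory entry is rejected on decryption instead of yielding a usable token.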
Referring to fig. 4, a block diagram of a single sign-on system based on quantum keys according to an embodiment of the present invention is shown.
The system comprises a user terminal 401, an identity authentication platform 402 and a password service platform 403;
the user terminal 401 is used for inquiring whether a token corresponding to the user encrypted by a quantum key exists when the user logs in an application program, acquiring the quantum key from the password service platform if the token corresponding to the user exists, decrypting the token according to the quantum key, and logging in the application program by adopting the token;
Querying, when the user logs in to an application program, whether a token corresponding to the user encrypted by a quantum key exists enhances security and protects the user's private information. If a token corresponding to the current user exists, the user was successfully authenticated before and the authentication state is still valid, so the user can access the corresponding resources and services without logging in again and can use their authority seamlessly in a multi-service environment. Applying for a quantum key from the password service platform further enhances security and ensures confidentiality and integrity during data transmission.
By decrypting the token with the quantum key, it is ensured that even if the token is intercepted during transmission, only a receiver holding the correct quantum key can decrypt it and verify its validity, thereby protecting the user's sensitive information from unauthorized third parties. The presence of a token means that the user's credentials were successfully authenticated before and are securely stored; the quantum key is obtained from the password service platform for secure login, and the token decrypted with the quantum key is used to log in to the application.
The identity authentication platform 402 is configured to send the token corresponding to the user to the user terminal;
The identity authentication platform is a system responsible for verifying the identity of a user and sending an authentication token to a user terminal, ensuring that the user can safely access protected resources and services. The identity authentication platform sends the token corresponding to the user terminal, and the process ensures effective verification of the user identity and provides a basis for subsequent security access.
The cryptographic service platform 403 is configured to send the quantum key to the user terminal.
The password service platform is a platform for acquiring and managing the quantum key, and sends the quantum key to the user terminal to protect the information security of the user.
In one embodiment, the user terminal 401 is further configured to obtain a token corresponding to the user from an identity authentication platform if the token corresponding to the user does not exist, obtain a quantum key from the cryptographic service platform, encrypt the token corresponding to the user according to the quantum key, and store the encrypted token corresponding to the user.
If the token corresponding to the current user does not exist, this means that the user has not passed the authentication or that the previous authentication information has expired or failed. In this case, the user is required to go to the identity authentication platform to perform identity login to verify the identity of the user, update the authentication state, and issue a new token, thereby ensuring that the user is legal and has access to the requested resources, while meeting the basic requirements of information security. The quantum key is then obtained from the cryptographic service platform, since quantum key distribution can provide theoretically unbreakable security, ensuring that the cryptographic key is not eavesdropped or duplicated by a third party.
In many security systems, tokens are an important component of user authentication and need to be protected from interception or tampering during transmission. Encrypting the token with the quantum key ensures that the token cannot be read even if it is intercepted by a third party during transmission, because the quantum key has a unique security property: any attempt to measure or replicate the key changes the state of the key and is noticed by the sender and receiver. In this way, even if the token is intercepted, an attacker cannot use it to gain unauthorized access, so the identity information of the user and the security of the system are effectively protected.
In one embodiment, the user terminal 401 is further configured to query, in the shared memory, whether a token corresponding to the user exists.
Shared memory (SharedMemory) is an inter-process communication mechanism that allows one process to write data to a shared memory region while other processes access and modify that data by mapping the same region. SharedMemory is queried for whether a token corresponding to the current user exists so that the identity state of the user can be shared between the various services or processes.
In one embodiment, the user terminal 401 is further configured to store the encrypted token corresponding to the user in the shared memory.
The encrypted token corresponding to the user is stored in the shared memory to ensure that the login state can be shared safely and efficiently among a plurality of applications. By storing the token in the shared memory, the need to re-verify the user identity each time the application switches can be avoided, thereby improving user experience and reducing server load.
In one embodiment, the user terminal 401 is further configured to send a session identifier of the user to the cryptographic service platform, where the session identifier is obtained according to user information of the user, and to receive the quantum key sent by the cryptographic service platform, where the quantum key is obtained according to the session identifier of the user.
To ensure security and consistency, after the user successfully logs in, the system generates a unique session identifier (session ID) according to the specific information of the user. This session identifier is then sent to the cryptographic service platform so that the user's identity can be verified in subsequent interactions without repeating the whole login procedure. In this way, sensitive user information does not have to be submitted or verified again on each request, which improves the user experience and enhances the security of the system.
The quantum key sent by the password service platform is received to ensure data security and privacy protection during communication. Quantum keys are generated on the basis of quantum-mechanical principles for encrypting and decrypting information and are extremely secure, because any eavesdropping attempt on the key is immediately detected and results in a change of the key, preventing an eavesdropper from obtaining the original information content. Thus, by using the quantum key, users can be sure that their communication is not intercepted or compromised by unauthorized third parties, enabling a highly secure data exchange.
Referring to fig. 5, a block diagram of a single sign-on device based on quantum keys according to an embodiment of the present invention is shown.
A first query module 501, configured to query whether a token corresponding to a user encrypted by a quantum key exists when the user logs in an application program;
When a user logs in for the first time, the system may encrypt the user's login credentials using the quantum key and store the encrypted token. Thereafter, when the user logs in again, the system checks if there is a token encrypted by the user's quantum key. If present, means that the user's credentials have been successfully authenticated before and that these credentials are securely stored. Querying whether a token corresponding to the user encrypted by a quantum key exists when the user logs in an application program can enhance security and protect privacy information of the user.
The first obtaining module 502 is configured to obtain a quantum key from a cryptographic service platform if a token corresponding to the user exists;
If a token corresponding to the current user exists, the user was successfully authenticated before and the authentication state is still valid, so the user can access the corresponding resources and services without logging in again and can use their authority seamlessly in a multi-service environment. Applying for a quantum key from the password service platform further enhances security and ensures confidentiality and integrity during data transmission.
A first decryption module 503, configured to decrypt the token according to the quantum key;
By decrypting the token using the quantum key, it is ensured that even if the token is intercepted during transmission, only the receiver having the correct quantum key can decrypt and verify the validity of the token, thereby protecting the user's sensitive information from unauthorized third parties.
A first login module 504, configured to log in to the application program using the token.
The presence of a token means that the user's credentials were successfully authenticated before and are securely stored; the quantum key is obtained from the password service platform for secure login, and the token decrypted with the quantum key is used to log in to the application.
In one embodiment, the apparatus further comprises:
The second acquisition module is used for acquiring the token corresponding to the user from the identity authentication platform if the token corresponding to the user does not exist;
If the token corresponding to the current user does not exist, this means that the user has not passed the authentication or that the previous authentication information has expired or failed. In this case, the user is required to go to the identity authentication platform to perform identity login to verify the identity of the user, update the authentication state, and issue a new token, thereby ensuring that the user is legal and has access to the requested resources, while meeting the basic requirements of information security.
The third acquisition module is used for acquiring the quantum key from the password service platform;
The quantum key is obtained from the cryptographic service platform because quantum key distribution can provide theoretically unbreakable security, ensuring that the cryptographic key is not eavesdropped or duplicated by a third party.
The first encryption module is used for encrypting the token corresponding to the user according to the quantum key;
The token of the user is encrypted according to the quantum key to ensure the security and confidentiality of the token. In many security systems, tokens are an important component of user authentication and need to be protected from interception or tampering during transmission. Encrypting the token with the quantum key ensures that the token cannot be read even if it is intercepted by a third party during transmission, because the quantum key has a unique security property: any attempt to measure or replicate the key changes the state of the key and is noticed by the sender and receiver. In this way, even if the token is intercepted, an attacker cannot use it to gain unauthorized access, so the identity information of the user and the security of the system are effectively protected.
And the first storage module is used for storing the encrypted token corresponding to the user.
The encrypted tokens corresponding to the users are stored to protect the security and privacy of the user data, and the fact that even if the tokens are accessed without authorization, the tokens cannot be read or abused is ensured, so that the login information and personal data of the users are protected from being threatened by an attacker.
In one embodiment, the first query module 501 includes:
And the first inquiring sub-module is used for inquiring whether the token corresponding to the user exists in the shared memory.
Shared memory (SharedMemory) is an inter-process communication mechanism that allows one process to write data to a shared memory region while other processes access and modify that data by mapping the same region. SharedMemory is queried for whether a token corresponding to the current user exists so that the identity state of the user can be shared between the various services or processes.
In one embodiment, the first storage module includes:
and the first storage sub-module is used for storing the encrypted token corresponding to the user into the shared memory.
The encrypted token corresponding to the user is stored in the shared memory to ensure that the login state can be shared safely and efficiently among a plurality of applications. By storing the token in the shared memory, the need to re-verify the user identity each time the application switches can be avoided, thereby improving user experience and reducing server load. Meanwhile, the token encrypted by the quantum key can ensure that the content of the token cannot be cracked even if the shared memory is accessed without authorization, thereby protecting the security and privacy of user data.
In one embodiment, the second acquisition module includes:
The first sending sub-module is used for sending the session identification of the user to the password service platform, wherein the session identification is obtained according to the user information of the user;
To ensure security and consistency, after the user successfully logs in, the system generates a unique session identifier (session ID) according to the specific information of the user. This session identifier is then sent to the cryptographic service platform so that the user's identity can be verified in subsequent interactions without repeating the whole login procedure. In this way, sensitive user information does not have to be submitted or verified again on each request, which improves the user experience and enhances the security of the system.
The first receiving sub-module is used for receiving the quantum key sent by the password service platform, and the quantum key is obtained according to the session identification of the user.
The quantum key sent by the password service platform is received to ensure data security and privacy protection during communication. Quantum keys are generated on the basis of quantum-mechanical principles for encrypting and decrypting information and are extremely secure, because any eavesdropping attempt on the key is immediately detected and results in a change of the key, preventing an eavesdropper from obtaining the original information content. Thus, by using the quantum key, users can be sure that their communication is not intercepted or compromised by unauthorized third parties, enabling a highly secure data exchange.
For the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments for relevant points.
The embodiment of the invention also provides an electronic device, which comprises:
a processor, a memory, and a computer program stored in the memory and runnable on the processor, wherein the computer program, when executed by the processor, realizes all the processes of the quantum key-based single sign-on method embodiment and achieves the same technical effects, which are not repeated here.
The embodiment of the invention also provides a computer readable storage medium, on which a computer program is stored, which when executed by a processor, realizes the processes of the quantum key-based single sign-on method embodiment, and can achieve the same technical effects, and in order to avoid repetition, the description is omitted here.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described by differences from other embodiments, and identical and similar parts between the embodiments are all enough to be referred to each other.
It will be apparent to those skilled in the art that embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the invention may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it is further noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article or terminal device comprising the element.
The principles and embodiments of the present invention have been described in detail with reference to the foregoing application of specific examples to facilitate understanding of the method and core ideas thereof, and in addition, the present invention should not be construed as being limited to the embodiments and application of the present invention as long as modifications in the spirit and scope of the invention are possible to those skilled in the art.

Claims (17)

1. A single sign-on method based on a quantum key, comprising:
Inquiring whether a token corresponding to the user encrypted by a quantum key exists or not when the user logs in an application program;
if the token corresponding to the user exists, acquiring a quantum key from a password service platform;
Decrypting the token according to the quantum key;
and logging in the application program by adopting the token.
2. The method as recited in claim 1, further comprising:
If the token corresponding to the user does not exist, acquiring the token corresponding to the user from an identity authentication platform;
Obtaining a quantum key from the cryptographic service platform;
encrypting a token corresponding to the user according to the quantum key;
and storing the encrypted token corresponding to the user.
3. The method of claim 2, wherein the querying whether the user-corresponding token encrypted by a quantum key exists comprises:
And inquiring whether a token corresponding to the user exists in the shared memory.
4. A method according to claim 3, wherein said storing the encrypted token corresponding to the user comprises:
And storing the encrypted token corresponding to the user into the shared memory.
5. The method of claim 2, wherein the obtaining the quantum key from the cryptographic services platform comprises:
Transmitting a session identifier of the user to the password service platform, wherein the session identifier is obtained according to user information of the user;
And receiving the quantum key sent by the password service platform, wherein the quantum key is obtained according to the session identifier of the user.
6. The single sign-on system based on the quantum key is characterized by comprising a user terminal, an identity authentication platform and a password service platform;
The user terminal is used for inquiring whether a token corresponding to the user encrypted by a quantum key exists or not when the user logs in an application program, acquiring the quantum key from the password service platform if the token corresponding to the user exists, decrypting the token according to the quantum key, and logging in the application program by adopting the token;
the identity authentication platform is used for sending a token corresponding to the user terminal;
the password service platform is used for sending the quantum key to the user terminal.
7. The system of claim 6, wherein the user terminal is further configured to obtain a token corresponding to the user from an identity authentication platform if the token corresponding to the user does not exist, obtain a quantum key from the cryptographic service platform, encrypt the token corresponding to the user according to the quantum key, and store the encrypted token corresponding to the user.
8. The system of claim 7, wherein the user terminal is further configured to query a shared memory for the presence of the token corresponding to the user.
9. The system of claim 8, wherein the user terminal is further configured to store the encrypted token corresponding to the user in the shared memory.
10. The system of claim 7, wherein the user terminal is further configured to send a session identifier of the user to the cryptographic service platform, the session identifier being obtained according to user information of the user, receive a quantum key sent by the cryptographic service platform, and the quantum key being obtained according to the session identifier of the user.
11. A quantum key based single sign-on device comprising:
the first query module is used for querying whether a token corresponding to the user encrypted by the quantum key exists or not when the user logs in the application program;
The first acquisition module is used for acquiring a quantum key from the password service platform if the token corresponding to the user exists;
the first decryption module is used for decrypting the token according to the quantum key;
And the first login module is used for logging in the application program by adopting the token.
12. The apparatus as recited in claim 11, further comprising:
The second acquisition module is used for acquiring the token corresponding to the user from the identity authentication platform if the token corresponding to the user does not exist;
The third acquisition module is used for acquiring the quantum key from the password service platform;
the first encryption module is used for encrypting the token corresponding to the user according to the quantum key;
and the first storage module is used for storing the encrypted token corresponding to the user.
13. The apparatus of claim 12, wherein the first query module comprises:
And the first inquiring sub-module is used for inquiring whether the token corresponding to the user exists in the shared memory.
14. The apparatus of claim 13, wherein the first storage module comprises:
and the first storage sub-module is used for storing the encrypted token corresponding to the user into the shared memory.
15. The apparatus of claim 11, wherein the third acquisition module comprises:
The first sending sub-module is used for sending the session identification of the user to the password service platform, wherein the session identification is obtained according to the user information of the user;
The first receiving sub-module is used for receiving the quantum key sent by the password service platform, and the quantum key is obtained according to the session identification of the user.
16. An electronic device comprising a processor, a memory and a computer program stored on the memory and capable of running on the processor, which when executed by the processor performs the steps of the quantum key based single sign-on method of any one of claims 1-5.
17. A computer readable storage medium, on which a computer program is stored which, when executed by a processor, implements the steps of the quantum key based single sign-on method of any one of claims 1-5.
CN202411101862.3A 2024-08-12 2024-08-12 Single sign-on method, system, device, equipment and medium based on quantum key Pending CN119071038A (en)


Publications (1)

Publication Number Publication Date
CN119071038A true CN119071038A (en) 2024-12-03

Family

ID=93632767

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination