Security authentication method and device based on two-dimensional code and storage medium

Document No.: 115743    Publication date: 2021-10-19

Reading note: this technology, "Security authentication method and device based on two-dimensional code and storage medium", was designed and created by 杨舜同 on 2021-06-29. Its main content is as follows. The disclosure provides a security authentication method, a security authentication device and a storage medium based on a two-dimensional code, intended to solve the technical problem that two-dimensional-code login authentication cannot meet higher security requirements. The technical scheme uses the characteristics of the two-dimensional code and its error correction mechanism to carry a login verification code in the code without damaging its error correction capability: the server side generates a mapping position sequence with a pseudo-random generator seeded from the user name and password, and writes the login verification code into the two-dimensional code according to that sequence. The scanner generates the mapping position sequence locally by the same method as the server side and reads the login verification code from the two-dimensional code according to it. The server side checks whether the login verification code submitted by the client matches its own, thereby achieving secure login authentication. The scheme can be applied in scenarios where the server side and the scanner are network-isolated, and improves the security of the login authentication process.

1. A security authentication method based on two-dimensional codes, characterized in that the method is applied to a server side in an application scenario in which a two-dimensional-code scanner and the server side are network-isolated, and the method comprises the following steps:

generating two-dimensional code label information based on the unique identification information of the server side, and generating the information blocks of the two-dimensional code based on the generated label information;

after a login request sent by a client is received, obtaining the user password from an authentication database according to the user name carried in the request, and generating a seed for a pseudo-random generator based on the user name and the password;

generating, with the pseudo-random generator based on the seed, a mapping position sequence for writing a login verification code into the two-dimensional code;

writing the login verification code generated by the server side into the two-dimensional code based on the mapping position sequence;

and sending the two-dimensional code carrying the written login verification code to the client.

2. The method of claim 1, further comprising:

when an authentication request sent by the client and carrying a login verification code is received, judging whether the login verification code generated by the server side is consistent with the login verification code in the authentication request, and when they are consistent, authorizing the login and feeding back authentication-success information to the client.

3. The method of claim 1, wherein after the login verification code generated by the server side is written into the two-dimensional code based on the mapping position sequence, the method further comprises:

computing a mask for the two-dimensional code to which the login verification code has been added, and applying the computed mask to that two-dimensional code.

4. The method of claim 1, wherein generating the mapping position sequence comprises:

determining the maximum bit width C of the check code that carries the login verification code according to the version and error correction level of the two-dimensional code in use, C being not more than the maximum number of error-correction codewords supported by that version and error correction level;

randomly selecting C blocks from the information blocks of the two-dimensional code using the pseudo-random number generator based on the seed, and expanding the selected C blocks into an initial position sequence of C×8 elements of the form [a, b], where a indicates the serial number of the information block and b indicates the serial number of the corresponding bit within that block;

generating the mapping position sequence by scrambling the order of the elements of the initial position sequence with the pseudo-random number generator based on the seed.

5. A security authentication method based on two-dimensional codes, characterized in that the method is applied to a client in an application scenario in which a two-dimensional-code scanner and a server side are network-isolated, and the method comprises the following steps:

sending a login request carrying a user name to the server side through a login page;

receiving the two-dimensional code carrying a login verification code sent by the server side, and displaying it;

and sending an authentication request carrying the login verification code produced by the scanner to the server side.

6. A security authentication method based on two-dimensional codes, characterized in that the method is applied to a scanner in an application scenario in which the two-dimensional-code scanner and a server side are network-isolated, and the method comprises the following steps:

scanning the two-dimensional code carrying a login verification code that is displayed on the client interface;

generating a seed for a pseudo-random generator based on the user name and password entered by the user;

generating, with the pseudo-random generator based on the seed, a mapping position sequence for reading the login verification code from the two-dimensional code;

and reading the login verification code from the two-dimensional code based on the mapping position sequence and displaying it.

7. The method of claim 6, wherein generating the mapping position sequence comprises:

determining the maximum bit width C of the check code that carries the login verification code according to the version and error correction level of the two-dimensional code in use, C being not more than the maximum number of error-correction codewords supported by that version and error correction level;

randomly selecting C blocks from the information blocks of the two-dimensional code using a pseudo-random number generator consistent with the server side's, based on the seed, and expanding the selected C blocks into an initial position sequence of C×8 elements of the form [a, b], where a indicates the serial number of the information block and b indicates the serial number of the corresponding bit within that block;

generating the mapping position sequence by scrambling the order of the elements of the initial position sequence with the pseudo-random number generator based on the seed.

8. A security authentication device based on two-dimensional codes, applied to a server side in an application scenario in which a two-dimensional-code scanner and the server side are network-isolated, the device comprising:

a mapping sequence generation module, configured to obtain the user password from an authentication database according to the user name carried in a login request sent by a client, to generate a seed for a pseudo-random generator based on the user name and the password, and to generate, with the pseudo-random generator based on the seed, a mapping position sequence for writing a login verification code into the two-dimensional code;

a login verification code generation module, configured to generate the login verification code;

a two-dimensional code generation module, configured to generate two-dimensional code label information based on the unique identification information of the server side, to generate the information blocks of the two-dimensional code based on the generated label information, and to write the login verification code into the two-dimensional code based on the mapping position sequence;

and a transceiver module, configured to receive the login request sent by the client and to send the two-dimensional code carrying the written login verification code to the client.

9. The device of claim 8, wherein the mapping sequence generation module comprises:

a seed generation unit, configured to obtain the user password from the authentication database according to the user name carried in the login request sent by the client, and to generate the seed for the pseudo-random generator based on the user name and the password;

a bit width determination unit, configured to determine the maximum bit width C of the check code that carries the login verification code according to the version and error correction level of the two-dimensional code in use, C being not more than the maximum number of error-correction codewords supported by that version and error correction level;

an initial sequence generation unit, configured to randomly select C blocks from the information blocks of the two-dimensional code using the pseudo-random number generator based on the seed, and to expand the selected C blocks into an initial position sequence of C×8 elements of the form [a, b], where a indicates the serial number of the information block and b indicates the serial number of the corresponding bit within that block;

and a mapping sequence generation unit, configured to generate the mapping position sequence by scrambling the order of the elements of the initial position sequence with the pseudo-random number generator based on the seed.

10. A two-dimensional-code scanner, characterized in that the scanner is applied to an application scenario in which the two-dimensional-code scanner and a server side are network-isolated, and the scanner comprises:

a code scanning unit, configured to scan the two-dimensional code carrying a login verification code that is displayed on the client interface;

a seed generation unit, configured to generate a seed for a pseudo-random generator based on the user name and password entered by the user;

a mapping sequence generation unit, configured to generate, with the pseudo-random generator based on the seed, a mapping position sequence for reading the login verification code from the two-dimensional code;

and a verification code reading unit, configured to read the login verification code from the two-dimensional code based on the mapping position sequence and to display it.

11. The two-dimensional-code scanner of claim 10, wherein the mapping sequence generation unit comprises:

a bit width determination unit, configured to determine the maximum bit width C of the check code that carries the login verification code according to the version and error correction level of the two-dimensional code in use, C being not more than the maximum number of error-correction codewords supported by that version and error correction level;

an initial sequence generation unit, configured to randomly select C blocks from the information blocks of the two-dimensional code using a pseudo-random number generator consistent with the server side's, based on the seed, and to expand the selected C blocks into an initial position sequence of C×8 elements of the form [a, b], where a indicates the serial number of the information block and b indicates the serial number of the corresponding bit within that block;

and a mapping sequence generation sub-unit, configured to generate the mapping position sequence by scrambling the order of the elements of the initial position sequence with the pseudo-random number generator based on the seed.

12. A storage medium on which a computer program is stored which, when executed by a processor, carries out the method steps of any one of claims 1 to 7.

Technical Field

The present disclosure relates to the field of computer technologies, and in particular, to a security authentication method and apparatus based on a two-dimensional code, and a storage medium.

Background

Barcode technology has been in widespread use for more than a decade since its introduction. Barcode applications have spread from the management of commodities, typified by supermarkets and convenience stores, to industries such as transportation and manufacturing, and underpin the construction of many information systems. Nowadays a large number of services offer scan-to-login authentication, which is convenient and reasonably secure.

A common scan-to-login scheme requires both a computer host (the server) and a mobile terminal (such as a mobile phone). After the mobile terminal scans the code, the user enters a user name and a password (upwd) to log in, a universally unique identifier (uuid) is generated and transmitted to the server program, and after authentication the server redirects and the login succeeds. This scheme requires direct communication between the mobile terminal and the server side, and is therefore unsuitable for back-end storage environments with higher security requirements.

Disclosure of Invention

In view of this, the present disclosure provides a security authentication method, device and storage medium based on a two-dimensional code, which are used to solve the technical problem that a two-dimensional code login authentication process cannot meet the requirement of higher security.

Fig. 1 shows a security authentication method based on a two-dimensional code, provided in an embodiment of the present disclosure and applied to a server side in an application scenario in which a two-dimensional-code scanner and the server side are network-isolated. The method comprises:

step 101, generating two-dimensional code label information based on the unique identification information of the server side, and generating the information blocks of the two-dimensional code based on the generated label information;

step 102, after receiving a login request sent by a client, obtaining the user password from an authentication database according to the user name carried in the request, and generating a seed for a pseudo-random generator based on the user name and the password;

step 103, generating, with the pseudo-random generator based on the generated seed, a mapping position sequence for writing a login verification code into the two-dimensional code;

step 104, writing the login verification code generated by the server side into the two-dimensional code based on the mapping position sequence;

and step 105, sending the two-dimensional code carrying the written login verification code to the client.

Further, the method also comprises: when an authentication request sent by the client and carrying a login verification code is received, judging whether the login verification code generated by the server side is consistent with the login verification code in the authentication request, and when they are consistent, authorizing the login and feeding back authentication-success information to the client.

Further, after the login verification code generated by the server side is written into the two-dimensional code based on the mapping position sequence, the method also comprises: computing a mask for the two-dimensional code to which the login verification code has been added, and applying the computed mask to that two-dimensional code.

Further, the step of generating the mapping position sequence comprises:

determining the maximum bit width C of the check code that carries the login verification code according to the version and error correction level of the two-dimensional code in use, C being not more than the maximum number of error-correction codewords supported by that version and error correction level;

randomly selecting C blocks from the information blocks of the two-dimensional code using the pseudo-random number generator based on the seed, and expanding the selected C blocks into an initial position sequence of C×8 elements of the form [a, b], where a indicates the serial number of the information block and b indicates the serial number of the corresponding bit within that block;

generating the mapping position sequence by scrambling the order of the elements of the initial position sequence with the pseudo-random number generator based on the seed.

On the other hand, an embodiment of the present disclosure also provides a security authentication method based on a two-dimensional code, applied to a client in an application scenario in which a two-dimensional-code scanner and a server side are network-isolated. The method comprises:

sending a login request carrying a user name to the server side through a login page;

receiving the two-dimensional code carrying a login verification code sent by the server side, and displaying it;

and sending an authentication request carrying the login verification code produced by the scanner to the server side.

On the other hand, an embodiment of the present disclosure also provides a security authentication method based on a two-dimensional code, applied to a scanner in an application scenario in which the two-dimensional-code scanner and a server side are network-isolated. The method comprises:

scanning the two-dimensional code carrying a login verification code that is displayed on the client interface;

generating a seed for a pseudo-random generator based on the user name and password entered by the user;

generating, with the pseudo-random generator based on the seed, a mapping position sequence for reading the login verification code from the two-dimensional code;

and reading the login verification code from the two-dimensional code based on the mapping position sequence and displaying it.

Further, the step of generating the mapping position sequence comprises:

determining the maximum bit width C of the check code that carries the login verification code according to the version and error correction level of the two-dimensional code in use; C is not more than the maximum number of error-correction codewords supported by that version and error correction level, and is the same C the server side determined when generating its mapping position sequence;

randomly selecting C blocks from the information blocks of the two-dimensional code using a pseudo-random number generator consistent with the server side's, based on the seed, and expanding the selected C blocks into an initial position sequence of C×8 elements of the form [a, b], where a indicates the serial number of the information block and b indicates the serial number of the corresponding bit within that block;

generating the mapping position sequence by scrambling the order of the elements of the initial position sequence with the pseudo-random number generator based on the seed.

Fig. 2 is a schematic structural diagram of a two-dimensional-code-based security authentication device provided in an embodiment of the present disclosure. Each functional module of the device 200 may be implemented in software, in hardware, or in a combination of the two. When several hardware devices jointly implement the technical solution of the present disclosure, they cooperate to achieve the purpose of the disclosure, and the actions and processing results of one party determine when the other party acts and what result it can obtain; the executing entities therefore stand in a relationship of mutual cooperation and of mutual command and control. The device 200 is applied to a server side in an application scenario in which a two-dimensional-code scanner and the server side are network-isolated, and the device 200 comprises:

a mapping sequence generation module 201, configured to obtain the user password from an authentication database according to the user name carried in a login request sent by a client, to generate a seed for a pseudo-random generator based on the user name and the password, and to generate, with the pseudo-random generator based on the seed, a mapping position sequence for writing a login verification code into the two-dimensional code;

a login verification code generation module 202, configured to generate the login verification code;

a two-dimensional code generation module 203, configured to generate two-dimensional code label information based on the unique identification information of the server side, to generate the information blocks of the two-dimensional code based on the generated label information, and to write the login verification code into the two-dimensional code based on the mapping position sequence;

and a transceiver module 204, configured to receive the login request sent by the client and to send the two-dimensional code carrying the written login verification code to the client.

Further, the mapping sequence generation module 201 comprises:

a seed generation unit, configured to obtain the user password from the authentication database according to the user name carried in the login request sent by the client, and to generate the seed for the pseudo-random generator based on the user name and the password;

a bit width determination unit, configured to determine the maximum bit width C of the check code that carries the login verification code according to the version and error correction level of the two-dimensional code in use, C being not more than the maximum number of error-correction codewords supported by that version and error correction level;

an initial sequence generation unit, configured to randomly select C blocks from the information blocks of the two-dimensional code using the pseudo-random number generator based on the seed, and to expand the selected C blocks into an initial position sequence of C×8 elements of the form [a, b], where a indicates the serial number of the information block and b indicates the serial number of the corresponding bit within that block;

and a mapping sequence generation unit, configured to generate the mapping position sequence by scrambling the order of the elements of the initial position sequence with the pseudo-random number generator based on the seed.

On the other hand, the present disclosure further provides a two-dimensional-code scanner, applied to an application scenario in which the two-dimensional-code scanner and a server side are network-isolated. The scanner comprises:

a code scanning unit, configured to scan the two-dimensional code carrying a login verification code that is displayed on the client interface;

a seed generation unit, configured to generate a seed for a pseudo-random generator based on the user name and password entered by the user;

a mapping sequence generation unit, configured to generate, with the pseudo-random generator based on the seed, a mapping position sequence for reading the login verification code from the two-dimensional code;

and a verification code reading unit, configured to read the login verification code from the two-dimensional code based on the mapping position sequence and to display it.

Further, the mapping sequence generation unit of the two-dimensional-code scanner comprises:

(1) a bit width determination unit, configured to determine the maximum bit width C of the check code that carries the login verification code according to the version and error correction level of the two-dimensional code in use; C is not more than the maximum number of error-correction codewords supported by that version and error correction level, and is the same C the server side determined when generating its mapping position sequence;

(2) an initial sequence generation unit, configured to randomly select C blocks from the information blocks of the two-dimensional code using a pseudo-random number generator consistent with the server side's, based on the seed, and to expand the selected C blocks into an initial position sequence of C×8 elements of the form [a, b], where a indicates the serial number of the information block and b indicates the serial number of the corresponding bit within that block;

(3) a mapping sequence generation sub-unit, configured to generate the mapping position sequence by scrambling the order of the elements of the initial position sequence with the pseudo-random number generator based on the seed.

In summary, the technical scheme uses the characteristics of the two-dimensional code and its error correction mechanism to carry the login verification code in the code without damaging its error correction capability: the server side generates a mapping position sequence with a pseudo-random generator seeded from the user name and password, and writes the login verification code into the two-dimensional code according to that sequence. The scanner generates the mapping position sequence locally by the same method as the server side and reads the login verification code from the two-dimensional code according to it. The server side checks whether the login verification code submitted by the client matches its own, thereby achieving secure login authentication. The scheme can be applied in scenarios where the server side and the scanner are network-isolated, and improves the security of the login authentication process.

Drawings

To illustrate the embodiments of the present disclosure, or the technical solutions of the prior art, more clearly, the drawings needed for describing them are briefly introduced below. The drawings described below show only some of the embodiments of the present disclosure; those skilled in the art can derive other drawings from them.

Fig. 1 is a security authentication method based on a two-dimensional code according to an embodiment of the present disclosure;

fig. 2 is a schematic structural diagram of a two-dimensional code-based security authentication device according to an embodiment of the present disclosure;

fig. 3 is a flowchart illustrating a server-side procedure of a security authentication method based on two-dimensional codes according to an embodiment of the present disclosure;

fig. 4 is a schematic structural diagram of a QR code;

fig. 5 is a flowchart illustrating steps of a client of a two-dimensional code security authentication method according to an embodiment of the present disclosure;

fig. 6 is a schematic structural diagram of an electronic device capable of implementing a two-dimensional code security authentication method according to an embodiment of the present disclosure.

Detailed Description

The terminology used in the embodiments of the present disclosure is for the purpose of describing particular embodiments only and is not intended to limit them. As used in the embodiments of the present disclosure, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. The term "and/or" as used in this disclosure encompasses any and all possible combinations of one or more of the associated listed items.

It is to be understood that although the terms first, second, third, etc. may be used herein to describe various kinds of information in the embodiments of the present disclosure, such information is not limited by these terms; the terms only distinguish one kind of information from another. For example, first information may also be called second information, and second information may also be called first information, without departing from the scope of the embodiments of the present disclosure. Depending on the context, the word "if" as used herein may be read as "at the time of", "when" or "in response to determining".

The general idea of the technical scheme is to use the characteristics of the two-dimensional code and the error correction mechanism of its error correction code to carry the login verification code inside the two-dimensional code without destroying its error correction capability. A normal scan of the two-dimensional code still yields its label content, while the scanner of this scheme additionally obtains the login verification code from the same code, enabling fast authentication and login. With this scheme an existing scanner cannot distinguish the two-dimensional code provided by the disclosure from an ordinary one, and even if an attacker knows that the two-dimensional code carries a login verification code, the scheme can still ensure the security of the two-dimensional-code authentication, since reading the code requires the mapping position sequence derived from the user's name and password.

In an application scenario where the client is separate from the scanner, fast login authentication with the technical scheme of the present disclosure may proceed as follows. The user enters the service address at the client and reaches the login page; after the user enters a user name on the login page and presses the login key, the client sends a login request to the server side. On receiving the login request, the server side generates a two-dimensional code containing a login verification code according to the user name carried in the request and its two-dimensional code generation steps, sends the generated code to the client for display in the login page, shows a login verification code input window on the same page, and waits for the user to enter the code. When the user scans the two-dimensional code with a scanner (such as a mobile phone), the scanner asks for the user name and password; it then locally generates the mapping position sequence LN of the login verification code from the entered user name and password in the same way as the server side, reads the login verification code from the two-dimensional code through LN, and displays it. After the user types the login verification code into the input window of the login interface and presses the login key, the client sends a login verification request carrying a hash value of the login verification code to the server side; the server side checks the login verification code on receiving the request, and if the check passes, authentication succeeds.
With the spread of intelligent devices, in an application scenario where the client accessing the service and the scanner are the same physical device, the user can directly invoke the local scanning component to scan on the same machine and obtain the login verification code from the two-dimensional code through it; the remaining steps are the same and are not repeated here.

Fig. 3 is a flowchart illustrating the server-side steps of a security authentication method based on a two-dimensional code according to an embodiment of the present disclosure. The two-dimensional code in the embodiment of fig. 3 is implemented with a Quick Response (QR) code; a QR code is composed of square modules in white and black, which represent the numbers 0 and 1. The QR code standard provides 40 QR versions and can encode various kinds of data, where version 1 has the minimum capacity and version 40 the maximum. The version used depends on the amount of data encoded (letters, numbers, binary, Chinese characters, or combinations thereof) and on the error correction level. The QR code is error-corrected with a Reed-Solomon (RS) code. The RS code has four error correction levels, L, M, Q and H, can correct at most 30% of errors, has good reliability, and allows the data to be read correctly even if part of the code is dirty or damaged.

The step flow shown in fig. 3 is applied to the server, and the specific implementation steps are described as follows:

Step 301, generating QR code label information based on the unique identification information of the distributed storage cluster;

In this embodiment, the type of two-dimensional code adopted is the quick response code QR, the server is a distributed storage cluster, and information that uniquely identifies the distributed storage cluster, such as its name, domain name, virtual IP address, and the like, may be used to generate the QR code label information. The generated QR code label information is encoded to produce the corresponding QR code, and the generated QR code can be scanned by a scanner to obtain the QR code label information.

Step 302, based on the predetermined QR code version and error correction level, generating the corresponding data block and error correction block from the generated QR code label information, thereby determining the data part of the QR code;

The data block carries the content of the label information, and the error correction block is calculated from the data block (without the login verification code) and is used to correct erroneous data in the two-dimensional code. The present disclosure collectively refers to data blocks and error correction blocks as information blocks.

The idea of the present disclosure is to scatter the login verification code (abbreviated as key) across the QR code without destroying the error correction capability of the QR code, so the QR code version and error correction level can be chosen according to the length of the login verification code that must be protected. For example, if the login verification code is 4 characters long, the QR code version and error correction level must at least satisfy the condition that more than 4 characters of erroneous information in the QR code can be corrected.

Usually, when creating a QR code, a mask type (the mask is used to balance the distribution of the black and white modules of the QR code) is calculated according to the data filling. Since the login verification code must be added before mask processing, the QR code in this step is only generated up to the data block and error correction block; the mask type is not calculated yet, but only after the login verification code has been added, so that the balance of black and white modules is ensured after the login verification code key has been put in.

Step 311, after receiving a login request sent by a client, the server acquires the user password from the authentication database according to the user name carried in the request, and generates the seed of a pseudo-random generator based on the user name and the password;

In this disclosure, the user name carried in the request by the client should be understood as a unique identifier of the user, such as the account number registered by the user, the mobile phone number of the user, and the like. At the server side, user information such as the user name and password is stored in the authentication database at the time of user registration.

The present disclosure uses a pseudo-random number generator to map the server-generated login verification code into the information blocks. The present disclosure does not limit the kind of pseudo-random number generator used; in this embodiment a Linear Feedback Shift Register (LFSR) type pseudo-random number generator is used. The quality of the randomness of the pseudo-random sequence produced by this type of generator depends largely on the period of the shift register; for example, the Mersenne Twister algorithm used by Python uses a 19937-stage linear feedback shift register. Since a pseudo-random generator produces the same pseudo-random sequence from the same seed, generating a unique seed from the user name and password input by the user yields a unique pseudo-random sequence, and hence a unique mapping position sequence (LN).

The method for generating the seed of the pseudorandom generator may be various, for example, in an embodiment of the present disclosure, a user name and a password are spliced together, and hash calculation is performed on the spliced user name and password to obtain the seed of the pseudorandom generator.

Step 312, generating the mapping position sequence LN for writing the login verification code into the two-dimensional code, using the pseudo-random generator seeded with the generated seed;

To generate the mapping position sequence LN, the following steps are required:

Step 1: determining the maximum bit width C of the check code carrying the login verification code according to the version and error correction level of the QR code;

For safety, the maximum bit width C of the check code should be less than or equal to the maximum number of blocks of the QR code that can be in error while the data block is still guaranteed to be read correctly. For simplicity, C may be taken as the maximum number of error correction characters supported by the current QR code version and error correction level, i.e., how many information blocks in the two-dimensional code may be corrupted and still be corrected. For example, QR code version 1 has 26 data and error correction blocks in total, and at most 8 erroneous blocks can be tolerated at error correction level H, so C is 8.

Step 2: randomly selecting C blocks from all information blocks of the QR code of that version, using the pseudo-random number generator seeded with the generated seed, and expanding the selected C blocks to generate an initial position sequence;

In this step, each of the C blocks is expanded by traversing its bits, generating an initial position sequence of C × 8 elements of the form [a, b]. Here a indicates the sequence number of the information block, and b indicates the serial number of the corresponding bit within the information block, with value range 0-7.

For example, for a version 1 QR code at level H, C is chosen as 8, and C blocks are selected from all data blocks and error correction blocks of the QR code: Python's random class is used as the random generator, it is initialized with the designated seed, and 8 non-repeating numbers are chosen at random from the range [1, 26]; the 8 chosen numbers correspond to the positions of 8 blocks in the QR code.

Fig. 4 is a schematic structural composition diagram of a QR code. As shown in the figure, the bit numbered 1 in each information block is the Most Significant Bit (MSB); each information block has 8 bits, so C blocks have C × 8 bits in total. The array of length C selected in the previous step is expanded to length C × 8, each element being a two-element array of the form [a, b]. For example, if the 8 randomly determined blocks are [2,8,11,3,21,10,9,26], the initial position sequence generated after expansion is as follows:

{[2,1],[2,2],[2,3],[2,4],[2,5],[2,6],[2,7],[2,8],
[8,1],[8,2],[8,3],[8,4],[8,5],[8,6],[8,7],[8,8],
...
[26,1],[26,2],[26,3],[26,4],[26,5],[26,6],[26,7],[26,8]}.

Step 3: scrambling the elements of the initial position sequence using the pseudo-random number generator seeded with the generated seed, producing the mapping position sequence LN of length C × 8.

For example, using the seed generated earlier, the initial position sequence generated in the previous step, {[2,1], [2,2], [2,3], …, [2,8], [8,1], …, [26,8]}, is shuffled with Python's random class and becomes {[11,5], [3,8], [2,1], …, [26,8], [8,1], …, [2,3]}; the shuffled sequence is the mapping position sequence LN. Scrambling means exchanging the positions of elements in the sequence. Its purpose is to preserve security even when the algorithm is public: sequentially traversing each block would be far too easy to guess, so scrambling is needed to ensure the randomness of the data filling.

For example, Python's random class is used for the scrambling. Since the random class uses a pseudo-random generator whose output sequence is fully determined by the seed it is initialized with, the same pseudo-random generator produces the same sequence from the same seed. Thus the same mapping position sequence LN is obtained as long as the scanner and the server use the same pseudo-random generator and the same seed.

Step 321, the server generates a login verification code;

In order to ensure that the key value differs for each authentication and to resist brute-force guessing of the code hidden in the QR code, the server is recommended to randomly generate a login verification code key of more than 4 characters each time; the number of characters of the login verification code must be less than or equal to C, and the specific length can be determined according to the actual scenario. The login verification code generated by the server may be generated randomly or according to a preset rule; the disclosure does not limit this.

After the server generates the login verification code key, it performs a hash operation on the key to produce the corresponding hash value, and waits for verification from the client. After the user scans the two-dimensional code displayed on the login page with the scanner, the login verification code is displayed on the scanner, and the user can log in to the server to obtain the corresponding service after inputting the login verification code on the login interface of the client.

Step 331, writing the login verification code into the QR code based on the mapping position sequence LN;

In order to make full use of the redundancy of the QR code for security, and considering that the number of characters of the login verification code key may be smaller than the number of characters C that LN can express, the key is padded with 0 up to length C whenever it is shorter than C, and then the binary bits of the login verification code are filled into the QR code at the positions mapped by each item [a, b] in LN.

Step 332, calculating a mask for the QR code into which the login verification code has been written, and performing mask processing on that QR code with the generated mask to produce the final two-dimensional code;

The mask processing is an optional step in this disclosure. The purpose of masking the QR code is to make the black and white modules of the generated final two-dimensional code more uniform.

Step 333, sending the generated two-dimensional code to the client along with the login page, so that the client presents it in the login page.

Fig. 5 is a flowchart illustrating the client-side steps of a two-dimensional code security authentication method according to an embodiment of the present disclosure; the steps cover the client-side code scanning and the server-side authentication process, and specifically include:

Step 501, scanning the two-dimensional code presented on the login page with a scanner, and acquiring the user name and password through the scanner;

After the user sees the two-dimensional code displayed on the login page of the client, the two-dimensional code is scanned with the scanner. Once the two-dimensional code has been successfully recognized, the scanner can be triggered to display a page requiring the user to input the user name and password, and the user name and password input by the user are obtained through an authentication interface.

In the method and device of this disclosure, a binding relationship between a service and a user name can be established in the scanner. After scanning the two-dimensional code, the scanner can recover the correct data block through the error correcting code and identify from it which service the user wants to log in to, so that a history record or list of previously bound service-user relationships is called up from the cache; after the user selects and confirms an entry, the user name and password are obtained from the history record, which saves the user from typing them every time.

Step 502, the scanner judges whether the user name and the password are successfully acquired, if so, step 503 is executed; otherwise, go to step 509;

If the user name and password are obtained, the login authentication scheme provided by the disclosure is adopted; otherwise another login authentication scheme is used.

Step 503, the scanner generates LN locally from the obtained user name and password, using the LN generation method consistent with the server side;

Step 504, the scanner reads the login verification code from the two-dimensional code according to LN, and the user inputs the login verification code on the login page of the client;

The scanner reads the login verification code from the two-dimensional code according to LN, and the login verification code key is obtained by decoding and then removing the 0 padding appended earlier.
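The LN generation of steps 1 to 3 together with the write of step 331 and the read of step 504, as an added example in Python that is not the patent's own code: it simulates the scheme on an array of 26 stand-in codewords (no real RS encoding, masking or module placement is performed), follows the worked example's 1..8 bit numbering with bit 1 as the MSB, and uses SHA-256 over the concatenated user name and password as the seed. All names (derive_seed, generate_ln, write_key, read_key, changed_blocks) and the choice of NUL bytes as padding are this example's own assumptions.

```python
import hashlib
import random

# Hypothetical parameters for a version 1, level H QR code, as the text describes:
# 26 information blocks in total, at most C = 8 corrupted blocks still correctable.
NUM_BLOCKS = 26
C = 8
PAD = "\x00"  # assumption: NUL padding, so a key ending in the digit 0 survives unpadding


def derive_seed(username: str, password: str) -> int:
    """Seed = hash of the user name concatenated with the password (one embodiment in the text)."""
    digest = hashlib.sha256((username + password).encode("utf-8")).digest()
    return int.from_bytes(digest, "big")


def generate_ln(seed: int, num_blocks: int = NUM_BLOCKS, c: int = C) -> list:
    """Steps 1-3: pick C blocks, expand to C*8 [a, b] positions, scramble with the same PRNG."""
    rng = random.Random(seed)  # Python's Mersenne Twister, as the text mentions
    blocks = rng.sample(range(1, num_blocks + 1), c)  # C distinct block numbers in [1, 26]
    # expand: block a -> bits b = 1..8, with b = 1 the most significant bit (Fig. 4 numbering)
    positions = [[a, b] for a in blocks for b in range(1, 9)]
    rng.shuffle(positions)  # step 3: scramble the element order; the result is LN
    return positions


def _bit_mask(b: int) -> int:
    # b = 1 is the MSB of the 8-bit block, b = 8 the LSB
    return 1 << (8 - b)


def write_key(codewords: bytes, ln: list, key: str, c: int = C) -> bytes:
    """Step 331: pad the key to C characters and write its bits at the positions given by LN."""
    if len(key) > c:
        raise ValueError("login verification code longer than C characters")
    padded = key.ljust(c, PAD)
    bits = "".join(f"{ord(ch):08b}" for ch in padded)  # C*8 bits, one per LN entry
    out = bytearray(codewords)
    for bit, (a, b) in zip(bits, ln):
        if bit == "1":
            out[a - 1] |= _bit_mask(b)
        else:
            out[a - 1] &= 0xFF ^ _bit_mask(b)
    return bytes(out)


def read_key(codewords: bytes, ln: list) -> str:
    """Step 504: read the bits back through LN, regroup into characters, strip the padding."""
    bits = "".join("1" if codewords[a - 1] & _bit_mask(b) else "0" for a, b in ln)
    chars = "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))
    return chars.rstrip(PAD)


def changed_blocks(original: bytes, modified: bytes) -> int:
    """Number of information blocks the write altered; must stay <= C for RS correction to succeed."""
    return sum(1 for x, y in zip(original, modified) if x != y)


if __name__ == "__main__":
    # constructed sample: 26 stand-in codewords and a 4-character key
    server_codewords = bytes(range(NUM_BLOCKS))
    seed = derive_seed("alice", "correct horse battery")
    ln = generate_ln(seed)
    qr_codewords = write_key(server_codewords, ln, "7Gk2")
    # the scanner recomputes LN from the same credentials and reads the key back
    scanner_ln = generate_ln(derive_seed("alice", "correct horse battery"))
    print(read_key(qr_codewords, scanner_ln))
    print(changed_blocks(server_codewords, qr_codewords), "blocks altered (<= C)")
```

Because every bit written lands in one of the C chosen blocks, the write never alters more than C information blocks, which is exactly the budget the chosen error correction level can repair.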

Step 505, after the user inputs the login verification code on the login page of the client, the client sends an authentication request to the server, and the request carries the hash value of the login verification code;

After receiving the authentication request sent by the client, the server retrieves the hash value of the login verification code it generated earlier, according to the user name carried in the authentication request or the user name cached in the session, and verifies whether the hash value of the login verification code carried in the authentication request matches its own. If so, the server passes the authentication, authorizes the accessible resources to the client and sends an authentication-success response message to the client; otherwise it sends an authentication-failure response message.

In an embodiment of the present disclosure, the request may also carry the login verification code directly, and the server then compares the login verification code in plaintext. The purpose of comparing login verification codes as hash values is to enhance security.

Step 506, after receiving the authentication response message, the client determines whether the authentication is successful according to the authentication result, if so, step 507 is executed, otherwise, step 508 is executed.

Step 507, the login succeeds, and the page is redirected to the service page.

Step 508, the login fails, the two-dimensional code is refreshed, and the user is prompted to verify again.

Step 509, if obtaining the user name and password fails, this indicates that a common two-dimensional code is being used for login, and the unique identification information of the distributed storage cluster can be obtained from the two-dimensional code.

Besides the QR Code, the technical scheme of the disclosure can also use two-dimensional codes such as Code49 and Code16k to achieve the same purpose; the specific implementation process is similar and is not repeated in the disclosure.

In some application scenarios with higher security requirements, the scanner must be isolated from the management client of the server: the management client and the server are both located in an intranet, and the scanner must not communicate with the storage device management network. With the technical scheme of the disclosure, the scanner can read the check code from the two-dimensional code displayed on the client using only the user name and password input by the user, without any network connection to the server, so login authentication is achieved while the scanner and the server do not communicate. This protects the server network, guarantees a different login verification code for each login authentication, and keeps the computational complexity of the authentication process low while its security is high.

Fig. 6 is a schematic structural diagram of an electronic device capable of implementing a two-dimensional code security authentication method according to an embodiment of the present disclosure, where the device 600 includes: a processor 610 such as a Central Processing Unit (CPU), a communication bus 620, a communication interface 640, and a storage medium 630. Wherein the processor 610 and the storage medium 630 may communicate with each other through a communication bus 620. The storage medium 630 has stored therein a computer program that, when executed by the processor 610, performs the functions of the steps of the methods provided by the present disclosure.

The storage medium may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk memory. In addition, the storage medium may be at least one memory device located remotely from the processor. The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), etc.; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.

It should be recognized that embodiments of the present disclosure can be realized and implemented by computer hardware, a combination of hardware and software, or by computer instructions stored in a non-transitory memory. The method may be implemented in a computer program using standard programming techniques, including a non-transitory storage medium configured with the computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner. Each program may be implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the program(s) can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language. Furthermore, the program can be run on a programmed application specific integrated circuit for this purpose. Further, operations of processes described by the present disclosure may be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The processes described in this disclosure (or variations and/or combinations thereof) may be performed under the control of one or more computer systems configured with executable instructions and may be implemented as code (e.g., executable instructions, one or more computer programs, or one or more applications) executing collectively on one or more processors, by hardware, or combinations thereof. The computer program includes a plurality of instructions executable by one or more processors.

Further, the method may be implemented in any type of computing platform operatively connected to a suitable interface, including but not limited to a personal computer, mini computer, mainframe, workstation, networked or distributed computing environment, separate or integrated computer platform, or in communication with a charged particle tool or other imaging device, and the like. Aspects of the disclosure may be embodied in machine-readable code stored on a non-transitory storage medium or device, whether removable or integrated into a computing platform, such as a hard disk, optically read and/or write storage medium, RAM, ROM, or the like, such that it may be read by a programmable computer, which when read by the storage medium or device, is operative to configure and operate the computer to perform the procedures described herein. Further, the machine-readable code, or portions thereof, may be transmitted over a wired or wireless network. The invention described in this disclosure includes these and other different types of non-transitory computer-readable storage media when such media include instructions or programs that implement the steps described above in conjunction with a microprocessor or other data processor. The disclosure also includes the computer itself when programmed according to the methods and techniques described in this disclosure.

The above description is only an example of the present disclosure and is not intended to limit the present disclosure. Various modifications and variations of this disclosure will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present disclosure should be included in the protection scope of the present disclosure.
