Security access control method, apparatus, device, and computer program product
By using a super SIM card to encrypt, sign, and decrypt authentication messages to generate an accessible list, the problem of low intranet security in traditional network architectures is solved, thereby improving the security and reliability of identity authentication.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- CHINA MOBILE FINANCIAL TECHNOLOGY CO LTD
- Filing Date
- 2025-01-03
- Publication Date
- 2026-07-03
AI Technical Summary
In traditional network architectures, intranet security is low. Malicious users or attackers can penetrate the intranet through various means, exploit vulnerabilities to move laterally, expand the attack range, steal sensitive data, or disrupt critical business operations. Traditional perimeter protection models are unable to keep up with the rapid changes in the network environment.
The authentication message is encrypted and signed by the Super SIM card to generate a single-packet authentication request. The gateway and control terminal are used to decrypt and verify the signature to obtain the access list and control the user's access permissions to the target application.
It enhances the security and reliability of identity authentication, ensures the encrypted transmission of user information and the accuracy of access control, and prevents lateral movement by malicious users.
Smart Images

Figure CN122339697A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of IT security technology, and in particular to secure access control methods, devices, equipment and computer program products. Background Technology
[0002] Currently, mainstream network security architectures primarily focus on protecting the network boundary. This architecture revolves around the network boundary, which is considered the first and most crucial line of defense against external threats. A "connect first, authenticate later" model is generally adopted. Any device or user that crosses the physical or logical boundary and passes authentication is considered a trusted entity, free to move within the internal network and access various resources. In this model, network security is simplified to boundary security. Firewalls, Web Application Firewalls (WAFs), and other security devices are deployed at the boundary, using pre-defined access control lists (ACLs) and complex rule sets to filter and retain malicious traffic.
[0003] With the rapid development of technologies such as big data and cloud computing, the complexity and dynamism of the network environment have increased dramatically, posing unprecedented challenges to traditional perimeter protection models. Network boundaries are no longer clearly defined, but have become blurred and changeable, with significantly increased mobility of devices, users, and data. This change makes traditional "one-size-fits-all" security strategies ineffective, as even the most granular access control policies struggle to keep pace with the rapid changes in the network environment.
[0004] The traditional assumption that "the intranet is secure" in network architecture is no longer valid. With the widespread adoption of remote and mobile work, and the extensive use of IoT devices, the intranet is no longer a closed and controllable environment. Malicious users or attackers can infiltrate the intranet through various means, exploiting vulnerabilities or improper configurations to move laterally, expand their attack scope, and even steal sensitive data or disrupt critical business operations. Therefore, there is an urgent need to develop a method to improve the security and reliability of identity authentication.
[0005] The above content is only used to help understand the technical solution of this application and does not represent an admission that the above content is prior art. Summary of the Invention
[0006] The main purpose of this application is to provide a secure access control method, apparatus, device, and computer program product, which aims to solve the technical problem of low security when accessing applications from a terminal.
[0007] To achieve the above objectives, this application proposes a secure access control method, which is applied to a user terminal and includes:
[0008] The first authentication message is encrypted and signed using the Super SIM card to obtain the encrypted signature message of the first authentication message;
[0009] A single-packet authentication request is generated based on the encrypted signature message. The single-packet authentication request is forwarded to the control terminal through the gateway. The control terminal decrypts and verifies the encrypted signature message in the single-packet authentication request to obtain the accessible list of the target user. The accessible list is then forwarded to the user terminal through the gateway.
[0010] Receive the accessible list forwarded by the gateway, and access the target application through the gateway based on the accessible list.
[0011] In one embodiment, the step of encrypting and signing the first authentication message using a Super SIM card to obtain an encrypted signature message for the first authentication message includes:
[0012] The first authentication message is obtained by concatenating the initial authentication message and the first random number using the Super SIM card;
[0013] The first authentication message is encrypted using the first encryption algorithm to obtain the first encrypted message of the first authentication message.
[0014] The first message digest of the first authentication message is obtained by performing a digest calculation on the first authentication message using a second encryption algorithm.
[0015] The first authentication message and the first message digest are signed using the second private key to obtain the first message signature;
[0016] An encrypted signature message is formed based on the first encrypted message, the first message digest, and the first message signature, which constitutes the first authentication message.
[0017] In one embodiment, the step of encrypting and signing the first authentication message using a Super SIM card to obtain an encrypted signature message of the first authentication message further includes:
[0018] Obtain the target user's user information and the Super SIM card's card identifier;
[0019] The first public key and the second private key of the first authentication message are generated using a third encryption algorithm;
[0020] Based on the user information and card identifier, a third key for the first authentication message is generated using a first encryption algorithm;
[0021] The second private key and the third key are written into the super SIM card, and the second private key and the third key are used to encrypt and sign the first authentication message;
[0022] The first public key and the third key are sent to the control terminal. The first public key and the third key are used to decrypt and verify the encrypted signature message in the single packet authentication request.
[0023] In one embodiment, the step of receiving the accessible list forwarded by the gateway and accessing the target application through the gateway based on the accessible list includes:
[0024] Receive the accessible list sent by the gateway;
[0025] Based on the accessible list, an application access command is generated and sent to the gateway. The gateway parses the command, determines the corresponding target application, opens the target port of the target application, and connects to the target application through the target port.
[0026] In one embodiment, the method is applied to a gateway, and the method includes:
[0027] In response to a single-packet authentication request sent by a user terminal, the initial port of the gateway is closed, and the single-packet authentication request is sent to the control terminal, so that the control terminal decrypts and verifies the encrypted signature message in the single-packet authentication request to obtain the accessible list of the target user, and sends the accessible list to the gateway.
[0028] The gateway receives the accessible list sent by the control terminal and forwards it to the user terminal, so that the user terminal can access the target application through the gateway based on the accessible list.
[0029] In one embodiment, the step of accessing the target application through the gateway based on the accessible list includes:
[0030] Receive an application access instruction sent by the user terminal, wherein the application access instruction is generated by the user terminal based on the accessible list;
[0031] Parse the application access command to determine the target application corresponding to the application access command;
[0032] Open the target port of the target application and connect to the target application through the target port.
[0033] In one embodiment, the method is applied to a control terminal, and the method includes:
[0034] The system receives a single-packet authentication request sent by the gateway. The single-packet authentication request is generated by the user terminal encrypting and signing the first authentication message through the Super SIM card to obtain an encrypted signature message of the first authentication message, and then generating the system based on the encrypted signature message.
[0035] The encrypted signature message in the single-packet authentication request is decrypted and verified to obtain the target user's accessible list. The accessible list is then forwarded to the user terminal through the gateway, so that the user terminal can access the target application through the gateway based on the accessible list.
[0036] In one embodiment, the step of decrypting and verifying the encrypted signature message in the single-packet authentication request to obtain the target user's accessible list includes:
[0037] The encrypted signature message is decrypted using the first public key. When decryption is successful, an intermediate decryption message of the encrypted signature message is generated.
[0038] The intermediate decryption message is decrypted again using a third key to generate a second decryption message of the encrypted signature message;
[0039] The second encrypted message is digested by the second encryption algorithm to obtain the second message digest of the encrypted signature message. If the second message digest is equal to the first message digest, the decryption and signature verification of the encrypted signature message is successful.
[0040] When the decryption and signature verification of the encrypted signature message is successful, the second decrypted message is used for permission verification to obtain the target user's accessible list.
[0041] Furthermore, to achieve the above objectives, this application also proposes a secure access control device, which includes:
[0042] The encryption signature module is used to encrypt and sign the first authentication message through the Super SIM card to obtain the encrypted signature message of the first authentication message;
[0043] The request generation module is used to generate a single-packet authentication request based on the encrypted signature message, forward the single-packet authentication request to the control terminal through the gateway, and the control terminal decrypts and verifies the encrypted signature message in the single-packet authentication request to obtain the accessible list of the target user. The accessible list is then forwarded to the user terminal through the gateway.
[0044] The connection access module is used to receive the accessible list forwarded by the gateway, and access the target application through the gateway based on the accessible list.
[0045] In addition, to achieve the above objectives, this application also proposes a secure access control device, the device comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor, the computer program being configured to implement the steps of the secure access control method as described above.
[0046] In addition, to achieve the above objectives, this application also proposes a storage medium, which is a computer-readable storage medium, on which a computer program is stored, and which, when executed by a processor, implements the steps of the secure access control method described above.
[0047] In addition, to achieve the above objectives, this application also provides a computer program product, which includes a computer program that, when executed by a processor, implements the steps of the secure access control method described above.
[0048] One or more technical solutions proposed in this application have at least the following technical effects:
[0049] This application proposes a secure access control method, apparatus, device, and computer program product. It encrypts and signs a first authentication message using a super SIM card to obtain an encrypted signature message. Based on the encrypted signature message, a single-packet authentication request is generated and forwarded to a control terminal via a gateway. The control terminal decrypts and verifies the encrypted signature message in the single-packet authentication request to obtain an accessible list for the target user. This accessible list is then forwarded to the user terminal via the gateway. The user terminal receives the accessible list forwarded by the gateway and accesses the target application based on the accessible list through the gateway. By authenticating user information based on a single-packet authentication request and establishing a connection only after successful verification, the security and reliability of identity authentication are improved. Attached Figure Description
[0050] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application.
[0051] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, for those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0052] Figure 1 This is a flowchart illustrating an embodiment of the secure access control method of this application.
[0053] Figure 2 Example diagram of a card writing instruction provided in an embodiment of the security access control method of this application;
[0054] Figure 3 A flowchart for generating a key is provided for an embodiment of the secure access control method of this application;
[0055] Figure 4 A simplified flowchart of the secure access control method provided in the embodiments of this application;
[0056] Figure 5 This is a schematic diagram of the module structure of the secure access control device according to an embodiment of this application;
[0057] Figure 6 This is a schematic diagram of the device structure of the hardware operating environment involved in the secure access control method in the embodiments of this application.
[0058] The purpose, features, and advantages of this application will be further explained in conjunction with the embodiments and with reference to the accompanying drawings. Detailed Implementation
[0059] It should be understood that the specific embodiments described herein are merely illustrative of the technical solutions of this application and are not intended to limit this application.
[0060] To better understand the technical solution of this application, a detailed description will be provided below in conjunction with the accompanying drawings and specific implementation methods.
[0061] The main solution of this application embodiment is as follows: First, the first authentication message is encrypted and signed using a Super SIM card to obtain an encrypted signature message for the first authentication message; a single-packet authentication request is generated based on the encrypted signature message; the single-packet authentication request is forwarded to the control terminal through a gateway; the control terminal decrypts and verifies the encrypted signature message in the single-packet authentication request to obtain the accessible list of the target user; the accessible list is forwarded to the user terminal through a gateway; the accessible list forwarded by the gateway is received; and the target application is accessed through the gateway based on the accessible list.
[0062] In this embodiment, for ease of description, the following description will focus on the identification of the security access control device as the executing entity.
[0063] Currently, mainstream network security architectures primarily focus on protecting the network boundary. This architecture revolves around the network boundary, which is considered the first and most crucial line of defense against external threats. A "connect first, authenticate later" model is generally adopted. Any device or user that crosses the physical or logical boundary and passes authentication is considered a trusted entity, free to move within the internal network and access various resources. In this model, network security is simplified to boundary security. Firewalls, Web Application Firewalls (WAFs), and other security devices are deployed at the boundary, using pre-defined access control lists (ACLs) and complex rule sets to filter and retain malicious traffic.
[0064] With the rapid development of technologies such as big data and cloud computing, the complexity and dynamism of the network environment have increased dramatically, posing unprecedented challenges to traditional perimeter protection models. Network boundaries are no longer clearly defined, but have become blurred and changeable, with significantly increased mobility of devices, users, and data. This change makes traditional "one-size-fits-all" security strategies ineffective, as even the most granular access control policies struggle to keep pace with the rapid changes in the network environment.
[0065] The traditional assumption that "the intranet is secure" in network architecture is no longer valid. With the widespread adoption of remote and mobile work, and the extensive use of IoT devices, the intranet is no longer a closed and controllable environment. Malicious users or attackers can infiltrate the intranet through various means, exploiting vulnerabilities or improper configurations to move laterally, expand their attack scope, and even steal sensitive data or disrupt critical business operations. Therefore, there is an urgent need to develop a method to improve the security and reliability of identity authentication.
[0066] This application provides a solution that first authenticates the user's information based on a single-packet authentication request, and then allows connection access after successful verification, thereby improving the security and reliability of identity authentication.
[0067] It should be noted that the executing entity in this embodiment can be a computing service device with data processing, network communication, and program execution functions, such as a tablet computer, personal computer, or mobile phone, or an electronic device or security access control device capable of performing the above functions. The following description uses a security access control device as an example to illustrate this embodiment and the subsequent embodiments.
[0068] Based on this, embodiments of this application provide a secure access control method, referring to... Figure 1 , Figure 1 This is a flowchart illustrating the first embodiment of the secure access control method of this application.
[0069] In this embodiment, the secure access control method is applied to a user terminal, and the method includes steps S11 to S13:
[0070] Step S11: Encrypt and sign the first authentication message using the Super SIM card to obtain the encrypted signature message of the first authentication message.
[0071] It should be noted that a user terminal refers to a device that interacts directly with the user, such as a smartphone, tablet, or dedicated hardware terminal. In this application, the user terminal can collect user information (such as username, password, device ID, timestamp) and the SEID of the Super SIM card.
[0072] Additionally, it should be noted that a Super SIM card is a type of SIM card that integrates more security features.
[0073] Specifically, the first authentication message is obtained by concatenating the initial authentication message and the first random number using the Super SIM card; the first authentication message is encrypted using the first encryption algorithm to obtain the first encrypted message of the first authentication message; the first message digest of the first authentication message is obtained by calculating the digest of the first authentication message using the second encryption algorithm; the first authentication message and the first message digest are signed using the second private key to obtain the first message signature; and the encrypted signature message of the first authentication message is constructed based on the first encrypted message, the first message digest, and the first message signature.
[0074] More specifically, the terminal transmits user information to the SIM card through the SIM card channel. The SIM card encrypts and signs the user information using an agreed algorithm, and then responds to the terminal. The user information authentication signature APDU instructions are shown in Table 1:
[0075] APDU head Command (hex) meaning CLA 0x00 Indicates the security level of the instruction. INS 0xCB Instruction Code P1 00 Command parameter 1 P2 00 Command parameter 2 data xx Specific data required to execute instructions Lc xx Length of command data Le xx Expected length of response data to be received
[0076] Table 1
[0077] Here, CLA represents the security level of the instruction. INS represents the operation or command to be executed; different INS values represent different instruction functions, such as reading a binary file or updating a record. P1 is used to provide additional parameters or options to support INS instructions; P2 is similar to P1, providing additional parameters or options. Lc is the command data length, used to specify the length of the instruction data field. Le refers to the length of the response data that the receiver expects to receive. data is the command data, containing the specific data required to execute the instruction.
[0078] Please refer to Table 2 for the data format of the data command in Table 1:
[0079] Fields length value M / O User Information 0x40 User Information M Padding 0~16 Encryption padding M MAC 0x04 MAC value M
[0080] Table 2
[0081] In this context, M / O represents required / optional data, where M indicates that the data is required and O indicates that the data is optional.
[0082] Step S12: Generate a single-packet authentication request based on the encrypted signature message, forward the single-packet authentication request to the control terminal through the gateway, and have the control terminal decrypt and verify the encrypted signature message in the single-packet authentication request to obtain the target user's accessible list. Then, forward the accessible list to the user terminal through the gateway.
[0083] It should be noted that the gateway is located between the user terminal and the backend server, and is responsible for forwarding requests and responses, enforcing some security policies, and controlling the ports accessed by the terminal.
[0084] Additionally, it should be noted that the control center is responsible for processing authentication requests from the gateway, verifying the user's identity and permissions; if the verification is successful, the control center issues an access token to the user and returns the verification result and a list of the user's authorized access permissions to the gateway.
[0085] Additionally, it's important to note that a Single Packet Authentication Request (SPA) is a special data packet sent by the client to the server. This packet contains encrypted information for authentication. Through SPA technology, the client can prove its identity and gain access to the server without exposing excessive information. The technical principles of SPA SPA primarily include encryption (SPA uses strong encryption algorithms (such as AES or RSA) to protect authentication information and ensure packet security), minimizing information exposure (by sending only a single encrypted data packet, SPA minimizes the amount of information exposed on the network, reducing the risk of malicious analysis), timestamps, and one-time tokens (to prevent replay attacks, SPA SPA SPA typically includes timestamps and / or one-time tokens to ensure the uniqueness of each data packet). The structure and format of an SPA SPA typically include encrypted authentication information, a timestamp, a one-time token, and a client identifier.
[0086] Specifically, after the Super SIM card encrypts and signs the first authentication message, it sends the encrypted and signed message to the user terminal (hereinafter referred to as "terminal"). The terminal receives the encrypted and signed message from the Super SIM card through the SIM card channel and constructs an SPA single-packet authentication request based on the encrypted and signed message. The terminal configures the relevant parameters of the UDP protocol, including the destination address (the IP address of the gateway), the destination port (the UDP port that the gateway listens on), the source address (the IP address of the terminal), and the source port (the UDP port selected by the terminal). The terminal encapsulates the SPA single-packet authentication request into a UDP data packet and sends it to the gateway through the network, thus initiating SPA single-packet authentication to the gateway through the UDP protocol.
[0087] Step S13: Receive the accessible list forwarded by the gateway, and access the target application through the gateway based on the accessible list.
[0088] It should be noted that the target application refers to the backend service or software program that the user wants to access through the terminal.
[0089] Additionally, it's important to note that the accessible list refers to the list of resources or applications that a user is authorized to access after being verified by the control center. This list typically contains detailed information about all resources or applications that a user can access based on their identity and permissions. It helps the control center, gateway, and endpoint work together to achieve precise control and management of user access permissions.
[0090] Specifically, the system receives an accessible list sent by the gateway; generates an application access instruction based on the accessible list, and sends the application access instruction to the gateway. The gateway parses the instruction to determine the corresponding target application, opens the target port of the target application, and connects to the target application through the target port.
[0091] This embodiment improves the security and reliability of identity authentication by first authenticating the user's information based on a single packet authentication request, and then allowing connection access only after successful verification.
[0092] Based on the above implementation scheme, in one feasible implementation, the step of encrypting and signing the first authentication message using the Super SIM card to obtain the encrypted signature message of the first authentication message includes S21 to S25:
[0093] Step S21: The first authentication message is obtained by concatenating the initial authentication message and the first random number using the Super SIM card.
[0094] It should be noted that the initial authentication message consists of user information such as username, password, device ID, timestamp, and SEID of the Super SIM card.
[0095] Additionally, it should be noted that the first random number refers to a number randomly generated by the Super SIM card application.
[0096] Specifically, the terminal obtains user information such as username, password, device ID, timestamp, and Super SIM card SEID as an initial authentication message, and sends the initial authentication message to the Super SIM card. The SIM card then concatenates the initial authentication message with a first random number to obtain the first authentication message. For example, after the SIM card obtains the initial authentication message, the card application generates a random number X, and concatenates the random number X with the username, password, device ID, timestamp, SEID, etc., from the initial authentication message to obtain the first authentication message C.
[0097] Step S22: The first authentication message is encrypted using the first encryption algorithm to obtain the first encrypted message of the first authentication message.
[0098] It should be noted that the first encryption algorithm refers to the SM4 algorithm.
[0099] Specifically, the first authentication message is encrypted using the SM4 encryption algorithm based on the third key to obtain the first encrypted message. The encryption process is represented as: C1 = SM4(C, K3), where C1 is the first encrypted message, C is the first authentication message, K3 is the third key, and SM4 refers to the SM4 algorithm.
[0100] Step S23: Calculate the digest of the first authentication message using the second encryption algorithm to obtain the first message digest of the first authentication message.
[0101] It should be noted that the second encryption algorithm refers to the SM3 algorithm.
[0102] Specifically, the first authentication message C is digested using the SM3 algorithm to obtain the first message digest H, which is used to verify the integrity of the first authentication message during transmission.
[0103] Step S24: Sign the first authentication message and the first message digest using the second private key to obtain the first message signature.
[0104] Specifically, the first authentication message C and the first message digest H are signed using the second private key K2 to obtain the first message signature S. The first message signature S is used to verify the authenticity and origin of the first authentication message.
[0105] Step S25: Construct an encrypted signature message for the first authentication message based on the first encrypted message, the first message digest, and the first message signature.
[0106] Specifically, an encrypted signature message for the first authentication message is constructed based on the first encrypted message, the first message digest, and the first message signature. The encrypted signature message is used as data to be returned to the terminal. The encrypted signature message (first encrypted message C1, first message digest H, and first message signature S) is sent to the terminal using the card-machine channel between the super SIM card and the terminal (such as SIM card interface, APDU command, etc.).
[0107] This embodiment improves data encryption security by generating random numbers as message random factors and superimposing a super SIM identifier as an authentication factor through the above scheme.
[0108] Based on the above implementation scheme, in one feasible implementation, before the step of encrypting and signing the first authentication message using the Super SIM card to obtain the encrypted signature message of the first authentication message, steps S31 to S35 are further included:
[0109] Step S31: Obtain the target user's user information and the Super SIM card's card identifier.
[0110] It should be noted that the target user's user information includes, but is not limited to, username and password; the card identifier of the Super SIM card refers to SEID, which is a 10-byte hexadecimal string composed of factors such as year, card manufacturer, and version, and ensures that each card is unique.
[0111] Specifically, the terminal app initiates a card reading request to the Super SIM card through the SIM card channel. This request is used to obtain the Super SIM card's unique identifier, SEID. Upon receiving the request, the Super SIM card sends the SEID to the terminal through the SIM card channel. The terminal obtains user information, including but not limited to username and password. The terminal then uploads the user information and SEID to the user management platform via HTTPS encryption. The user management platform verifies the user's legitimacy. If verification is successful, the platform uploads the user information and SEID to the cryptography platform to apply for a key for the user. The cryptography platform then generates a key for the user.
[0112] Step S32: Generate the first public key and the second private key for the first authentication message using the third encryption algorithm.
[0113] It should be noted that the third encryption algorithm refers to the SM2 algorithm. The SM2 algorithm is a public-key cryptography algorithm based on elliptic curve cryptography (ECC). The core of the SM2 algorithm is the elliptic curve equation y² = x² / 2. 3 The public and private keys are generated by multiplying the base point G by the incrementing operation d + ax + b. The private key d is a secret integer, and the public key P is obtained by multiplying the private key by the base point G, i.e., P = dG. The first public key and the second private key are an asymmetric key pair generated based on the SM2 algorithm.
[0114] Specifically, an asymmetric key pair (first public key K1 and second private key K2) is generated based on the SM2 algorithm and used for signing and verifying the first authentication message.
[0115] Step S33: Based on the user information and card identifier, generate a third key for the first authentication message using a first encryption algorithm.
[0116] It should be noted that the first encryption algorithm refers to the SM4 algorithm, a symmetric encryption algorithm. The SM4 algorithm has a block size and key length of 128 bits (16 bytes), meaning the plaintext is divided into 128-bit blocks, and each block is then encrypted. The SM4 algorithm mainly consists of two modules: an encryption / decryption module and a key expansion module. The operations included in these modules are XOR, shift transformation, and box transformation. The 128-bit plaintext data is encrypted using the SM4 algorithm to output 128-bit encrypted data. The entire encryption / decryption process requires 32 rounds of non-linear iteration. In each round, the input 128-bit plaintext is divided into four 32-bit groups, and a series of operations are performed to obtain a new state. These operations include XOR, box transformation, and shift transformation. After the 32nd round, the four 32-bit states are output as the encrypted ciphertext. The decryption process is similar to the encryption process, but the order of the round keys is reversed.
[0117] Specifically, based on the SM4 algorithm, the username and SEID are used as scattering factors to generate the third key for SPA single-packet authentication session data encryption. For example, based on the SM4 algorithm, the third key is generated using the username "user" and SEID as scattering factors, specifically: K3 = SM4(user, SEID), where K3 refers to the third key, "user" refers to the username, and SEID refers to the card identifier of the Super SIM card.
[0118] Step S34: Write the second private key and the third key into the super SIM card. The second private key and the third key are used to encrypt and sign the first authentication message.
[0119] Specifically, the second private key K2 and the third key K3 are written into the Super SIM card through an encrypted channel. The second private key K2 and the third key K3 are used to perform a tensile encrypted signature on the first authentication message on the Super SIM card.
[0120] More specifically, the process of writing the key to the Super SIM card is as follows: The terminal box and SIM card establish a BIP channel. Through the BIP channel, the asymmetric key generated by the cryptographic platform (first public key K1, second private key K2) and the third key K3 generated by the SM4 algorithm are written to the card storage area of the Super SIM card. The data personalization APDU instructions are shown in Table 3.
[0121] APDU head Command (hex) meaning CLA 0x80 Indicates the security level of the instruction. INS 0xCC Instruction Code P1 00 Command parameter 1 P2 00 Command parameter 2 data xx Specific data required to execute instructions Lc xx Length of command data Le xx Expected length of response data to be received
[0122] Table 3
[0123] Here, CLA represents the security level of the instruction, with 0x80 indicating encryption at security level 01. INS represents the operation or command to be executed; different INS values represent different instruction functions, such as reading a binary file or updating a record. P1 provides additional parameters or options to support INS instructions; P2 is similar to P1, providing additional parameters or options. Lc is the command data length, used to specify the length of the instruction data field. Le refers to the length of the response data the receiver expects to receive. data is the command data, containing the specific data required to execute the instruction.
[0124] Please refer to Table 4 for the data format of the data command in Table 1:
[0125]
[0126]
[0127] Table 4
[0128] Among them, M / O indicates mandatory / optional, M means the data is mandatory, and O means the data is optional. The plaintext of the SM2 public key refers to the plaintext of the first public key; the plaintext of the SM2 private key refers to the plaintext of the second private key; the plaintext of the SM4 key refers to the plaintext of the third key.
[0129] For better understanding, please refer to Figure 2 , Figure 2 Figure 0000339 is an example diagram of the instruction format for writing the generated key into the SIM card. In Figure 2 the plaintexts of the SM2 public key (the first public key), the SM2 private key (the second private key), and the SM4 key (the third key) are illustrated. The plaintext of the first public key is represented by red numbers, the second private key by green numbers, and the third key by orange numbers. The specific values of the instructions in Table 3 are concatenated with the plaintexts of the three keys, and the write card instruction is obtained by adding the Padding and MAC placeholders generated according to the specific situation: 80CC0000<public key><private key><SM4 key> <padding> <mac>,like Figure 2 The instructions for writing to the card are shown.
[0130] Step S35: Send the first public key and the third key to the control terminal. The first public key and the third key are used to decrypt and verify the encrypted signature message in the single packet authentication request.
[0131] Specifically, the first public key K1 and the third key K3 are sent to the control terminal. The first public key K1 and the third key K3 are used to decrypt and verify the encrypted signature message in the single packet authentication request data.
[0132] For better understanding, please refer to Figure 3 , Figure 3 A flowchart for generating a key provided in this application embodiment:
[0133] First, the terminal (user terminal) initiates a key request and obtains user information from the user management module. Then, the terminal requests the SIM card to provide its unique identifier (SEID), and the SIM card responds and returns the SEID to the terminal.
[0134] Then, after obtaining the SEID, the terminal uploads the user information and SEID to the user management module. The user management module is responsible for verifying the validity of the user information. Once the user information is verified, the user management module sends the user information and SEID to the cryptographic platform to request the generation of a key pair, including a public key (first public key K1) and a private key (second private key K2).
[0135] Finally, upon receiving the key generation request, the cryptographic platform generates a unique asymmetric key pair for the user and returns the key information to the user management module. Upon receiving the key information, the user management module saves the public key K1 and the data key (third key K3), and simultaneously writes the user's private key K2 and the data key K3 into the SIM card for subsequent secure communication and data protection.
[0136] Based on the above implementation scheme, in one feasible implementation, the step of receiving the accessible list forwarded by the gateway and accessing the target application through the gateway based on the accessible list includes S41 to S42:
[0137] Step S41: Receive the accessible list sent by the gateway.
[0138] Specifically, the terminal receives the accessible list returned by the gateway, parses this information, and displays a list of accessible applications to the user. This list is usually a graphical interface, where the user can initiate an access request to a specific application by clicking or selecting it.
[0139] Step S42: Generate an application access instruction based on the accessible list, and send the application access instruction to the gateway. The gateway parses the instruction to determine the corresponding target application, opens the target port of the target application, and connects to the target application through the target port.
[0140] It should be noted that the application access command is based on the user's selection operation on the terminal interface based on the accessible list. The command is generated in response to the user's selection operation and is used to access the target application in the accessible list.
[0141] Specifically, the user views the accessible list displayed on the terminal and selects the desired application. Based on the user's selection, the terminal establishes an HTTPS request connection with the gateway, carrying a user token (as authentication credentials), and sends an application access instruction to the gateway. The HTTPS connection ensures the security of data transmission, preventing data theft or tampering during transmission. The gateway receives the application access instruction from the terminal, parses the user token and requested application information carried in the request, and determines the selected target application and its corresponding target port. The gateway verifies the validity of the user token; if the user token is valid, the gateway opens the target port corresponding to the target application, allowing the user's request to pass through.
[0142] Furthermore, the gateway forwards the request to the corresponding target application based on the request content (such as the request URL, parameters, etc.). The target application performs the corresponding operation based on the request content and generates a response. After processing the request, the target application generates response data, which can be any form of data such as text, images, or videos, and returns the response data to the gateway. After receiving the response content returned by the business application, the gateway encapsulates it into an HTTPS response packet; the gateway returns the response packet to the terminal through the established HTTPS connection; the terminal parses the response packet, extracts the response data, and then displays it to the user.
[0143] This embodiment, through the above-described scheme, places the control terminal after the gateway as the policy control center, thereby alleviating the service pressure on the gateway and improving the overall authentication efficiency and system reliability.
[0144] Based on the above implementation scheme, in one feasible implementation, the method is applied to a gateway, and the method includes steps S51 to S52:
[0145] Step S51: In response to the single-packet authentication request sent by the user terminal, the initial port of the gateway is closed, and the single-packet authentication request is sent to the control terminal, so that the control terminal decrypts and verifies the encrypted signature message in the single-packet authentication request to obtain the accessible list of the target user, and sends the accessible list to the gateway.
[0146] Specifically, the gateway listens for and receives single-packet authentication requests from user terminals. These requests contain encrypted signature messages and are used to verify the user's identity and permissions. Upon receiving a single-packet authentication request, the gateway temporarily closes all ports and forwards the request to the control terminal. Upon receiving the authentication request, the control terminal uses a pre-defined decryption algorithm and key to decrypt and verify the encrypted signature message. If the decryption and verification are successful, the control terminal extracts user information, terminal ID, and the SEID information of the Super SIM card from the decrypted message. Based on the user information, it obtains the accessible list and generates an access token for the user. This access token contains the user's identity and permission information. The control terminal then sends the accessible list, the user token, and the decryption and verification result to the gateway.
[0147] Step S52: Receive the accessible list sent by the control terminal and forward it to the user terminal, so that the user terminal can access the target application through the gateway based on the accessible list.
[0148] Specifically, the gateway receives the accessible list, user token, and decryption verification result returned by the control terminal, and forwards this information to the user terminal. Upon receiving the accessible list, the terminal displays it to the user, who then selects the desired application. Based on the user's selection, the terminal establishes a TCP-based HTTPS request connection with the gateway, carrying the user token (as authentication credentials), and sends an application access command to the gateway. The gateway receives the application access command sent by the user terminal, which is generated by the user terminal based on the accessible list; parses the application access command to determine the target application corresponding to it; opens the target port of the target application, and connects to access the target application through the target port.
[0149] Based on the above implementation scheme, in one feasible implementation, the step of accessing the target application through the gateway based on the accessible list includes S61 to S63:
[0150] Step S61: Receive an application access instruction sent by the user terminal, wherein the application access instruction is generated by the user terminal based on the accessible list.
[0151] Specifically, the gateway continuously listens to user terminals and receives application access commands from them. Upon receiving a request, the gateway may need to verify its legitimacy, such as checking whether the request originates from a legitimate user terminal and whether the request format is correct. Based on the accessible list displayed on the terminal, the user selects the target application they wish to access. The terminal, according to the user's selection, sends an application access command to the gateway, carrying the user's token and specifying the target application the user wants to access.
[0152] Step S62: Parse the application access instruction and determine the target application corresponding to the application access instruction.
[0153] Specifically, the gateway parses the received application access command to extract key information. Based on the extracted information, the gateway searches its internal application list or database for the corresponding target application to determine the application the user wants to access. After determining the target application, the gateway finds the target port for that application.
[0154] Step S63: Open the target port of the target application and access the target application through the target port.
[0155] Specifically, after the gateway receives a single-packet authentication request from the user terminal, it closes all ports of the gateway. Therefore, after determining the target port of the target application, it opens the target port, and the gateway will establish a connection with the target application through the target port to access it.
[0156] Based on the above implementation scheme, in one feasible implementation, the method is applied to a control terminal, and the method includes steps S71 to S72:
[0157] Step S71: Receive a single-packet authentication request sent by the gateway. The single-packet authentication request is generated by the user terminal encrypting and signing the first authentication message through the super SIM card to obtain an encrypted signature message of the first authentication message, and generating the authentication message based on the encrypted signature message.
[0158] Specifically, the control terminal continuously listens for requests sent by the gateway and receives single-packet authentication requests from the gateway. The single-packet authentication request is generated by the user terminal encrypting and signing the first authentication message using the Super SIM card to obtain an encrypted signature message for the first authentication message, and then generating the authentication service based on the encrypted signature message.
[0159] Step S72: Decrypt and verify the encrypted signature message in the single packet authentication request to obtain the target user's accessible list. Then, forward the accessible list to the user terminal through the gateway so that the user terminal can access the target application through the gateway based on the accessible list.
[0160] Specifically, from the received single-packet authentication request, the control terminal extracts the encrypted signature message. The encrypted signature message is decrypted using a first public key. If decryption is successful, an intermediate decrypted message is generated. The intermediate decrypted message is then decrypted again using a third key to generate a second decrypted message. A digest is calculated from the second decrypted message using a second encryption algorithm to obtain a second message digest of the encrypted signature message. If the second message digest and the first message digest are equal, the decryption verification of the encrypted signature message passes. When the decryption verification of the encrypted signature message passes, permission verification is performed on the second decrypted message to obtain the target user's accessible list. The accessible list is forwarded to the user terminal through a gateway, enabling the user terminal to access the target application through the gateway based on the accessible list.
[0161] Based on the above implementation scheme, in one feasible implementation, the step of decrypting and verifying the encrypted signature message in the single-packet authentication request to obtain the target user's accessible list includes S81 to S84:
[0162] Step S81: Decrypt the encrypted signature message using the first public key. When decryption is successful, generate an intermediate decryption message for the encrypted signature message.
[0163] Specifically, the control terminal decrypts the encrypted signature message in the single-packet authentication request using the first public key K1. If decryption fails, it indicates that the verification has failed, and the verification result is sent to the gateway. If decryption succeeds, an intermediate decryption message of the encrypted signature message is generated, and the next verification step is performed.
[0164] Step S82: The intermediate decryption message is decrypted again using the third key to generate the second decryption message of the encrypted signature message.
[0165] Specifically, the intermediate decrypted message is decrypted again using the third key K3 to obtain the second decrypted message C2.
[0166] Step S83: Calculate the digest of the second decrypted message using the second encryption algorithm to obtain the second message digest of the encrypted signature message. If the second message digest is equal to the first message digest, the decryption and signature verification of the encrypted signature message is successful.
[0167] Specifically, the message content of the second decryption message C2 is digested using the SM3 algorithm (the second encryption algorithm) to obtain the second message digest H1. This second message digest is then compared with the first message digest. If the second message digest H1 and the first message digest H are equal (i.e., H1 = H), the decryption verification of the encrypted signature message passes. If H1 ≠ H, it indicates that the decryption verification of the encrypted signature message fails, the verification fails, and the control end sends the verification result to the gateway.
[0168] Step S84: When the decryption verification of the encrypted signature message passes, the second decrypted message is subjected to permission verification to obtain the target user's accessible list.
[0169] Specifically, when the encrypted signature message passes decryption verification, user information, terminal ID, and the SEID of the Super SIM card are extracted from the second decrypted message. The user information is verified to determine its authenticity and accuracy, and then the target user's access list is extracted. An access token is generated for the verified target user, containing key information such as user identity information, a list of accessible permissions, and the token's validity period.
[0170] For a better understanding, please refer to Figure 4 , Figure 4 A simplified flowchart of the secure access control method provided in the embodiments of this application:
[0171] First, the terminal (user terminal) acquires user information and terminal information, then encrypts and signs the data via the SIM card. The SM4 algorithm and key K3 are used to encrypt the data, and the SM3 algorithm is used to calculate the message digest to ensure data integrity. The encrypted and signed authentication message is packaged and sent through the UP interface for SPA (SIM Card Authentication) authentication.
[0172] Then, upon receiving an SPA message, the gateway closes all ports and only responds to specific SPA messages. The message is then uploaded to the control center (control terminal), where it decrypts the message using public key K1 and calculates the message digest again using the SM3 algorithm to verify its consistency. If the verification passes, the control center checks the user's permissions and sends the verification result and permission information back to the gateway.
[0173] Finally, after receiving the verification result, the gateway will open the corresponding port, allowing secure TCP connection requests. Upon receiving the gateway's verification result and authorization information, the terminal will establish an access connection and open the corresponding port according to the access request. Finally, the application will return the request result to the terminal, completing the entire authentication and data transmission process.
[0174] It should be noted that the above examples are only for understanding this application and do not constitute a limitation on the secure access control method of this application. Any simple modifications based on this technical concept are within the protection scope of this application.
[0175] This application also provides a secure access control device; please refer to... Figure 5 The secure access control device includes:
[0176] The encryption signature module 501 is used to encrypt and sign the first authentication message through the super SIM card to obtain the encrypted signature message of the first authentication message;
[0177] The request generation module 502 is used to generate a single-packet authentication request based on the encrypted signature message, forward the single-packet authentication request to the control terminal through the gateway, and the control terminal decrypts and verifies the encrypted signature message in the single-packet authentication request to obtain the accessible list of the target user. The accessible list is then forwarded to the user terminal through the gateway.
[0178] The connection access module 503 is used to receive the accessible list forwarded by the gateway, and access the target application through the gateway based on the accessible list.
[0179] The secure access control device provided in this application, employing the secure access control method described in the above embodiments, can solve the technical problem of low security when a terminal accesses an application. Compared with the prior art, the beneficial effects of the secure access control device provided in this application are the same as those of the secure access control method described in the above embodiments, and other technical features in the secure access control device are the same as those disclosed in the methods of the above embodiments, and will not be repeated here.
[0180] This application provides a secure access control device, which includes: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, which are executed by the at least one processor to enable the at least one processor to perform the secure access control method in Embodiment 1 above.
[0181] The following is for reference. Figure 6 This document illustrates a structural diagram of a secure access control device suitable for implementing embodiments of this application. The secure access control device in these embodiments may include, but is not limited to, mobile terminals such as mobile phones, laptops, digital broadcast receivers, PDAs (Personal Digital Assistants), PADs (Portable Application Description), PMPs (Portable Media Players), and in-vehicle terminals (e.g., in-vehicle navigation terminals), as well as fixed terminals such as digital TVs and desktop computers. Figure 6 The security access control device shown is merely an example and should not impose any limitations on the functionality and scope of use of the embodiments of this application.
[0182] like Figure 6 As shown, the security access control device may include a processing unit 1001 (e.g., a central processing unit, a graphics processing unit, etc.), which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 1002 or a program loaded from a storage device 1003 into a random access memory (RAM) 1004. The RAM 1004 also stores various programs and data required for the operation of the security access control device. The processing unit 1001, ROM 1002, and RAM 1004 are interconnected via a bus 1005. An input / output (I / O) interface 1006 is also connected to the bus. Typically, the following systems can be connected to the I / O interface 1006: input devices 1007 including, for example, touchscreens, touchpads, keyboards, mice, image sensors, microphones, accelerometers, gyroscopes, etc.; output devices 1008 including, for example, liquid crystal displays (LCDs), speakers, vibrators, etc.; storage devices 1003 including, for example, magnetic tapes, hard disks, etc.; and communication devices 1009. Communication device 1009 allows the security access control device to communicate wirelessly or wiredly with other devices to exchange data. While the figures show security access control devices with various systems, it should be understood that implementation or possession of all the systems shown is not required. More or fewer systems may be implemented alternatively.
[0183] Specifically, according to the embodiments disclosed in this application, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments disclosed in this application include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via a communication device, or installed from storage device 1003, or installed from ROM 1002. When the computer program is executed by processing device 1001, it performs the functions defined in the methods of the embodiments disclosed in this application.
[0184] The secure access control device provided in this application, employing the secure access control method described in the above embodiments, can solve the technical problem of low security when a terminal accesses an application. Compared with the prior art, the beneficial effects of the secure access control device provided in this application are the same as those of the secure access control method described in the above embodiments, and other technical features of this secure access control device are the same as those disclosed in the method of the previous embodiment, and will not be repeated here.
[0185] It should be understood that the various parts disclosed in this application can be implemented using hardware, software, firmware, or a combination thereof. In the description of the above embodiments, specific features, structures, materials, or characteristics can be combined in any suitable manner in one or more embodiments or examples.
[0186] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
[0187] This application provides a computer-readable storage medium having computer-readable program instructions (i.e., a computer program) stored thereon, the computer-readable program instructions being used to execute the security access control method described in the above embodiments.
[0188] The computer-readable storage medium provided in this application may be, for example, a USB flash drive, but is not limited to, electrical, magnetic, optical, electromagnetic, infrared, or semiconductor systems, devices, or any combination thereof. More specific examples of computer-readable storage media may include, but are not limited to: electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this embodiment, the computer-readable storage medium may be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, system, or device. The program code contained on the computer-readable storage medium may be transmitted using any suitable medium, including but not limited to: wires, optical cables, RF (Radio Frequency), etc., or any suitable combination thereof.
[0189] The aforementioned computer-readable storage medium may be included in a secure access control device; or it may exist independently and not be assembled into a secure access control device.
[0190] The aforementioned computer-readable storage medium carries one or more programs. When these programs are executed by a secure access control device, the secure access control device: encrypts and signs a first authentication message using a super SIM card to obtain an encrypted signature message for the first authentication message; generates a single-packet authentication request based on the encrypted signature message; forwards the single-packet authentication request to a control terminal via a gateway; the control terminal decrypts and verifies the encrypted signature message in the single-packet authentication request to obtain an accessible list for the target user; forwards the accessible list to the user terminal via a gateway; receives the accessible list forwarded by the gateway; and accesses the target application via the gateway based on the accessible list.
[0191] Computer program code for performing the operations of this application can be written in one or more programming languages or a combination thereof, including object-oriented programming languages such as Java, Smalltalk, and C++, as well as conventional procedural programming languages such as "C" or similar programming languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network—including a Local Area Network (LAN) or a Wide Area Network (WAN)—or can be connected to an external computer (e.g., via the Internet using an Internet service provider).
[0192] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0193] The modules described in the embodiments of this application can be implemented in software or hardware. The names of the modules do not necessarily limit the functionality of the unit itself.
[0194] The readable storage medium provided in this application is a computer-readable storage medium that stores computer-readable program instructions (i.e., a computer program) for executing the above-described secure access control method, thereby solving the technical problem of low security when a terminal accesses an application. Compared with the prior art, the beneficial effects of the computer-readable storage medium provided in this application are the same as those of the secure access control method provided in the above embodiments, and will not be repeated here.
[0195] This application also provides a computer program product, including a computer program that, when executed by a processor, implements the steps of the security access control method described above.
[0196] The computer program product provided in this application can solve the technical problem of low security when a terminal accesses an application. Compared with the prior art, the beneficial effects of the computer program product provided in this application are the same as those of the secure access control method provided in the above embodiments, and will not be repeated here.
[0197] The above description is only a part of the embodiments of this application and does not limit the patent scope of this application. All equivalent structural transformations made under the technical concept of this application and using the contents of the specification and drawings of this application, or direct / indirect applications in other related technical fields, are included in the patent protection scope of this application.< / mac> < / padding>
Claims
1. A secure access control method, characterized in that, The method is applied to a user terminal, and the method includes: The first authentication message is encrypted and signed using the Super SIM card to obtain the encrypted signature message of the first authentication message; A single-packet authentication request is generated based on the encrypted signature message. The single-packet authentication request is forwarded to the control terminal through the gateway. The control terminal decrypts and verifies the encrypted signature message in the single-packet authentication request to obtain the accessible list of the target user. The accessible list is then forwarded to the user terminal through the gateway. Receive the accessible list forwarded by the gateway, and access the target application through the gateway based on the accessible list.
2. The method as described in claim 1, characterized in that, The step of encrypting and signing the first authentication message using the Super SIM card to obtain the encrypted signature message of the first authentication message includes: The first authentication message is obtained by concatenating the initial authentication message and the first random number using the Super SIM card; The first authentication message is encrypted using the first encryption algorithm to obtain the first encrypted message of the first authentication message. The first message digest of the first authentication message is obtained by performing a digest calculation on the first authentication message using a second encryption algorithm. The first authentication message and the first message digest are signed using the second private key to obtain the first message signature; An encrypted signature message is formed based on the first encrypted message, the first message digest, and the first message signature, which constitutes the first authentication message.
3. The method as described in claim 1, characterized in that, Before the step of encrypting and signing the first authentication message using the Super SIM card to obtain the encrypted signature message of the first authentication message, the method further includes: Obtain the target user's user information and the Super SIM card's card identifier; The first public key and the second private key of the first authentication message are generated using a third encryption algorithm; Based on the user information and card identifier, a third key for the first authentication message is generated using a first encryption algorithm; The second private key and the third key are written into the super SIM card, and the second private key and the third key are used to encrypt and sign the first authentication message; The first public key and the third key are sent to the control terminal. The first public key and the third key are used to decrypt and verify the encrypted signature message in the single packet authentication request.
4. The method as described in claim 1, characterized in that, The step of receiving the accessible list forwarded by the gateway and accessing the target application through the gateway based on the accessible list includes: Receive the accessible list sent by the gateway; Based on the accessible list, an application access command is generated and sent to the gateway. The gateway parses the command, determines the corresponding target application, opens the target port of the target application, and connects to the target application through the target port.
5. A secure access control method, characterized in that, The method is applied to a gateway, and the method includes: In response to a single-packet authentication request sent by a user terminal, the initial port of the gateway is closed, and the single-packet authentication request is sent to the control terminal, so that the control terminal decrypts and verifies the encrypted signature message in the single-packet authentication request to obtain the accessible list of the target user, and sends the accessible list to the gateway. The gateway receives the accessible list sent by the control terminal and forwards it to the user terminal, so that the user terminal can access the target application through the gateway based on the accessible list.
6. The method as described in claim 5, characterized in that, The step of accessing the target application through the gateway based on the accessible list includes: Receive an application access instruction sent by the user terminal, wherein the application access instruction is generated by the user terminal based on the accessible list; Parse the application access command to determine the target application corresponding to the application access command; Open the target port of the target application and connect to the target application through the target port.
7. A secure access control method, characterized in that, The method is applied to a control terminal, and the method includes: The system receives a single-packet authentication request sent by the gateway. The single-packet authentication request is generated by the user terminal encrypting and signing the first authentication message through the Super SIM card to obtain an encrypted signature message of the first authentication message, and then generating the system based on the encrypted signature message. The encrypted signature message in the single-packet authentication request is decrypted and verified to obtain the target user's accessible list. The accessible list is then forwarded to the user terminal through the gateway, so that the user terminal can access the target application through the gateway based on the accessible list.
8. The method as described in claim 7, characterized in that, The step of decrypting and verifying the encrypted signature message in the single-packet authentication request to obtain the target user's accessible list includes: The encrypted signature message is decrypted using the first public key. When decryption is successful, an intermediate decryption message of the encrypted signature message is generated. The intermediate decryption message is decrypted again using a third key to generate a second decryption message of the encrypted signature message; The second encrypted message is digested by the second encryption algorithm to obtain the second message digest of the encrypted signature message. If the second message digest is equal to the first message digest, the decryption and signature verification of the encrypted signature message is successful. When the decryption and signature verification of the encrypted signature message is successful, the second decrypted message is used for permission verification to obtain the target user's accessible list.
9. A secure access control device, characterized in that, The device includes: The encryption signature module is used to encrypt and sign the first authentication message through the Super SIM card to obtain the encrypted signature message of the first authentication message; The request generation module is used to generate a single-packet authentication request based on the encrypted signature message, forward the single-packet authentication request to the control terminal through the gateway, and the control terminal decrypts and verifies the encrypted signature message in the single-packet authentication request to obtain the accessible list of the target user. The accessible list is then forwarded to the user terminal through the gateway. The connection access module is used to receive the accessible list forwarded by the gateway, and access the target application through the gateway based on the accessible list.
10. A secure access control device, characterized in that, The device includes: a memory, a processor, and a computer program stored in the memory and executable on the processor, the computer program being configured to implement the steps of the secure access control method as described in any one of claims 1 to 8.
11. A computer program product, characterized in that, The computer program product includes a computer program that, when executed by a processor, implements the steps of the secure access control method as described in any one of claims 1 to 8.