CN101286849A - Authentication system and method of a third party based on engagement arithmetic - Google Patents

Info

Publication number
CN101286849A
Authority
CN
China
Prior art keywords
information
user side
service
party intermediary
engagement arithmetic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2008101147065A
Other languages
Chinese (zh)
Inventor
任少华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to CNA2008101147065A priority Critical patent/CN101286849A/en
Publication of CN101286849A publication Critical patent/CN101286849A/en
Priority to PCT/CN2008/073863 priority patent/WO2009089764A1/en
Priority to CN2008801244913A priority patent/CN101978650B/en
Pending legal-status Critical Current

Abstract

The invention provides a third-party authentication system and method based on an agreed algorithm (engagement arithmetic), aimed at solving the security and convenience problems that internet users face when logging in to network resources. In the system and method of the invention, the service provider authenticates the user through an intermediary by means of the agreed algorithm; the scheme has the advantages of being secure, efficient and convenient.

Description

Third-party authentication system and method based on engagement arithmetic
Technical field
The present invention relates to a third-party authentication system and method based on an agreed algorithm (engagement arithmetic).
Background technology
The resources and services provided by the Internet are very numerous and growing rapidly, and the Internet has become the main channel through which people obtain information resources and information services. Many internet resources and services require the user to log in and be verified, but login information that differs from website to website is hard for the user to remember, and the simple username-and-password mode also suffers from too low a level of security.
Authentication through a third-party intermediary is an effective way to overcome the above problems, but existing third-party authentication solutions all have certain defects, such as being insecure or inconvenient to use.
Summary of the invention
The present invention adopts a third-party authentication system and method based on an agreed algorithm to solve the above problems.
The present invention is realized as follows. A third-party authentication system and method based on an agreed algorithm comprises a user side, a service side and an intermediary, all three connected to the Internet; the user side can access a specified service or resource of the service side after passing authentication, and the service side authenticates the user side through the intermediary. It is characterized in that: the user side has an agreed algorithm X that no other user knows, and the intermediary has an agreed algorithm Y corresponding to this user side's X; X and its corresponding Y may be identical or different; the user side's X is stored in the user side's terminal or in a removable peripheral device that can be connected to the user side's terminal. X and its corresponding Y can complete the following two matched computations: when one of X or Y computes information A and produces information B, the corresponding algorithm (Y or X respectively) can either compute A and also obtain B, or compute B and obtain A, or compute on A and B together and verify that B was produced by computing A with X or Y. Computations with X are carried out on the user side's terminal or on the user side's removable peripheral device; computations with Y are carried out at the intermediary. When the user side requests access from the service side, one of the intermediary, the service side or the user side generates information A; the intermediary, the service side and the user side transmit related information of A or B and complete the two matched computations; and the intermediary or the service side, acting as the verifier, judges whether authentication passes by comparing or computing the information obtained. In each connection authentication, related information of A or B may be transmitted between the service side and the user side without passing through the intermediary, and between the service side and the intermediary without passing through the user side. "Related information of A or B" means information that can be compared or computed together with other related information of A or B in order to verify whether the underlying A or B of the two pieces is identical. In each connection authentication the verifier may obtain related information of two A's or of two B's and verify whether their underlying A or B is identical, or may obtain one A and one B and verify whether B was produced by computing A with X or Y. The verification result can be affirmative only if both matched computations have been correctly completed, and the user side's connection authentication passes only when the verification result is affirmative; after authentication passes, the service side allows the user side to access the specified service or resource through the connection.
Wherein, the related information of A is either A itself, or information A1 generated correspondingly with A, or information (Am, An) computed from A or A1 in a specified manner, or information used to compute and produce A; and the related information of B is either B itself, or information (Bm, Bn) computed from B in a specified manner.
Wherein, the intermediary or the service side may also start a timer in each connection authentication; if the specified message is not received by the intermediary or the service side within the time limit, the intermediary or the service side aborts the authentication process and the user side's authentication fails.
Wherein, the user side may also send a connection authentication request to the service side or the intermediary before the other steps of the connection authentication, or the first message sent by the user side in the connection authentication may itself include the connection authentication request to the service side or the intermediary.
Wherein, the agreed algorithm is a key-based encryption or decryption algorithm: the computation performed on A with X or Y is an encryption operation, and the computation performed on B with X or Y is a decryption operation; X includes a key XKEY and Y includes a key YKEY; either the agreed algorithm is a symmetric encryption/decryption algorithm, so that XKEY is identical to its corresponding YKEY, or it is an asymmetric encryption/decryption algorithm, so that XKEY differs from its corresponding YKEY.
Wherein, A is a symmetric cryptographic key, or A and A1 are a pair of asymmetric cryptographic keys; the two matched computations are the encryption and decryption operations; A can be transmitted by means of these encryption and decryption operations during the connection authentication; and if the connection authentication passes, encrypted communication can be established between the user side and the intermediary, or between the user side and the service side, with A (or A and A1) as the key.
Wherein, a user side has two agreed algorithms X, an encryption algorithm X1 and a decryption algorithm X2, and the intermediary likewise has two agreed algorithms Y corresponding to each user side, a decryption algorithm Y1 and an encryption algorithm Y2, where X1 corresponds to Y1 and X2 corresponds to Y2; X1 and X2 share the key XKEY, and Y1 and Y2 share the key YKEY; when the agreed algorithm is a symmetric encryption/decryption algorithm, XKEY and YKEY are the same symmetric key, and when it is an asymmetric encryption/decryption algorithm, XKEY and YKEY are a pair of asymmetric keys.
Wherein, the agreed algorithm is stored on the user side's removable peripheral device, which communicates with the user side's terminal over a wired or wireless connection; the removable peripheral device has an IC chip, and the user side's computations on A or B with X are carried out on this removable peripheral device.
Wherein, when the intermediary or the service side generates A, each A cannot be inferred from previous A's, or A is generated at random; and when the user side generates A, A contains verification information about its generation time, which the intermediary or the service side can extract from A to determine whether the generation time lies within the specified range; if the generation time of A is outside the specified range, the intermediary or the service side aborts the authentication process and the user side's authentication fails.
Wherein, after the connection authentication passes, the service side allows the user side's terminal to access the specified service or resource through a connection or port, this connection or port being the one through which the service side and the user side transmitted related information of A or B without passing through the intermediary.
Wherein, before the connection authentication is carried out, the user side has already passed an authentication by the intermediary or the service side once and has established a connection.
Wherein, the three parties transmit related information of A or B through the service side: the intermediary and the user side each exchange information with the service side, and information transmitted between the intermediary and the user side also passes through the service side.
Wherein, when the user side requests access from the service side, the specific connection authentication scheme is one of the following:
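The freshness and timer rules described above can be checked mechanically. The following Python is an added example and not code from the patent or its inventor: it draws a verifier-generated A from a CSPRNG (the random-A option), embeds the generation time in a user-generated A as an 8-byte prefix (a constructed layout the patent does not specify), and implements the timer the verifier starts per connection authentication. The window and timeout values are assumptions.

```python
import secrets
import struct
import time

# Constructed parameters (assumptions, not values from the patent text)
A_RANDOM_BYTES = 32        # length of a randomly generated A
FRESHNESS_WINDOW_S = 60    # accepted age of a user-generated A, in seconds
RESPONSE_TIMEOUT_S = 30    # timer the verifier starts per connection authentication


def generate_challenge_A() -> bytes:
    """Intermediary- or service-generated A.

    Drawn from the OS CSPRNG so that no A can be inferred from earlier ones."""
    return secrets.token_bytes(A_RANDOM_BYTES)


def user_generate_A(now=None) -> bytes:
    """User-generated A carrying its generation time as verification information.

    Layout (constructed for this example): 8-byte big-endian Unix time || 24 random bytes."""
    t = int(time.time() if now is None else now)
    return struct.pack(">Q", t) + secrets.token_bytes(24)


def extract_generation_time(A: bytes) -> int:
    """Verifier side: pull the generation time back out of a user-generated A."""
    if len(A) < 8:
        raise ValueError("A too short to carry a generation time")
    return struct.unpack(">Q", A[:8])[0]


def A_is_fresh(A: bytes, now, window_s: int = FRESHNESS_WINDOW_S) -> bool:
    """True only if the generation time lies within the specified range:
    not older than the window and not claimed to be in the future."""
    age = now - extract_generation_time(A)
    return 0 <= age <= window_s


class AuthTimer:
    """Timer the intermediary or service side starts for one connection authentication."""

    def __init__(self, timeout_s, started_at):
        self.deadline = started_at + timeout_s

    def expired(self, now) -> bool:
        return now > self.deadline


def check_user_challenge(A: bytes, timer: AuthTimer, arrival_time) -> str:
    """Decision the verifier takes when the user's message carrying A arrives:
    a late message aborts on the timer, a stale A aborts on the freshness range."""
    if timer.expired(arrival_time):
        return "abort: timer expired before the specified message arrived"
    if not A_is_fresh(A, arrival_time):
        return "abort: generation time of A outside the specified range"
    return "accept"


if __name__ == "__main__":
    t0 = time.time()
    timer = AuthTimer(RESPONSE_TIMEOUT_S, t0)
    print(check_user_challenge(user_generate_A(t0), timer, t0 + 5))
```

The two checks are independent: the timer bounds how long the verifier waits for any message, while the freshness window bounds how old a user-generated A may be, so a message that arrives in time can still be rejected because the A inside it was generated too long ago.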
1) The intermediary generates A, and the service side is the verifier. The intermediary computes A with this user side's corresponding Y to produce B, and the user side also computes A with X to obtain B. The service side receives either two B's, or B and Bm, or Bm and Bn, where Bm or Bn is computed by the user side or the intermediary; the service side verifies whether the related B of the two pieces obtained is identical, and if the result is affirmative, authentication passes and the service side allows the user side to access the specified service or resource;
2) The intermediary generates A, and the service side is the verifier. The intermediary computes A with this user side's corresponding Y to produce B, and the user side computes B with X to obtain A. The service side receives either two A's, or A and Am, or Am and An, where Am or An is computed by the user side or the intermediary; the service side verifies whether the related A of the two pieces obtained is identical, and if the result is affirmative, authentication passes and the service side allows the user side to access the specified service or resource;
3) The intermediary generates a pair A and A1, and the service side is the verifier. The intermediary computes A with this user side's corresponding Y to produce B, and the user side computes B with X to obtain A. The service side receives A1 and A, or A1 and Am, or A and Am, where Am is computed by the user side or the intermediary; the service side verifies whether the related A of the two pieces obtained is identical, and if the result is affirmative, authentication passes and the service side allows the user side to access the specified service or resource;
4) The intermediary generates A, and the intermediary is the verifier. The intermediary computes A with this user side's corresponding Y to produce B, and the user side also computes A with X to obtain B. The intermediary receives one B or Bm, where Bm is computed by the user side or the service side; the intermediary verifies whether the B it generated and the related B of the received B or Bm are identical, and if the result is affirmative, authentication passes and the intermediary notifies the service side to allow the user side to access the specified service or resource;
5) The intermediary generates A, and the intermediary is the verifier. The intermediary computes A with this user side's corresponding Y to produce B, and the user side computes B with X to obtain A. The intermediary receives one A or Am, where Am is computed by the user side; the intermediary verifies whether the A it generated and the related A of the received A or Am are identical, and if the result is affirmative, authentication passes and the intermediary notifies the service side to allow the user side to access the specified service or resource;
6) The intermediary generates a pair A and A1, and the intermediary is the verifier. The intermediary computes A with this user side's corresponding Y to produce B, and the user side computes B with X to obtain A. The intermediary receives Am, where Am is computed by the user side or the service side; the intermediary verifies whether the related A of A1 and of the received Am is identical, and if the result is affirmative, the intermediary notifies the service side that authentication has passed and the service side allows the user side to access the specified service or resource;
7) The intermediary generates A, and the intermediary is the verifier. The user side computes A with X to obtain B, and the intermediary obtains this B; the intermediary computes B with this user side's corresponding Y to obtain A and verifies whether the A it generated is identical to the A computed from B; if the result is affirmative, authentication passes and the intermediary notifies the service side to allow the user side to access the specified service or resource;
8) The intermediary generates A, and the intermediary is the verifier. The user side computes A with X to obtain B, and the intermediary obtains this B; using this user side's corresponding Y, the intermediary verifies by computation whether the received B was produced by computing the A it generated with X; if the result is affirmative, authentication passes and the intermediary notifies the service side to allow the user side to access the specified service or resource;
9) The service side generates A, and the service side is the verifier. The intermediary computes A with this user side's corresponding Y to obtain B, and the user side computes B with X to obtain A. The service side receives one A or Am, where Am is computed by the user side; the service side verifies whether the A it generated and the related A of the received A or Am are identical, and if the result is affirmative, authentication passes and the service side allows the user side to access the specified service or resource;
10) The service side generates a pair A and A1, and the service side is the verifier. The intermediary computes A with this user side's corresponding Y to produce B, and the user side computes B with X to obtain A. The service side receives Am, where Am is computed by the user side; the service side verifies whether the related A of Am is identical to the A it generated, and if the result is affirmative, authentication passes and the service side allows the user side to access the specified service or resource;
11) The service side generates A, and the service side is the verifier. The intermediary computes A with this user side's corresponding Y to obtain B, and the user side computes A with X to obtain B. The service side receives either two B's, or B and Bm, or Bm and Bn, where Bm or Bn is computed by the user side or the intermediary; the service side verifies whether the related B of the two pieces received is identical, and if the result is affirmative, authentication passes and the service side allows the user side to access the specified service or resource;
12) The service side generates A, and the service side is the verifier. The user side computes A with X to obtain B, and the intermediary computes B with this user side's corresponding Y to obtain A. The service side receives one A or Am, where Am is computed by the intermediary; the service side verifies whether the A it generated and the related A of the received A or Am are identical, and if the result is affirmative, authentication passes and the service side allows the user side to access the specified service or resource;
13) The service side generates a pair A and A1, and the service side is the verifier. The user side computes A with X to produce B, and the intermediary computes B with this user side's corresponding Y to obtain A. The service side receives Am, where Am is computed by the intermediary; the service side verifies whether the related A of A1 and of Am is identical, and if the result is affirmative, authentication passes and the service side allows the user side to access the specified service or resource;
14) The service side generates A, and the intermediary is the verifier. The intermediary computes A with this user side's corresponding Y to produce B, and the user side also computes A with X to obtain B. The intermediary obtains two B's, or B and Bm, where Bm is computed by the user side or the service side; the intermediary verifies whether the related B of the two pieces obtained is identical, and if the result is affirmative, authentication passes and the intermediary notifies the service side to allow the user side to access the specified service or resource;
15) The service side generates A, and the intermediary is the verifier. The user side computes A with X to obtain B, and the intermediary computes B with this user side's corresponding Y to obtain A. The intermediary obtains two A's, or A and Am, where Am is computed by the user side or the service side; the intermediary verifies whether the related A of the two pieces obtained is identical, and if the result is affirmative, authentication passes and the intermediary notifies the service side to allow the user side to access the specified service or resource;
16) The service side generates A, and the intermediary is the verifier. The user side computes A with X to obtain B, and the intermediary obtains A and B; the intermediary verifies whether the B obtained was produced by computing A with X, and if the result is affirmative, authentication passes and the intermediary notifies the service side to allow the user side to access the specified service or resource;
17) The service side generates a pair A and A1, and the intermediary is the verifier. The user side computes A with X to produce B, and the intermediary computes B with this user side's corresponding Y to obtain A. The intermediary obtains A and A1, or A and Am, where Am is computed by the service side; the intermediary verifies whether the related A of the two pieces obtained is identical, and if the result is affirmative, authentication passes and the intermediary notifies the service side to allow the user side to access the specified service or resource;
18) The service side generates A, and the intermediary is the verifier. The intermediary computes A with this user side's corresponding Y to obtain B, and the user side computes B with X to obtain A. The intermediary obtains two A's, or A and Am, where Am is computed by the user side or the service side; the intermediary verifies whether the two A's are identical, or whether the related A of A and of Am is identical, and if the result is affirmative, authentication passes and the intermediary notifies the service side to allow the user side to access the specified service or resource;
19) The user side generates A, and the service side is the verifier. The user side computes A with X to obtain B, and the intermediary computes B with this user side's corresponding Y to produce A. The service side receives either two A's, or A and Am, or Am and An, where Am or An is computed by the user side or the intermediary; the service side verifies whether the related A of the two pieces received is identical, and if the result is affirmative, authentication passes and the service side allows the user side to access the specified service or resource;
20) The user side generates a pair A and A1, and the service side is the verifier. The user side computes A with X to obtain B, and the intermediary computes B with this user side's corresponding Y to produce A. The service side receives A1 and A, or A and Am, or A1 and Am, where Am is computed by the user side or the intermediary; the service side verifies whether the related A of the two pieces received is identical, and if the result is affirmative, authentication passes and the service side allows the user side to access the specified service or resource;
21) The user side generates A, and the service side is the verifier. The user side computes A with X to obtain B, and the intermediary also computes A with this user side's corresponding Y to produce B. The service side receives either two B's, or B and Bm, or Bm and Bn, where Bm or Bn is computed by the user side or the intermediary; the service side verifies whether the related B of the two pieces received is identical, and if the result is affirmative, authentication passes and the service side allows the user side to access the specified service or resource;
22) The user side generates A, and the intermediary is the verifier. The user side computes A with X to obtain B, and the intermediary computes B with this user side's corresponding Y to obtain A. The intermediary obtains two B's, or B and Bm, where Bm is computed by the user side or the service side; the intermediary verifies whether the related B of the two B's, or of B and Bm, is identical, and if the result is affirmative, authentication passes and the intermediary notifies the service side to allow the user side to access the specified service or resource;
23) The user side generates A, and the intermediary is the verifier. The user side computes A with X to obtain B, and the intermediary computes B with this user side's corresponding Y to obtain A. The intermediary obtains two A's, or A and Am, where Am is computed by the user side or the service side; the intermediary verifies whether the related A of the two A's, or of A and Am, is identical, and if the result is affirmative, authentication passes and the intermediary notifies the service side to allow the user side to access the specified service or resource;
24) The user side generates A, and the intermediary is the verifier. The user side computes A with X to obtain B, and the intermediary obtains this A and B; the intermediary verifies whether this B was produced by computing this A with X, and if the result is affirmative, authentication passes and the intermediary notifies the service side to allow the user side to access the specified service or resource;
25) The user side generates a pair A and A1, and the intermediary is the verifier. The user side computes A with X to obtain B, and the intermediary computes B with this user side's corresponding Y to obtain A. The intermediary obtains A and A1, or A and Am, where Am is computed by the user side or the service side; the intermediary verifies whether the related A of the two pieces received is identical, and if the result is affirmative, authentication passes and the service side allows the user side to access the specified service or resource.
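As an added example (not the patent's own code), the following Python simulates two of the schemes above in the symmetric case: scheme 1 (the intermediary generates A and the service side compares the two B's it receives) and scheme 8 (the intermediary generates A and itself verifies that the returned B was produced from it). The agreed algorithm is modelled as HMAC-SHA256 under a shared key, so XKEY equals YKEY; this is an assumption made so the example runs on the standard library, whereas the patent describes X and Y as key-based encryption and decryption in general. Message transport between the three parties is replaced by direct function calls.

```python
import hashlib
import hmac
import secrets


# Assumption for this example: X (user side) and Y (intermediary) are the same
# keyed function, HMAC-SHA256, with XKEY == YKEY (the symmetric case). The patent
# describes X/Y as key-based encryption/decryption; HMAC stands in for them here
# because it is available in the standard library.
def agreed_algorithm(key: bytes, A: bytes) -> bytes:
    """Compute information B from information A with X or Y."""
    return hmac.new(key, A, hashlib.sha256).digest()


class UserSide:
    """Holds X (here: XKEY) on the terminal or a removable device; computes with X only."""

    def __init__(self, user_id: str, xkey: bytes):
        self.user_id = user_id
        self._xkey = xkey

    def compute_B(self, A: bytes) -> bytes:
        return agreed_algorithm(self._xkey, A)


class Intermediary:
    """Holds the Y (YKEY) corresponding to each enrolled user side."""

    def __init__(self):
        self._ykeys = {}

    def enrol(self, user_id: str, ykey: bytes) -> None:
        self._ykeys[user_id] = ykey

    def generate_A(self) -> bytes:
        # Each A is fresh and unpredictable, so a B captured earlier cannot be replayed
        return secrets.token_bytes(32)

    def compute_B(self, user_id: str, A: bytes) -> bytes:
        return agreed_algorithm(self._ykeys[user_id], A)

    def verify_B_from_A(self, user_id: str, A: bytes, B: bytes) -> bool:
        """Scheme 8: check that B was produced by computing A with this user's X.
        Unknown users fail closed."""
        if user_id not in self._ykeys:
            return False
        return hmac.compare_digest(self.compute_B(user_id, A), B)


class ServiceSide:
    def verify_two_B(self, B_from_user: bytes, B_from_intermediary: bytes) -> bool:
        """Scheme 1: the service side holds no key; it only compares the two B's it received."""
        return hmac.compare_digest(B_from_user, B_from_intermediary)


def scheme_1(user: UserSide, intermediary: Intermediary, service: ServiceSide) -> bool:
    """Intermediary generates A; service side is the verifier.
    In a deployment A travels intermediary -> service -> user, B_i travels
    intermediary -> service and B_u travels user -> service."""
    A = intermediary.generate_A()
    B_i = intermediary.compute_B(user.user_id, A)
    B_u = user.compute_B(A)
    return service.verify_two_B(B_u, B_i)


def scheme_8(user: UserSide, intermediary: Intermediary) -> bool:
    """Intermediary generates A and is itself the verifier; the user returns B."""
    A = intermediary.generate_A()
    B_u = user.compute_B(A)
    return intermediary.verify_B_from_A(user.user_id, A, B_u)


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed XKEY == YKEY
    inter = Intermediary()
    inter.enrol("alice", key)
    alice = UserSide("alice", key)
    print("scheme 1:", scheme_1(alice, inter, ServiceSide()))
    print("scheme 8:", scheme_8(alice, inter))
```

The design point worth noticing is where the key lives: in scheme 1 the service side never holds XKEY or YKEY and decides purely by comparing two values, while in scheme 8 the intermediary must hold YKEY and is the only party able to reach a verdict. In both, a user side holding a different key yields a different B and fails, and because A is regenerated per run, a B captured from one authentication does not verify in another.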
Wherein, the agreed algorithms of different user sides differ from one another or have randomness.
Wherein, a few examples of specific implementations of the information A1, Am and An are listed below:
1. Am is the long-pending of A and big prime number: authentication will be verified information A m and the information A that obtains, information A is one 1024 a big prime number, information A m is that a side be multiply by the long-pending of another 1024 prime numbers at random with information A, authentication with this information A m divided by this information A, if aliquot then verify that the result is sure;
2. DES key A and enciphered message Am: authentication will be verified information A m and the information A that obtains, information A is a DES key A, one side with key A certain content is encrypted or digital signature obtains information A m, authentication verifies with key A decryption information Am or to digital signature, if decrypted result is identical with certain content or digital signature correctly then verify that the result is sure;
3. the Am and the An that produce of same Hash function: authentication will verify whether an information A m and an information A n are consistent, information A m and information A n be two sides respectively with identical one-way hash function to the information A result calculated, if authentication comparative information Am and information A n are identical then explanation checking result is sure;
4. highest common divisor is all Am and the An of A: authentication will verify whether an information A m and an information A n are consistent, wherein, information A is one 1024 a integer, set L is the prime factor set of information A, set M and set N are two prime number set, set L, set M and set N three are mutually disjointed, information A m is the continued product of 100 random numbers among information A and the set M, information A n is the continued product of 100 random numbers among information A and the set N, information A m and information A n are calculated by two sides respectively and produce and mail to as third-party authentication, authentication is asked the greatest common divisor of information A m and information A n, if this common divisor is 1024, think that then the relevant information A of information A m and information A n is identical, just say that also the checking result is sure;
5. unsymmetrical key information A and A1: information A and information A 1 are respectively in a pair of asymmetric cryptographic key, information A m is that a side encrypts certain content with information A or digital signature is calculated generation, authentication is decrypted or verifies this digital signature with 1 couple of information A m that receives of information A, if decrypted result is identical with certain content or digital signature is correct, thereby then the relevant information A of information A m and information A 1 is that identical checking result is sure;
6. reciprocal matrix information A and A1: information A and information A 1 are the reciprocal matrix of a pair of 1024*1024, authentication multiplies each other information A and information A 1, if the result is a unit matrix, then information A is thereby that identical checking result is sure with the relevant information A of information A 1, wherein, the relevant information A of information A still is an information A itself.
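The following is an added example, not code from the patent, showing how an authenticator would carry out three of the "related information" checks listed above (examples 1, 3 and 4), which are also the checks the intermediary performs in scheme 25). Values are scaled down from the patent's 1024-bit primes to 64-bit primes (and from 100 primes per set to 10) so the demonstration runs in well under a second; the names A, Am, An, L, M and N follow the patent, while the Miller-Rabin helper, `A_BITS`, and all sample values are constructed for this example.

```python
"""Added example: "related information" checks 1, 3 and 4 from the patent text,
scaled down to 64-bit values.  All sample values are constructed with `secrets`."""
import hashlib
import hmac
import math
import secrets

A_BITS = 64   # the patent uses 1024 bits; scaled down for a quick demonstration
# Fixed Miller-Rabin bases; deterministic for every n below 3.3 * 10**24.
TEST_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin primality test with fixed bases (exact for our 64-bit range)."""
    if n < 2:
        return False
    for p in TEST_BASES:          # trial division also settles every n <= 37
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in TEST_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random prime with exactly `bits` bits (top bit and low bit forced to 1)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


# --- Example 1: Am is the product of A and another large prime ---------------
def make_am_example1(A: int) -> int:
    return A * random_prime(A_BITS)


def check_example1(A: int, Am: int) -> bool:
    """Authenticator divides Am by A; an exact division is a positive result."""
    return Am % A == 0


# --- Example 3: Am and An are the same one-way hash of A, from two parties -----
def hash_of(A: int) -> bytes:
    return hashlib.sha256(A.to_bytes((A.bit_length() + 7) // 8, "big")).digest()


def check_example3(Am: bytes, An: bytes) -> bool:
    return hmac.compare_digest(Am, An)   # constant-time equality


# --- Example 4: gcd(Am, An) recovers A when the prime sets L, M, N are disjoint
def disjoint_prime_sets(A: int, size: int, bits: int):
    """Two disjoint sets M and N of random primes, neither containing a factor of A."""
    pool = set()
    while len(pool) < 2 * size:
        p = random_prime(bits)
        if A % p != 0:                    # keep M and N disjoint from L = factors of A
            pool.add(p)
    pool = sorted(pool)
    return pool[:size], pool[size:]


def make_am_an_example4(A: int, M, N):
    return A * math.prod(M), A * math.prod(N)


def check_example4(Am: int, An: int) -> bool:
    """The authenticator never sees A: it accepts iff gcd(Am, An) is a full A_BITS-bit number."""
    return math.gcd(Am, An).bit_length() == A_BITS


def demo() -> dict:
    """Run each check once with matching inputs and once with a mismatched A."""
    A, other = random_prime(A_BITS), random_prime(A_BITS)
    M, N = disjoint_prime_sets(A, size=10, bits=32)   # patent: 100 primes per set
    Am4, An4 = make_am_an_example4(A, M, N)
    Am4_other, _ = make_am_an_example4(other, M, N)
    return {
        "ex1_ok": check_example1(A, make_am_example1(A)),
        "ex1_bad": check_example1(A, make_am_example1(other)),
        "ex3_ok": check_example3(hash_of(A), hash_of(A)),
        "ex3_bad": check_example3(hash_of(A), hash_of(other)),
        "ex4_ok": check_example4(Am4, An4),
        "ex4_bad": check_example4(Am4_other, An4),
    }
```

The gcd check in example 4 only works because the three prime sets are disjoint: if M and N shared a prime, the gcd would pick it up and the authenticator could not tell it from a factor of A, so the party that draws M and N has to enforce the disjointness, as `disjoint_prime_sets` does.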
Wherein, examples of the specific implementation of Bm and Bn are the same as examples 1, 3 and 4 above: replacing A, Am and An in those examples with B, Bm and Bn respectively yields the examples for information Bm and Bn.
Wherein, the concrete way in which the removable peripheral is connected to the terminal is a wired or wireless connection, such as a USB data cable, a Bluetooth wireless interface, an infrared connection, and so on.
Wherein, the user's removable peripheral can be connected to different terminals through a wired or wireless interface. Wherein, the terminal connected to the user's removable peripheral is the user's terminal.
Wherein, the described engagement arithmetic can also be a one-way hash function, a digital digest algorithm, a digital signature algorithm, a parameterized one-way function, and so on.
Wherein, the user can likewise authenticate the service side through the intermediary in the same way, that is, the terminal and the service side exchange the steps they perform in the above authentication process, and the terminal can then complete the authentication of the service side.
Wherein, information A is generated on the spot, or generated in advance and obtained on the spot, by one party.
Wherein, the described connection authentication process should be completed over a computer network by programs running on the described three computer systems.
Wherein, the service side can be a server system that provides resources and services to users over the Internet, such as various websites. The service side can also be the terminal of another user on the Internet; after the described user's authentication passes, the described user's terminal will be allowed to access the specified service or resource of this other user's terminal. For example, the present invention can be used in an instant messaging system for the handshake procedure by which two user terminals establish a point-to-point connection between them.
Wherein, the specified resource or service of the service side can be a file resource, a browser service, a multimedia resource or service, an audio and video connection, an instant messaging conversation service, a search service, an online account operation service, an online transaction, and so on. Concrete examples of the service side are: an online game operator, an online forum, an instant messaging tool service provider, a resource download website, an online bank, an online store, a terminal connected to an instant messaging system (such as MSN), and so on.
Wherein, the intermediary is a computer system that performs third-party authentication on the Internet.
Wherein, the user's terminal, the service side and the intermediary are devices with computing capability, such as a PC, a mobile phone, a server, a server farm, and so on.
Wherein, the user has a user identification code (APID) in the service side's computer system and also has a user identification code (AUID) in the intermediary's system, and there is a corresponding relation between APID and AUID. Wherein, this corresponding relation is held by the service side's system or by the intermediary's system. Wherein, the described user identification code is a sequence composed of arbitrary symbols. For example, APID and AUID can be the user's user name at the service side and at the intermediary, or a sequence number generated for the user by the service side and by the intermediary. As another example, AUID can be APID plus the service side's name or address.
Wherein, the communication channels between the service side and the intermediary, between the intermediary and the terminal, or between the service side and the user can be encrypted, for example as a connection established in SSL mode.
Wherein, before the described connection authentication is carried out, the user has already been authenticated once by the intermediary or the service side and has established a connection. This prior authentication can be carried out by way of a login password or by way of the described engagement arithmetic, and can prevent problems such as malicious bursts of login requests.
Wherein, when the authenticator verifies two pieces of related information of information A (or B), the computation of this verification is carried out after the described two matching computations, and verifies that the related information A (or B) of these two pieces of information is identical; and when the authenticator verifies information A and B, the computation of this verification is completed together with the latter of the described two matching computations, that is, the intermediary computes on this information A and B with the engagement arithmetic Y corresponding to the user and thereby verifies that this information B was produced by this user computing this information A with engagement arithmetic X.
Wherein, in a specific implementation the present invention can be realized through the execution steps of the SSL protocol.
Wherein, engagement arithmetics X and Y are generated together by the intermediary or by the user, and after generation the intermediary or the user passes engagement arithmetic X or Y to the corresponding party over the network or by distributing a removable peripheral. Wherein, engagement arithmetics X and Y can be generated and transmitted before the user requests access, or can be generated and transmitted after the user requests access. For example: the intermediary manufactures a computing USB flash disk that contains an encryption key, distributes it to the user, and stores the corresponding public key in its system; the user's terminal downloads engagement arithmetic X from the intermediary when the user registers at the intermediary; each time the user successfully logs in to the intermediary, the user establishes an SSL connection with the intermediary, and the master-key-based encryption and decryption algorithm that protects the SSL connection is the engagement arithmetic; and so on.
The present invention uses an engagement arithmetic shared between the user and the intermediary so that the service side authenticates the user through the intermediary; the authentication method is reliable, safe and convenient.
Description of drawings
Fig. 1a to Fig. 25c are information transmission schematic diagrams of typical cases of the schemes, among the 25 schemes enumerated in the summary of the invention above, whose scheme number matches the figure number; for example,
Fig. 1a, Fig. 1b and Fig. 1c are information transmission schematic diagrams of scheme 1) in the summary of the invention,
Fig. 25a, Fig. 25b and Fig. 25c are information transmission schematic diagrams of scheme 25) in the summary of the invention,
wherein, the drawings show only some of the information transmission modes of the corresponding scheme; in other words, the information transmission modes of the described scheme are not limited to those shown in the corresponding figures,
Fig. 26 is the system architecture diagram of one specific implementation of the present invention.
Embodiments
The present invention can adopt different implementations according to different needs; several are chosen below for illustration.
In addition, in the description of the drawings and hereinafter, the flow of a specific embodiment can be represented symbolically:
"s" - the service side, "a" - the intermediary, "u" - the user;
"," - a comma means that the steps before and after it can be executed consecutively;
";" - a semicolon means that the steps before and after it cannot be executed consecutively, and other steps must be executed between the two;
"↑A" - generate information A; "↑A&A1" - generate information A and A1;
"A → B" - compute information B from information A with engagement arithmetic; likewise "B → A";
"A → Am" - generate information Am from information A in a specific way; likewise "B → Bm", "A1 → Am", "A → An";
"XA=B" - compute information B from information A with engagement arithmetic X; likewise "XB=A", "YA=B", "YB=A";
"A → a" - send information A to the intermediary (a); likewise "Am → s", "B → u", and so on;
"A ⊙ B" - verify whether information B was produced by computing information A with engagement arithmetic;
"A ⊙ Am" - verify whether the related information A of the two pieces of information is identical; likewise "A ⊙ A", "A ⊙ A1", "B ⊙ Bm", and so on.
For example, s(↑A&A1, A1 → Am, A1 → a, A → u) means: the service side generates information A and A1, the service side generates information Am from information A1 in a specific way, the service side sends information Am to the intermediary, and the service side sends information B to the user.
As another example, a(↑A, YA=B, A → s, B → u) means: the intermediary generates information A, the intermediary computes information B from information A with engagement arithmetic Y, the intermediary sends information A to the service side, and the intermediary sends information B to the user.
As another example, u(XA=B, A → Am, B → a) means: the user computes information B from information A with engagement arithmetic X, the user generates information Am from information A in a specific way, and the user sends information B to the intermediary.
As a further example, s(A ⊙ A) means that the service side verifies whether the two pieces of information A it obtained are identical; s(A ⊙ A1) means that the service side verifies that the related information A of the information A and A1 it obtained is identical; and a(A ⊙ B) means that the intermediary verifies whether the information B it obtained was produced by computing the information A it obtained with engagement arithmetic.
Embodiment 1
Embodiment 1 is one specific implementation of connection authentication scheme 1) in the summary of the invention above (see Fig. 1a). In this embodiment, information A is a random sequence, and the engagement arithmetic is a digest encryption algorithm based on RSA and SHA: when the user registers at the intermediary, the user's terminal obtains the RSA key and SHA digest algorithm preset by the intermediary (the digest encryption algorithm formed by RSA and SHA is engagement arithmetic X), and the intermediary correspondingly holds the same RSA key and SHA digest algorithm as the user (engagement arithmetic Y is identical to X).
The concrete steps of this embodiment are: the user's terminal requests access from the service side; the service side sends this user's APID to the intermediary; the intermediary obtains this user's AUID from the service side's address and the APID; the intermediary obtains the key and digest algorithm corresponding to this user from the AUID; the intermediary generates a random sequence (information A), computes the digital digest of information A with the digest algorithm corresponding to this user, and encrypts the digest with the corresponding key to obtain information B; the intermediary sends information A and B to the service side; the service side sends information A to the user; the user's terminal likewise computes the digest encryption value (information B) of this information A (the random sequence) with its own key and SHA hash function; the user's terminal sends information B to the service side through a port; the service side can start a timer during the connection authentication process, aborting the authentication process if it has not received two pieces of information B within the time limit and otherwise continuing with the following steps; if the service side compares the two pieces of information B and they are identical, the authentication passes; after the authentication passes, the service side can allow the port of this user's terminal to access the specified service or resource (see Fig. 1a).
Fig. 1a flow: a(↑A, YA=B, A → s, B → s), s(A → u), u(XA=B, B → s), s(B ⊙ B).
Fig. 1b flow: a(↑A, YA=B, A → u, B → s), u(XA=B, B → s), s(B ⊙ B).
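The Fig. 1a flow of embodiment 1, simulated in a single process with all three parties as objects, as an added example that is not code from the patent. The patent's engagement arithmetic here is "SHA digest encrypted with a shared RSA key" with X identical to Y; since both sides hold the same secret, this example substitutes HMAC-SHA256 under a shared key as the keyed digest function (an assumption of this example, not the patent's construction). The APID/AUID values, the service address and the 5-second timer are constructed sample values, and the clock is injectable so the timer can be exercised.

```python
"""Added example: embodiment 1, Fig. 1a flow
a(↑A, YA=B, A → s, B → s), s(A → u), u(XA=B, B → s), s(B ⊙ B).
HMAC-SHA256 under a shared key stands in for the patent's RSA+SHA digest encryption."""
import hashlib
import hmac
import secrets
import time


class Intermediary:
    """Party "a": holds engagement arithmetic Y (the shared key) for each AUID."""

    def __init__(self):
        self.keys = {}       # AUID -> shared key, provisioned at registration
        self.apid_map = {}   # (service address, APID) -> AUID

    def register(self, auid: str, service_addr: str, apid: str) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[auid] = key
        self.apid_map[(service_addr, apid)] = auid
        return key           # handed to the user's terminal as engagement arithmetic X

    def start_auth(self, service_addr: str, apid: str):
        """a(↑A, YA=B): random A and B = Y(A) for the user the service named."""
        auid = self.apid_map[(service_addr, apid)]
        A = secrets.token_bytes(16)
        B = hmac.new(self.keys[auid], A, hashlib.sha256).digest()
        return A, B          # A → s, B → s


class User:
    """Party "u": engagement arithmetic X lives on the terminal."""

    def __init__(self, key: bytes):
        self.key = key

    def answer(self, A: bytes) -> bytes:
        """u(XA=B): recompute B from the A the service forwarded."""
        return hmac.new(self.key, A, hashlib.sha256).digest()


class Service:
    """Party "s": the authenticator in this scheme."""
    ADDR = "service.example"   # constructed sample address
    TIMEOUT = 5.0              # seconds; constructed sample limit

    def authenticate(self, intermediary: Intermediary, apid: str, user: User,
                     clock=time.monotonic) -> bool:
        started = clock()
        A, B_from_a = intermediary.start_auth(self.ADDR, apid)
        B_from_u = user.answer(A)                 # s(A → u), u(XA=B, B → s)
        if clock() - started > self.TIMEOUT:      # both B values must arrive in time
            return False
        return hmac.compare_digest(B_from_a, B_from_u)   # s(B ⊙ B)


def demo() -> dict:
    """A correct user, a user with the wrong key, and an expired exchange."""
    a = Intermediary()
    key = a.register("auid-42", Service.ADDR, "apid-7")
    s = Service()
    ticks = iter([0.0, 10.0])                     # fake clock: exchange takes 10 s
    return {
        "good": s.authenticate(a, "apid-7", User(key)),
        "wrong_key": s.authenticate(a, "apid-7", User(secrets.token_bytes(32))),
        "expired": s.authenticate(a, "apid-7", User(key), clock=lambda: next(ticks)),
    }
```

The comparison of the two B values uses `hmac.compare_digest` so that the service side does not leak, through timing, how many leading bytes of a forged B were correct; the timer is the one the patent describes the service side starting during the connection authentication process.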
Embodiment 2
Embodiment 2 is one specific implementation of the 2nd connection authentication scheme in the summary of the invention above (see Fig. 2a). In this embodiment, information A is an AES encryption key, the engagement arithmetic is the RSA encryption and decryption algorithm, the user has a USB peripheral manufactured and distributed by the intermediary, the user holds an RSA private key on the USB peripheral, and the service side also holds the RSA public key corresponding to the user's private key.
The concrete steps of this embodiment are: the user's terminal requests access from the service side; the service side sends the user's APID to the intermediary; the intermediary finds the user's AUID from the user's APID and the service side's identifier; the intermediary finds the RSA public key corresponding to the user with the user's AUID; the intermediary generates an AES key (information A); the intermediary encrypts the AES key with the RSA public key corresponding to the user to obtain the ciphertext (computing information A with engagement arithmetic Y yields information B); the intermediary sends the AES key and the ciphertext (information A and B) to the service side; the service side sends information B to the user's terminal; the user's terminal transfers the ciphertext (information B) to the user's USB peripheral; the user's USB peripheral decrypts the ciphertext with the RSA private key to obtain the AES key (computing information B with engagement arithmetic X yields information A); the user's USB peripheral transfers the AES key to the user's terminal; the user's terminal encrypts agreed content with this AES key (information A) to obtain information Am, where this agreed content can include the user's name, the authenticator's name, the service side's address, the requested service number, a generation time stamp, and so on; the user's terminal sends information Am to the service side through port P; the service side decrypts information Am with the AES key it received (verifying that the related information A of information A and Am is identical); if the decrypted content meets the requirements, the user's authentication passes, and the service side will allow port P of the user's terminal to access the requested service or resource.
Fig. 2a flow: a(↑A, YA=B, B → s, A → s), s(B → u), u(XB=A, A → Am, Am → s), s(A ⊙ Am).
Fig. 2b flow: a(↑A, YA=B, A → s, B → u), u(XB=A, A → s), s(A ⊙ A).
Embodiment 3
Embodiment 3 is one specific implementation of connection authentication scheme 9) in the summary of the invention above (see Fig. 9a). In this embodiment, information A is a 128-bit random sequence, the engagement arithmetic is the RSA encryption and decryption algorithm, the user has a removable IC with a USB interface distributed by the intermediary, the user's RSA private key set by the intermediary is stored on this IC, and the intermediary holds the RSA public key corresponding to this user's private key (see Fig. 26 for the system architecture).
The concrete steps of this embodiment are: the user's terminal sends an access request, user name and login password to the service side; the service side verifies that the user name and login password are correct before continuing with the following steps; the service side generates a 128-bit random sequence (information A); the service side sends information A and the user's APID to the intermediary; the intermediary obtains the user identification code AUID from the APID and the service side's name; the intermediary obtains the RSA public key corresponding to this user from the AUID and encrypts information A with it to obtain information B (engagement arithmetic Y is the RSA encryption algorithm); the intermediary sends information B and the APID to the service side; the service side delivers information B to the corresponding user's terminal according to the user's APID; the user's terminal in turn sends information B through the USB interface to the user's removable IC connected to the terminal; this removable IC decrypts information B with the user's RSA private key to obtain information A (engagement arithmetic X is the RSA decryption algorithm); the removable IC sends information A to the user's terminal; the user's terminal sends information A and the user identification code APID to the service side through a port P; the service side retrieves, from the APID, the information A (the random sequence) it generated for this user and compares it with the information A received; if they are identical, the computations carried out by the intermediary and the user match, and provided the verification is correct and the other conditions are also met, the user has passed authentication and the service side can correspondingly allow port P of the user's terminal to access the requested service or resource (see Fig. 9a).
In the above concrete steps, the described other conditions are for example: the service side can start a timer after generating information A, and authentication can pass only if the time at which the service side receives the other information A does not exceed the predetermined time range.
Fig. 9a flow: s(↑A, A → a), a(YA=B, B → s), s(B → u), u(XB=A, A → s), s(A ⊙ A).
Fig. 9b flow: s(↑A, A → a), a(YA=B, B → u), u(XB=A, A → Am, Am → s), s(A ⊙ Am).
Embodiment 4
Embodiment 4 is one specific implementation of connection authentication scheme 10) in the summary of the invention above (see Fig. 10a). In this embodiment, information A is an RSA private key, the engagement arithmetic is an ECC encryption and decryption algorithm, the user has a removable IC with a USB interface distributed by the intermediary, the user's ECC encryption key set by the intermediary is stored on this IC, and the intermediary holds the ECC public key corresponding to this user's private key.
The concrete steps of this embodiment are: the user's terminal requests access from the service side; the service side generates an RSA key pair (the private key is information A, the public key is information A1); the service side sends this RSA private key (information A) to the intermediary; the intermediary encrypts information A with the ECC public key corresponding to this user to obtain information B (engagement arithmetic Y is the ECC encryption algorithm); the intermediary sends information B to the user's terminal via the service side; the user's terminal in turn sends information B through the USB interface to the user's removable IC connected to the terminal; this removable IC decrypts information B with the ECC private key to obtain information A (engagement arithmetic X is the ECC decryption algorithm); the removable IC sends the RSA private key (information A) to the user's terminal; the user's terminal digitally signs agreed content with this RSA private key and the MD5 function, where this agreed content can include the user's name, the authenticator's name, the service side's address, the requested service number, a generation time stamp, and so on, and this agreed content together with its digital signature is information Am; the terminal sends information Am and the user's name to the service side through a port P; the service side, according to the user's name, verifies with the corresponding RSA public key (information A1) and the same MD5 function whether the digital signature of this agreed content is correct; if it is correct, this RSA public key and private key match (that is, this information A is the related information A of this information A1, in other words the related information A of information A and A1 is identical), and provided the verification is correct and the other conditions are also met, the user has passed authentication and the service side can correspondingly allow port P of the user's terminal to access the requested service or resource (see Fig. 10a).
In the above concrete steps, the described other conditions are for example: the service side can extract the generation time stamp from the agreed content, and authentication can pass only if the agreed content has not exceeded the predetermined time range; or the service side can check the format of the agreed content, and authentication can pass only if the format is correct; and so on.
In the above concrete steps, after the user passes authentication, the service side and the user can transmit encrypted information with this RSA key pair (information A and A1); for example, the two sides exchange a DES key by RSA encryption and then establish an encrypted communication connection with this DES key.
Fig. 10a flow: s(↑A&A1, A → a), a(YA=B, B → s), s(B → u), u(XB=A, A → Am, Am → s), s(A1 ⊙ Am).
In this embodiment, connection authentication scheme 13) in the summary of the invention above can also be realized at the same time: the user has engagement arithmetics X1 and X2, where X1 is a decryption algorithm and X2 is an encryption algorithm, both based on the same ECC private key; the intermediary has engagement arithmetics Y1 and Y2, where Y1 is an encryption algorithm and Y2 is a decryption algorithm, both based on the ECC public key corresponding to this user; in this way scheme 10) and scheme 13) can be implemented together (see Fig. 13a and the Fig. 13a flow below).
Fig. 13a flow: s(↑A&A1, A → u), u(XA=B, B → s), s(B → a), a(YB=A, A → Am, Am → s), s(A1 ⊙ Am).
Embodiment 5
Embodiment 5 is one specific implementation of connection authentication scheme 15) in the summary of the invention above (see Fig. 15a). In this embodiment, the engagement arithmetic is the master-key-based encryption and decryption algorithm of an SSL connection.
The concrete steps of this embodiment are: the user first logs in to the intermediary with a user name and password; if the login succeeds, the intermediary initiates an SSL connection to the user; after the SSL connection is successfully established, the user and the intermediary both hold the same master key (the encryption and decryption algorithms based on this master key are engagement arithmetics X and Y respectively); the user requests a connection from the service side; the service side generates random information (information A) and sends it to the user; the user sends information A to the intermediary over the SSL connection (where the encryption and decryption operations are the two matching computations of the engagement arithmetic); the intermediary in turn sends the received information A to the service side; the service side compares the information A it generated with the information A it received, and if they are identical the authentication passes.
Fig. 15a flow: s(↑A, A → u), u(XA=B, B → a), a(B → A, A → s), s(A ⊙ A).
Embodiment 6
Embodiment 6 is one specific implementation of connection authentication scheme 24) in the summary of the invention above (see Fig. 24a). In this embodiment, the engagement arithmetic is a digital signature algorithm composed of SHA together with RSA; the user's terminal holds the SHA and RSA private key preset by the intermediary, and the intermediary holds the same SHA as the user and the RSA public key corresponding to this user's private key.
The concrete steps of this embodiment are: the user's terminal generates information A, which is composed of a random sequence, the information generation time, the user's APID and AUID, the service side's identifier, the requested service identifier, and so on; the user's terminal computes a digital signature (information B) over information A with the SHA and RSA private key it holds; the user's terminal sends information A and B to the service side through port P; the service side sends information A and B to the intermediary; the intermediary verifies with the SHA and DSA public key corresponding to this user that information B is the digital signature of information A; if the verification result is positive and the information generation time in information A has not expired, the user's authentication passes; the authenticator notifies the service side of the authentication result, namely that the user has passed authentication, and the service side will allow port P of the user's terminal to access the requested service.
Fig. 24a flow: u(↑A, XA=B, A → s, B → s), s(A → a, B → a), a(A ⊙ B, notification → s).
Of course, the present invention can also have various other embodiments; without departing from the spirit and essence of the present invention, those skilled in the art can make various corresponding changes and variations according to the present invention, but all such corresponding changes and variations shall belong to the scope of protection of the appended claims of the present invention.
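An added example, not code from the patent, covering the two asymmetric embodiments that share one RSA key pair whose private half stays with the user and whose public half the intermediary holds: embodiment 3 (Fig. 9a: s(↑A, A → a), a(YA=B, B → s), s(B → u), u(XB=A, A → s), s(A ⊙ A)) and embodiment 6 (Fig. 24a: u(↑A, XA=B, A → s, B → s), s(A → a, B → a), a(A ⊙ B, notification → s)). To stay dependency-free it uses textbook RSA over two fixed Mersenne primes with no padding, which is enough to show the message flow and the two verifications but is not a deployable construction; a real implementation would use a library with OAEP and PSS padding. SHA-256 stands in for the patent's unspecified SHA variant, and the key parameters, identifiers and the 60-second freshness window are constructed assumptions.

```python
"""Added example: embodiments 3 and 6 over a shared toy RSA key pair.
Textbook RSA, no padding: for illustrating the flows only."""
import hashlib
import json
import secrets
import time

# Toy key pair: p = 2**127 - 1 and q = 2**521 - 1 are known Mersenne primes,
# so n (about 648 bits) comfortably holds a 128-bit A or a 256-bit digest.
P, Q = (1 << 127) - 1, (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # modular inverse (Python 3.8+)
USER_PUBLIC, USER_PRIVATE = (E, N), (D, N)


def rsa_apply(x: int, key) -> int:
    exp, mod = key
    return pow(x, exp, mod)


def int_of(b: bytes) -> int:
    return int.from_bytes(b, "big")


def bytes_of(x: int, length: int) -> bytes:
    # never truncate: a wrong key yields a large value, which must still compare unequal
    return x.to_bytes(max(length, (x.bit_length() + 7) // 8), "big")


# ---------- Embodiment 3: service challenge, relayed encrypted by the intermediary
def service_make_A() -> bytes:
    """s(↑A): 128-bit random sequence."""
    return secrets.token_bytes(16)


def intermediary_encrypt(A: bytes, user_public) -> int:
    """a(YA=B): Y is RSA encryption under the user's public key."""
    return rsa_apply(int_of(A), user_public)


def user_ic_decrypt(B: int, user_private) -> bytes:
    """u(XB=A), done on the removable IC: X is RSA decryption with the private key."""
    return bytes_of(rsa_apply(B, user_private), 16)


def service_check_challenge(A_generated: bytes, A_received: bytes) -> bool:
    """s(A ⊙ A): constant-time comparison of the two copies of A."""
    return secrets.compare_digest(A_generated, A_received)


def run_embodiment3(user_private=USER_PRIVATE) -> bool:
    A = service_make_A()                         # s(↑A, A → a)
    B = intermediary_encrypt(A, USER_PUBLIC)     # a(YA=B, B → s), s(B → u)
    A_back = user_ic_decrypt(B, user_private)    # u(XB=A, A → s)
    return service_check_challenge(A, A_back)


# ---------- Embodiment 6: user-generated A, signed, verified by the intermediary
def user_make_A(apid, auid, service_id, request_id, now) -> bytes:
    """u(↑A): random sequence, generation time, APID, AUID, service and request ids."""
    fields = {"nonce": secrets.token_hex(16), "time": int(now), "apid": apid,
              "auid": auid, "service": service_id, "request": request_id}
    return json.dumps(fields, sort_keys=True).encode()


def user_sign(A: bytes, user_private) -> int:
    """u(XA=B): X is SHA-256 followed by RSA with the private key."""
    return rsa_apply(int_of(hashlib.sha256(A).digest()), user_private)


def intermediary_verify(A: bytes, B: int, user_public, now, max_age=60) -> bool:
    """a(A ⊙ B): B must be the signature of A, and A's generation time must be fresh."""
    if rsa_apply(B, user_public) != int_of(hashlib.sha256(A).digest()):
        return False
    age = now - json.loads(A)["time"]
    return 0 <= age <= max_age


def run_embodiment6(user_private=USER_PRIVATE, clock_skew=0, tamper=False) -> bool:
    t = time.time()
    A = user_make_A("apid-7", "auid-42", "svc-1", "req-1", t)
    B = user_sign(A, user_private)               # A → s, B → s, then s(A → a, B → a)
    if tamper:                                   # a relay alters the request in transit
        A = A.replace(b'"request": "req-1"', b'"request": "req-2"')
    return intermediary_verify(A, B, USER_PUBLIC, t + clock_skew)
```

Two points the code makes that the prose leaves implicit: in embodiment 3 the service side compares its own copy of A with the returned one, so it needs no key material at all, and in embodiment 6 the freshness check on the generation time is what stops a captured (A, B) pair from being replayed later, which is why `intermediary_verify` rejects both a bad signature and a stale timestamp.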

Claims (13)

1, a kind of third party's Verification System and method based on engagement arithmetic, wherein, comprise the user side, service side and party intermediary, described three parts is connected in the Internet, the user side is in service specified or resource by energy access service side after authenticating, the service square tube is crossed party intermediary the user side is authenticated, it is characterized in that: the user side has the ignorant engagement arithmetic X of other user, party intermediary has the corresponding engagement arithmetic Y with this user side's engagement arithmetic X, engagement arithmetic X is identical or different with corresponding engagement arithmetic Y, user side's engagement arithmetic X is stored in user side's terminal or is stored in the removable peripheral hardware of user side that can be connected with user side's terminal, wherein, engagement arithmetic X and corresponding engagement arithmetic Y can finish the following calculating that is complementary for twice, when an engagement arithmetic X or Y calculate information B to information A, corresponding engagement arithmetic Y of this engagement arithmetic X or Y or X can or calculate this information A and also obtain this information B, perhaps this information B is calculated this information A, thereby perhaps this information A is calculated with this information B and verified that this information B is that this engagement arithmetic X or Y calculate this information A generation, the described calculating of carrying out with engagement arithmetic X is being carried out on user side's terminal or on the removable peripheral hardware of user side, the described calculating of carrying out with engagement arithmetic Y is carried out in party intermediary, wherein, when the user side when service side request inserts, party intermediary, service side and user side generate information A for a moment, party intermediary, service side, the user side can 
transmit and finish the described calculating that is complementary for twice to the relevant information of described information A or B, party intermediary or the meeting of service side are as authentication---by being compared or calculate, the information that obtains judges whether authentication is passed through, connect in the verification process each, can carry out the transmission of the relevant information of information A or B without party intermediary between service side and the user side, also can carry out the transmission of the relevant information of information A or B between service side and the party intermediary without the user side, whether the relevant information of described information A or B could compare or calculate two information of verifying with the relevant information of out of Memory A or B relevant information A or B is identical, connect in the verification process each, authentication can obtain the relevant information of the relevant information of two information A or two information B and verify whether the relevant information A or the B of these two information is identical, authentication can obtain an information A and an information B and verify whether this information B is to calculate this information A by engagement arithmetic X or Y to produce, only the result of checking just can be sure more than under the situation that the calculating that is complementary for described twice is all correctly finished, and only just can pass through in checking result user side's when being sure connection authentication, the user side will allow the user side to insert service specified or resource by connecting service side, authentication back.
2, third party's Verification System and method based on engagement arithmetic according to claim 1, it is characterized in that, the relevant information of described information A or information A itself, or the information (A1) that generates accordingly with information A, or calculate the information (Am, An) that produces with ad hoc fashion by information A or A1, or be used to calculate the information that produces information A, and, the relevant information of described information B or information B itself, or calculate the information (Bm, Bn) of generation with ad hoc fashion by information B.
3. The third-party authentication system and method based on an agreed algorithm according to claim 1, characterized in that the intermediary or the service side may also start a timer in each connection authentication; if the specified message is not received by the intermediary or the service side within the time limit, the intermediary or the service side aborts the authentication process and the user side's authentication fails.
4. The third-party authentication system and method based on an agreed algorithm according to claim 1, characterized in that the user side may also send a connection authentication request to the service side or the intermediary before the other steps of the connection authentication, or the first message sent by the user side in the connection authentication also contains the connection authentication request addressed to the service side or the intermediary.
5. The third-party authentication system and method based on an agreed algorithm according to claim 1, characterized in that the agreed algorithm is a key-based encryption or decryption algorithm, wherein the calculation performed on information A with agreed algorithm X or Y is an encryption operation and the calculation performed on information B with agreed algorithm X or Y is a decryption operation; agreed algorithm X contains key XKEY and agreed algorithm Y contains key YKEY; and either the agreed algorithm is a symmetric encryption/decryption algorithm, so that XKEY is identical to the corresponding YKEY, or the agreed algorithm is an asymmetric encryption/decryption algorithm, so that XKEY differs from the corresponding YKEY.
6. The third-party authentication system and method based on an agreed algorithm according to claim 5, characterized in that information A is a symmetric cryptographic key, or information A and A1 are a pair of asymmetric cryptographic keys; the two complementary calculations are encryption and decryption operations, and information A may be transmitted by means of these encryption and decryption operations during the connection authentication; if the connection authentication passes, encrypted communication is established between the user side and the intermediary, or between the user side and the service side, using information A, or information A together with A1, as the key.
7. The third-party authentication system and method based on an agreed algorithm according to claim 1, characterized in that a user side has two agreed algorithms X, namely encryption algorithm X1 and decryption algorithm X2, and the intermediary likewise has two agreed algorithms Y corresponding to each user side, namely decryption algorithm Y1 and encryption algorithm Y2, where X1 corresponds to Y1 and X2 corresponds to Y2; X1 and X2 share the common key XKEY, and Y1 and Y2 share the common key YKEY; when the agreed algorithm is a symmetric encryption/decryption algorithm, XKEY and YKEY are the same symmetric key, and when the agreed algorithm is an asymmetric encryption/decryption algorithm, XKEY and YKEY are a pair of asymmetric keys.
8. The third-party authentication system and method based on an agreed algorithm according to claim 1, characterized in that the agreed algorithm is stored on a removable peripheral device of the user side; the removable peripheral device and the user side's terminal are connected and communicate by wired or wireless means; the removable peripheral device has an IC chip; and the user side performs the calculation on information A or information B with agreed algorithm X on this removable peripheral device.
9. The third-party authentication system and method based on an agreed algorithm according to claim 1, characterized in that, when the intermediary or the service side generates information A, each information A cannot be inferred from any previous information A, or information A is generated at random; alternatively, when the user side generates information A, information A contains verification information about the time at which it was generated, and the intermediary or the service side can extract this generation-time verification information from information A to determine whether the generation time of A lies within the specified range; if the generation time of information A is outside the specified range, the intermediary or the service side aborts the authentication process and the user side's authentication fails.
10. The third-party authentication system and method based on an agreed algorithm according to claim 1, characterized in that, after the connection authentication passes, the service side may permit the connection or port from the user side's terminal to access the specified service or resource, this connection or port being the one through which the service side and the user side transmitted information related to information A or B without passing through the intermediary.
11. The third-party authentication system and method based on an agreed algorithm according to claim 1, characterized in that, before the connection authentication is performed, the user side has already passed a prior authentication by the intermediary or the service side and has established a connection.
12. The third-party authentication system and method based on an agreed algorithm according to claim 1, characterized in that the transmission of information related to information A or B among the three parties is carried out through the service side, wherein the intermediary and the user side each exchange information with the service side, and information transmission between the intermediary and the user side is also completed via the service side.
13. The third-party authentication system and method based on an agreed algorithm according to claim 1, characterized in that, when the user side requests access from the service side, the specific connection authentication scheme is one of the following:
1) The intermediary generates information A and the service side acts as the authenticator; the intermediary computes information A with the agreed algorithm Y corresponding to this user side to generate information B, and the user side likewise computes information A with agreed algorithm X to obtain information B; the service side receives either two pieces of information B, or B and Bm, or Bm and Bn, where Bm or Bn is computed by the user side or the intermediary; the service side verifies whether the related information B of the two pieces it obtains is identical; if the verification result is affirmative, authentication passes and the service side permits the user side to access the specified service or resource;
2) The intermediary generates information A and the service side acts as the authenticator; the intermediary computes information A with the agreed algorithm Y corresponding to this user side to generate information B, and the user side computes information B with agreed algorithm X to obtain information A; the service side receives either two pieces of information A, or A and Am, or Am and An, where Am or An is computed by the user side or the intermediary; the service side verifies whether the related information A of the two pieces it obtains is identical; if the verification result is affirmative, authentication passes and the service side permits the user side to access the specified service or resource;
3) The intermediary generates a pair of information A and A1 and the service side acts as the authenticator; the intermediary computes information A with the agreed algorithm Y corresponding to this user side to generate information B, and the user side computes information B with agreed algorithm X to obtain information A; the service side receives A1 and A, or A1 and Am, or A and Am, where Am is computed by the user side or the intermediary; the service side verifies whether the related information A of the two pieces it obtains is identical; if the verification result is affirmative, authentication passes and the service side permits the user side to access the specified service or resource;
4) The intermediary generates information A and acts as the authenticator; the intermediary computes information A with the agreed algorithm Y corresponding to this user side to generate information B, and the user side likewise computes information A with agreed algorithm X to obtain information B; the intermediary receives one information B or Bm, where Bm is computed by the user side or the service side; the intermediary verifies whether the information B it generated and the related information B of the received B or Bm are identical; if the verification result is affirmative, authentication passes and the intermediary notifies the service side to permit the user side to access the specified service or resource;
5) The intermediary generates information A and acts as the authenticator; the intermediary computes information A with the agreed algorithm Y corresponding to this user side to generate information B, and the user side computes information B with agreed algorithm X to obtain information A; the intermediary receives one information A or Am, where Am is computed by the user side; the intermediary verifies whether the information A it generated and the related information A of the received A or Am are identical; if the verification result is affirmative, authentication passes and the intermediary notifies the service side to permit the user side to access the specified service or resource;
6) The intermediary generates a pair of information A and A1 and acts as the authenticator; the intermediary computes information A with the agreed algorithm Y corresponding to this user side to generate information B, and the user side computes information B with agreed algorithm X to obtain information A; the intermediary receives information Am, where Am is computed by the user side or the service side; the intermediary verifies whether A1 and the related information A of the received Am are identical; if the verification result is affirmative, the intermediary notifies the service side that authentication has passed and the service side permits the user side to access the specified service or resource;
7) The intermediary generates information A and acts as the authenticator; the user side computes information A with agreed algorithm X to obtain information B; the intermediary obtains this information B, computes it with the agreed algorithm Y corresponding to this user side to obtain information A, and verifies whether the information A it generated and the information A computed from B are identical; if the verification result is affirmative, authentication passes and the intermediary notifies the service side to permit the user side to access the specified service or resource;
8) The intermediary generates information A and acts as the authenticator; the user side computes information A with agreed algorithm X to obtain information B; the intermediary obtains this information B and, using the agreed algorithm Y corresponding to this user side, computes and verifies whether the received B was produced by computing the information A it generated with agreed algorithm X; if the verification result is affirmative, authentication passes and the intermediary notifies the service side to permit the user side to access the specified service or resource;
9) The service side generates information A and acts as the authenticator; the intermediary computes information A with the agreed algorithm Y corresponding to this user side to obtain information B, and the user side computes information B with agreed algorithm X to obtain information A; the service side receives one information A or Am, where Am is computed by the user side; the service side verifies whether the information A it generated and the related information A of the received A or Am are identical; if the verification result is affirmative, authentication passes and the service side permits the user side to access the specified service or resource;
10) The service side generates a pair of information A and A1 and acts as the authenticator; the intermediary computes information A with the agreed algorithm Y corresponding to this user side to generate information B, and the user side computes information B with agreed algorithm X to obtain information A; the service side receives information Am, where Am is computed by the user side; the service side verifies whether the related information A of Am is identical to the information A it generated; if the verification result is affirmative, authentication passes and the service side permits the user side to access the specified service or resource;
11) The service side generates information A and acts as the authenticator; the intermediary computes information A with the agreed algorithm Y corresponding to this user side to obtain information B, and the user side computes information A with agreed algorithm X to obtain information B; the service side receives either two pieces of information B, or B and Bm, or Bm and Bn, where Bm or Bn is computed by the user side or the intermediary; the service side verifies whether the related information B of the two pieces it receives is identical; if the verification result is affirmative, authentication passes and the service side permits the user side to access the specified service or resource;
12) The service side generates information A and acts as the authenticator; the user side computes information A with agreed algorithm X to obtain information B, and the intermediary computes information B with the agreed algorithm Y corresponding to this user side to obtain information A; the service side receives one information A or Am, where Am is computed by the intermediary; the service side verifies whether the information A it generated and the related information A of the received A or Am are identical; if the verification result is affirmative, authentication passes and the service side permits the user side to access the specified service or resource;
13) The service side generates a pair of information A and A1 and acts as the authenticator; the user side computes information A with agreed algorithm X to generate information B, and the intermediary computes information B with the agreed algorithm Y corresponding to this user side to obtain information A; the service side receives information Am, where Am is computed by the intermediary; the service side verifies whether the related information A of A1 and of Am is identical; if the verification result is affirmative, authentication passes and the service side permits the user side to access the specified service or resource;
14) The service side generates information A and the intermediary acts as the authenticator; the intermediary computes information A with the agreed algorithm Y corresponding to this user side to generate information B, and the user side likewise computes information A with agreed algorithm X to obtain information B; the intermediary obtains two pieces of information B, or B and Bm, where Bm is computed by the user side or the service side; the intermediary verifies whether the related information B of the two pieces it obtains is identical; if the verification result is affirmative, authentication passes and the intermediary notifies the service side to permit the user side to access the specified service or resource;
15) The service side generates information A and the intermediary acts as the authenticator; the user side computes information A with agreed algorithm X to obtain information B, and the intermediary computes information B with the agreed algorithm Y corresponding to this user side to obtain information A; the intermediary obtains two pieces of information A, or A and Am, where Am is computed by the user side or the service side; the intermediary verifies whether the related information A of the two pieces it obtains is identical; if the verification result is affirmative, authentication passes and the intermediary notifies the service side to permit the user side to access the specified service or resource;
16) The service side generates information A and the intermediary acts as the authenticator; the user side computes information A with agreed algorithm X to obtain information B; the intermediary obtains information A and information B and verifies whether the obtained B was produced by computing A with agreed algorithm X; if the verification result is affirmative, authentication passes and the intermediary notifies the service side to permit the user side to access the specified service or resource;
17) The service side generates a pair of information A and A1 and the intermediary acts as the authenticator; the user side computes information A with agreed algorithm X to generate information B, and the intermediary computes information B with the agreed algorithm Y corresponding to this user side to obtain information A; the intermediary obtains A and A1, or A and Am, where Am is computed by the service side; the intermediary verifies whether the related information A of the two pieces it obtains is identical; if the verification result is affirmative, authentication passes and the intermediary notifies the service side to permit the user side to access the specified service or resource;
18) The service side generates information A and the intermediary acts as the authenticator; the intermediary computes information A with the agreed algorithm Y corresponding to this user side to obtain information B, and the user side computes information B with agreed algorithm X to obtain information A; the intermediary obtains two pieces of information A, or A and Am, where Am is computed by the user side or the service side; the intermediary verifies whether the two pieces of information A are identical, or whether the related information A of A and of Am is identical; if the verification result is affirmative, authentication passes and the intermediary notifies the service side to permit the user side to access the specified service or resource;
19) The user side generates information A and the service side acts as the authenticator; the user side computes information A with agreed algorithm X to obtain information B, and the intermediary computes information B with the agreed algorithm Y corresponding to this user side to generate information A; the service side receives either two pieces of information A, or A and Am, or Am and An, where Am or An is computed by the user side or the intermediary; the service side verifies whether the related information A of the two pieces it receives is identical; if the verification result is affirmative, authentication passes and the service side permits the user side to access the specified service or resource;
20) The user side generates a pair of information A and A1 and the service side acts as the authenticator; the user side computes information A with agreed algorithm X to obtain information B, and the intermediary computes information B with the agreed algorithm Y corresponding to this user side to generate information A; the service side receives A1 and A, or A and Am, or A1 and Am, where Am is computed by the user side or the intermediary; the service side verifies whether the related information A of the two pieces it receives is identical; if the verification result is affirmative, authentication passes and the service side permits the user side to access the specified service or resource;
21) The user side generates information A and the service side acts as the authenticator; the user side computes information A with agreed algorithm X to obtain information B, and the intermediary likewise computes information A with the agreed algorithm Y corresponding to this user side to generate information B; the service side receives either two pieces of information B, or B and Bm, or Bm and Bn, where Bm or Bn is computed by the user side or the intermediary; the service side verifies whether the related information B of the two pieces it receives is identical; if the verification result is affirmative, authentication passes and the service side permits the user side to access the specified service or resource;
22) The user side generates information A and the intermediary acts as the authenticator; the user side computes information A with agreed algorithm X to obtain information B, and the intermediary computes information B with the agreed algorithm Y corresponding to this user side to obtain information A; the intermediary obtains two pieces of information B, or B and Bm, where Bm is computed by the user side or the service side; the intermediary verifies whether the related information B of the two pieces of B, or of B and Bm, is identical; if the verification result is affirmative, authentication passes and the intermediary notifies the service side to permit the user side to access the specified service or resource;
23) The user side generates information A and the intermediary acts as the authenticator; the user side computes information A with agreed algorithm X to obtain information B, and the intermediary computes information B with the agreed algorithm Y corresponding to this user side to obtain information A; the intermediary obtains two pieces of information A, or A and Am, where Am is computed by the user side or the service side; the intermediary verifies whether the related information A of the two pieces of A, or of A and Am, is identical; if the verification result is affirmative, authentication passes and the intermediary notifies the service side to permit the user side to access the specified service or resource;
24) The user side generates information A and the intermediary acts as the authenticator; the user side computes information A with agreed algorithm X to obtain information B; the intermediary obtains this information A and B and verifies whether B was produced by computing A with agreed algorithm X; if the verification result is affirmative, authentication passes and the intermediary notifies the service side to permit the user side to access the specified service or resource;
25) The user side generates a pair of information A and A1 and the intermediary acts as the authenticator; the user side computes information A with agreed algorithm X to obtain information B, and the intermediary computes information B with the agreed algorithm Y corresponding to this user side to obtain information A; the intermediary obtains A and A1, or A and Am, where Am is computed by the user side or the service side; the intermediary verifies whether the related information A of the two pieces it receives is identical; if the verification result is affirmative, authentication passes and the service side permits the user side to access the specified service or resource.
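As an added worked example (not code from the patent or its applicant), the following Python script simulates two of the schemes of claim 13 with a constructed symmetric agreed algorithm: scheme 7, where the intermediary generates A and authenticates by recovering A from the user's B with Y, and scheme 24, where the user generates a timestamped A (claim 9) and the intermediary checks both that B derives from A and that A is fresh. The toy cipher (XOR with a SHA-256 keystream), the party classes, the key table and every sample value are assumptions of this example and stand in for whatever real encryption algorithm and message transport a deployment would use.

```python
import hashlib
import hmac
import os
import struct
import time

NONCE_LEN = 16


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Constructed toy cipher: XOR with a SHA-256(key || nonce || counter) keystream.
    # XOR is its own inverse, so the same routine encrypts and decrypts.
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + nonce + struct.pack(">I", ctr)).digest()
        out.extend(x ^ k for x, k in zip(data[start:start + 32], block))
    return bytes(out)


def encrypt(key: bytes, a: bytes) -> bytes:
    """Encrypting agreed algorithm (X1 / Y2 in claim 7): information A -> B."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, a)


def decrypt(key: bytes, b: bytes) -> bytes:
    """Decrypting agreed algorithm (X2 / Y1 in claim 7): information B -> A."""
    return _keystream_xor(key, b[:NONCE_LEN], b[NONCE_LEN:])


class UserSide:
    """Holds XKEY; in claim 8 this computation would run on a removable IC device."""

    def __init__(self, user_id: str, xkey: bytes):
        self.user_id, self.xkey = user_id, xkey

    def compute_b(self, a: bytes) -> bytes:
        return encrypt(self.xkey, a)

    def generate_a(self, now=None) -> bytes:
        # Claim 9, user-generated A: prefix the generation time so the verifier can check freshness.
        now = int(time.time()) if now is None else now
        return struct.pack(">Q", now) + os.urandom(16)


class Intermediary:
    """Holds one YKEY per registered user (symmetric case of claim 5: YKEY == XKEY)."""

    def __init__(self, ykeys: dict, max_age_s: int = 60):
        self.ykeys, self.max_age_s = ykeys, max_age_s

    def generate_a(self) -> bytes:
        return os.urandom(16)  # claim 9: random, not inferable from any earlier A

    def verify_scheme7(self, user_id: str, a: bytes, b: bytes) -> bool:
        # Scheme 7: recover A from the user's B with Y and compare with the A we generated.
        if user_id not in self.ykeys:
            return False
        return hmac.compare_digest(decrypt(self.ykeys[user_id], b), a)

    def verify_scheme24(self, user_id: str, a: bytes, b: bytes, now=None) -> bool:
        # Scheme 24: the user sent both A and B; check that B derives from A under this
        # user's key and (claim 9) that A's embedded generation time is inside the window.
        if user_id not in self.ykeys or len(a) < 8:
            return False
        gen_time = struct.unpack(">Q", a[:8])[0]
        now = int(time.time()) if now is None else now
        if abs(now - gen_time) > self.max_age_s:
            return False  # stale or future-dated A: abort, authentication fails
        return hmac.compare_digest(decrypt(self.ykeys[user_id], b), a)


class ServiceSide:
    """Relays the messages (claim 12) and grants access only on the intermediary's verdict."""

    def __init__(self, intermediary: Intermediary):
        self.intermediary = intermediary

    def connection_auth_scheme7(self, user: UserSide) -> bool:
        a = self.intermediary.generate_a()  # intermediary generates A
        b = user.compute_b(a)               # user: B = X(A), relayed through the service
        return self.intermediary.verify_scheme7(user.user_id, a, b)


def demo() -> dict:
    """Constructed run: a legitimate user, a wrong XKEY, a replayed B, an unknown user, a stale A."""
    key = os.urandom(32)
    alice = UserSide("alice", key)
    impostor = UserSide("alice", os.urandom(32))  # claims to be alice but lacks XKEY
    inter = Intermediary({"alice": key})
    svc = ServiceSide(inter)
    old_a = inter.generate_a()
    old_b = alice.compute_b(old_a)
    fresh_a = alice.generate_a()
    stale_a = alice.generate_a(now=int(time.time()) - 3600)
    return {
        "scheme7_ok": svc.connection_auth_scheme7(alice),
        "scheme7_wrong_key": svc.connection_auth_scheme7(impostor),
        "scheme7_replayed_b": inter.verify_scheme7("alice", inter.generate_a(), old_b),
        "scheme7_unknown_user": inter.verify_scheme7("bob", old_a, old_b),
        "scheme24_ok": inter.verify_scheme24("alice", fresh_a, alice.compute_b(fresh_a)),
        "scheme24_stale_a": inter.verify_scheme24("alice", stale_a, alice.compute_b(stale_a)),
    }
```

Because each B carries a fresh nonce, the service-as-authenticator schemes that compare two independently computed B values (1, 11, 14, 21) would need a deterministic agreed algorithm instead; the schemes shown compare recovered A values, which this construction supports.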
CNA2008101147065A 2008-01-10 2008-06-11 Authentication system and method of a third party based on engagement arithmetic Pending CN101286849A (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CNA2008101147065A CN101286849A (en) 2008-06-11 2008-06-11 Authentication system and method of a third party based on engagement arithmetic
PCT/CN2008/073863 WO2009089764A1 (en) 2008-01-10 2008-12-30 A system and method of secure network authentication
CN2008801244913A CN101978650B (en) 2008-01-10 2008-12-30 A system and method of secure network authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2008101147065A CN101286849A (en) 2008-06-11 2008-06-11 Authentication system and method of a third party based on engagement arithmetic

Publications (1)

Publication Number Publication Date
CN101286849A true CN101286849A (en) 2008-10-15

Family

ID=40058832

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2008101147065A Pending CN101286849A (en) 2008-01-10 2008-06-11 Authentication system and method of a third party based on engagement arithmetic

Country Status (1)

Country Link
CN (1) CN101286849A (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009089764A1 (en) * 2008-01-10 2009-07-23 Shaohua Ren A system and method of secure network authentication
WO2010083710A1 (en) * 2009-01-24 2010-07-29 中国广东省深圳市 Network management system and network equipment management method based on non-standard interface
CN101882263A (en) * 2010-06-13 2010-11-10 中国人民解放军国防科学技术大学 Demonstration and verification integrated system based on algorithm synthesis integration
CN102420798A (en) * 2010-09-27 2012-04-18 任少华 Network authentication system and method thereof
CN103024599A (en) * 2011-09-20 2013-04-03 中国联合网络通信集团有限公司 Communication method, communication device and communication system for set top box
CN103546292A (en) * 2013-10-08 2014-01-29 任少华 Third-party certification system or method with multiple identification codes
CN103546461A (en) * 2013-10-08 2014-01-29 任少华 Third-party based authentication system or method
WO2014180352A1 (en) * 2013-05-10 2014-11-13 华为终端有限公司 Method, device, and system for configuring wireless device
CN104809365A (en) * 2014-01-27 2015-07-29 宇瞻科技股份有限公司 Digital right management system, management method and information transfer system and method thereof
CN104820793A (en) * 2015-04-24 2015-08-05 德可半导体(昆山)有限公司 Security-enhanced intelligent wearing tracing device and tracing method
CN105049401A (en) * 2015-03-19 2015-11-11 浙江大学 Secure communication method based on intelligent vehicle
CN107046467A (en) * 2017-05-22 2017-08-15 广东工业大学 A kind of tripartite's verification method and system based on read write line, label and database
CN109347813A (en) * 2018-09-27 2019-02-15 广州邦讯信息系统有限公司 Internet of things equipment login method, system, computer equipment and storage medium
CN109558485A (en) * 2018-10-25 2019-04-02 安徽创见未来教育科技有限公司 A kind of study big data search management method
CN114662073A (en) * 2022-05-23 2022-06-24 深圳市中科创激光技术有限公司 Verification method and device for LED system, computer equipment and medium



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20081015