CN102202040B - Client authentication method and device - Google Patents

Publication number: CN102202040B (other version: CN102202040A)
Authority: CN (China)
Application number: CN201010135348.3A
Original language: Chinese (zh)
Inventors: 郭轶尊, 刘春梅
Assignee (original and current): Lenovo Beijing Ltd
Legal status: Active (granted)
Prior art keywords: authentication, client, password, result, authentication module
Abstract

The invention discloses a client authentication method and a client authentication device. Authentication of a client is completed by performing verification twice, so that user identity verification cannot be bypassed by attacks such as SQL injection; moreover, the verification password exists only inside the verification module, so the possibility of its being guessed or sniffed from a copy stored in the user table is avoided.

Description

Method and device for authenticating a client
Technical field
The present invention relates to the field of information security technology, and in particular to a method and device for authenticating a client.
Background technology
Web page tampering has severely damaged the interests of government and enterprise users. Tampering that carries political or pornographic content in particular can seriously harm the image of a government and cause immeasurable losses to an enterprise. Because information spreads quickly over the network, once a website has been tampered with, the impact on users within a short time is hard to undo.
Web pages are divided into static pages and dynamic pages. A static page presents the same content to every user who browses it, whereas a dynamic page presents different content depending on the user and the user's input, and the content of a dynamic page comes from the back-end web database. With the rise of technologies such as CGI, PHP, ASP and JSP, dynamic pages such as news sites, forums, BBS and e-commerce sites have multiplied, and dynamic pages have progressively replaced static ones.
Tampering with dynamic pages is mainly done by attackers using attack means such as SQL injection: exploiting vulnerabilities of the database server, they illegally escalate the privileges with which the database is operated, and thereby steal information from the database or modify its content.
To guard against SQL attacks, database management systems (DBMS) provide user identification and authentication of database access privileges:
Identification means that only a user who has been authorized and verified by the database is a legitimate user. Current identification methods comprise two kinds:
1) authentication provided by the DBMS: the user submits the correct user name and password, and the DBMS performs the verification that grants access to the database;
2) authentication provided by the operating system: the user submits the correct user name and password, and the OS performs the verification that grants access to the database.
When a user connects to the database system, one or both of the above modes can be used to authenticate the client connection, so as to safeguard the database system.
The database access privilege refers to the range of database operations a user may perform. The DBMS controls a user's operating privileges through a user authority list, which specifies for each user the database names, table names, field names, access privileges and administrative privileges that the user may access.
In essence, a SQL attack cleverly constructs SQL statements that mix SQL instructions into data, achieving a deception attack, or repeatedly sniffs and guesses in order to gain access, thereby operating on database data illegally. The harm done by SQL attacks includes discovering the database structure, obtaining the administrator's password, changing user privileges, creating new users, taking control of the operating system and destroying data on disk.
It can be seen that the above user identification methods and database access control methods cannot effectively prevent the bypass and sniffing attacks made possible by SQL injection.
Summary of the invention
Embodiments of the present invention provide, on the one hand, a method and device for authenticating the identity of a client and, on the other hand, a method and device for authenticating the access privileges of a client, so as to effectively prevent the bypass and sniffing attacks of SQL injection.
An embodiment of the present invention provides a method for authenticating the identity of a client, comprising:
a first authentication module receives, from a client, a verification request comprising a first user name and a first authentication password;
the first authentication module performs a first verification of the first user name and the first authentication password, obtaining a first verification result;
when the first verification result indicates that the first verification passed, the first authentication module receives a second authentication password from the client;
the first authentication module sends the first user name and the second authentication password to a second authentication module;
the first authentication module receives a second verification result from the second authentication module, the second verification result being obtained after the second authentication module performs a second verification of the first user name and the second authentication password;
the first authentication module sends the second verification result to the client.
The step in which the first authentication module performs the first verification of the first user name and the first authentication password comprises:
after receiving a login request, the first authentication module generates a random number and sends it to the client;
the client encrypts the random number with its own public key pk1, generating an encrypted random number, and sends the encrypted random number and the first authentication password to the first authentication module;
the first authentication module uses the first authentication password to obtain the client's private key, decrypts the encrypted random number with that private key, and obtains the decrypted random number;
the first authentication module compares the generated random number with the decrypted random number; if they are identical, the first verification passes.
The step in which the first authentication module sends the received first user name and second authentication password to the second authentication module comprises:
the client encrypts the second authentication password with its own public key, generating an encrypted second authentication password, and sends the first user name and the encrypted second authentication password to the first authentication module;
the first authentication module signs the encrypted second authentication password pw' with a first platform key, generating a signed second authentication password, and sends the first user name, the encrypted second authentication password and the signed second authentication password to the second authentication module.
The step of performing the second verification of the second authentication password comprises:
the second authentication module verifies the signed second authentication password using the first platform certificate; if the signature is verified, it decrypts the encrypted second authentication password with the client's private key obtained from the first authentication module, obtaining the client's first user name and second authentication password;
the second authentication module requests from the database system the encrypted third authentication password corresponding to the first user name;
the database system looks up the locally recorded encrypted third authentication password corresponding to the first user name and sends it to the second authentication module;
the second authentication module decrypts the encrypted third authentication password with the client's symmetric key, obtaining the third authentication password;
it judges whether the second authentication password is identical to the third authentication password; if so, it generates an authentication result of "passed", otherwise an authentication result of "failed".
The step in which the first authentication module receives the second verification result from the second authentication module and sends it to the client comprises:
the second authentication module signs the authentication result with a second platform key, obtaining a signed authentication result, and sends the signed authentication result to the first authentication module;
after receiving the signed authentication result, the first authentication module verifies it using the certificate of the second platform key and, once it is verified, sends the authentication result to the client.
The first authentication module and the second authentication module are located on the same physical entity or on different physical entities.
An embodiment of the present invention also provides a device for authenticating the identity of a client, comprising a first authentication module, where the first authentication module comprises:
a verification request receiving module, for receiving from a client a verification request comprising a first user name and a first authentication password;
a first verification module, for performing a first verification of the first user name and the first authentication password and obtaining a first verification result;
a second authentication password receiving module, for receiving a second authentication password from the client when the first verification result indicates that the first verification passed;
a sending module, for sending the first user name and the second authentication password to a second authentication module;
a verification result sending module, for receiving a second verification result from the second authentication module and sending it to the client, where the second verification result is the result obtained after the second authentication module performs a second verification of the first user name and the second authentication password.
The first verification module comprises:
a random number generating submodule, for generating a random number after the first authentication module receives a login request and sending the random number to the client;
a random number receiving submodule, for receiving from the client the encrypted random number and the first authentication password, where the encrypted random number is generated by the client encrypting the random number with its own public key;
a decryption submodule, for using the first authentication password to obtain the client's private key and decrypting the encrypted random number r' with that private key to obtain the decrypted random number;
a judging submodule, for comparing the generated random number with the decrypted random number; if they are identical, the first verification passes.
The sending module comprises:
a second authentication password receiving submodule, for receiving the encrypted second authentication password, where the encrypted second authentication password is generated by the client encrypting the second authentication password with its own public key;
a signing submodule, for signing the encrypted second authentication password with the first platform key, generating a signed second authentication password, and sending the first user name, the encrypted second authentication password and the signed second authentication password to the second authentication module.
The verification result sending module comprises:
a second verification result receiving submodule, for receiving the signed authentication result, where the signed authentication result is obtained after the second authentication module signs the authentication result with the second platform key;
a second verification result sending submodule, for verifying the signed authentication result using the certificate of the second platform key after receiving it, and sending the authentication result to the client once it is verified.
An embodiment of the present invention also provides a method for authenticating the access privileges of a client, comprising setting up an authorization list, where the authorization list comprises the correspondence between user information, an encrypted authorization letter and the grantor's signature; the method further comprises:
receiving a database system operation request from a client and obtaining the client's user information from the request;
if the obtained user information matches user information recorded in the local authorization list, obtaining the grantor's signature according to the correspondence and verifying the grantor's signature;
if the signature is verified, obtaining the encrypted authorization letter according to the correspondence and decrypting it to obtain the authorization letter;
judging whether the privilege corresponding to the operation request lies within the scope of privileges defined by the authorization letter; if so, access privilege authentication passes.
The grantor's signature is verified using the public key of the database administrator (DBA).
After the signature is verified, the client's private key is loaded, and the encrypted authorization letter is decrypted with the client's private key.
Before the client's private key is loaded after the signature is verified, the method further comprises:
verifying the private key password from the client and, if it is verified, loading the client's private key.
The client information comprises a user name and a host name.
An embodiment of the present invention also provides a device for authenticating the access privileges of a client, comprising:
a setting unit, for setting up an authorization list comprising the correspondence between user information, an encrypted authorization letter and the grantor's signature;
a client information acquiring unit, for receiving a database system operation request from a client and obtaining the client's user information from the request;
a verification unit, for obtaining the grantor's signature according to the correspondence and verifying it if the obtained user information matches user information recorded in the local authorization list;
a decryption unit, for obtaining the encrypted authorization letter according to the correspondence if the signature is verified, and decrypting it to obtain the authorization letter;
a privilege judging unit, for judging whether the privilege corresponding to the operation request lies within the scope of privileges defined by the authorization letter, and passing access privilege authentication if so.
The grantor's signature is verified using the DBA's public key.
The device further comprises a loading unit, for loading the client's private key after the signature is verified and decrypting the encrypted authorization letter with the client's private key.
The device further comprises a client private key verification unit, for verifying the private key password from the client before the client's private key is loaded after the signature is verified, and loading the client's private key if the password is verified.
The client information comprises a user name and a host name.
It can be seen that applying the method and device for authenticating the identity of a client provided by the embodiments of the present invention avoids the possibility of user identity verification being bypassed by attacks such as SQL injection; moreover, because the authentication password appears only in the authentication module (TCM), the possibility of its being guessed or sniffed as a result of being stored in the User table is avoided.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the method for authenticating the identity of a client according to embodiment one of the present invention;
Fig. 2 is a flow chart of the first verification according to embodiment one of the present invention;
Fig. 3 is a flow chart of the second verification according to embodiment one of the present invention;
Fig. 4 is a flow chart of the method for authenticating the identity of a client according to embodiment two of the present invention;
Fig. 5 is a schematic structural diagram of the device for authenticating the identity of a client according to embodiment one of the present invention;
Fig. 6 is a flow chart of the method for authenticating the access privileges of a client according to embodiment three of the present invention;
Fig. 7 is a flow chart of authorizing a client according to an embodiment of the present invention;
Fig. 8 is a flow chart of verifying the access privileges of a client according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of the device for authenticating the access privileges of a client according to embodiment three of the present invention.
Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
After a comprehensive analysis of the causes of dynamic web page tampering and of SQL injection attacks on web databases, the embodiments of the present invention address the authentication process during database user login, the part of a web database most easily attacked, and propose a method for authenticating the identity of a client based on a two-stage authentication mechanism, so that the client connected to the web database is trustworthy.
Referring to Fig. 1, a flow chart of the method for authenticating the identity of a client according to embodiment one of the present invention, the present embodiment comprises:
Step 101: the first authentication module receives from the client a verification request comprising the first user name and the first authentication password skpw;
Step 102: the first authentication module performs a first verification of the first user name and the first authentication password skpw, obtaining a first verification result;
Step 103: when the first verification result indicates that the first verification passed, the first authentication module receives the second authentication password from the client;
Step 104: the first authentication module sends the first user name and the second authentication password pw to the second authentication module;
Step 105: the first authentication module receives the second verification result from the second authentication module, the second verification result being obtained after the second authentication module performs a second verification of the first user name and the second authentication password pw;
Step 106: the first authentication module sends the second verification result to the client.
It should be noted that the first authentication module and the second authentication module may be on the same physical entity or on different physical entities; for example, the first authentication module is located on the web server and the second authentication module on the database server.
Applying the method for authenticating the identity of a client provided by the embodiment of the present invention avoids the possibility of user identity verification being bypassed by attacks such as SQL injection; moreover, because the authentication password appears only in the authentication module, the possibility of its being guessed or sniffed as a result of being stored in the User table is avoided; in addition, phishing is prevented, and a network trust chain from the client to the web end is established.
Each step in Fig. 1 is elaborated below with a concrete example.
The application environment of the concrete example is as follows: client A, which is to log in, undergoes two verifications, by the web server and by the database server, so as to prevent the bypass and sniffing attacks of SQL injection. Based on this application example, the specific implementation process is as follows.
First, client A registers.
Specifically, suppose client A needs to register a server account and therefore needs to set a user name, a login password (pw) and a user key password (skpw). After receiving client A's registration request, the server end creates client A's keys in a first trusted platform module (TCM1) and a second trusted platform module (TCM2). The server end comprises two servers, a page server (Web Server) and a database server (DB Server); TCM1 is located on the page server and TCM2 on the database server. The database server encrypts the login password pw set by the client with client A's key and stores the result in the user (User) table, then returns client A's public key held in TCM1 to client A, where it is stored in the operating system (OS) key pool of the client. Client A's private key in TCM1 is migrated into TCM2.
It should be noted that TCM1 and TCM2 above correspond respectively to the first and second authentication modules of the embodiment in Fig. 1; the user key password skpw corresponds to the first authentication password, and the login password pw to the second authentication password, of that embodiment. That is, in this concrete example TCM1 and TCM2 are one specific implementation of the first and second authentication modules; in practice any other trusted platform or module may also serve as a specific implementation of the first and second authentication modules, and the embodiments of the present invention do not limit which trusted platform or module the first and second authentication modules adopt.
Second, client A undergoes the first verification.
This first verification is steps 101 to 102 of the embodiment in Fig. 1, and its specific implementation is shown in Fig. 2.
Referring to Fig. 2, a flow chart of the first verification according to embodiment one of the present invention, it comprises:
Step 201: client A receives the first user name (username) and the user key password skpw entered by the user and initiates a login request to TCM1;
Step 202: after receiving the login request, TCM1 generates a random number r and sends r to client A;
Step 203: client A encrypts the random number r with its own public key pk1, generating the encrypted random number r', and sends r' and the user key password skpw to TCM1;
Step 204: TCM1 uses the user key password skpw to obtain the client's private key SK1, decrypts the encrypted random number r' with SK1, and obtains the decrypted random number r''; TCM1 compares the generated random number r with the decrypted random number r''; if they are identical, the first verification passes; if they differ, TCM1 returns a first-verification-failed message to client A.
At this point the first verification is complete. Passing the first verification shows that TCM1 in the web server has confirmed the client A that is logging in; client A, at the same time; thus trust has been established among client A, the web server, the web application and TCM1.
Third, client A undergoes the second verification.
This second verification is steps 103 to 106 of the embodiment in Fig. 1, and its specific implementation is shown in Fig. 3.
Referring to Fig. 3, a flow chart of the second verification according to embodiment one of the present invention, it comprises:
Step 301: client A receives the first user name (username) and the login password pw entered by the user;
Here the user may also be allowed to enter only the login password pw, with client A taking the first user name from its own saved records, so that the user need not enter the first user name again.
Step 302: client A encrypts the login password pw with its own public key pk1, generating the encrypted login password pw', and sends the first user name and pw' to TCM1;
Step 303: TCM1 signs the encrypted login password pw' with the first platform key PEK1, generating the signed login password pw'', and sends the first user name, the encrypted login password pw' and the signed login password pw'' to TCM2;
Steps 302 to 303 above are one specific implementation of step 104 in Fig. 1, in which the first authentication module sends the received first user name and login password pw to the second authentication module.
Step 304: TCM2 verifies the signed login password pw'' using the first platform certificate; if the signature is verified, TCM2 decrypts the encrypted login password pw' with client A's private key obtained from TCM1, obtaining client A's first user name and login password pw.
Step 305: TCM2 requests from the database system, for example from the user table in the database, the encrypted third authentication password c' corresponding to the first user name; the database system looks up the locally recorded encrypted third authentication password c' corresponding to the first user name and sends c' to TCM2; here the encrypted third authentication password c' was generated by the second authentication module encrypting the third authentication password c with the client's symmetric key;
Step 306: TCM2 decrypts the encrypted third authentication password c' with client A's symmetric key, obtaining the third authentication password c; TCM2 then judges whether the login password pw is identical to the third authentication password c, generating an authentication result of "passed" if so and "failed" otherwise.
At this point the second verification of client A is complete.
Step 307: TCM2 signs the authentication result (result) with the second platform key PEK2, obtaining the signed authentication result result', and sends result' to TCM1;
Step 308: TCM1 verifies the signed authentication result result' using the certificate of the second platform key PEK2 and, once it is verified, sends the authentication result to client A.
At this point TCM2 has notified client A of the authentication result via TCM1.
It should be noted that the first platform above is the platform on which TCM1 resides, and the second platform is the platform on which TCM2 resides.
It should also be noted that the first verification above may be called level I authentication, in which TCM1 performs level I authentication of the user key password skpw; and the second verification may be called level II authentication, in which TCM2 performs level II authentication of the login password pw.
It can be seen that the two mandatory authentications (also called level II authentication) avoid the possibility of user identity verification being bypassed by attacks such as SQL injection; moreover, because the authentication password appears only in the TCM, the possibility of its being guessed or sniffed as a result of being stored in the User table is avoided; in addition, phishing is prevented, and a network trust chain from client A to the web end is established.
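As an added illustration that is not part of the patent, the following Python model walks through steps 201 to 204 and 301 to 308 between client A, TCM1 and TCM2. Textbook RSA on fixed Mersenne primes and a hash-based XOR keystream stand in for the TCM's cryptographic primitives; the names TCM1, TCM2, PEK1, PEK2, pk1, skpw, pw and c' are the page's, while the class layout, the wrapping of SK1 under skpw, the sample user and the scenario outcomes are assumptions of this example.

```python
"""Constructed toy model of the TCM1/TCM2 two-stage client authentication above. Textbook RSA on
fixed Mersenne primes and a SHA-256 XOR keystream stand in for the TCM primitives and are NOT
secure; the point is the message flow and what each party holds (client A, TCM1 on the web
server, TCM2 plus the User table on the database server)."""
import hashlib
import secrets

E = 65537

def rsa_keypair(k1, k2):
    """(pub, priv) over n = (2^k1-1)(2^k2-1); for every k used here 65537 is coprime to phi."""
    p, q = 2**k1 - 1, 2**k2 - 1
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def rsa_encrypt(pub, m): return pow(m, pub[1], pub[0])
def rsa_decrypt(priv, c): return pow(c, priv[1], priv[0])
def b_from_i(x): return x.to_bytes((x.bit_length() + 7) // 8, "big")
def h_int(data, n): return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data): return pow(h_int(data, priv[0]), priv[1], priv[0])          # platform key PEK
def verify(pub, data, sig): return pow(sig, pub[1], pub[0]) == h_int(data, pub[0])  # PEK certificate

def sym_xor(key, data):
    """Toy symmetric cipher (encrypt == decrypt): XOR with a SHA-256(key || counter) keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

class TCM2:
    """DB-server TCM: client private keys (migrated from TCM1), client symmetric keys, PEK2."""
    def __init__(self):
        self.user_table = {}                                 # the DB's User table: holds only c'
        self.pek1_pub = None                                 # PEK1 certificate, set at setup
        self.pek2_pub, self.pek2_priv = rsa_keypair(521, 607)
        self.client_priv, self.client_sym = {}, {}
    def register(self, username, pw, priv):
        sym = secrets.token_bytes(32)
        self.client_priv[username], self.client_sym[username] = priv, sym
        self.user_table[username] = sym_xor(sym, pw.encode())   # c' = Enc_sym(pw); pw itself never stored
    def second_verification(self, username, pw_enc, pw_sig):
        # Step 304: the forwarded pw' must carry a valid signature under PEK1
        if not verify(self.pek1_pub, username.encode() + b_from_i(pw_enc), pw_sig):
            result = b"FAIL:bad signature"
        else:
            pw = b_from_i(rsa_decrypt(self.client_priv[username], pw_enc))
            # Steps 305-306: fetch c' from the User table, decrypt with the client's symmetric key
            c = sym_xor(self.client_sym[username], self.user_table[username])
            result = b"PASS" if secrets.compare_digest(pw, c) else b"FAIL:wrong password"
        return result, sign(self.pek2_priv, result)          # Step 307: result signed with PEK2

class TCM1:
    """Web-server TCM: client private keys wrapped under skpw, PEK1, PEK2 certificate."""
    def __init__(self, tcm2):
        self.tcm2 = tcm2
        self.pek1_pub, self.pek1_priv = rsa_keypair(107, 127)
        self.client_pub, self.wrapped_priv, self.challenge = {}, {}, {}
    def _kek(self, skpw, salt):                  # key-encryption key derived from skpw (toy iteration count)
        return hashlib.pbkdf2_hmac("sha256", skpw.encode(), salt, 10_000)
    def register(self, username, pw, skpw):
        pub, priv = rsa_keypair(61, 89)          # one fixed toy pair; a real TCM makes a fresh pair per client
        salt = secrets.token_bytes(16)
        self.client_pub[username] = pub
        self.wrapped_priv[username] = (salt, sym_xor(self._kek(skpw, salt), b_from_i(priv[1])))
        self.tcm2.register(username, pw, priv)   # private key migrated into TCM2
        return pub                               # pk1 is returned to client A's OS key pool
    def login_request(self, username):           # Step 202: fresh challenge r
        self.challenge[username] = secrets.randbelow(self.client_pub[username][0])
        return self.challenge[username]
    def first_verification(self, username, r_enc, skpw):   # Step 204: skpw unlocks SK1
        salt, wrapped = self.wrapped_priv[username]
        sk1 = (self.client_pub[username][0], int.from_bytes(sym_xor(self._kek(skpw, salt), wrapped), "big"))
        return rsa_decrypt(sk1, r_enc) == self.challenge.pop(username, None)
    def forward_second_password(self, username, pw_enc):   # Steps 303 and 308
        sig = sign(self.pek1_priv, username.encode() + b_from_i(pw_enc))
        result, result_sig = self.tcm2.second_verification(username, pw_enc, sig)
        return result if verify(self.tcm2.pek2_pub, result, result_sig) else b"FAIL:bad result signature"

class ClientA:
    def __init__(self, tcm1, username, pw, skpw):
        self.tcm1, self.username, self.pw, self.skpw = tcm1, username, pw, skpw
        self.pk1 = tcm1.register(username, pw, skpw)
    def login(self, pw=None, skpw=None):
        pw, skpw = pw or self.pw, skpw or self.skpw
        r_enc = rsa_encrypt(self.pk1, self.tcm1.login_request(self.username))   # Stage I, step 203
        if not self.tcm1.first_verification(self.username, r_enc, skpw):
            return b"FAIL:first verification"
        pw_enc = rsa_encrypt(self.pk1, int.from_bytes(pw.encode(), "big"))    # Stage II, step 302
        return self.tcm1.forward_second_password(self.username, pw_enc)

def run_scenarios():
    """Correct login, wrong pw, wrong skpw, pw' altered between TCM1 and TCM2, and a dumped User table."""
    tcm2 = TCM2(); tcm1 = TCM1(tcm2); tcm2.pek1_pub = tcm1.pek1_pub      # platforms exchange certificates
    a = ClientA(tcm1, "alice", "correct-horse", "key-pw-42")             # pw <= 18 bytes for the toy key
    pw_enc = rsa_encrypt(a.pk1, int.from_bytes(b"correct-horse", "big"))
    altered = tcm2.second_verification("alice", pw_enc + 1, sign(tcm1.pek1_priv, b"alice" + b_from_i(pw_enc)))[0]
    return {"ok": a.login(), "wrong_pw": a.login(pw="battery"), "wrong_skpw": a.login(skpw="nope"),
            "altered_pw_enc": altered, "table_has_plaintext": b"correct-horse" in tcm2.user_table["alice"]}
```

A wrong skpw never reaches TCM2, a wrong pw is rejected inside TCM2, a pw' altered in transit fails the PEK1 signature check, and the User table entry is c', not pw.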
Referring to Fig. 4, which is a flowchart of the method for authenticating client identity according to embodiment two of the present invention, the method specifically comprises:
Step 401, after the first verification passes, the second authentication module receives the first user name and the second authentication password from the first authentication module; wherein the first verification is the verification performed by the first authentication module on the first user name and the first authentication password from the client;
Step 402, the second authentication module performs a second verification on the first user name and the second authentication password pw, obtains a second verification result, and notifies the second verification result to the client via the first authentication module.
It should be noted that the process of the first verification is the same as described for Fig. 2, and the process of the second verification is the same as described for Fig. 3; they are not described in detail here.
An embodiment of the present invention also provides a device for authenticating client identity. Referring to Fig. 5, it specifically comprises a first authentication module, wherein the first authentication module specifically comprises:
A verification request receiving module 501, for receiving from the client a verification request comprising the first user name and the first authentication password skpw;
A first verification module 502, for performing a first verification on the first user name and the first authentication password skpw to obtain a first verification result;
A second authentication password receiving module 503, for receiving the second authentication password from the client when the first verification result indicates that the first verification passed;
A sending module 504, for sending the first user name and the second authentication password pw to the second authentication module;
A verification result sending module 505, for receiving the second verification result from the second authentication module and sending the second verification result to the client; wherein the second verification result is obtained after the second authentication module performs a second verification on the first user name and the second authentication password pw.
The first verification module 502 may specifically comprise:
A random number generating submodule, for generating a random number r after the first authentication module receives a login request, and sending the random number r to the client;
A random number receiving submodule, for receiving the encrypted random number r' and the first authentication password skpw from the client, wherein the encrypted random number r' is generated by the client encrypting the random number r with its own public key pk1;
A decryption submodule, for using the first authentication password skpw to obtain the private key SK1 of the client, and applying SK1 to decrypt the encrypted random number r', obtaining the decrypted random number r'';
A judging submodule, for comparing whether the generated random number r and the decrypted random number r'' are identical; if identical, the first verification passes.
The sending module 504 may specifically comprise:
A second authentication password receiving submodule, for receiving the encrypted second authentication password pw', wherein the encrypted second authentication password pw' is generated by the client encrypting the second authentication password pw with its own public key pk1;
A signature submodule, for signing the encrypted second authentication password pw' with the first platform key PEK1 to generate the signed second authentication password pw'', and sending the first user name, the encrypted second authentication password pw' and the signed second authentication password pw'' to the second authentication module.
The verification result sending module 505 may specifically comprise:
A second verification result receiving submodule, for receiving the signed authentication result result', wherein the signed authentication result result' is obtained by the second authentication module signing the authentication result result with the second platform key PEK2;
A second verification result sending submodule, for, after receiving the signed authentication result result', using the certificate of the second platform key PEK2 to verify the signed authentication result result', and after the verification passes, sending the authentication result result to the client.
The device for authenticating client identity provided by the embodiment of the present invention thus avoids the possibility of bypassing user identity verification through attacks such as SQL injection; further, because the authentication password exists only inside the authentication module, the possibility of it being guessed or sniffed because it is stored in the user table is avoided; in addition, phishing is prevented, and a network trust chain is established from the client to the web end.
After comprehensively analysing the causes of dynamic web page tampering and of SQL injection attacks on web databases, the embodiment of the present invention also proposes a method for authenticating client access rights, aimed at the authentication process during database user login, which is the part of a web database most easily attacked, so that a client connected to the web database is trustworthy.
Referring to Fig. 6, which is a flowchart of the method for authenticating client access rights according to embodiment three of the present invention, the flow specifically comprises:
Step 601, setting an authorization table, the authorization table comprising the correspondence between user information, the encrypted authorization certificate C' and the authorizer's signature C''; the method further comprises:
Step 602, receiving a database system operation request from the client, and obtaining the user information of the client from the request;
Step 603, if the obtained user information matches user information recorded in the local authorization table, obtaining the authorizer's signature C'' according to the correspondence, and verifying the authorizer's signature C'';
Step 604, if the signature verification succeeds, obtaining the encrypted authorization certificate C' according to the correspondence, and decrypting the encrypted authorization certificate C' to obtain the authorization certificate C;
Step 605, judging whether the right corresponding to the operation request is within the scope of rights defined by the authorization certificate; if so, the access right authentication passes, otherwise it does not pass.
It should be noted that the authorizer's signature C'' is verified with the public key of the database administrator (DBA).
It should be noted that, after the signature verification succeeds, the client private key is loaded, and the client private key is applied to decrypt the encrypted authorization certificate C'.
It should be noted that, after the signature verification succeeds and before the client private key is loaded, the method further comprises: verifying the private key password UP from the client, and loading the client private key only if that verification passes.
It should be noted that the user information comprises a user name and a host name.
It should be noted that embodiment three shown in Fig. 6 may be executed after embodiment one shown in Fig. 1, or may be executed on its own without relying on embodiment one; the present invention does not limit the timing of executing embodiment three shown in Fig. 6.
The flow shown in Fig. 6 is described in detail below with a specific example.
Suppose a trusted cryptography module TCM3 is installed on the database server and stores the public key (pk') and private key (sk') of the database administrator and of each user. Each user has their own private key password UP, and the database administrator has a private key password AP.
An authorization certificate (C) is set; it describes the operation rights the client has on databases and tables. The authorization certificate (C) is the basis for access control decisions and may specifically comprise the following content:
A) Authorizer:
B) Grant time:
C) Validity period:
D) Database name:
E) Table name:
F) Field name:
G) Data table operating rights: allow the user to perform read, insert, update and delete operations on existing tables of a database; the value set is {'select', 'insert', 'update', 'delete'}.
H) Database/table administration rights: allow the user to manage databases or tables; the value set is {'alter', 'index', 'create', 'drop'}.
An authorization table Auth_Table is set. The authorization table is a system table in the database system; each record represents one authorization rule. The structure and content of the authorization table may be as shown in Table 1:
Field name  | Username (user name) | Host (host name)       | Cert (authorization certificate)         | Sig (signature)
Explanation | Authorized user      | Authorized user's host | Encrypted authorization certificate (C') | Authorizer's signature (C'')
Table 1
Referring to Fig. 7, which is a flowchart of authorizing a client according to an embodiment of the present invention, the flow specifically comprises:
Step 701, setting the authorization certificate C and filling in its specific content according to actual needs;
Step 702, adding a record to the authorization table of the database and filling in the Username field and Host field;
Step 703, the TCM loads the client's public key according to Username, and applies that public key to encrypt the authorization certificate C, generating C';
Step 704, receiving the administrator's private key password AP;
Step 705, judging whether the administrator's private key password AP is correct; if incorrect, the authorization fails and the flow ends; if correct, step 706 is executed;
Step 706, applying the administrator's private key to sign C', generating C'';
Step 707, storing C' and C'' in the Cert field of the authorization table; the authorization succeeds.
Referring to Fig. 8, which is a flowchart of verifying client access rights according to an embodiment of the present invention, the flow specifically comprises:
Step 801, obtaining the user information of the currently connected client;
Here, the user information comprises a user name and a host name;
Step 802, searching for a matching record in the Username field and Host field of the authorization table;
Step 803, judging whether a matching record is found; if so, executing step 804, otherwise the access right verification of this client fails and the flow ends;
Step 804, applying the administrator's public key in the TCM to verify the signature in the Sig field of the authorization table;
Step 805, judging whether the signature in the Sig field is correct; if correct, executing step 806, otherwise the access right verification of this client fails and the flow ends;
Step 806, receiving the private key password UP from the client;
Step 807, judging whether the private key password UP from the client is correct; if incorrect, the access right verification of this client fails and the flow ends; if correct, step 808 is executed;
Step 808, loading the client's private key and applying it to decrypt C', obtaining the authorization certificate C;
Step 809, judging whether the right corresponding to the operation request is within the scope of rights defined by the authorization certificate; if so, the access right verification of this client succeeds, otherwise it fails.
It should be noted that the corresponding right comprises at least one of, or any combination of, the following: operating rights, administration rights and time validity; wherein operating rights include but are not limited to operations such as delete, insert and query; administration rights include but are not limited to the list of databases that may be managed; and time validity refers to whether the held right is within its validity period, for example whether it is within a specified time range.
So far, dual-key protection of the authorization table has been realized. The dual key here comprises the client's key and the administrator's key.
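The authorization flow of Fig. 7 and the access-rights check of Fig. 8 (embodiment three), as an added Go example that is not the patent's own code. It assumes RSA-OAEP for encrypting C with the client's public key, ed25519 for the DBA signature, and a JSON layout for C; the private-key password checks (steps 704-705 and 806-807) are assumed to have been done by the caller that loaded the keys, and all keys and records are constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Certificate is the authorization certificate C with the fields the text lists (items A to H); JSON names are assumptions.
type Certificate struct {
	Authorizer  string    `json:"auth"`
	GrantedAt   time.Time `json:"from"`
	ExpiresAt   time.Time `json:"to"`
	Database    string    `json:"db"`
	Table       string    `json:"tbl"`
	OpRights    []string  `json:"ops"`   // subset of select, insert, update, delete
	AdminRights []string  `json:"admin"` // subset of alter, index, create, drop
}

// AuthRecord is one row of Auth_Table as laid out in Table 1.
type AuthRecord struct {
	Username, Host string
	Cert           []byte // C': C encrypted with the client's public key
	Sig            []byte // C'': the DBA's signature over C'
}

// Request is one database operation a connected client asks for.
type Request struct {
	Username, Host, Database, Table, Op string
	At                                   time.Time
}

// newClientKey makes the client key pair (sk', pk'); 3072-bit RSA keeps the JSON certificate under the OAEP plaintext limit.
func newClientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 3072)
}

// authorize is steps 701-707: encrypt C for the client (C'), sign C' with the DBA's private
// key (C''), and return the row to insert. The AP check of steps 704-705 is assumed done.
func authorize(c Certificate, user, host string, clientPub *rsa.PublicKey, dbaPriv ed25519.PrivateKey) (AuthRecord, error) {
	plain, err := json.Marshal(c)
	if err != nil {
		return AuthRecord{}, err
	}
	cPrime, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, clientPub, plain, nil)
	if err != nil {
		return AuthRecord{}, err
	}
	return AuthRecord{Username: user, Host: host, Cert: cPrime, Sig: ed25519.Sign(dbaPriv, cPrime)}, nil
}

// checkAccess is steps 801-809: match Username and Host, verify C'' with the DBA's public key, decrypt C'
// with the client's private key, then check time validity and that the requested operation lies within C.
func checkAccess(table []AuthRecord, req Request, dbaPub ed25519.PublicKey, clientPriv *rsa.PrivateKey) (bool, error) {
	var rec *AuthRecord
	for i := range table {
		if table[i].Username == req.Username && table[i].Host == req.Host {
			rec = &table[i]
			break
		}
	}
	if rec == nil {
		return false, errors.New("no authorization record for this user and host")
	}
	if !ed25519.Verify(dbaPub, rec.Cert, rec.Sig) {
		return false, errors.New("DBA signature over Cert does not verify")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, clientPriv, rec.Cert, nil)
	if err != nil {
		return false, err
	}
	var c Certificate
	if err := json.Unmarshal(plain, &c); err != nil {
		return false, err
	}
	if req.At.Before(c.GrantedAt) || req.At.After(c.ExpiresAt) {
		return false, nil // outside the validity period
	}
	if c.Database != req.Database || c.Table != req.Table {
		return false, nil // C covers a different database or table
	}
	for _, r := range append(append([]string{}, c.OpRights...), c.AdminRights...) {
		if r == req.Op {
			return true, nil
		}
	}
	return false, nil // operation not granted by C
}

func main() {
	key, _ := newClientKey()                       // client key pair (constructed)
	dbaPub, dbaPriv, _ := ed25519.GenerateKey(nil) // DBA key pair (constructed)
	c := Certificate{Authorizer: "dba", ExpiresAt: time.Now().AddDate(1, 0, 0), Database: "shop", Table: "orders", OpRights: []string{"select"}}
	rec, _ := authorize(c, "alice", "app-host", &key.PublicKey, dbaPriv)
	fmt.Println(checkAccess([]AuthRecord{rec}, Request{"alice", "app-host", "shop", "orders", "select", time.Now()}, dbaPub, key))
}
```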
It can be seen that the method for authenticating client access rights provided by the embodiment of the present invention improves the security of the authorization table, and thus avoids the possibility of bypassing user identity verification through attacks such as SQL injection; further, because the authentication password exists only inside the authentication module TCM, the possibility of it being guessed or sniffed because it is stored in the user table is avoided.
An embodiment of the present invention also provides a device for authenticating client access rights, which, as shown in Fig. 9, specifically comprises:
A setting unit 901, for setting an authorization table, the authorization table comprising the correspondence between user information, the encrypted authorization certificate C' and the authorizer's signature C'';
A client information acquiring unit 902, for receiving a database system operation request from the client and obtaining the user information of the client from the request;
A verification unit 903, for, if the obtained user information matches user information recorded in the local authorization table, obtaining the authorizer's signature C'' according to the correspondence and verifying the authorizer's signature C'';
A decryption unit 904, for, if the signature verification succeeds, obtaining the encrypted authorization certificate C' according to the correspondence and decrypting the encrypted authorization certificate C' to obtain the authorization certificate C;
A right judging unit 905, for judging whether the right corresponding to the operation request is within the scope of rights defined by the authorization certificate, and if so, passing the access right authentication.
The authorizer's signature C'' is verified with the public key of the database administrator.
The device further comprises: a loading unit, for loading the client private key after the signature verification succeeds, and applying the client private key to decrypt the encrypted authorization certificate C'.
The device further comprises: a client private key verification unit, for verifying the private key password UP from the client after the signature verification succeeds and before the client private key is loaded, and loading the client private key only if that verification passes.
The client information comprises a user name and a host name.
It can be seen that the device for authenticating client access rights provided by the embodiment of the present invention improves the security of the authorization table, and thus avoids the possibility of bypassing user identity verification through attacks such as SQL injection; further, because the authentication password exists only inside the authentication module TCM, the possibility of it being guessed or sniffed because it is stored in the user table is avoided.
Since the device embodiment is substantially similar to the method embodiment, its description is relatively brief; for the relevant parts, refer to the description of the method embodiment.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprise", "comprising" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements comprises not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the existence of other identical elements in the process, method, article or device that comprises the element.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disk.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.

Claims (17)

1. A method for authenticating client identity, characterized in that it comprises:
a first authentication module receiving from a client a verification request comprising a first user name and a first authentication password;
the first authentication module performing a first verification on the first user name and the first authentication password to obtain a first verification result;
when the first verification result indicates that the first verification passed, the first authentication module receiving a second authentication password from the client;
the first authentication module sending the first user name and the second authentication password to a second authentication module;
the first authentication module receiving a second verification result from the second authentication module, the second verification result being obtained after the second authentication module performs a second verification on the first user name and the second authentication password;
the first authentication module sending the second verification result to the client;
wherein the step of the first authentication module sending the received first user name and second authentication password to the second authentication module comprises:
the client encrypting the second authentication password with its own public key to generate an encrypted second authentication password, and sending the first user name and the encrypted second authentication password to the first authentication module;
the first authentication module signing the encrypted second authentication password with a first platform key to generate a signed second authentication password, and sending the first user name, the encrypted second authentication password and the signed second authentication password to the second authentication module;
wherein the step of performing the second verification on the second authentication password comprises:
the second authentication module verifying the signed second authentication password with a first platform certificate; if the verification passes, applying the private key of the client obtained from the first authentication module to decrypt the encrypted second authentication password, obtaining the first user name and the second authentication password of the client;
the second authentication module requesting from a database system the encrypted third authentication password corresponding to the first user name;
the database system looking up the locally recorded encrypted third authentication password corresponding to the first user name, and sending the encrypted third authentication password to the second authentication module;
the second authentication module applying the symmetric key of the client to decrypt the encrypted third authentication password, obtaining the third authentication password;
judging whether the second authentication password is identical to the third authentication password; if identical, generating an authentication result indicating that authentication passed, otherwise generating an authentication result indicating that authentication did not pass.
2. The method according to claim 1, characterized in that the step of the first authentication module performing the first verification on the first user name and the first authentication password comprises:
the first authentication module, after receiving a login request, generating a random number and sending the random number to the client;
the client encrypting the random number with its own public key pk1 to generate an encrypted random number, and sending the encrypted random number and the first authentication password to the first authentication module;
the first authentication module using the first authentication password to obtain the private key of the client, and applying the private key of the client to decrypt the encrypted random number, obtaining a decrypted random number;
the first authentication module comparing whether the generated random number is identical to the decrypted random number; if identical, the first verification passes.
3. The method according to claim 1, characterized in that the step of the first authentication module receiving the second verification result from the second authentication module and sending the second verification result to the client comprises:
the second authentication module applying a second platform key to sign the authentication result, obtaining a signed authentication result, and sending the signed authentication result to the first authentication module;
the first authentication module, after receiving the signed authentication result, using the certificate of the second platform key to verify the signed authentication result, and after the verification passes, sending the authentication result to the client.
4. The method according to claim 1, characterized in that the first authentication module and the second authentication module are located on the same or on different physical entities.
5. A device for authenticating client identity, characterized in that it comprises a first authentication module, wherein the first authentication module specifically comprises:
a verification request receiving module, for receiving from a client a verification request comprising a first user name and a first authentication password;
a first verification module, for performing a first verification on the first user name and the first authentication password to obtain a first verification result;
a second authentication password receiving module, for receiving a second authentication password from the client when the first verification result indicates that the first verification passed;
a sending module, for sending the first user name and the second authentication password to a second authentication module;
a verification result sending module, for receiving a second verification result from the second authentication module and sending the second verification result to the client; wherein the second verification result is the result of the second authentication module performing a second verification on the first user name and the second authentication password;
wherein the sending module comprises:
a second authentication password receiving submodule, for receiving an encrypted second authentication password, wherein the encrypted second authentication password is generated by the client encrypting the second authentication password with its own public key;
a signature submodule, for signing the encrypted second authentication password with a first platform key to generate a signed second authentication password, and sending the first user name, the encrypted second authentication password and the signed second authentication password to the second authentication module;
wherein the second authentication module performs the second verification on the second authentication password in the following manner:
the second authentication module verifies the signed second authentication password with a first platform certificate; if the verification passes, it applies the private key of the client obtained from the first authentication module to decrypt the encrypted second authentication password, obtaining the first user name and the second authentication password of the client;
the second authentication module requests from a database system the encrypted third authentication password corresponding to the first user name;
the database system looks up the locally recorded encrypted third authentication password corresponding to the first user name, and sends the encrypted third authentication password to the second authentication module;
the second authentication module applies the symmetric key of the client to decrypt the encrypted third authentication password, obtaining the third authentication password;
it judges whether the second authentication password is identical to the third authentication password; if identical, it generates an authentication result indicating that authentication passed, otherwise it generates an authentication result indicating that authentication did not pass.
6. The device according to claim 5, characterized in that the first verification module comprises:
a random number generating submodule, for generating a random number after the first authentication module receives a login request, and sending the random number to the client;
a random number receiving submodule, for receiving the encrypted random number and the first authentication password from the client, wherein the encrypted random number is generated by the client encrypting the random number with its own public key;
a decryption submodule, for using the first authentication password to obtain the private key of the client, and applying the private key of the client to decrypt the encrypted random number r', obtaining a decrypted random number;
a judging submodule, for comparing whether the generated random number is identical to the decrypted random number; if identical, the first verification passes.
7. The device according to claim 5, characterized in that the verification result sending module comprises:
a second verification result receiving submodule, for receiving a signed authentication result, wherein the signed authentication result is obtained by the second authentication module applying a second platform key to sign the authentication result;
a second verification result sending submodule, for, after receiving the signed authentication result, using the certificate of the second platform key to verify the signed authentication result, and after the verification passes, sending the authentication result to the client.
8. method client access authority being authenticated, is characterized in that, comprises, client identity is authenticated, and wherein, adopts the method described in claim 1-4 any one to authenticate client identity; After to client identity authentication success, authorization list is set, described authorization list comprises the corresponding relation of user profile, the power of attorney encrypted and donor's signature, described method also comprises:
Receive the Database Systems operation requests from client, from described request, obtain the user profile of described client;
If the user profile of obtaining is mated with the user profile of the local authorization list having recorded, obtain donor's signature according to described corresponding relation, and verify described donor's signature;
If signature verification success obtains according to described corresponding relation the power of attorney of having encrypted, encryption authorization book is decrypted to the book of obtaining the authorization;
Judge that authority corresponding to described operation requests whether in the extent of competence of described power of attorney defined, if so, pass through access authority authentication.
9. method according to claim 8, is characterized in that, described donor's signature is verified by DBA's PKI.
10. method according to claim 8, is characterized in that, after signature verification success, loads described client private key, and the private key of applying described client is decrypted encryption authorization book.
11. The method according to claim 10, characterized in that, after the signature verification succeeds and before the client private key is loaded, the method further comprises:
verifying the private key password received from the client and, if it is verified, loading the private key of the client.
12. The method according to claim 8, characterized in that the client information comprises a user name and a host name.
13. A device for authenticating the access authority of a client, characterized in that it comprises:
the client identity authentication device according to any one of claims 5 to 7, for authenticating the identity of the client;
a setting unit, for setting an authorization list after the client identity authentication succeeds, the authorization list comprising the correspondence between user information, an encrypted authorization letter and the authorizer's signature;
a client information acquiring unit, for receiving a database system operation request from the client and obtaining the user information of the client from the request;
a verification unit, for, if the obtained user information matches user information recorded in the local authorization list, obtaining the authorizer's signature according to the correspondence and verifying that signature;
a decryption unit, for, if the signature verification succeeds, obtaining the encrypted authorization letter according to the correspondence and decrypting it to obtain the authorization letter;
an authority judging unit, for judging whether the authority required by the operation request falls within the scope of authority defined by the authorization letter and, if so, passing the access authority authentication.
14. The device according to claim 13, characterized in that the authorizer's signature is verified with the public key of the database administrator (DBA).
15. The device according to claim 13, characterized in that the device further comprises:
a loading unit, for loading the client private key after the signature verification succeeds, the client private key being applied to decrypt the encrypted authorization letter.
16. The device according to claim 15, characterized in that the device further comprises:
a client private key verification unit, for verifying the private key password received from the client after the signature verification succeeds and before the client private key is loaded, and, if it is verified, loading the private key of the client.
17. The device according to claim 13, characterized in that the client information comprises a user name and a host name.
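The access-authority check of claims 13 to 17, as an added example that is not the patent's own code: the DBA signs an authorization letter encrypted to the client's key, and the client side looks up the user information, verifies the signature, gates the private key behind its password, decrypts the letter and tests the requested operation against its scope. Ed25519 for the DBA signature, RSA-OAEP for the letter, a SHA-256 password comparison, the "user@host" key and the comma-separated letter format are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"strings"
)
// Entry is one row of the claim 13 authorization list, keyed by "user@host" (claim 17):
// the encrypted authorization letter and the authorizer's signature over it.
type Entry struct {
	EncLetter []byte // letter encrypted to the client's RSA public key
	Sig       []byte // DBA's Ed25519 signature over EncLetter (claim 14)
}
// IssueEntry is the "setting unit" step: the DBA encrypts the letter to the client's
// public key and signs the ciphertext. Constructed letter format: "SELECT,INSERT".
func IssueEntry(dbaPriv ed25519.PrivateKey, clientPub *rsa.PublicKey, letter string) (Entry, error) {
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, clientPub, []byte(letter), nil)
	if err != nil {
		return Entry{}, err
	}
	return Entry{EncLetter: enc, Sig: ed25519.Sign(dbaPriv, enc)}, nil
}

// AuthorizeRequest runs the claim 13 checks in order: lookup, authorizer signature, password gate
// before the key is used (claim 16; SHA-256 compare is this example's assumption), decrypt, scope.
func AuthorizeRequest(table map[string]Entry, user, host, op string, dbaPub ed25519.PublicKey,
	clientPriv *rsa.PrivateKey, pwHash [32]byte, password string) (bool, error) {
	e, ok := table[user+"@"+host]
	if !ok || !ed25519.Verify(dbaPub, e.EncLetter, e.Sig) {
		return false, errors.New("unknown client or invalid authorizer signature")
	}
	if h := sha256.Sum256([]byte(password)); subtle.ConstantTimeCompare(h[:], pwHash[:]) != 1 {
		return false, errors.New("private key password rejected, key not loaded")
	}
	letter, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, clientPriv, e.EncLetter, nil)
	if err != nil {
		return false, errors.New("authorization letter cannot be decrypted")
	}
	for _, allowed := range strings.Split(string(letter), ",") {
		if strings.EqualFold(strings.TrimSpace(allowed), op) {
			return true, nil
		}
	}
	return false, nil // letter is genuine but op is outside its scope
}
```

A tampered signature, an unknown host or a wrong key password all fail before the letter is ever decrypted, while an operation outside the letter's scope fails only at the last step.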
CN201010135348.3A 2010-03-26 2010-03-26 Client authentication method and device Active CN102202040B (en)

Publications (2)

Publication Number Publication Date
CN102202040A CN102202040A (en) 2011-09-28
CN102202040B true CN102202040B (en) 2014-06-04

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant