CN103178969B - A kind of service authentication method and system - Google Patents



Publication number
CN103178969B
Authority
CN
China
Prior art keywords
voucher
agent
terminal
operation server
proxy server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201310132539.8A
Other languages
Chinese (zh)
Other versions
CN103178969A (en
Inventor
王道谊
贾鹏
薄斐翔
陈欣
卜瑞锋
王海涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
HENAN CABLE TV NETWORK GROUP CO Ltd
Original Assignee
HENAN CABLE TV NETWORK GROUP CO Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by HENAN CABLE TV NETWORK GROUP CO Ltd filed Critical HENAN CABLE TV NETWORK GROUP CO Ltd
Priority to CN201310132539.8A priority Critical patent/CN103178969B/en
Publication of CN103178969A publication Critical patent/CN103178969A/en
Application granted granted Critical
Publication of CN103178969B publication Critical patent/CN103178969B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application provides a service authentication method, including: an Operation Server receives an Operational Visit request, carrying a first agent's voucher and a service identification, sent by a terminal based on the Operation Server, where the first agent's voucher is distributed by the Operation Server when it authenticates the terminal, and a different first agent's voucher is distributed each time the Operation Server authenticates the terminal; the Operation Server sends a response message to the terminal; the terminal determines a second agent's voucher according to the response message and sends an agent service access request carrying the second agent's voucher to a proxy server; the proxy server sends the second agent's voucher to the Operation Server; the Operation Server verifies the legitimacy of the second agent's voucher and sends the verification result to the proxy server; the proxy server processes the agent service access request according to the verification result. The application therefore reduces the risk that terminal information is intercepted and misused, and improves the security of the terminal's access to the Operation Server and the proxy server.

Description

A service authentication method and system
Technical field
The application relates to the field of authentication, and in particular to a service authentication method and system.
Background
At present, an Operation Server needs to authenticate the terminals based on it, and after a terminal is shut down or put on standby, the Operation Server authenticates the terminal again. Each time the Operation Server authenticates the terminal, it distributes the same terminal identification to the terminal, and this terminal identification records the real information of the terminal. Every Operational Visit request that the terminal sends to the Operation Server carries the terminal identification. When the Operation Server receives an Operational Visit request from the terminal, it judges the legitimacy of the terminal according to the terminal identification. After judging that the terminal is legal, if the Operation Server judges that the service corresponding to the Operational Visit request is a service on a proxy server, the Operation Server has the terminal access the proxy server carrying the terminal identification; the proxy server judges according to the terminal identification whether the terminal is a legal terminal of the proxy server, and if so, the proxy server provides the service to the terminal.
From the above process it can be seen that the terminal always carries the terminal identification, and thus its real information, when accessing the Operation Server and the proxy server. The real information of the terminal is transmitted in the same form over a long period, which increases the risk that the real information is intercepted and misused and reduces the security of the terminal's access to the Operation Server and the proxy server.
Summary of the invention
To solve the above technical problem, the application provides a service authentication method that reduces the risk that terminal information is intercepted and misused and improves the security of the terminal's access to the Operation Server and the proxy server. The technical solution is as follows:
A service authentication method, characterised in that the method includes:
An Operation Server receives an Operational Visit request sent by a terminal based on the Operation Server, the Operational Visit request carrying a first agent's voucher of the terminal and a service identification, where the first agent's voucher is distributed by the Operation Server when it authenticates the terminal, and a different first agent's voucher is distributed each time the Operation Server authenticates this terminal;
When the Operation Server determines according to the first agent's voucher that the terminal is a legal terminal, and determines according to the service identification that the terminal has ordered from a proxy server the service corresponding to the service identification, the Operation Server sends a response message to the terminal, the response message including at least the reference address of the service corresponding to the service identification;
The terminal determines a second agent's voucher according to the response message and sends an agent service access request to the proxy server according to the reference address of the service corresponding to the service identification, the agent service access request carrying the second agent's voucher of the terminal, where the effective duration of the second agent's voucher is not more than the effective duration of the first agent's voucher;
The proxy server sends the second agent's voucher in the received agent service access request to the Operation Server;
The Operation Server verifies the legitimacy of the second agent's voucher sent by the proxy server and sends the verification result to the proxy server;
The proxy server processes the agent service access request according to the verification result.
Preferably, the first agent's voucher being distributed by the Operation Server when it authenticates the terminal includes:
The first agent's voucher is distributed by the Operation Server when it authenticates the terminal upon the terminal changing from a non-working state to a working state, or at every preset time interval.
Preferably, before the Operation Server receives the Operational Visit request sent by the terminal based on the Operation Server, the request carrying the first agent's voucher corresponding to the sending terminal and the service identification, the method further includes:
The Operation Server stores the correspondence between the first agent's voucher of the terminal based on the Operation Server, the terminal identification of the terminal corresponding to that first agent's voucher, and the effective duration of that first agent's voucher.
Preferably, the terminal determining the second agent's voucher according to the response message includes:
The terminal judges whether the response message includes a provisional voucher;
Where the provisional voucher is distributed by the Operation Server before it sends the response message to the terminal, and the Operation Server stores the correspondence between the provisional voucher of the terminal, the terminal identification of the terminal, and the effective duration of the provisional voucher of the terminal;
If so, the provisional voucher is determined to be the second agent's voucher;
If not, the first agent's voucher is determined to be the second agent's voucher.
Preferably, the proxy server sending the second agent's voucher in the received agent service access request to the Operation Server includes:
The proxy server sends the received second agent's voucher to the Operation Server over a virtual private network (VPN).
Preferably, the Operation Server verifying the legitimacy of the second agent's voucher sent by the proxy server includes:
The Operation Server determines the effective deadline of the first agent's voucher according to the effective duration of the first agent's voucher;
The Operation Server judges whether the time at which the proxy server sent the first agent's voucher is still within the effective deadline of the first agent's voucher;
If so, the Operation Server compares whether the first agent's voucher sent by the proxy server is consistent with the first agent's voucher of the terminal that sent the agent service access request;
When the comparison result is consistent, the first agent's voucher sent by the proxy server is determined to be legal;
When the comparison result is inconsistent, the first agent's voucher sent by the proxy server is determined to be illegal;
If not, the first agent's voucher sent by the proxy server has lost efficacy.
Preferably, the Operation Server verifying the legitimacy of the second agent's voucher sent by the proxy server includes:
The Operation Server determines the effective deadline of the provisional voucher according to the effective duration of the provisional voucher;
The Operation Server judges whether the time at which the proxy server sent the provisional voucher is still within the effective deadline of the provisional voucher;
If so, the Operation Server compares whether the provisional voucher sent by the proxy server is consistent with the provisional voucher of the terminal that sent the agent service access request;
When the comparison result is consistent, the provisional voucher sent by the proxy server is determined to be legal;
When the comparison result is inconsistent, the provisional voucher sent by the proxy server is determined to be illegal;
If not, the provisional voucher sent by the proxy server has lost efficacy.
Preferably, the terminal includes a set-top box;
The first agent's voucher is an agent authorization voucher.
A service authentication system, including an Operation Server, a terminal and a proxy server, where:
The Operation Server is used to: receive an Operational Visit request sent by the terminal based on the Operation Server, the request carrying a first agent's voucher of the terminal and a service identification; when it determines according to the first agent's voucher that the terminal is a legal terminal, and determines according to the service identification that the terminal has ordered from the proxy server the service corresponding to the service identification, send a response message to the terminal, the response message including at least the reference address of the service corresponding to the service identification; and verify the legitimacy of the second agent's voucher sent by the proxy server and send the verification result to the proxy server. The first agent's voucher is distributed by the Operation Server when it authenticates the terminal, and a different first agent's voucher is distributed each time the Operation Server authenticates this terminal;
The terminal is used to: send the Operational Visit request to the Operation Server, determine a second agent's voucher according to the response message sent by the Operation Server, and send an agent service access request to the proxy server according to the reference address of the service corresponding to the service identification, the agent service access request carrying the second agent's voucher of the terminal, where the effective duration of the second agent's voucher is not more than the effective duration of the first agent's voucher;
The proxy server is used to: send the second agent's voucher in the agent service access request received from the terminal to the Operation Server for legitimacy verification, and process the agent service access request sent by the terminal according to the verification result sent by the Operation Server.
Preferably, the terminal includes a set-top box;
The first agent's voucher is an agent authorization voucher.
Compared with the prior art, the beneficial effects of the application are as follows:
In this application, the Operation Server receives an Operational Visit request sent by a terminal based on the Operation Server, the request carrying a first agent's voucher of the terminal and a service identification, where the first agent's voucher is distributed by the Operation Server when it authenticates the terminal, and a different first agent's voucher is distributed each time the Operation Server authenticates this terminal; when the Operation Server determines according to the first agent's voucher that the terminal is a legal terminal, and determines according to the service identification that the terminal has ordered from the proxy server the service corresponding to the service identification, the Operation Server sends a response message to the terminal, the response message including at least the reference address of the service corresponding to the service identification; the terminal determines a second agent's voucher according to the response message and sends an agent service access request to the proxy server according to the reference address of the service corresponding to the service identification, the request carrying the second agent's voucher of the terminal; the proxy server sends the second agent's voucher in the received agent service access request to the Operation Server; the Operation Server verifies the legitimacy of the second agent's voucher sent by the proxy server and sends the verification result to the proxy server; the proxy server processes the agent service access request according to the verification result.
The application uses the first agent's voucher in place of the real information of the terminal for the interaction between the Operation Server and the terminal based on the Operation Server, and a different first agent's voucher is distributed each time the Operation Server authenticates this terminal. The second agent's voucher takes the place of the real information of the terminal for the interaction between the terminal and the proxy server, and the effective duration of the second agent's voucher is at most equal to the effective duration of the first agent's voucher. The first agent's voucher and second agent's voucher that stand in for the terminal's real information therefore differ from one transmission period to the next, so a party intercepting terminal information has difficulty deriving a fixed first agent's voucher and second agent's voucher from vouchers that keep changing. Thus the first agent's voucher and second agent's voucher of the terminal cannot be intercepted, and the terminal cannot be impersonated, which reduces the risk that terminal information is intercepted and misused and improves the security of the terminal's access to the Operation Server and the proxy server.
Even if a party intercepting terminal information does capture the first agent's voucher and the second agent's voucher, both vouchers change over time, so the captured vouchers lose efficacy and the terminal cannot be impersonated, which further reduces the risk of the terminal being impersonated and improves security.
In the application, the Operation Server verifies the legitimacy of the terminal's first agent's voucher. After the Operation Server determines that the terminal is a legal terminal, the terminal accesses the proxy server carrying the second agent's voucher, the proxy server sends the second agent's voucher to the Operation Server, and the Operation Server verifies the second agent's voucher, forming a three-party trust mechanism among the Operation Server, the terminal and the proxy server.
Brief description of the drawings
To illustrate the technical solutions in the embodiments of the application more clearly, the accompanying drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the application, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a service authentication method provided by the application;
Fig. 2 is a schematic diagram of the interaction flow between the Operation Server, the terminal and the proxy server;
Fig. 3 is a flow chart of the detailed process by which the Operation Server determines whether the terminal is a legal terminal;
Fig. 4 is a flow chart of the detailed process by which the terminal determines the second agent's voucher according to the response message;
Fig. 5 is a flow chart of the detailed process by which the Operation Server verifies the legitimacy of the first agent's voucher sent by the proxy server;
Fig. 6 is a flow chart of the detailed process by which the Operation Server verifies the legitimacy of the provisional voucher sent by the proxy server;
Fig. 7 is a structural diagram of a service authentication system provided by the application.
Detailed description
The technical solutions in the embodiments of the application are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the application without creative effort fall within the scope of protection of the application.
In the application, the Operation Server receives an Operational Visit request sent by a terminal based on the Operation Server, the request carrying a first agent's voucher of the terminal and a service identification, where the first agent's voucher is distributed by the Operation Server when it authenticates the terminal, and a different first agent's voucher is distributed each time the Operation Server authenticates this terminal; when the Operation Server determines according to the first agent's voucher that the terminal is a legal terminal, and determines according to the service identification that the terminal has ordered from the proxy server the service corresponding to the service identification, the Operation Server sends a response message to the terminal, the response message including at least the reference address of the service corresponding to the service identification; the terminal determines a second agent's voucher according to the response message and sends an agent service access request to the proxy server according to the reference address of the service corresponding to the service identification, the request carrying the second agent's voucher of the terminal, where the effective duration of the second agent's voucher is not more than the effective duration of the first agent's voucher; the proxy server sends the second agent's voucher in the received agent service access request to the Operation Server; the Operation Server verifies the legitimacy of the second agent's voucher sent by the proxy server and sends the verification result to the proxy server; the proxy server processes the agent service access request according to the verification result. The service authentication method provided by the application is described below with reference to the flow charts.
One embodiment
Refer to Fig. 1, which shows a flow chart of a service authentication method provided by the application. The method may include the following steps:
Step S11: The Operation Server receives an Operational Visit request sent by a terminal based on the Operation Server, the request carrying a first agent's voucher of the terminal and a service identification, where the first agent's voucher is distributed by the Operation Server when it authenticates the terminal, and a different first agent's voucher is distributed each time the Operation Server authenticates this terminal.
In the present embodiment, the Operation Server first authenticates the terminal based on the Operation Server; a terminal that has passed authentication is a legal user of the Operation Server.
When authenticating the terminal based on the Operation Server, the Operation Server distributes a first agent's voucher to the terminal and records the effective duration of the first agent's voucher. From the effective duration it can be determined until when the first agent's voucher remains valid, that is, the effective deadline of the first agent's voucher.
In the present embodiment, whenever the terminal changes from a non-working state to a working state, or at every preset time interval, the Operation Server authenticates the terminal once, and the first agent's voucher distributed at each authentication is different. The terminal changing from a non-working state to a working state may specifically be: the terminal changes from the off state to the on state, or the terminal changes from the standby state to the running state. The preset time interval can be, but is not limited to, 24 hours.
After the Operation Server has authenticated the terminal based on the Operation Server, the terminal can send Operational Visit requests to the Operation Server. The Operation Server receives the Operational Visit request sent by the terminal; the request carries the first agent's voucher of the terminal and a service identification, where the service identification identifies which service the Operational Visit request asks to access.
After the Operation Server has distributed the first agent's voucher to the terminal based on the Operation Server, that is, before the Operation Server receives the Operational Visit request sent by the terminal, the Operation Server stores the correspondence between this first agent's voucher, the terminal identification of the terminal corresponding to this first agent's voucher, and the effective duration of this first agent's voucher.
In the present embodiment, the terminal can be a set-top box. When the terminal is a set-top box, the first agent's voucher can be an agent authorization voucher (ProxyGrantingTicket, Pgt), where the agent authorization voucher can be, but is not limited to, a 62-character string.
Step S12: When the Operation Server determines according to the first agent's voucher that the terminal is a legal terminal, and determines according to the service identification that the terminal has ordered from the proxy server the service corresponding to the service identification, the Operation Server sends a response message to the terminal, the response message including at least the reference address of the service corresponding to the service identification.
The Operation Server determines whether the terminal is a legal terminal according to the received first agent's voucher of the terminal based on the Operation Server. Once the terminal is determined to be a legal terminal, the terminal has the right to access the services on the Operation Server.
In the present embodiment, after determining that the terminal has the right to access the services on the Operation Server, the Operation Server judges, according to the service identification in the Operational Visit request sent by the terminal, whether the terminal has ordered from the proxy server the service corresponding to the service identification. When the judgment result is that the terminal has ordered that service from the proxy server, the Operation Server sends a response message to the terminal, and the terminal accesses the proxy server according to the response message.
The content of the response message differs from case to case, but in every case the response message includes at least the reference address of the service corresponding to the service identification.
In the present embodiment, after the Operation Server determines that the terminal has ordered from the proxy server the service corresponding to the service identification: if the Operation Server distributes to the terminal a new Proxy Credential different from the first agent's voucher, the response message includes the new Proxy Credential and the reference address of the service corresponding to the service identification; if the Operation Server does not distribute a Proxy Credential different from the first agent's voucher, the response message includes only the reference address of the service corresponding to the service identification.
Step S13: The terminal determines a second agent's voucher according to the response message and sends an agent service access request to the proxy server according to the reference address of the service corresponding to the service identification, the agent service access request carrying the second agent's voucher of the terminal, where the effective duration of the second agent's voucher is not more than the effective duration of the first agent's voucher.
In the present embodiment, the second agent's voucher can be the first agent's voucher, or it can be a Proxy Credential, different from the first agent's voucher, that the Operation Server has newly distributed to the terminal. The Proxy Credential newly distributed by the Operation Server can be, but is not limited to, a provisional voucher; the effective duration of the provisional voucher is not more than the effective duration of the first agent's voucher, and the provisional voucher loses efficacy after it has been used to access one service.
In the present embodiment, the provisional voucher can be, but is not limited to, a 29-character string.
After distributing a provisional voucher to the terminal, the Operation Server records the effective duration of the provisional voucher of the terminal and stores the correspondence between the provisional voucher of the terminal and the terminal identification of the terminal. From the effective duration of the provisional voucher it can be determined until when the provisional voucher remains valid, that is, the effective deadline of the provisional voucher.
After the second agent's voucher has been determined, the terminal sends an agent service access request to the proxy server according to the reference address of the service corresponding to the service identification, and the agent service access request carries the second agent's voucher of the terminal.
If the first agent's voucher is determined to be the second agent's voucher, the second agent's voucher carried in the agent service access request that the terminal sends to the proxy server is the first agent's voucher.
If the provisional voucher is determined to be the second agent's voucher, the second agent's voucher carried in the agent service access request that the terminal sends to the proxy server is the provisional voucher.
Step S14: The proxy server sends the second agent's voucher in the received agent service access request to the Operation Server.
In the present embodiment, the proxy server sends the received second agent's voucher to the Operation Server over a virtual private network (VPN). The purpose of using the VPN is to improve the security of the information in transit.
Step S15: The Operation Server verifies the legitimacy of the second agent's voucher sent by the proxy server and sends the verification result to the proxy server.
In the present embodiment, when the second agent's voucher sent by the proxy server is the first agent's voucher, the Operation Server verifying the legitimacy of the second agent's voucher sent by the proxy server means the Operation Server verifying the legitimacy of the first agent's voucher sent by the proxy server.
In the present embodiment, when the second agent's voucher sent by the proxy server is the provisional voucher, the Operation Server verifying the legitimacy of the second agent's voucher sent by the proxy server means the Operation Server verifying the legitimacy of the provisional voucher sent by the proxy server.
Step S16: The proxy server processes the agent service access request according to the verification result.
In the present embodiment, when the verification result is that the second agent's voucher sent by the proxy server is legal, the proxy server responds to the agent service access request; when the verification result is that the second agent's voucher sent by the proxy server is illegal, the proxy server does not respond to the agent service access request.
The application uses the first agent's voucher in place of the terminal's real information for the interaction between the Operation Server and a terminal based on the Operation Server, and the first agent's voucher that the Operation Server distributes is different each time it authenticates the terminal. The second agent's voucher replaces the terminal's real information for the interaction between the terminal and the proxy server, and the effective duration of the second agent's voucher is at most equal to the effective duration of the first agent's voucher. It follows that the first agent's voucher and the second agent's voucher that stand in for the terminal's real information differ from one transmission to another within a certain period of time, so a person intercepting terminal information can hardly determine a fixed first agent's voucher and second agent's voucher from vouchers that keep changing. The first agent's voucher and second agent's voucher of the terminal therefore cannot be intercepted and the terminal cannot be falsely used, which reduces the risk of terminal information being intercepted and falsely used and improves the security of the terminal accessing the Operation Server and the proxy server.
Even if the person intercepting terminal information does intercept the first agent's voucher and the second agent's voucher, both vouchers change over time, so the intercepted first agent's voucher and second agent's voucher also become invalid. The terminal therefore cannot be falsely used, which further reduces the risk of the terminal being falsely used and improves security.
The Operation Server verifies the legitimacy of the terminal's first agent's voucher. After the Operation Server determines that the terminal is a legal terminal, the terminal accesses the proxy server carrying the second agent's voucher, the proxy server sends the second agent's voucher to the Operation Server, and the Operation Server verifies the second agent's voucher. This forms a three-party trust mechanism among the Operation Server, the terminal and the proxy server.
In the above method steps, when the terminal is a Set Top Box, the terminal identification of the terminal is the TVN (TVNumber, television signal) of the Set Top Box, and the TVN is the unique identification of the Set Top Box. For the interworking flow among the Operation Server, the terminal and the proxy server that corresponds to the flow chart of the service authentication method shown in Fig. 1, refer to Fig. 2, which is a schematic diagram of the interworking flow among the Operation Server, the terminal and the proxy server.
Another embodiment
Refer to Fig. 3. The present embodiment shows a flow chart of the detailed process by which the Operation Server determines whether the terminal is a legal terminal, wherein the request that the terminal sends to the Operation Server to verify whether the terminal is a legal terminal carries the terminal identification of the terminal and the first agent's voucher. The process may comprise the following steps:
Step S31: The Operation Server determines the effective deadline of the first agent's voucher according to the effective duration of the first agent's voucher.
The Operation Server records the time at which the first agent's voucher is generated when it distributes the first agent's voucher; that is, the Operation Server obtains the effective deadline of the first agent's voucher by adding the effective duration of the first agent's voucher to the time at which the first agent's voucher was generated.
Step S32: The Operation Server judges whether the time at which it receives the first agent's voucher exceeds the effective deadline of the first agent's voucher; if so, perform step S33; if not, perform step S34.
Step S33: The first agent's voucher has expired.
Step S34: Determine the first agent's voucher of the terminal stored by the Operation Server according to the terminal identification of the terminal.
The Operation Server stores the corresponding relation between the first agent's voucher of the terminal and the terminal identification of the terminal, so the first agent's voucher of the terminal can be determined from the terminal identification of the terminal and the stored corresponding relation. After determining the first agent's voucher of the terminal, perform step S34.
Step S35: Compare whether the first agent's voucher is consistent with the first agent's voucher of the terminal; if so, perform step S36; if not, perform step S37.
If the first agent's voucher has been intercepted, the result obtained is that the first agent's voucher is inconsistent with the first agent's voucher of the terminal, and step S36 is performed when the comparison result is inconsistent. If the first agent's voucher has not been intercepted, the result obtained is that the first agent's voucher is consistent with the first agent's voucher of the terminal, and step S35 is performed when the comparison result is consistent.
For example: the first agent's voucher is a1, and the terminal identification of the terminal corresponding to first agent's voucher a1 is A, so the corresponding relation stored by the Operation Server is first agent's voucher a1 and terminal identification A. If first agent's voucher a1 is intercepted by the terminal whose terminal identification is B, then the terminal identification of the terminal is B. On receiving first agent's voucher a1 and terminal identification B, the Operation Server first finds the corresponding relation between terminal identification B and its first agent's voucher b1, thereby determining the first agent's voucher b1 corresponding to terminal identification B, and then compares first agent's voucher a1 with first agent's voucher b1; obviously a1 and b1 are inconsistent. If first agent's voucher a1 is not intercepted, then the terminal identification of the terminal is A. On receiving first agent's voucher a1 and terminal identification A, the Operation Server first uses the corresponding relation between terminal identification A and first agent's voucher a1 to determine that the first agent's voucher corresponding to terminal identification A is a1; obviously first agent's voucher a1 is consistent with the first agent's voucher of the terminal.
Step S36: determine that described terminal is legal.
Step S37: determine that described terminal is illegal.
Further embodiment
Refer to Fig. 4. The present embodiment shows a flow chart of the detailed process by which the terminal determines the second agent's voucher according to the response message, which may comprise the following steps:
Step S41: The terminal judges whether the response message includes a provisional voucher.
If so, perform step S42; if not, perform step S43.
If the Operation Server has redistributed to the terminal a provisional voucher that is different from the first agent's voucher, the response message sent by the Operation Server includes the provisional voucher; otherwise the response message sent by the Operation Server does not include a provisional voucher.
Step S42: determine that described provisional voucher is second agent's voucher.
Step S43: determine that described first agent's voucher is second agent's voucher.
Further embodiment
Refer to Fig. 5. The present embodiment shows a flow chart of the detailed process by which the Operation Server verifies the legitimacy of the first agent's voucher sent by the proxy server, wherein the request to verify the legitimacy of the first agent's voucher that the proxy server sends to the Operation Server carries the first agent's voucher and the terminal identification of the terminal that sent the agent service access request. The process may comprise the following steps:
Step S51: The Operation Server determines the effective deadline of the first agent's voucher according to the effective duration of the first agent's voucher.
Step S51 is identical to step S31 in the detailed process, shown in Fig. 3, by which the Operation Server determines whether the terminal is a legal terminal, and is not repeated here.
Step S52: The Operation Server judges whether the time at which the proxy server sends the first agent's voucher exceeds the effective deadline of the first agent's voucher.
If the judgment result is that the time at which the proxy server sends the first agent's voucher is beyond the effective deadline of the first agent's voucher, which indicates that the first agent's voucher sent by the proxy server is still effective, perform step S53; otherwise, perform step S54.
Step S53: The first agent's voucher sent by the proxy server has expired.
Step S54: The Operation Server compares whether the first agent's voucher sent by the proxy server is consistent with the first agent's voucher of the terminal that sent the agent service access request.
When the comparison result is consistent, the first agent's voucher sent by the proxy server has not been intercepted, and the terminal that sent the agent service access request is the true terminal corresponding to the first agent's voucher sent by the proxy server; perform step S55. When the comparison result is inconsistent, the first agent's voucher sent by the proxy server has been intercepted, and the terminal that sent the agent service access request is no longer the true terminal corresponding to the first agent's voucher sent by the proxy server; perform step S56.
For example: the first agent's voucher sent by the proxy server is a, and the terminal corresponding to first agent's voucher a is A. If first agent's voucher a has not been intercepted, the terminal that sent the agent service access request is A. If first agent's voucher a has been intercepted, the terminal that sent the agent service access request is no longer A but terminal B, and the first agent's voucher b of terminal B necessarily differs from first agent's voucher a. It can therefore be determined that the first agent's voucher a sent by the proxy server has been intercepted, and hence that the first agent's voucher a sent by the proxy server is illegal.
Step S55: determine that first agent's voucher that described proxy server sends is legal.
Step S56: determine that first agent's voucher that described proxy server sends is illegal.
Further embodiment
Refer to Fig. 6. The present embodiment shows a flow chart of the detailed process by which the Operation Server verifies the legitimacy of the provisional voucher sent by the proxy server, wherein the request to verify the legitimacy of the provisional voucher that the proxy server sends to the Operation Server carries the provisional voucher and the terminal identification of the terminal that sent the agent service access request. The process may comprise the following steps:
Step S61: The Operation Server determines the effective deadline of the provisional voucher according to the effective duration of the provisional voucher.
The Operation Server records the time at which the provisional voucher is generated when it distributes the provisional voucher; that is, the Operation Server obtains the effective deadline of the provisional voucher by adding the effective duration of the provisional voucher to the time at which the provisional voucher was generated.
Step S62: The Operation Server judges whether the time at which the proxy server sends the provisional voucher exceeds the effective deadline of the provisional voucher.
If the judgment result is that the time at which the proxy server sends the provisional voucher is beyond the effective deadline of the provisional voucher, which indicates that the provisional voucher sent by the proxy server is still effective, perform step S63; otherwise, perform step S64.
Step S63: The provisional voucher sent by the proxy server has expired.
Step S64: The Operation Server compares whether the provisional voucher sent by the proxy server is consistent with the provisional voucher of the terminal that sent the agent service access request.
In the present embodiment, the Operation Server determines the provisional voucher of the terminal that sent the agent service access request according to the terminal identification of that terminal. After determining the provisional voucher of the terminal that sent the agent service access request, it compares whether the provisional voucher sent by the proxy server is consistent with the provisional voucher of that terminal.
When the comparison result is consistent, the provisional voucher sent by the proxy server has not been intercepted, and the terminal that sent the agent service access request is the true terminal corresponding to the provisional voucher sent by the proxy server; perform step S65. When the comparison result is inconsistent, the provisional voucher sent by the proxy server has been intercepted, and the terminal that sent the agent service access request is no longer the true terminal corresponding to the provisional voucher sent by the proxy server; perform step S66.
For example: the first agent's voucher sent by the proxy server is c, and the terminal corresponding to first agent's voucher c is C. If first agent's voucher c has not been intercepted, the terminal that sent the agent service access request is C. If first agent's voucher c has been intercepted, the terminal that sent the agent service access request is no longer C but terminal D, and the first agent's voucher d of terminal D necessarily differs from first agent's voucher c. It can therefore be determined that the first agent's voucher c sent by the proxy server has been intercepted, and hence that the first agent's voucher c sent by the proxy server is illegal.
Step S65: determine that the provisional voucher that described proxy server sends is legal.
Step S66: determine that the provisional voucher that described proxy server sends is illegal.
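The checks of Fig. 3, Fig. 5 and Fig. 6 (effective deadline, lookup by terminal identification, comparison) and the terminal's choice in Fig. 4 can be sketched as follows. This is an added example, not code from the patent: the class, function and field names, the random voucher generation, the constant-time comparison, choosing the table by whether a provisional voucher is on record, and treating a voucher presented after its effective deadline as expired are all assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    LEGAL = "legal"
    ILLEGAL = "illegal"
    EXPIRED = "expired"


@dataclass
class Voucher:
    value: str
    issued_at: float   # generation time recorded by the Operation Server
    valid_for: float   # effective duration, in seconds

    @property
    def deadline(self) -> float:
        # S31 / S61: effective deadline = generation time + effective duration
        return self.issued_at + self.valid_for


class OperationServer:
    """Hypothetical in-memory model of the Operation Server's voucher store."""

    def __init__(self):
        self._first = {}        # terminal identification -> first agent's voucher
        self._provisional = {}  # terminal identification -> provisional voucher

    def authenticate(self, terminal_id, now, valid_for):
        # A different first agent's voucher is distributed on every authentication.
        # Random generation is an assumption; the patent does not say how.
        self._first[terminal_id] = Voucher(secrets.token_hex(16), now, valid_for)
        self._provisional.pop(terminal_id, None)
        return self._first[terminal_id].value

    def issue_provisional(self, terminal_id, now, valid_for):
        # The second agent's voucher may not have a longer effective duration
        # than the first agent's voucher, so the requested duration is capped.
        capped = min(valid_for, self._first[terminal_id].valid_for)
        self._provisional[terminal_id] = Voucher(secrets.token_hex(16), now, capped)
        return self._provisional[terminal_id].value

    @staticmethod
    def _verify(table, terminal_id, presented, now):
        stored = table.get(terminal_id)       # lookup by terminal identification
        if stored is None:
            return Result.ILLEGAL
        if now > stored.deadline:             # presented after the deadline
            return Result.EXPIRED
        # Constant-time comparison (an added hardening, not in the patent).
        same = hmac.compare_digest(stored.value.encode(), presented.encode())
        return Result.LEGAL if same else Result.ILLEGAL

    def verify_first(self, terminal_id, presented, now):
        return self._verify(self._first, terminal_id, presented, now)

    def verify_second(self, terminal_id, presented, now):
        # Assumption: if a provisional voucher is on record for the terminal,
        # the second agent's voucher is checked against it, else against the first.
        table = self._provisional if terminal_id in self._provisional else self._first
        return self._verify(table, terminal_id, presented, now)


def select_second_voucher(response, first_voucher):
    # S41-S43: use the provisional voucher if the response message carries one.
    return response.get("provisional_voucher", first_voucher)


def proxy_handle(server, terminal_id, second_voucher, now):
    # The proxy server responds only when the Operation Server reports "legal".
    return server.verify_second(terminal_id, second_voucher, now) is Result.LEGAL
```

Because the lookup is keyed by the terminal identification in the request, a voucher replayed under another terminal's identification is compared against that other terminal's record and fails, which is the a1/b1 case described above.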
For brevity, each of the foregoing method embodiments is expressed as a series of combined actions, but those skilled in the art should know that the application is not limited by the described order of actions, because according to the application some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in this specification are preferred embodiments, and the actions and modules involved are not necessarily required by the application.
Corresponding to the embodiment of the service authentication method shown in Fig. 1, the application also provides a structure chart of a service authentication system. Referring to Fig. 7, the service authentication system includes an Operation Server 701, a terminal 702 and a proxy server 703, wherein:
The Operation Server 701 is used for receiving the Operational Visit request sent by the terminal 702 based on the Operation Server, the Operational Visit request carrying the first agent's voucher of the terminal and a service identification,
When the Operation Server 701 determines according to the first agent's voucher that the terminal 702 is a legal terminal, and the Operation Server determines according to the service identification that the terminal has ordered from the proxy server the business corresponding to the service identification, the Operation Server 701 sends a response message to the terminal 702, the response message including at least the access address of the business corresponding to the service identification; it also verifies the legitimacy of the second agent's voucher sent by the proxy server 703 and sends the result of the verification to the proxy server 703. The first agent's voucher is distributed by the Operation Server when it authenticates the terminal, and the first agent's voucher that the Operation Server distributes is different each time it authenticates the terminal.
In the present embodiment, the second agent's voucher sent by the proxy server is the first agent's voucher or the provisional voucher.
When the second agent's voucher is the first agent's voucher, the Operation Server 701 is specifically used for judging whether the time of the first agent's voucher sent by the terminal 702 exceeds the effective deadline of the first agent's voucher;
If so, comparing whether the first agent's voucher sent by the terminal 702 is consistent with the first agent's voucher of the terminal 702, stored by the Operation Server 701, that corresponds to the first agent's voucher sent by the terminal 702;
When the comparison result is consistent, determining that the first agent's voucher sent by the proxy server 703 is legal;
When the comparison result is inconsistent, determining that the first agent's voucher sent by the proxy server 703 is illegal;
If not, the first agent's voucher sent by the proxy server 703 has expired.
When the second agent's voucher sent by the terminal 702 is the provisional voucher, the Operation Server 701 is specifically used for judging whether the time of the provisional voucher sent by the terminal 702 exceeds the effective deadline of the provisional voucher;
If so, comparing whether the provisional voucher sent by the terminal 702 is consistent with the first agent's voucher of the terminal 702, stored by the Operation Server 701, that corresponds to the provisional voucher sent by the terminal 702;
When the comparison result is consistent, determining that the provisional voucher sent by the proxy server 703 is legal;
When the comparison result is inconsistent, determining that the provisional voucher sent by the proxy server 703 is illegal;
If not, the provisional voucher sent by the proxy server 703 has expired.
The Operation Server 701 is also used for storing the corresponding relation between the first agent's voucher of the terminal 702 based on the Operation Server and the terminal identification of the terminal corresponding to that first agent's voucher, and the effective duration of that first agent's voucher.
The Operation Server 701 distributes the provisional voucher before sending the response message to the terminal 702, and stores the corresponding relation between the provisional voucher of the terminal 702 and the terminal identification of the terminal 702, and the effective duration of the provisional voucher of the terminal 302.
The terminal 702 is used for sending the Operational Visit request to the Operation Server, determining the second agent's voucher according to the response message sent by the Operation Server 701, and sending the agent service access request to the proxy server 703 according to the access address of the business corresponding to the service identification. The agent service access request carries the second agent's voucher of the terminal, and the effective duration of the second agent's voucher is not more than the effective duration of the first agent's voucher.
In the present embodiment, the detailed process by which the terminal 702 determines the second agent's voucher according to the response message may be:
The terminal 702 judges whether the response message includes a provisional voucher; if so, it determines that the provisional voucher is the second agent's voucher; if not, it determines that the first agent's voucher is the second agent's voucher.
The proxy server 703 is used for sending the second agent's voucher in the received agent service access request to the Operation Server 701 for legitimacy verification, and for processing the agent service access request sent by the terminal 702 according to the verification result sent by the Operation Server 701.
In the present embodiment, the proxy server 703 sends the second agent's voucher in the received agent service access request to the Operation Server 701 specifically through a virtual private network (VPN).
In the present embodiment, the second agent's voucher sent by the proxy server 703 is the first agent's voucher or the provisional voucher.
In the above system, the terminal 702 may be a Set Top Box, and when the terminal 702 is a Set Top Box, the first agent's voucher processed in the system is an agent authorization voucher.
It should be noted that the embodiments in this specification are described in a progressive manner: each embodiment stresses its differences from the other embodiments, and for the parts that are identical or similar the embodiments may be referred to one another. Because the device embodiments are basically similar to the method embodiments, they are described relatively simply; for the relevant parts, refer to the description of the method embodiments.
Finally, it should also be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any such actual relation or order between these entities or operations. Moreover, the terms "includes", "comprising" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to the process, method, article or device. Without further limitation, an element limited by the statement "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
A service authentication method and system provided by the application have been described in detail above. Specific cases are used herein to set forth the principle and embodiments of the application, and the explanation of the above embodiments is only intended to help in understanding the method of the application and its core concept. At the same time, for one of ordinary skill in the art, both the specific embodiments and the scope of application will vary according to the idea of the application. In summary, the content of this specification should not be construed as a limitation of the application.

Claims (10)

1. A service authentication method, characterized in that the method includes:
An Operation Server receives an Operational Visit request sent by a terminal based on the Operation Server, the Operational Visit request carrying the first agent's voucher of the terminal and a service identification, wherein the first agent's voucher is distributed by the Operation Server when it authenticates the terminal, and the first agent's voucher that the Operation Server distributes is different each time it authenticates the terminal;
When the Operation Server determines according to the first agent's voucher that the terminal is a legal terminal, and the Operation Server determines according to the service identification that the terminal has ordered from a proxy server the business corresponding to the service identification, the Operation Server sends a response message to the terminal, the response message including at least the access address of the business corresponding to the service identification;
The terminal determines a second agent's voucher according to the response message, and sends an agent service access request to the proxy server according to the access address of the business corresponding to the service identification, the agent service access request carrying the second agent's voucher of the terminal, and the effective duration of the second agent's voucher being not more than the effective duration of the first agent's voucher;
The proxy server sends the second agent's voucher in the received agent service access request to the Operation Server;
The Operation Server verifies the legitimacy of the second agent's voucher sent by the proxy server, and sends the result of the verification to the proxy server;
The proxy server processes the agent service access request according to the result of the verification; wherein, if the verification result is that the second agent's voucher sent by the proxy server is legal, the proxy server responds to the agent service access request.
2. The method according to claim 1, characterized in that the first agent's voucher being distributed by the Operation Server when it authenticates the terminal includes:
The first agent's voucher is distributed by the Operation Server when it authenticates the terminal upon the terminal changing from a non-working state to a working state, or when it authenticates the terminal at every preset time.
3. The method according to claim 1, characterized in that, before the Operation Server receives the Operational Visit request sent by the terminal based on the Operation Server, the Operational Visit request carrying the first agent's voucher corresponding to the terminal that sends the Operational Visit request and the service identification, the method also includes:
The Operation Server stores the corresponding relation between the first agent's voucher of the terminal based on the Operation Server and the terminal identification of the terminal corresponding to that first agent's voucher, and the effective duration of that first agent's voucher.
4. The method according to claim 1, characterized in that the terminal determining the second agent's voucher according to the response message includes:
The terminal judges whether the response message includes a provisional voucher;
Wherein the provisional voucher is distributed by the Operation Server before it sends the response message to the terminal, and the Operation Server stores the corresponding relation between the provisional voucher of the terminal and the terminal identification of the terminal, and the effective duration of the provisional voucher of the terminal;
If so, determining that the provisional voucher is the second agent's voucher;
If not, determining that the first agent's voucher is the second agent's voucher.
5. The method according to claim 1, characterized in that the proxy server sending the second agent's voucher in the received agent service access request to the Operation Server includes:
The proxy server sends the received second agent's voucher to the Operation Server through a virtual private network (VPN).
6. The method according to claim 4, characterized in that, when the first agent's voucher is determined to be the second agent's voucher, the Operation Server verifying the legitimacy of the second agent's voucher sent by the proxy server includes:
The Operation Server determines the effective deadline of the first agent's voucher according to the effective duration of the first agent's voucher;
The Operation Server judges whether the time at which the proxy server sends the first agent's voucher exceeds the effective deadline of the first agent's voucher;
If so, the Operation Server compares whether the first agent's voucher sent by the proxy server is consistent with the first agent's voucher of the terminal that sent the agent service access request;
When the comparison result is consistent, determining that the first agent's voucher sent by the proxy server is legal;
When the comparison result is inconsistent, determining that the first agent's voucher sent by the proxy server is illegal;
If not, the first agent's voucher sent by the proxy server has expired.
7. The method according to claim 4, characterized in that, when the provisional voucher is determined to be the second agent's voucher, the Operation Server verifying the legitimacy of the second agent's voucher sent by the proxy server includes:
The Operation Server determines the effective deadline of the provisional voucher according to the effective duration of the provisional voucher;
The Operation Server judges whether the time at which the proxy server sends the provisional voucher exceeds the effective deadline of the provisional voucher;
If so, the Operation Server compares whether the provisional voucher sent by the proxy server is consistent with the provisional voucher of the terminal that sent the agent service access request;
When the comparison result is consistent, determining that the provisional voucher sent by the proxy server is legal;
When the comparison result is inconsistent, determining that the provisional voucher sent by the proxy server is illegal;
If not, the provisional voucher sent by the proxy server has expired.
8. The method according to any one of claims 1-7, characterized in that the terminal includes a Set Top Box;
The first agent's voucher is an agent authorization voucher.
9. A service authentication system, characterized in that it includes an Operation Server, a terminal and a proxy server, wherein:
The Operation Server is used for receiving the Operational Visit request sent by the terminal based on the Operation Server, the Operational Visit request carrying the first agent's voucher of the terminal and a service identification; when it determines according to the first agent's voucher that the terminal is a legal terminal and determines according to the service identification that the terminal has ordered from the proxy server the business corresponding to the service identification, sending a response message to the terminal, the response message including at least the access address of the business corresponding to the service identification; and verifying the legitimacy of the second agent's voucher sent by the proxy server and sending the result of the verification to the proxy server; wherein the first agent's voucher is distributed by the Operation Server when it authenticates the terminal, and the first agent's voucher that the Operation Server distributes is different each time it authenticates the terminal;
The terminal is used for sending the Operational Visit request to the Operation Server, determining the second agent's voucher according to the response message sent by the Operation Server, and sending an agent service access request to the proxy server according to the access address of the business corresponding to the service identification, the agent service access request carrying the second agent's voucher of the terminal, and the effective duration of the second agent's voucher being not more than the effective duration of the first agent's voucher;
The proxy server is used for sending the second agent's voucher in the received agent service access request sent by the terminal to the Operation Server for legitimacy verification, and for processing the agent service access request sent by the terminal according to the verification result sent by the Operation Server; wherein, if the verification result is that the second agent's voucher sent by the proxy server is legal, the proxy server responds to the agent service access request.
10. The system according to claim 9, characterized in that the terminal includes a Set Top Box;
The first agent's voucher is an agent authorization voucher.
CN201310132539.8A 2013-04-16 2013-04-16 A kind of service authentication method and system Expired - Fee Related CN103178969B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310132539.8A CN103178969B (en) 2013-04-16 2013-04-16 A kind of service authentication method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310132539.8A CN103178969B (en) 2013-04-16 2013-04-16 A kind of service authentication method and system

Publications (2)

Publication Number Publication Date
CN103178969A CN103178969A (en) 2013-06-26
CN103178969B true CN103178969B (en) 2016-06-29

Family

ID=48638601

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310132539.8A Expired - Fee Related CN103178969B (en) 2013-04-16 2013-04-16 A kind of service authentication method and system

Country Status (1)

Country Link
CN (1) CN103178969B (en)


Also Published As

Publication number Publication date
CN103178969A (en) 2013-06-26


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20160629

Termination date: 20210416