CN103546291A - Third party certification system with specific registration processes or third party certification method - Google Patents

Info

Publication number: CN103546291A
Application number: CN201310460800.7A
Authority: CN (China)
Legal status: Withdrawn
Other languages: Chinese (zh)
Inventor: 任少华
Current assignee: Individual
Original assignee: Individual
Prior art keywords: service side, user, party intermediary, service, party

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The invention relates to a third-party authentication system or method with a specific registration flow. After a user has registered a user account AUAC with the intermediary, the user terminal can, by logging in to AUAC, conveniently register directly with service sides and associate a new account APAC with AUAC from within the authentication program's interface.

Description

Third-party authentication system or method with a specific registration flow
Technical field
The present invention relates to a third-party authentication system or method with a specific registration flow.
Background art
The quantity of resources and services provided on the Internet is very large and growing rapidly, and the Internet has become the main channel through which people obtain information resources and information services. Many Internet resource and service providers require users to log in and be verified, which raises the problem of balancing convenience and security. Authentication through a third party, or intermediary, is an effective way of addressing these problems.
Summary of the invention
The present invention is realized as follows. A third-party authentication system or method with a specific registration flow is characterized in that a user terminal can access a service side's corresponding service only after the user, using the terminal, has passed the service side's authentication, and the service side's authentication is completed through the intermediary. An authentication program running on the user terminal can be authenticated by the intermediary; only after the authentication program has been authenticated by the intermediary can the user terminal carry out service-side authentication, and the user terminal can pass service-side authentication only while this authentication program, or a program object PRO started by it, is still running. During service-side authentication the intermediary can send a Service Ticket to the service side directly or forward it through the user terminal, and the service side's authentication passes only after the service side has received a correct Service Ticket. During service-side authentication the user terminal can send user identification information to the service side, and the service side's authentication passes only when the service side has received correct user identification information. After service-side authentication passes, the service side can allow a port or connection of the user terminal to access the service side's corresponding service; this port or connection is the one over which the user terminal sent the Service Ticket or user identification information to the service side. Before the user, using the terminal, carries out service-side authentication through the intermediary, the user has registered a user account AUAC with the intermediary and, by means of AUAC, has registered an associated user account APAC with the service side. The process and steps by which the user registers AUAC and registers the associated APAC are:
1) the user registers the user account AUAC with the intermediary;
2) the user logs in to the intermediary account AUAC using the terminal, and the authentication program running on the terminal is authenticated by the intermediary;
3) on the authentication program's interface, the user selects the service side with which to register an associated account;
4) the authentication program running on the user terminal sends an association registration request to the intermediary;
5) the authentication program on the user terminal starts a new program, generates a new browser object, redirects a browser object, or redirects itself;
6) through this new program, browser object, or the authentication program itself, the user terminal sends an association registration credential to the service side;
7) only after the service side has verified that this association registration credential is correct does the service side register the account APAC for the user and associate this APAC with the user's AUAC;
8) the intermediary likewise completes the association of AUAC and APAC on the intermediary's side.
Only after both the service side and the intermediary have successfully associated APAC with AUAC is the associated registration of this user's APAC complete.
After step 2) of the process by which the user registers AUAC and the associated APAC, there may also be a step 2.1): the intermediary sends to the authentication program on the terminal a list of service sides with which an associated account can be registered. This list is filtered according to conditions specified by the user, or according to default conditions.
In step 2) of that process, the two actions of the user logging in to the intermediary account AUAC and the authentication program being authenticated by the intermediary may be the same step, different steps carried out at the same time, or different steps carried out at different times.
Before or after step 5) of that process there is also a step 5.1): the intermediary sends the association registration credential to the user terminal. The program object on the user terminal that receives the association registration credential from the intermediary is the new program started by the authentication program, the browser object newly generated by the authentication program, the authentication program itself, or the browser object to which the authentication program redirected.
After step 7) of that process there may also be a step 7.1): the service side sends a message to the intermediary, directly or through the user terminal, stating that the service side's association registration succeeded. Only after the intermediary receives this message can it complete step 8).
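The registration flow above (steps 4) to 8), with the credential contents and public-key verification described further down) is modelled here as an added example; it is not code from the patent. Ed25519 stands in for the unnamed signature algorithm, the credential age check, the "intermediary name/AUAC" form of APAC, and all names (AU, a.example, alice) are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// AssocCredential is the association registration credential of step 5.1): the
// user's AUAC, the intermediary's and service side's identifying information,
// the generation time, and the intermediary's signature over those four fields.
// Ed25519 is an assumption; the description does not name a signature algorithm.
type AssocCredential struct {
	AUAC, Intermediary, ServiceSide string
	GeneratedAt                     time.Time
	Signature                       []byte
}

// signingInput is the byte string the intermediary signs and the service side verifies.
func (c AssocCredential) signingInput() []byte {
	return []byte(c.AUAC + "|" + c.Intermediary + "|" + c.ServiceSide + "|" + c.GeneratedAt.UTC().Format(time.RFC3339))
}

// Intermediary holds the signing key and its own AUAC -> APAC table (step 8).
type Intermediary struct {
	Name   string
	priv   ed25519.PrivateKey
	assocs map[string]string
}

// NewIntermediary derives the signing key from a 32-byte seed (a fixed seed
// keeps the example deterministic; real keys would come from crypto/rand).
func NewIntermediary(name string, seed []byte) *Intermediary {
	return &Intermediary{Name: name, priv: ed25519.NewKeyFromSeed(seed), assocs: map[string]string{}}
}

// PublicKey is what the service side holds to verify the intermediary's signature.
func (im *Intermediary) PublicKey() ed25519.PublicKey { return im.priv.Public().(ed25519.PublicKey) }

// IssueCredential answers the request of step 4) with the signed credential of step 5.1).
func (im *Intermediary) IssueCredential(auac, serviceSide string, now time.Time) AssocCredential {
	c := AssocCredential{AUAC: auac, Intermediary: im.Name, ServiceSide: serviceSide, GeneratedAt: now}
	c.Signature = ed25519.Sign(im.priv, c.signingInput())
	return c
}

// ServiceSide verifies credentials with the intermediary's public key and keeps
// its own APAC -> AUAC table (step 7). MaxAge bounds the credential's age (an assumption).
type ServiceSide struct {
	Domain          string
	IntermediaryPub ed25519.PublicKey
	MaxAge          time.Duration
	assocs          map[string]string
}

func NewServiceSide(domain string, pub ed25519.PublicKey, maxAge time.Duration) *ServiceSide {
	return &ServiceSide{Domain: domain, IntermediaryPub: pub, MaxAge: maxAge, assocs: map[string]string{}}
}

// Register is step 7): APAC is created only after the credential verifies; the
// form "intermediary name + AUAC" is one the description explicitly allows.
func (s *ServiceSide) Register(c AssocCredential, now time.Time) (string, error) {
	if c.ServiceSide != s.Domain {
		return "", errors.New("credential was issued for a different service side")
	}
	if age := now.Sub(c.GeneratedAt); age < 0 || age > s.MaxAge {
		return "", errors.New("credential is outside its validity period")
	}
	if !ed25519.Verify(s.IntermediaryPub, c.signingInput(), c.Signature) {
		return "", errors.New("intermediary signature does not verify")
	}
	apac := c.Intermediary + "/" + c.AUAC
	s.assocs[apac] = c.AUAC
	return apac, nil
}

// Associate runs steps 4) to 8). The intermediary records its side only after
// the service side reports success (step 7.1), so a failed step 7) changes nothing.
func Associate(im *Intermediary, s *ServiceSide, auac string, now time.Time) (string, error) {
	apac, err := s.Register(im.IssueCredential(auac, s.Domain, now), now)
	if err != nil {
		return "", err
	}
	im.assocs[auac] = apac
	return apac, nil
}

// Associated is the completion condition: the pair is recorded on both sides.
func Associated(im *Intermediary, s *ServiceSide, auac, apac string) bool {
	return im.assocs[auac] == apac && s.assocs[apac] == auac
}

func main() {
	im := NewIntermediary("AU", make([]byte, ed25519.SeedSize)) // constructed zero seed, demo only
	a := NewServiceSide("a.example", im.PublicKey(), 5*time.Minute)
	apac, err := Associate(im, a, "alice", time.Date(2013, 9, 30, 12, 0, 0, 0, time.UTC))
	fmt.Println(apac, err, Associated(im, a, "alice", apac))
}
```

The point a verifier should take from this is that the service side never trusts the AUAC it receives on its own: the credential names the intended service side, carries a time, and is signed by the intermediary, so a credential altered in the browser object or replayed against another service side fails before any APAC is created.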
The user's APAC may contain the user's AUAC. For example, the user's APAC may be composed of the intermediary's name plus the user's AUAC.
The user's APAC may correspond to several user identification codes APID at the service side.
The user's AUAC may correspond to several user identification codes AUID at the intermediary.
The association registration credential contains the user's AUAC or AUID, the intermediary's identifying information, the service side's identifying information, the generation time, and the intermediary's digital signature.
The association registration credential contains the user's AUAC or AUID.
The association registration credential contains the service side's identifying information, which is a network address, domain name, name, or similar.
The association registration credential contains the intermediary's identifying information, which is a network address, domain name, name, or similar.
The association registration credential is digitally signed by the intermediary; the service side holds the public key corresponding to the intermediary's digital signature and uses that public key to verify the intermediary's signature.
That the service side or the intermediary associates APAC with AUAC means specifically that the service side or the intermediary stores this user's APAC (or the APID corresponding to it) together with this AUAC (or the AUID corresponding to it).
That the authentication program is authenticated by the intermediary means specifically that the user is authenticated by the intermediary using the authentication program, or that the authentication program is authenticated by the intermediary through another program that has a connection with the intermediary. For example, after the user logs in to the intermediary through a dedicated program, that dedicated program establishes a secure connection with the intermediary, and the authentication program is authenticated by the intermediary through this secure connection (for example, the authentication program, the dedicated program, and the intermediary pass an authentication message around a closed loop, and through this closed-loop transmission the authentication program establishes a new connection with the intermediary and is authenticated by it).
The process of the authentication program being authenticated by the intermediary may include both the user being authenticated by the intermediary using the terminal and the authentication program being authenticated by the intermediary through another program connected with the intermediary. For example, the user logs in to the intermediary with a dedicated program and establishes a connection, then the authentication program is authenticated by the intermediary on the basis of this connection and a new connection is established between the authentication program and the intermediary; the whole of this process counts as the user terminal being authenticated by the intermediary.
After the authentication program stops running, it must be authenticated by the intermediary again before the user terminal can carry out service-side authentication again.
After the user terminal logs in to the intermediary, the intermediary can send to the authentication program, for display on its interface, this user's account AUAC together with the APACs or APIDs associated with it at all service sides; the user can then operate on the authentication program's interface to request access to one of those service sides' corresponding service, or to request access to a service side's corresponding service with the user's APAC or APID at that service side.
The authentication program's interface can show all service sides, corresponding services, APACs, or APIDs that this user terminal has accessed through the intermediary, and the user can terminate access to any of them from the interface.
On the authentication program's interface, the user can select one, several, or all of the displayed service sides, corresponding services, APACs, or APIDs accessed through the intermediary and terminate access to them.
When the user selects, on the authentication program's interface, to terminate access to a displayed service side, corresponding service, APAC, or APID accessed through the intermediary, the authentication program sends a terminate-access request to the intermediary, the intermediary sends a terminate-access notice to the corresponding service side, and on receiving the notice the service side terminates this user terminal's access to that service side, corresponding service, APAC, or APID.
After the user terminal logs in to the intermediary, the intermediary can send to the authentication program, for display on its interface, this user's account AUAC and the APACs or APIDs associated with it at all service sides, and the user can select, on the interface, to terminate the association between a service side, or the user's APAC or APID at a service side, and the user's intermediary account AUAC.
After logging in to the intermediary, the user terminal can display or search, on the authentication program's interface, all service sides or corresponding services that can be associated through this intermediary.
The program or program object with which the user accesses the service side's corresponding service is not the authentication program; it is a program or program object newly run after the user requests access to the service side on the authentication program's interface.
The user's service-side account APAC and intermediary account AUAC must first be associated with each other; only then can the user complete service-side authentication through the intermediary and access the service side's corresponding service. Here the user's service-side account means the user's account at the service side or the user group at the service side to which that account belongs, and the user's intermediary account means the user's account at the intermediary or the user group at the intermediary to which that account belongs; association between the two means association between the user's service-side account (or its user group at the service side) and the user's intermediary account (or its user group at the intermediary).
After the user's service-side account APAC and intermediary account AUAC are associated, the service-side user account and the intermediary user account have a mutual correspondence, and this correspondence is stored by both the service side and the intermediary.
The specific steps by which the user uses the terminal to access the service side's corresponding service are: 1> the authentication program runs on the user terminal and is authenticated by the intermediary; 2> the user selects, on the authentication program's interface, to request access to a service side; 3> the intermediary verifies whether the authentication program is still running, and only if this verification passes does the next step proceed; 4> the user terminal, the service side, and the intermediary complete service-side authentication, and only if it passes does the next step proceed; 5> the user accesses the service side's corresponding service.
After the user terminal terminates access to a service side, it must carry out service-side authentication through the intermediary again before accessing that service side again.
Later, unknown, other, or new user identification information cannot be inferred from known user identification information.
Other user identification information, or the user identification information for later service-side authentications, cannot be inferred from known user identification information.
The user identification information contains content randomly generated for this service-side authentication, or contains the time of this service-side authentication and cryptographically computed information. For example, the user identification information contains its own generation time and is digitally signed.
One item of user identification information is used for only one service-side authentication.
Each item of user identification information has a validity period; expired user identification information becomes invalid and cannot complete service-side authentication.
When the intermediary sends the Service Ticket directly to the service side, the user identification information and the Service Ticket can have a verifiable correspondence: the service side checks whether the two correspond, and if they do not, service-side authentication fails. For example, both may contain the user's username at the service side, or the same random number. As another example, the Service Ticket is a public key and the user identification information is computed with the corresponding private key.
When the intermediary forwards the Service Ticket to the service side through the user terminal, the user identification information and the Service Ticket can be the same information, or both can be contained in the same message. For example, the intermediary first sends the Service Ticket to the user terminal, and the user terminal sends it to the service side together with the user identification information. As another example, the intermediary sends the Service Ticket to the user terminal, which forwards it to the service side; this Service Ticket contains the user's username at the service side and a random number, and that username and random number are the user identification information.
The user identification information may contain information about this user's account at the service side, and may contain information about the service side.
The user terminal can send user identification information only while the authentication program is running; the user identification information is generated or sent by the authentication program.
After passing service-side authentication, the connection the user terminal establishes with the service side to access the corresponding service does not pass through the intermediary.
During service-side authentication, the user terminal may forward the Service Ticket from the intermediary to the service side; or the user terminal may send to the intermediary, via the service side, authentication information computed with an algorithm agreed between the user terminal and the intermediary; or the user terminal, the service side, and the intermediary may pass an authentication message around a closed loop, with the endpoint of the loop verifying whether the authentication information originates from the loop's starting point; or the user terminal may send to the service side authentication information computed with an algorithm agreed between the user terminal and the service side.
During service-side authentication the user terminal can send to the intermediary, via the service side, authentication information computed with an algorithm agreed between the user terminal and the intermediary. The agreed algorithm is an encryption/decryption algorithm. After the user logs in to the intermediary with the authentication program on the terminal, the intermediary and the user terminal each hold one key of a key pair for the agreed algorithm; the key pair is an asymmetric-encryption key pair, with the user terminal holding the private key and the intermediary the public key. Service-side authentication passes only if the intermediary verifies this authentication information as correct with the public key.
During service-side authentication, the user terminal, the service side, and the intermediary can pass an authentication message around a closed loop, with the endpoint of the loop verifying whether the authentication information originates from the loop's starting point. Service-side authentication passes only if the closed-loop transmission completes successfully.
The intermediary and the service side share a corresponding agreed algorithm, with which the service side verifies whether the Service Ticket it receives is correct. The agreed algorithm may be an encryption/decryption algorithm, a digital signature algorithm, a one-way function, a dynamic password algorithm, or similar. The service side holds the intermediary's public key and the intermediary holds the corresponding private key.
During service-side authentication the user terminal can send to the service side authentication information computed with an algorithm agreed between the user terminal and the service side. The agreed algorithm is an encryption/decryption algorithm. After the user logs in to the intermediary with the authentication program, the intermediary and the user terminal each hold one key of an asymmetric key pair for the agreed algorithm, the user terminal holding the private key and the intermediary the public key. During service-side authentication the service side receives the public key corresponding to the user terminal's private key, the user terminal sends the service side authentication information computed with its private key, and the service side verifies that information with the public key it received; only if the authentication information is correct does service-side authentication pass.
The user has user accounts at both the service side and the intermediary, and these accounts have a mutual correspondence that may be one-to-one, one-to-many, or many-to-one. One-to-one, for example: the user first registers an intermediary account and then registers a service-side account directly through that intermediary account; the user's service-side account is the intermediary account or user identification code that the intermediary passes to the service side during registration, and when the user registers the service-side account through the intermediary, both sides associate the two accounts. One-to-many, for example: the user has several intermediary accounts, all corresponding to the same service-side account. Many-to-one, for example: the user has several service-side accounts, all corresponding to the same intermediary account.
During service-side authentication, the user terminal, the service side, and the intermediary can complete a closed-loop transmission of a message, in which the endpoint of the loop can verify whether two messages in the loop were both generated or sent by the same starting point. For example, the intermediary generates a random string as the Service Ticket and sends it directly to the service side while also sending it to the service side through the user terminal; the service side compares the two strings it received to verify whether the authentication is correct.
The connection the user terminal establishes to access the service side's corresponding service does not pass through the intermediary.
The Service Ticket can be sent by the intermediary directly to the service side, by a route and in a manner that do not pass through the user terminal. For example, the Service Ticket contains a public key, the authentication program on the user terminal holds the corresponding private key, and the service side verifies the Service Ticket through the correspondence of this key pair.
The Service Ticket can be forwarded by the intermediary to the service side through the user terminal. For example, the Service Ticket contains the intermediary's digital signature, and the service side verifies the Service Ticket by checking that signature.
The Service Ticket also contains information about its generation time, and a Service Ticket past its validity period becomes invalid.
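The closed-loop comparison described above (a random Service Ticket sent to the service side both directly and through the user terminal inside the user identification information), together with the single-use and validity-period rules, is shown here as an added example that is not code from the patent. The message field names, the 16-byte ticket length, the two-minute validity period, and the values A, AU and AID are assumptions made for the demonstration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// UserIdentification is the message the terminal's authentication program sends
// to the service side on the second path of the loop: the forwarded Service
// Ticket plus the user's service-side account, the intermediary's name and the
// service side's name (the contents listed in embodiment step 2.4 b).
type UserIdentification struct {
	Ticket, Account, Intermediary, ServiceSide string
}

// directTicket is the service side's record of a Service Ticket that arrived on
// the direct intermediary -> service side path: the account it was issued for,
// its generation time, and whether it has already completed an authentication.
type directTicket struct {
	account     string
	generatedAt time.Time
	used        bool
}

// ServiceSide keeps the directly received tickets and the validity period it enforces.
type ServiceSide struct {
	Name, Intermediary string
	Validity           time.Duration
	direct             map[string]directTicket
}

func NewServiceSide(name, intermediary string, validity time.Duration) *ServiceSide {
	return &ServiceSide{Name: name, Intermediary: intermediary, Validity: validity, direct: map[string]directTicket{}}
}

// NewServiceTicket is the intermediary's part: a random string generated for one authentication.
func NewServiceTicket() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// ReceiveDirect records a Service Ticket the intermediary sent straight to the service side.
func (s *ServiceSide) ReceiveDirect(ticket, account string, generatedAt time.Time) {
	s.direct[ticket] = directTicket{account: account, generatedAt: generatedAt}
}

// Authenticate closes the loop: the copy forwarded through the user terminal
// must equal a copy received directly, name the same account, intermediary and
// service side, lie inside the validity period, and not have been used before.
func (s *ServiceSide) Authenticate(uid UserIdentification, now time.Time) error {
	if uid.ServiceSide != s.Name || uid.Intermediary != s.Intermediary {
		return errors.New("identification names a different service side or intermediary")
	}
	rec, ok := s.direct[uid.Ticket]
	if !ok {
		return errors.New("no Service Ticket with this value arrived on the direct path")
	}
	if rec.used {
		return errors.New("Service Ticket already used for an earlier authentication")
	}
	if rec.account != uid.Account {
		return errors.New("account in identification does not match the directly received ticket")
	}
	if age := now.Sub(rec.generatedAt); age < 0 || age > s.Validity {
		return errors.New("Service Ticket is outside its validity period")
	}
	rec.used = true // one Service Ticket serves exactly one service-side authentication
	s.direct[uid.Ticket] = rec
	return nil
}

func main() {
	s := NewServiceSide("A", "AU", 2*time.Minute)
	t0 := time.Date(2013, 9, 30, 12, 0, 0, 0, time.UTC)
	ticket, _ := NewServiceTicket()
	s.ReceiveDirect(ticket, "AID", t0) // path 1: intermediary -> service side
	uid := UserIdentification{Ticket: ticket, Account: "AID", Intermediary: "AU", ServiceSide: "A"}
	fmt.Println("first use:", s.Authenticate(uid, t0.Add(30*time.Second))) // path 2: via the terminal
	fmt.Println("replay:", s.Authenticate(uid, t0.Add(40*time.Second)))
}
```

The check order matters for a defender: an unknown or already-used ticket is rejected before any account comparison, so a captured user identification message is worthless once the original authentication has completed or the validity period has passed.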
When the authentication program stops running, the user terminal's access to the service side can also be terminated: when the authentication program terminates, the intermediary notifies the service side to terminate the user terminal's access to it, and the program object with which the user terminal logged in to the service side stops running.
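The liveness gate of the access procedure (step 3>: access proceeds only while the authentication program is running), user-initiated termination from the program's interface, and the rule just stated that a stopped program ends all of the terminal's accesses are modelled together in this added example, which is not code from the patent. A heartbeat with a fixed timeout stands in for the unspecified liveness check, the intermediary keeps an in-memory session table, and the terminal and service-side names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// TerminateNotice is what the intermediary sends a service side to end one terminal's access.
type TerminateNotice struct {
	Terminal, ServiceSide string
}

// session is the intermediary's state for one authenticated authentication program.
type session struct {
	auac          string
	lastHeartbeat time.Time
	accessed      map[string]bool // service sides reached through the intermediary
}

// Intermediary tracks sessions, their liveness, and the notices it has issued.
type Intermediary struct {
	HeartbeatTimeout time.Duration // assumption: how stale a heartbeat may be before the program counts as stopped
	sessions         map[string]*session
	Notices          []TerminateNotice
}

func NewIntermediary(timeout time.Duration) *Intermediary {
	return &Intermediary{HeartbeatTimeout: timeout, sessions: map[string]*session{}}
}

// Login records that the terminal's authentication program has been authenticated (step 1>).
func (im *Intermediary) Login(terminal, auac string, now time.Time) {
	im.sessions[terminal] = &session{auac: auac, lastHeartbeat: now, accessed: map[string]bool{}}
}

// Heartbeat is the program's reply to the intermediary's liveness check.
func (im *Intermediary) Heartbeat(terminal string, now time.Time) error {
	s, ok := im.sessions[terminal]
	if !ok {
		return errors.New("no session for this terminal; authenticate the program first")
	}
	s.lastHeartbeat = now
	return nil
}

// Running is the check of step 3>: the program counts as running while its heartbeat is fresh.
func (im *Intermediary) Running(terminal string, now time.Time) bool {
	s, ok := im.sessions[terminal]
	return ok && now.Sub(s.lastHeartbeat) <= im.HeartbeatTimeout
}

// RequestAccess gates step 4): service-side authentication may proceed only if the program is running.
func (im *Intermediary) RequestAccess(terminal, serviceSide string, now time.Time) error {
	if !im.Running(terminal, now) {
		return errors.New("authentication program is not running; it must be authenticated again")
	}
	im.sessions[terminal].accessed[serviceSide] = true
	return nil
}

// TerminateAccess is the user ending one access from the program's interface.
func (im *Intermediary) TerminateAccess(terminal, serviceSide string) {
	s, ok := im.sessions[terminal]
	if !ok || !s.accessed[serviceSide] {
		return
	}
	delete(s.accessed, serviceSide)
	im.Notices = append(im.Notices, TerminateNotice{terminal, serviceSide})
}

// ProgramStopped ends every access of the terminal and drops its session, so a
// new access requires the program to be authenticated by the intermediary again.
func (im *Intermediary) ProgramStopped(terminal string) []TerminateNotice {
	s, ok := im.sessions[terminal]
	if !ok {
		return nil
	}
	var sent []TerminateNotice
	for svc := range s.accessed {
		n := TerminateNotice{terminal, svc}
		sent = append(sent, n)
		im.Notices = append(im.Notices, n)
	}
	delete(im.sessions, terminal)
	return sent
}

// Sweep treats every session whose heartbeat has lapsed as a stopped program and returns how many it ended.
func (im *Intermediary) Sweep(now time.Time) int {
	stopped := 0
	for term := range im.sessions {
		if !im.Running(term, now) {
			im.ProgramStopped(term)
			stopped++
		}
	}
	return stopped
}

func main() {
	im := NewIntermediary(30 * time.Second)
	t0 := time.Date(2013, 9, 30, 12, 0, 0, 0, time.UTC)
	im.Login("pc-1", "alice", t0)
	fmt.Println(im.RequestAccess("pc-1", "A", t0.Add(5*time.Second)))
	fmt.Println(im.RequestAccess("pc-1", "Q", t0.Add(time.Minute)), im.Sweep(t0.Add(time.Minute)), im.Notices)
}
```

Whatever liveness mechanism a deployment uses, the security property is the one the sweep enforces: the terminal's access to every service side is bounded by the life of the authentication program, and a lapsed check fails closed rather than leaving sessions open.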
The user terminal, the service side, and the intermediary are connected through the Internet, and the three parties exchange their messages over the Internet.
The Service Ticket can be a single message, or be composed of two separately sent messages.
Access here means logging in or connecting.
The service side is a computer system, website, or similar that provides resources and services to user terminals over the Internet.
The intermediary is a computer system that performs third-party authentication on the Internet.
The terminal, the service side, and the intermediary are devices with computing capability, such as PCs, mobile phones, servers, or server farms.
The intermediary may consist of several servers or server farms together, and the intermediary's role or functions may be divided among several servers or server farms. For example, the user terminal logs in to the intermediary's server A, keeps a connection with the intermediary's server B, obtains a temporary credential from the intermediary's server C, exchanges the temporary credential for a Service Ticket at the intermediary's server D, and logs in to the service side with the Service Ticket.
The different servers or server groups making up the intermediary may have different network addresses and may belong to different operators.
The result of accessing the service side's corresponding service is that the user terminal establishes a connection with the service side or with a party trusted by the service side. For example, the user terminal sends the Service Ticket to the service side, the service side returns a service-side credential to the user terminal, and the user terminal then logs in to the party trusted by the service side with that service-side credential.
Description of the drawings
Fig. 1 is a schematic of the network structure of embodiment 1 of the present invention.
Embodiment
Embodiment 1
The user terminal is a computer; the service-side websites are e-commerce website A, search website B, and instant messaging website Q; the intermediary is a third-party authentication provider.
The flow by which the user, using the terminal, registers a user account at a service side and logs in to the service side through the intermediary is as follows:
1) registering an account and associating accounts:
1.1) the user downloads the authentication program client from the intermediary AU and uses it to register the user account AUAC at the intermediary;
1.2) the user logs in to the intermediary account AUAC with the authentication program running on the terminal, and the intermediary sends to the authentication program on the terminal the user-specified list of service sides with which this user can register an associated account;
1.3) on the authentication program's interface, the user selects the service side A with which to register an associated account;
1.4) the authentication program running on the user terminal sends an association registration request to the intermediary; this association registration request contains the intermediary's name, the service side's domain name, the user's username AUAC at the intermediary, the generation time, and the intermediary's digital signature; the association registration credential is digitally signed by the intermediary, and the service side holds the public key corresponding to the intermediary's signature and verifies the intermediary's signature with it;
1.5) the intermediary sends the association registration credential to the authentication program on the user terminal;
1.6) the authentication program on the user terminal starts a new program, generates a new browser object, or redirects a browser object, and sends the association registration credential to the service side through that new program or browser object;
1.7) only after the service side verifies that this association registration credential is correct does the service side register the account AID for the user at the service side and associate it with the user's AUAC; after the association succeeds, the service side can also send a message to the intermediary that the association succeeded;
1.8) after receiving the message that the service side's association succeeded, the intermediary also completes the association of AUAC and AID at the intermediary.
Only after both the intermediary and the service side have successfully carried out the association are this user's AID and AUAC successfully associated.
The user can also register accounts BID and QID at B and Q with the same steps as above and associate each with AUAC.
2) logging in to a service side's corresponding service:
2.1) the user runs the authentication program on the terminal and logs in to the intermediary with it;
2.2) the intermediary returns data to the authentication program, including the service sides A, B, Q associated with the user and the service-side user accounts AID, BID, QID;
2.3) on the authentication program's interface, the user selects to log in to A with AID;
2.4) the user terminal, the service side A, and the intermediary AU carry out service-side authentication for service side A: a. the intermediary verifies by challenge-response whether the authentication program is still running, and proceeds to the next step only if it is; b. the intermediary sends the Service Ticket to service side A both directly and through the user terminal, and the service side checks whether the two Service Tickets it receives are identical; the Service Ticket sent through the user terminal is contained in the user identification information that the user terminal sends to the service side, which also contains the user's account at the service side, the intermediary's name, and the service side's name; the next step proceeds only if both the Service Ticket and the user identification information are correct; c. the user terminal passes service-side authentication;
2.5) after the user terminal passes service-side authentication by service side A, it can access the requested corresponding service of the service side with AID;
2.6) the user can also log in to service sides B and Q by repeating steps 2.3) and 2.4).
3) user terminal is ended the login to service side's respective service:
3.1) authentication procedure on user terminal can show service side and the respective service that the user of all these terminals has accessed by party intermediary,
3.2) user selects to end access service side or a respective service on the interface of authentication procedure, authentication procedure send to be ended the request of access and party intermediary sends the request of ending access to service side to party intermediary, and service side receives that the request of the termination access that party intermediary is sent will end the access of this user terminal to service side or respective service.
3.3) when authentication procedure is stopped running on user terminal, authentication procedure also can be sent one to party intermediary and end access request, party intermediary can give notice to end the access of this user terminal to all service sides and respective service to all service sides of this user terminal access, or, when party intermediary fails to receive the heartbeat response of authentication procedure or question and answer response, also can end the access of this user terminal to all service sides and respective service.
4) user ends associated to the user account in party intermediary and service side's user account:
4.1) this user account that user terminal can show to authentication procedure transmission and on authentication procedure interface party intermediary in login party intermediary Hou, intermediary is at all service sides or all user accounts service side of party intermediary association,
4.2) user account that user can select to end a service side or a service side on the interface of authentication procedure and this user are associated the user account of party intermediary.
Embodiment 2
Part 1) of the present embodiment, registering an account and associating accounts, is identical to Embodiment 1; part 2) follows.
2) Logging in to a service side's respective service:
2.1) the user runs the dedicated program on the terminal and uses it to log in to the party intermediary; an SSL connection is established between the dedicated program and the party intermediary;
2.2) the user selects, on the dedicated program's interface, to start a browser object; this browser object is the authentication procedure of the present embodiment. The dedicated program generates a symmetric cryptographic key (the connection key) and sends it to both the authentication procedure and the party intermediary;
2.3) the authentication procedure (browser object) connects to the specific address of the party intermediary and sends it information digitally signed with the connection key it obtained; the party intermediary verifies the received information with the connection key it received and, if it is correct, establishes an encrypted connection with the authentication procedure using the connection key. At this point the user terminal and the authentication procedure have passed the party intermediary's authentication;
2.4) the party intermediary returns data to the authentication procedure, including the service sides A, B and Q associated with the user and the corresponding service-side user accounts AID, BID and QID.
2.5) the user selects, on the authentication procedure interface, to log in to A with AID;
2.6) the user terminal, service side A and the party intermediary AU carry out the service-side authentication for service side A: a) the party intermediary verifies by question-and-answer response that the authentication procedure is still running, and only if it is does the process continue; b) the party intermediary sends a Service Ticket to service side A by two routes, directly and via the user terminal, and on receipt service side A checks whether the two Service Tickets are identical; the Service Ticket sent via the user terminal is contained in the customer identification information that the user terminal sends to the service side, which also contains the user's account at the service side, the party intermediary's name and the service side's name; only if both the Service Ticket and the customer identification information are correct does the process continue; c) the user terminal passes the service side's authentication,
2.7) after the user terminal has passed service side A's authentication, the authentication procedure, or a program object PRO started by the authentication procedure, can access the requested respective service of the service side with AID.
In Embodiment 2, the authentication procedure passes the party intermediary's authentication as follows: the authentication procedure is authenticated by the party intermediary through another program that is connected to the party intermediary; or, the user's authentication by the party intermediary using the terminal and the authentication procedure's authentication by the party intermediary through another program connected to the party intermediary take place together.
Embodiment 3
Part 1) of the present embodiment, registering an account and associating accounts, is identical to Embodiment 1; part 2) follows.
2) Logging in to a service side's designated respective service:
2.1) the user runs the authentication procedure on the terminal and uses it to log in to the user account AUID at the party intermediary;
2.2) the user selects, on the authentication procedure interface, to start the browser object BRO (that is, the program object PRO). When starting BRO, the authentication procedure generates an RSA authentication key pair (an authentication private key and an authentication public key); it passes the authentication private key to BRO as a parameter when BRO starts, and sends the authentication public key to the party intermediary;
2.3) BRO sends the party intermediary an access request digitally signed with the authentication private key; the party intermediary verifies it with the authentication public key received from the authentication procedure. Once verification succeeds, BRO has passed the party intermediary's authentication and can access the party intermediary; BRO and the party intermediary can also establish an SSL encrypted connection using this authentication key pair;
2.4) based on the user's operation on BRO, the party intermediary selects and returns to BRO the service-side accounts AID, BID and QID that are associated with the user's party intermediary account AUID;
2.5) the user clicks the link for AID on BRO's interface to select access with AID;
2.6) BRO sends the party intermediary a request to access with AID, which includes the user's service-side account AID;
2.7) after receiving the request to access with AID, the party intermediary generates a Service Ticket containing the user's service-side account AID, the party intermediary's identifier, the service side's identifier, the authentication public key and a digital signature made with the party intermediary's private key, and sends the Service Ticket to BRO,
2.8) BRO redirects itself to the address of service side A and forwards the Service Ticket to service side A; in the present embodiment the Service Ticket also serves as the customer identification information;
2.9) after receiving the Service Ticket, the service side verifies it with the party intermediary's public key; once verification succeeds, the service side establishes an SSL encrypted connection with BRO using the authentication public key, and finally the user terminal's BRO successfully accesses the designated respective service of the service side.
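The key handling of steps 2.2 to 2.9 of Embodiment 3, as an added Go example that is not part of the patent: the authentication key pair is RSA as the text states, while the signature scheme (RSA PKCS#1 v1.5 over SHA-256), the field encoding of the Service Ticket and the identifiers are assumptions. The SSL connection of step 2.9 is left out; the service side instead obtains BRO's authentication public key from the verified ticket, and the mediator's check of BRO's signed access request (step 2.3) is shown by SignRequest/VerifyRequest.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// ServiceTicket holds the fields listed in step 2.7; the mediator signs the first four.
type ServiceTicket struct {
	AID        string // user's account at the service side
	MediatorID string // party intermediary identifier
	ServiceID  string // service side identifier
	AuthPub    []byte // BRO's authentication public key (PKIX DER) from step 2.2
	Signature  []byte // mediator's RSA PKCS#1 v1.5 / SHA-256 signature over the fields above
}

// digest length-prefixes every signed field so fields cannot be shifted into one another.
func (t *ServiceTicket) digest() []byte {
	h := sha256.New()
	for _, f := range []string{t.AID, t.MediatorID, t.ServiceID, string(t.AuthPub)} {
		fmt.Fprintf(h, "%d:%s", len(f), f)
	}
	return h.Sum(nil)
}

// IssueTicket is the mediator's side of step 2.7.
func IssueTicket(mediatorKey *rsa.PrivateKey, aid, mediatorID, serviceID string, authPub *rsa.PublicKey) (*ServiceTicket, error) {
	der, err := x509.MarshalPKIXPublicKey(authPub)
	if err != nil {
		return nil, err
	}
	t := &ServiceTicket{AID: aid, MediatorID: mediatorID, ServiceID: serviceID, AuthPub: der}
	t.Signature, err = rsa.SignPKCS1v15(rand.Reader, mediatorKey, crypto.SHA256, t.digest())
	return t, err
}

// VerifyTicket is the service side's check of step 2.9; it returns BRO's auth public key.
func VerifyTicket(mediatorPub *rsa.PublicKey, t *ServiceTicket, thisService string) (*rsa.PublicKey, error) {
	if t.ServiceID != thisService {
		return nil, fmt.Errorf("ticket names service %q, not %q", t.ServiceID, thisService)
	}
	if err := rsa.VerifyPKCS1v15(mediatorPub, crypto.SHA256, t.digest(), t.Signature); err != nil {
		return nil, fmt.Errorf("mediator signature invalid: %w", err)
	}
	k, err := x509.ParsePKIXPublicKey(t.AuthPub)
	pub, ok := k.(*rsa.PublicKey)
	if err != nil || !ok {
		return nil, fmt.Errorf("auth public key unparsable or not RSA: %v", err)
	}
	return pub, nil
}

// SignRequest/VerifyRequest model step 2.3: BRO signs with the auth private key, the mediator checks.
func SignRequest(authPriv *rsa.PrivateKey, req []byte) ([]byte, error) {
	h := sha256.Sum256(req)
	return rsa.SignPKCS1v15(rand.Reader, authPriv, crypto.SHA256, h[:])
}

func VerifyRequest(authPub *rsa.PublicKey, req, sig []byte) bool {
	h := sha256.Sum256(req)
	return rsa.VerifyPKCS1v15(authPub, crypto.SHA256, h[:], sig) == nil
}

// NewKey makes a fresh 2048-bit RSA pair (demo keys, not values from the patent).
func NewKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails on a broken RNG
	return k
}

func main() {
	mediatorKey, authKey := NewKey(), NewKey() // authKey is the pair generated in step 2.2
	ticket, _ := IssueTicket(mediatorKey, "AID", "mediator-AU", "service-A", &authKey.PublicKey)
	_, err := VerifyTicket(&mediatorKey.PublicKey, ticket, "service-A")
	fmt.Println("service A accepts ticket:", err == nil)
}
```

A ticket whose AID is altered while BRO relays it in step 2.8, or one presented to a service side it does not name, fails VerifyTicket because the signature covers every field including the service identifier.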

Claims (10)

1. A third-party authentication system or method with a specific registration flow, characterized in that a user terminal can access a service side's respective service only after the user, using the terminal, has passed the service side's authentication, and the service side's authentication is completed via a party intermediary, wherein: an authentication procedure running on the user terminal can be authenticated by the party intermediary, and only after the authentication procedure has passed the party intermediary's authentication can the user terminal carry out the service side's authentication; the user terminal can pass the service side's authentication only while this authentication procedure, or a program object PRO started by it, is still running; during the service side's authentication the party intermediary can send a Service Ticket to the service side directly or forward it via the user terminal, and the service side's authentication can pass only after the service side has received a correct Service Ticket; during the service side's authentication the user terminal can send customer identification information to the service side, and the service side's authentication can pass only when the service side has received correct customer identification information; after the service side's authentication passes, the service side can allow a port or connection of the user terminal to access the service side's respective service, this port or connection being the one through which the user terminal sent the Service Ticket or customer identification information to the service side; before the user carries out the service side's authentication via the party intermediary using the terminal, the user has registered a user account AUAC at the party intermediary and has, via AUAC, registered an associated user account APAC at the service side; and the process and steps by which the user registers AUAC and registers the associated APAC are: 1) the user registers the user account AUAC at the party intermediary; 2) the user uses the authentication procedure running on the terminal to log in to the party intermediary account AUAC, and the terminal is authenticated by the party intermediary; 3) the user selects, on the authentication procedure interface, the service side at which to register an associated account; 4) the authentication procedure running on the user terminal sends an association registration request to the party intermediary; 5) the authentication procedure on the user terminal starts a new program, or newly generates a browser object, or redirects a browser object, or redirects the authentication procedure itself; 6) the user terminal sends an association registration voucher to the service side through this new program, this browser object or the authentication procedure; 7) only after the service side has verified that this association registration voucher is correct does the service side register the account APAC for the user and associate this APAC with the user's AUAC; 8) the party intermediary also completes the association of AUAC and APAC at the party intermediary; wherein the association registration of this APAC for this user is completed successfully only after both the service side and the party intermediary have successfully associated APAC and AUAC.
2. The third-party authentication system or method with a specific registration flow according to claim 1, characterized in that, after step 2) of the process by which the user registers AUAC and registers the associated APAC, there can also be a step 2.1): the party intermediary sends to the authentication procedure in the terminal a list of the service sides at which this user can register an associated account.
3. The third-party authentication system or method with a specific registration flow according to claim 1, characterized in that, before or after step 5) of the process by which the user registers AUAC and registers the associated APAC, there is also a step 5.1): the party intermediary sends an association registration voucher to the user terminal.
4. The third-party authentication system or method with a specific registration flow according to claim 1, characterized in that, after step 7) of the process by which the user registers AUAC and registers the associated APAC, there can also be a step 7.1): the service side sends, directly or via the user terminal, a message to the party intermediary that the service side's association registration has succeeded, wherein the party intermediary can complete step 8) only after it has received the message that the service side's association registration succeeded.
5. The third-party authentication system or method with a specific registration flow according to claim 1, characterized in that the association registration voucher contains this user's AUAC or AUID, the party intermediary's identifying information, the service side's identifying information, the generation time and the party intermediary's digital signature.
6. The third-party authentication system or method with a specific registration flow according to claim 1, characterized in that the association registration voucher is digitally signed by the party intermediary, and the service side holds the public key corresponding to the party intermediary's digital signature and verifies the party intermediary's digital signature with this public key.
7. The third-party authentication system or method with a specific registration flow according to claim 1, characterized in that, after the user terminal logs in to the party intermediary, the party intermediary can send to the authentication procedure, and display on the authentication procedure interface, all service sides, or APACs or APIDs, that are associated at the party intermediary with this user account AUAC; the user can operate on the authentication procedure interface to request access to the respective service of one of these service sides, or to request access to that service side's respective service with the user's APAC or APID at that service side.
8. The third-party authentication system or method with a specific registration flow according to claim 1, characterized in that the authentication procedure interface can display all service sides, service-side respective services, APACs or APIDs that this user terminal has accessed via the party intermediary, and the user can, on the authentication procedure interface, terminate access to any displayed service side, respective service, APAC or APID.
9. The third-party authentication system or method with a specific registration flow according to claim 1, characterized in that the user can select, on the authentication procedure interface, to terminate one, several or all of the service sides, service-side respective services, APACs or APIDs displayed there as accessed via the party intermediary.
10. The third-party authentication system or method with a specific registration flow according to claim 1, characterized in that this system or method has one or several of the following features:
1) when the user selects, on the authentication procedure interface, to terminate a displayed service side, service-side respective service, APAC or APID accessed via the party intermediary, the authentication procedure sends a terminate-access request to the party intermediary, the party intermediary sends a terminate-access notice to the corresponding service side, and on receiving the notice the service side terminates this user terminal's access to that service side, respective service, APAC or APID;
2) after the user terminal logs in to the party intermediary, the party intermediary can send to the authentication procedure, and display on the authentication procedure interface, all service sides, APACs or APIDs that are associated at the party intermediary with this user account AUAC, and the user can select, on the authentication procedure interface, to terminate the association between a service side, or a service side's APAC or APID, and this user's account AUAC at the party intermediary;
3) after the user terminal logs in to the party intermediary, all service sides, or service-side respective services, that can be associated with this party intermediary can be displayed or searched on the authentication procedure interface;
4) the program or program object with which the user accesses the service side's respective service is not the authentication procedure;
5) later, unknown, other or new customer identification information cannot be inferred from known customer identification information;
6) other customer identification information, or customer identification information that the service side authenticates later, cannot be inferred from known customer identification information;
7) before or after step 4) of the process by which the user registers AUAC and registers the associated APAC, there is also a step 4.1): the party intermediary sends an association registration voucher to the user terminal;
8) the authentication procedure's being authenticated by the party intermediary specifically means: the user is authenticated by the party intermediary using the authentication procedure, or the authentication procedure is authenticated by the party intermediary through another program connected to the party intermediary;
9) the process by which the authentication procedure is authenticated by the party intermediary comprises the user being authenticated by the party intermediary using the terminal and, at the same time, the authentication procedure being authenticated by the party intermediary through another program connected to the party intermediary;
10) after the authentication procedure stops running, it must be authenticated by the party intermediary again before the user terminal can carry out the service side's authentication again.
CN201310460800.7A 2013-10-08 2013-10-08 Third party certification system with specific registration processes or third party certification method Withdrawn CN103546291A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310460800.7A CN103546291A (en) 2013-10-08 2013-10-08 Third party certification system with specific registration processes or third party certification method


Publications (1)

Publication Number Publication Date
CN103546291A true CN103546291A (en) 2014-01-29

Family

ID=49969371



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20140129