CN104038486A - System and method for realizing user login identification based on identification type codes - Google Patents


Info

Publication number: CN104038486A (granted as CN104038486B)
Application number: CN201410244543.8A
Authority: CN (China)
Prior art keywords: user, account, information system, web information, browser
Legal status: Granted; Active
Other languages: Chinese (zh)
Inventors: 龙毅宏, 唐志红
Current and original assignee: Wuhan University of Technology (WUT)
Abstract

The invention relates to a system and method for user login authentication based on identity-type cryptography. A cryptographic identifier of the user that is unrelated to the user's Web information system account serves as the authentication data for the account and is stored in the account's record in the Web information system; when the user logs in, the system verifies that the user holds the currently valid identity private key of the account's cryptographic identifier and thereby determines that the user is the account owner. If the Web information system originally logs users in with an account name plus password, a security gateway or plug-in that handles the login uses the user's cryptographic identifier as a substitute for the account password, fills it into the login request once it has authenticated the user as the owner of the login account, and thereby logs the user in to the Web information system. In this system and method the user's identity-type private key is used only in place of the account password, to prove that the user holds the account's secret authentication data; it does not serve as an identity credential for logging in to the system.

Description

System and method for user login authentication based on identity-type cryptography
Technical field
The invention belongs to the field of information security, and in particular to a system and method for user login authentication based on identity-type cryptography.
Background art
When a user accesses a Web information system that is protected and access-restricted (including various application systems and security systems), a login operation (Logon or Login) is normally required. The purpose of the login operation is to confirm that the user is a legitimate user of the Web information system, that is, to perform user authentication (User Authentication). In fact, for many Web information systems it does not matter whether the user's identity information is genuine or who the user is; more precisely, the purpose of the login operation is to confirm that the user is the owner of a registered account of the Web information system, that is, to perform account authentication (Account Authentication).
Current Web information systems generally use account name plus password (the account name is also called the user name) as the security means for user or account authentication at login. The account name plus password scheme is simple and easy for users to operate, but its insecurity is well known. PKI (Public Key Infrastructure) digital certificates (Digital Certificates) are secure, but using them for user or account authentication in a Web information system has poor usability: they are inconvenient to operate, a lost user private key is hard to recover, and certificate renewal is troublesome (it usually needs manual operations). They also require browser controls or plug-ins to be developed, which brings a large development workload and poor applicability: first, because different controls or plug-ins must be developed for different browsers, and with the many browsers in use today, including those running in different environments, developing controls or plug-ins for all of them is a very large amount of work; second, because some browsers do not support controls or plug-ins at all, or support them only in a very limited way. Further, deploying PKI digital certificates in an existing system that uses account name plus password requires modifying that system. For these reasons PKI digital certificates have so far not been widely adopted.
Identity-Based Cryptography (IBC) is a public-key cryptographic technique that has recently attracted wide attention. It overcomes the usability shortcomings of PKI digital certificates. Its technical characteristic is that a unique identifier of the user (such as an e-mail address) directly forms the user's public key (strictly, the public key is formed by the user's unique identifier together with a set of public parameters), which can be used for data encryption or signature verification; an identifier correspondingly has a private key, used for data decryption or digital signing (the IBC public and private keys used for data encryption are not necessarily the same as those used for digital signatures). The private key is generated by a special key service system called the private key generator. IBC can likewise be used for user or account authentication at login to a Web information system, but using IBC directly for this purpose has the following problems:
1) When IBC is used for user or account authentication in a Web information system, the usual scheme takes the user's account name in the Web information system as the user's IBC identifier. The shortcomings of this scheme are: first, the user has different account names in different Web information systems and therefore needs to obtain a different IBC key pair for each; second, when the user obtains from the key service system the private key corresponding to a non-electronic-communication identifier (addresses for electronic communication or terminal identifiers such as e-mail addresses and phone numbers are called electronic communication identifiers), it is cumbersome and difficult for the key service system to confirm that the user is the real owner of the identifier (for electronic communication identifiers such as an e-mail address or phone number this is comparatively easy);
2) When IBC is used in a Web information system, a cryptographic module must be called on the user side to perform the IBC cryptographic operations. As with digital certificates, current schemes usually use browser controls and plug-ins to call the cryptographic module on the user side, so they have the same application problems for Web information system login as digital certificates;
3) A large number of deployed systems use account name plus password; deploying an IBC-based user or account authentication scheme directly in these systems requires modifying the Web information system.
The object of the present invention is to use identity-type cryptography (Identity-Typed Cryptography) for user or account authentication at login to a Web information system while avoiding browser plug-in and ActiveX techniques and keeping compatibility with deployed systems.
The identity-type cryptography of the present invention includes the aforementioned Identity-Based Cryptography and identity-based elliptic curve cryptography (see the applicant's patent application "An identity-based elliptic curve cryptosystem", application number 20131052098.5).
Whether the identity-type cryptography of the present invention is IBC or identity-based elliptic curve cryptography, it has the following common features:
1) A user's identifier corresponds to one identity public key and one identity private key (the identity public and private keys used for data encryption are not necessarily the same as those used for digital signatures);
2) In actual key generation and cryptographic operations, it is not the identifier itself that is used, but an extended identifier formed by appending other specified information to it;
3) If the patented technology "An identity-type cryptosystem and method for automatically renewing and recovering private keys" (application number 201410058689.3) is adopted, private keys can be recovered automatically, and the currently valid identity public key and identity private key of an identifier can be renewed automatically.
The usual specified information is a time period, as in "identifier || time period", where "||" denotes string concatenation. The time period specifies that the public and private keys corresponding to the extended identifier are valid and usable only within that period. The public and private keys corresponding to the extended identifier whose time period covers the current time are called the currently valid identity public key and identity private key of the identifier.
Summary of the invention
The object of this invention is to provide a system and method for user login authentication based on identity-type cryptography that uses identity-type cryptography for user or account authentication at Web information system login, avoids browser plug-in and ActiveX techniques, and keeps compatibility with deployed systems.
To achieve these goals, the technical solution adopted by the present invention is:
A system for user login authentication based on identity-type cryptography, the system comprising:
Web information system: a system developed with Web technology that provides information or application services to users. A user's identifier (such as an e-mail address or phone number), or the hash value of a user's identifier, is kept in the user account data of the Web information system as the authentication data (Authentication Data) of the user's account in the Web information system (if the account authentication data of the Web information system was originally a password, the user identifier or its hash value is kept as the password in the original password storage location in the user account data). The user identifier kept in the user account data as the authentication data of the user account, or the user identifier whose hash value is kept in the user account data as that authentication data, is called the cryptographic identifier corresponding to the user account, or for short the cryptographic identifier of the user account. The cryptographic identifier of the user account is entered by the user when registering the account in the Web information system, or is obtained by other means and set by an account management system or tool (how the account management system or tool obtains the user's cryptographic identifier is outside the scope of the present invention);
Browser: the client used by the user to access the Web information system. During user login, the browser, through the background process, uses the identity private key of the cryptographic identifier of the user's login account to digitally sign the random string returned by the Web information system, or to decrypt the encrypted random string data returned by the Web information system, and performs other cryptographic operations (the identity public and private keys used for data encryption are not necessarily the same as those used for digital signatures);
Background process: a program running in the background on the user-side computing device. During user login it calls the cryptographic module to digitally sign the random string returned by the Web information system, or to decrypt the encrypted random string data returned by the Web information system, and performs other cryptographic operations;
Cryptographic module: a user-side software component, or combined software and hardware component, that implements identity-type cryptography and performs cryptographic operations;
When the user accesses the Web information system with the browser and submits an account name to log in to the account, the Web information system authenticates the user as the owner of the login account by verifying, in digital signature mode or data encryption mode as follows, that the user holds the identity private key of the cryptographic identifier:
Digital signature mode: the Web information system returns the cryptographic identifier of the user's login account and a randomly generated string (the random string) to the user-side browser; the browser, through the background process, calls the cryptographic module to sign the returned random string with the identity private key of the cryptographic identifier of the login account, then submits the signature data of the random string to the Web information system; the Web information system uses the random string it returned to the browser and the identity public key of the cryptographic identifier of the login account to verify the validity of the signature data submitted by the user-side browser, thereby confirming that the user is the owner of the cryptographic identifier and hence the owner of the login account;
Data encryption mode: the Web information system returns to the user-side browser a randomly generated string (the random string) encrypted with the identity public key of the cryptographic identifier of the user's login account; the browser, through the background process, calls the cryptographic module to decrypt the returned encrypted random string with the identity private key of the cryptographic identifier of the login account, and then completes the user login authentication either by returning the decrypted random string directly or by producing an HMAC (Hashed Message Authentication Code) with the decrypted random string (if the decrypted random string is returned correctly, or a correct HMAC is produced with it, the user is shown to hold the identity private key that can decrypt the encrypted random string, so the user is determined to be the owner of the cryptographic identifier and hence the owner of the login account);
If the Web information system the user logs in to originally authenticated the account owner by account name plus password and that original authentication method is kept unchanged, the system component that implements user login authentication based on identity-type cryptography is a security gateway placed in front of the Web information system, or a security plug-in inserted into the request/response transmission channel of the Web information system. The cryptographic identifier of the user account, or its hash value, is kept as the password in the original password storage location in the user account data of the Web information system. After the security gateway or security plug-in has used the cryptographic identifier of the user account to authenticate the user as the account owner, it submits a login request to the Web information system with the user's account name as the account name and the account's cryptographic identifier as the password substitute, or with the user's account name as the account name and the hash value of the account's cryptographic identifier as the password substitute, and thereby completes the login. The former corresponds to the case where the account authentication data kept in the user account data of the Web information system is the cryptographic identifier of the user account; the latter corresponds to the case where it is the hash value of the cryptographic identifier. In either case, the Web information system itself performs its account authentication of the user's login by checking the account name and password.
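The security gateway substitution described above, as an added example that is not part of the patent: a Python model of an unchanged account-name plus password system behind a gateway, covering both storage forms (the identifier, or its hash, in the original password slot) and a mismatch between them. The identity proof is injected as a callable standing in for the signature or decryption challenge-response, and the account names and identifiers are constructed; both are assumptions of this example.

```python
import hashlib
import hmac
from typing import Callable

def password_substitute(identifier: str, store_hash: bool) -> str:
    """What goes into the legacy password field: the identifier itself, or its hex SHA-256."""
    return hashlib.sha256(identifier.encode()).hexdigest() if store_hash else identifier

class LegacyWebInformationSystem:
    """Deployed system, left unchanged: it still checks account name + password against its own store."""
    def __init__(self):
        self.password_hashes = {}   # account name -> SHA-256 of whatever sits in the password field

    def set_password(self, account_name: str, password: str) -> None:
        self.password_hashes[account_name] = hashlib.sha256(password.encode()).digest()

    def login(self, account_name: str, password: str) -> bool:
        stored = self.password_hashes.get(account_name)
        if stored is None:
            return False
        return hmac.compare_digest(hashlib.sha256(password.encode()).digest(), stored)

class SecurityGateway:
    """Prepended to the legacy system; identity_proof_ok is the description's signature or
    decryption challenge-response, injected here as a callable (assumption of this example)."""
    def __init__(self, legacy: LegacyWebInformationSystem, store_hash: bool,
                 identity_proof_ok: Callable[[str, str], bool]):
        self.legacy, self.store_hash, self.identity_proof_ok = legacy, store_hash, identity_proof_ok

    def login(self, account_name: str, identifier: str) -> bool:
        if not self.identity_proof_ok(account_name, identifier):
            return False            # no proof of the identity private key: no substitute request is built
        # The identifier is not secret (an e-mail address, say), so the legacy login endpoint must be
        # reachable only through the gateway; otherwise the substitute password is known to anyone.
        substitute_request = {"account": account_name, "password": password_substitute(identifier, self.store_hash)}
        return self.legacy.login(substitute_request["account"], substitute_request["password"])

def enroll(legacy: LegacyWebInformationSystem, account_name: str, identifier: str, store_hash: bool) -> None:
    """Account management step: place the cryptographic identifier (or its hash) in the original password slot."""
    legacy.set_password(account_name, password_substitute(identifier, store_hash))

def demo() -> dict:
    """Constructed scenario: alice has proven ownership of alice@example.com; nothing else is proven."""
    proven = {("alice", "alice@example.com")}
    proof = lambda name, ident: (name, ident) in proven
    results = {}
    for store_hash in (False, True):
        legacy = LegacyWebInformationSystem()
        enroll(legacy, "alice", "alice@example.com", store_hash)
        gateway = SecurityGateway(legacy, store_hash, proof)
        results[f"store_hash={store_hash}"] = gateway.login("alice", "alice@example.com")
        results[f"store_hash={store_hash},unproven"] = gateway.login("alice", "mallory@example.com")
    # A gateway configured for the wrong storage form builds a substitute the legacy store does not match.
    legacy = LegacyWebInformationSystem()
    enroll(legacy, "alice", "alice@example.com", store_hash=False)
    results["form_mismatch"] = SecurityGateway(legacy, True, proof).login("alice", "alice@example.com")
    return results
```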
If a user's identifier is kept in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with the browser, the Web information system, the user, the user-side browser and the background process complete user login authentication by the following data encryption mode:
Step I: the Web information system requires the user to enter an account name through the browser;
Step II: the user enters the account name in the browser and the browser submits it to the Web information system;
Step III: after receiving the account name submitted by the user-side browser, the Web information system uses it to look up the authentication data of the corresponding user account in the user account data and thus obtains the cryptographic identifier of the user account; it then encrypts the name of the Web information system together with a randomly generated string (the random string) with the currently valid identity public key of the cryptographic identifier, and returns the encrypted Web information system name and random string to the user-side browser;
Step IV: after receiving the data returned by the Web information system, the user-side browser submits the received encrypted Web information system name and random string over a network communication mechanism to a local background process on the user side, and then prompts the user to enter, into the browser's password input box, the one-time random password displayed on the computing terminal;
Step V: after receiving the encrypted Web information system name and random string submitted by the browser, the local background process calls the cryptographic module to decrypt them with the currently valid identity private key of the cryptographic identifier of the user account, and then displays the decrypted Web information system name and random string to the user through a human-machine interface on the computing terminal as the one-time random password for logging in to the Web information system;
Step VI: the user enters the random string displayed by the background process, as the one-time random password, into the password input box of the browser, and the browser submits it as the account password to the Web information system;
Step VII: after receiving the random string submitted as the account password by the user-side browser, the Web information system compares it with the plaintext of the random string it returned to the browser in Step III; if they match, it confirms that the user is the owner of the user account corresponding to the submitted account name and allows the user to log in, otherwise it refuses.
If a user's identifier is kept in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with the browser, the Web information system, the user, the user-side browser and the background process may also complete user login authentication by the following data encryption mode:
Step 1: the Web information system requires the user to enter an account name through the browser;
Step 2: the user enters the account name in the browser and the browser submits it to the Web information system;
Step 3: after receiving the account name submitted by the browser, the Web information system uses it to look up the authentication data of the corresponding user account in the user account data and obtains the cryptographic identifier of the user account; it then encrypts a randomly generated string (the random string) with the currently valid identity public key of the cryptographic identifier and returns the encrypted random string to the user-side browser;
Step 4: after receiving the data returned by the Web information system, the user-side browser submits the received encrypted random string to the background process over a network communication mechanism, requesting decryption of the encrypted random string;
Step 5: after receiving the decryption request submitted by the user-side browser, the background process calls the cryptographic module to decrypt the encrypted random string with the currently valid identity private key of the cryptographic identifier of the user account, and returns the decrypted random string to the user-side browser;
Step 6: after receiving the decrypted random string returned by the background process, the user-side browser completes the user login authentication either by returning the decrypted random string directly or by producing an HMAC with it.
If the hash value of a user's identifier is kept in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with the browser, the Web information system, the user, the user-side browser and the background process complete user login authentication by the following data encryption mode:
Step 1: the Web information system requires the user to enter an account name and authentication data through the browser;
Step 2: the user enters the account name and the account's cryptographic identifier in the browser, the cryptographic identifier being entered as the authentication data, and the browser submits the entered account name and the cryptographic identifier serving as the account authentication data to the Web information system;
Step 3: after receiving the data submitted by the browser, the Web information system computes the hash value of the received cryptographic identifier and compares it with the hash value of the cryptographic identifier of the user account, kept in the user account data, that corresponds to the submitted account name; if they match, it encrypts a randomly generated string with the currently valid identity public key of the submitted cryptographic identifier and returns the encrypted random string to the user-side browser; otherwise it returns an error;
Step 4: if the data returned by the Web information system indicates an error, the user-side browser reports the error; otherwise the user-side browser submits the received encrypted random string to the background process over a network communication mechanism, requesting decryption of the encrypted random string;
Step 5: after receiving the decryption request submitted by the user-side browser, the background process calls the cryptographic module to decrypt the encrypted random string with the currently valid identity private key of the cryptographic identifier of the user account, and returns the decrypted random string to the user-side browser;
Step 6: after receiving the decrypted random string returned by the background process, the user-side browser completes the user login authentication either by returning the decrypted random string directly or by producing an HMAC with it.
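The hashed-identifier login above (Steps 1 to 6), together with the "identifier || time period" extended identifier from the Background section, as an added example that is not part of the patent: Python models the Web information system, the browser and the background process with the HMAC variant of Step 6. Real identity-based encryption needs a pairing library, so the IBC layer is replaced by a labelled simulation in which one key per extended identifier is derived from a PKG master secret that both sides consult; the one-month period, the HMAC message format, and the account names and identifiers are assumptions of this example, while the hash lookup, the currently valid key selection and the single-use random string follow the described flow.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Identity-type cryptography layer: SIMULATED, not real IBC.  Real IBC encrypts under the identity
# public key (identifier + public parameters) and only the PKG can issue the private key; this stand-in
# derives one key per extended identifier from a PKG master secret so the exchange runs offline (assumption).

def extended_identifier(identifier: str, day: date) -> str:
    """'identifier || time period' as in the description; one period = one month (assumption)."""
    return f"{identifier}||{day.year:04d}-{day.month:02d}"

class SimulatedPKG:
    def __init__(self, master_secret: bytes):
        self._master = master_secret

    def private_key(self, ext_id: str) -> bytes:
        return hmac.new(self._master, ext_id.encode(), hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def sim_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def sim_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def login_message(account_name: str) -> bytes:
    return b"login:" + account_name.encode()   # data the browser MACs; the format is an assumption

class WebInformationSystem:
    """Server side.  accounts maps account name -> SHA-256 of the cryptographic identifier."""
    def __init__(self, pkg: SimulatedPKG, accounts: dict, today: date):
        self.pkg, self.accounts, self.today = pkg, accounts, today
        self.pending = {}    # account name -> issued random string, removed once used

    def begin_login(self, account_name: str, identifier: str):
        """Step 3: hash the submitted identifier, compare with the stored hash, issue the encrypted challenge."""
        stored_hash = self.accounts.get(account_name)
        submitted_hash = hashlib.sha256(identifier.encode()).digest()
        if stored_hash is None or not hmac.compare_digest(submitted_hash, stored_hash):
            return None                                    # "otherwise, return an error"
        random_string = secrets.token_bytes(32)
        self.pending[account_name] = random_string
        # Encrypt under the CURRENTLY VALID key: the extended identifier whose period covers today.
        key = self.pkg.private_key(extended_identifier(identifier, self.today))   # simulation only
        return sim_encrypt(key, random_string)

    def finish_login(self, account_name: str, response_mac: bytes) -> bool:
        """Step 6, HMAC variant: recompute the MAC over the issued random string; each challenge is single-use."""
        random_string = self.pending.pop(account_name, None)
        if random_string is None:
            return False
        expected = hmac.new(random_string, login_message(account_name), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response_mac)

class BackgroundProcess:
    """User-side background process holding the private key the PKG issued for one extended identifier."""
    def __init__(self, private_key: bytes):
        self._key = private_key

    def decrypt_random_string(self, ciphertext: bytes) -> bytes:
        """Step 5: decrypt with the held identity private key."""
        return sim_decrypt(self._key, ciphertext)

def browser_login(system: WebInformationSystem, agent: BackgroundProcess,
                  account_name: str, identifier: str) -> bool:
    """Steps 2, 4 and 6 as performed by the browser."""
    ciphertext = system.begin_login(account_name, identifier)
    if ciphertext is None:
        return False                                       # Step 4: the server reported an error
    random_string = agent.decrypt_random_string(ciphertext)
    mac = hmac.new(random_string, login_message(account_name), hashlib.sha256).digest()
    return system.finish_login(account_name, mac)

def demo() -> dict:
    """Constructed scenario: one account, stored authentication data = SHA-256 of the identifier."""
    pkg, today, ident = SimulatedPKG(b"pkg-master-secret-for-demo"), date(2014, 6, 3), "alice@example.com"
    system = WebInformationSystem(pkg, {"alice": hashlib.sha256(ident.encode()).digest()}, today)
    current_agent = BackgroundProcess(pkg.private_key(extended_identifier(ident, today)))
    expired_agent = BackgroundProcess(pkg.private_key(extended_identifier(ident, date(2014, 5, 3))))
    results = {
        "current_key": browser_login(system, current_agent, "alice", ident),
        "expired_key": browser_login(system, expired_agent, "alice", ident),
        "wrong_identifier": browser_login(system, current_agent, "alice", "mallory@example.com"),
    }
    # A response replayed after its challenge was consumed must fail (pending entry already removed).
    ciphertext = system.begin_login("alice", ident)
    mac = hmac.new(current_agent.decrypt_random_string(ciphertext), login_message("alice"), hashlib.sha256).digest()
    results["first_use"], results["replay"] = system.finish_login("alice", mac), system.finish_login("alice", mac)
    return results
```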
If a user's identifier is kept in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with the browser, the Web information system, the user, the user-side browser and the background process complete user login authentication by the following digital signature mode:
Step 1: the Web information system requires the user to enter an account name through the browser;
Step 2: the user enters the account name in the browser and the browser submits it to the Web information system;
Step 3: after receiving the account name submitted by the browser, the Web information system uses it to look up the authentication data of the corresponding user account in the user account data and obtains the cryptographic identifier of the user account; it then returns the obtained cryptographic identifier and a randomly generated string to the user-side browser;
Step 4: after receiving the data returned by the Web information system, the user-side browser submits the received cryptographic identifier and random string to the background process over a network communication mechanism, requesting a digital signature on the returned random string;
Step 5: after receiving the signing request submitted by the user-side browser, the background process calls the cryptographic module to digitally sign the random string with the currently valid identity private key of the cryptographic identifier of the user account, and returns the signature data to the user-side browser (the signature data need not include the random string itself);
Step 6: after receiving the signature data of the random string returned by the background process, the user-side browser submits it to the Web information system;
Step 7: after receiving the signature data submitted by the browser, the Web information system uses the random string it returned to the browser and the currently valid identity public key of the cryptographic identifier of the user account to verify the validity of the signature on the random string; if verification succeeds, it confirms that the user is the owner of the user account corresponding to the submitted account name and allows the user to log in, otherwise it refuses.
If the hash value of a user's identifier is kept in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with the browser, the Web information system, the user, the user-side browser and the background process complete user login authentication by the following digital signature mode:
Step 1: the Web information system requires the user to enter an account name and authentication data through the browser;
Step 2: the user enters the account name and the account's cryptographic identifier in the browser, the cryptographic identifier being entered as the authentication data, and the browser submits the entered account name and the cryptographic identifier serving as the account authentication data to the Web information system;
Step 3: after receiving the data submitted by the browser, the Web information system computes the hash value of the received cryptographic identifier and compares it with the hash value of the cryptographic identifier of the user account, kept in the user account data, that corresponds to the submitted account name; if they match, it returns the submitted cryptographic identifier and a randomly generated string to the user-side browser; otherwise it returns an error;
Step 4: if the data returned by the Web information system indicates an error, the user-side browser reports the error; otherwise the user-side browser submits the received cryptographic identifier and random string to the background process over a network communication mechanism, requesting a digital signature on the returned random string;
Step 5: after receiving the signing request submitted by the user-side browser, the background process calls the cryptographic module to digitally sign the random string with the currently valid identity private key of the cryptographic identifier of the user account, and returns the signature data to the user-side browser (the signature data need not include the random string itself);
Step 6: after receiving the signature data of the random string returned by the background process, the user-side browser submits it to the Web information system;
Step 7: after receiving the signature data submitted by the browser, the Web information system uses the random string it returned to the browser and the currently valid identity public key of the cryptographic identifier of the user account to verify the validity of the signature; if verification succeeds, it confirms that the user is the owner of the user account corresponding to the submitted account name and allows the user to log in, otherwise it refuses.
If the cryptographic identifier of the user account is entered by the user when registering the account in the Web information system, then after receiving the user's account registration information the Web information system first verifies, by the digital signature or data encryption mode in the same way as for account authentication at user login, that the user holds the private key of the cryptographic identifier entered at registration, thereby confirming that the user is the owner of the entered cryptographic identifier; if verification passes, it completes the user account registration and saves the registration information, otherwise it returns an error.
If the identity-type cryptography adopted by the system for user login authentication based on identity-type cryptography is IBC (Identity-Based Cryptography) and several different sets of public parameters for IBC cryptographic operations are supported, the Web information system determines the public parameter set to be used for cryptographic operations on the cryptographic identifier of the user account as follows:
If, when logging in to the Web information system through the browser, the user submits both the account name and the cryptographic identifier as authentication data, then before submitting the cryptographic identifier the browser first requests from the background process, over a network communication mechanism, the indicator (such as a parameter set identifier or version number) of the public parameter set used for cryptographic operations on the cryptographic identifier; on receiving the request, the background process calls the cryptographic module to query that indicator and returns it to the browser; after receiving the indicator from the background process, the browser submits it together with the cryptographic identifier to the Web information system; and the Web information system determines from the indicator submitted in the login request the public parameter set to be used for cryptographic operations on the cryptographic identifier of the user account;
Otherwise, if the Web information system keeps in the user account data the indicator of the public parameter set used for cryptographic operations on the cryptographic identifier of the user account, the Web information system first determines the public parameter set from the indicator in the user account data before performing cryptographic operations on the cryptographic identifier of the user account;
Otherwise, before performing cryptographic operations on the cryptographic identifier of the user account, the Web information system first returns the cryptographic identifier to the user-side browser and requests the indicator of the public parameter set used for cryptographic operations on it; after receiving the cryptographic identifier and the request returned by the Web information system, the user-side browser submits the cryptographic identifier over a network communication mechanism to the local background process and requests the indicator; the background process calls the cryptographic module to query the indicator of the public parameter set used for the cryptographic identifier of the user account and returns it to the user-side browser; the browser returns the obtained indicator to the Web information system; and the Web information system determines the public parameter set from the returned indicator;
Further, if while calling the cryptographic module to decrypt data that the Web information system encrypted with the cryptographic identifier the background process finds that the Web information system used an incorrect public parameter set, the background process updates, through the browser, the indicator of the public parameter set used for cryptographic operations on the cryptographic identifier of the user account held by the Web information system.
If Web information system is also preserved the digital signature (being signed by Web information system) of the data (as the data after word string merging) after the cipher mark of user account names and user account or the merging of the hashed value of cipher mark in user account data, to prevent from checking account user account names in user data and the unwarranted modification of account's cipher mark or the hashed value of cipher mark, Web information system is being carried out in the process of account's discriminating user's login, after receiving the account name that user submits to by browser, the digital signature of the data after first the hashed value of the cipher mark of account name and user account or cipher mark being merged verifies to determine whether the user account names of preserving in Web information system account data and the cipher mark of user account or the hashed value of cipher mark are modified, if be modified, end login account discriminating and process and return mistake, otherwise the account who continues user's login differentiates processing, the digital signature method that the digital signature of the data after the cipher mark of account name and user account or the hashed value of cipher mark merge adopts comprises digital signature of symmetric key and the digital signature based on asymmetric key cipher algorithm (as RSA, ECC, IBC) based on HMAC.
From the above summary of the invention it can be seen that the user login authentication scheme adopted by the system of the invention has the following advantages or features:
1) if the identifier used is an electronic communication identifier (such as an e-mail address or mobile phone number), generation, recovery and renewal of the identity key are convenient; in particular, if automatic renewal of identity keys is also implemented, renewal requires no manual intervention by the user, which is a great convenience;
2) the scheme does not rely on browser plug-ins, so it is not restricted by browser type or version, nor by the operating platform of the user's computing device;
3) the user identifier and identity key are not used as the user's identity credential in the invention, but as high-strength secret data for account authentication; different Web information systems can therefore use the key of the same cryptographic identifier to authenticate the user's account at login, and no separate identity keys are needed for different Web information systems;
4) the scheme is well suited to already deployed Web information systems that authenticate login accounts by account name plus password, or by a password alone: the secure login scheme of the invention can be implemented for such a system by an external security gateway or a built-in security plug-in without modifying the Web information system itself.
Description of the drawings
Fig. 1 is a schematic diagram of the system structure of the invention.
Detailed description
The invention is further described below with reference to the drawings and embodiments.
The first aspect of the embodiment concerns the identity-based cryptographic technique itself, for which there are two options: IBC, or identity-based elliptic curve cryptography; IBC is the simpler of the two.
With IBC, the identity public key and private key are the IBC public and private keys, and the public key is the identifier itself. In this case the IBE crypto module and data encryption/decryption method of the patent application "An IBE encryption apparatus and data encryption/decryption method" (application no. 20131043846.2) should also be implemented (although the module in that application is called an IBE crypto module, the scheme applies to IBC in general), together with the automatic identity key renewal scheme of the patent application "Identity-based cryptographic system and method for automatic renewal and recovery of private keys" (application no. 201410058689.3), and an IBC key service system (including an IBC private key generator) for generating and recovering IBC private keys. For the implementation of IBC itself, see IEEE Std 1363.3-2013, IEEE Standard for Identity-Based Cryptographic Techniques using Pairings, 22 August 2013. If IBC encryption supports several different groups of IBC public parameters, the groups may be distinguished by different identifiers or version numbers.
With identity-based elliptic curve cryptography, the cryptosystem of the patent application "An identity-based elliptic curve cryptosystem" (application no. 20131052098.5) should be implemented, including the key service system and the user-side crypto module; the identity public key and private key are then the elliptic curve public and private keys generated from the identifier. The automatic renewal scheme of the patent application "Identity-based cryptographic system and method for automatic renewal and recovery of private keys" (application no. 201410058689.3) should also be implemented. With this scheme there are two ways for the Web information system to obtain the currently valid identity public key of an identifier: fetch it from the key service system and cache it, or have the browser fetch it from the key store of the user-side crypto module and submit it to the Web information system; in the latter case the identity public key must be signed by the key service system to guarantee security (the X.509 format is not required).
Whether IBC or identity-based elliptic curve cryptography is used, one way (others are possible) to complete authentication of the user as owner of the account or identifier by the HMAC method with the decrypted random string is as follows: the user-side background process program concatenates the current time with the decrypted random string, has the crypto module compute a hash of the result with a hash algorithm (such as SHA-1), and sends the current time and the hash to the Web information system via the browser; on receiving the data the Web information system first checks that the time in the submitted data differs from its current time by no more than a prescribed limit; if so, it concatenates the submitted time with the random string it previously returned to the client, computes a hash of the result with the same algorithm, and compares it with the hash submitted by the browser; if they match, the user is shown to hold the currently valid identity private key of the identifier and is thereby confirmed as the owner of the login account.
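The time-bound proof described in the preceding paragraph, written out as an added example (this is not code from the patent): the user side concatenates the current time with the decrypted random string and hashes it; the server checks the time window, recomputes the hash over the submitted time and its own copy of the random string, and compares. Assumptions not in the text: SHA-256 in place of SHA-1, a 60 second window, Unix timestamps, and a server-side table that consumes each random string on first use so a captured proof cannot be replayed within the window.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumed tolerance between the client's clock and the server's (not given in the text).
WINDOW_SECONDS = 60


def _digest(timestamp: str, random_string: bytes) -> str:
    """The 'merge' of the text: current time followed by the random string, hashed.
    SHA-256 is assumed here; the text names SHA-1 only as an example."""
    return hashlib.sha256(timestamp.encode("ascii") + random_string).hexdigest()


def client_build_proof(decrypted_random: bytes, now: float) -> Tuple[str, str]:
    """User side: the (time, hash) pair the background process program hands to the browser."""
    ts = str(int(now))
    return ts, _digest(ts, decrypted_random)


class ChallengeStore:
    """Server side: random strings issued per login attempt, consumed on first use."""

    def __init__(self) -> None:
        self._pending: Dict[str, bytes] = {}

    def issue(self, account: str) -> bytes:
        # In the patent this string is returned encrypted to the identifier; the
        # encryption step is out of scope here and the plaintext is returned.
        random_string = secrets.token_bytes(16)
        self._pending[account] = random_string
        return random_string

    def verify(self, account: str, ts: str, proof: str, now: float) -> bool:
        # Each challenge is usable exactly once: pop it whatever the outcome, so a
        # captured (ts, proof) pair cannot be replayed inside the time window.
        random_string: Optional[bytes] = self._pending.pop(account, None)
        if random_string is None:
            return False
        try:
            submitted_time = int(ts)
        except ValueError:
            return False
        if abs(now - submitted_time) > WINDOW_SECONDS:
            return False
        expected = _digest(ts, random_string)
        # Constant-time comparison; the text only says "compare".
        return hmac.compare_digest(expected, proof)
```

The single-use rule matters more than the window: without it, anyone who observes the (time, hash) pair on the wire can log in as the user for the remaining seconds of the window.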
The background process program can be developed as a program running on the user's computing device. It receives, in the form of HTTP requests, requests to sign a random string or to decrypt an encrypted random string, and returns the result as an HTTP response; it calls the crypto module to sign the random string or decrypt the encrypted random string and to obtain the indication information of the public parameter group used by the identifier; and it shows the user the one-time random password for logging in to the Web information system through a pop-up human-machine interface.
Correspondingly, where the background process program receives the signing or decryption request by HTTP request/response, the user-side browser submits the request to the background process program by an automatic HTTP POST and forwards the result returned by the background process program to the Web information system by another automatic HTTP POST; alternatively, the browser interacts with the background process program by Ajax and submits the returned result to the Web information system.
If the Web information system also stores a digital signature over the account name and the identifier or the hash of the identifier, the signature data may be stored separately or together with the identifier (or its hash) as the account authentication data; in the latter case the account authentication data used in the user login operation includes the signature data obtained from the user account data. The Web information system uses a dedicated public key pair, or a random string, for this signature (public-key signature or HMAC).
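The stored signature over account name plus identifier (described in the summary above and again in the preceding paragraph), as an added example using the HMAC variant; this is not code from the patent. The server keys a MAC over the concatenation of account name and authentication data and refuses to start login authentication when the MAC no longer matches, so that an attacker who can write to the account table but does not hold the MAC key cannot swap in their own identifier or copy one account's record onto another name. Assumed here: HMAC-SHA256 with a server-held key, a separator byte between the two fields, and SHA-256 as the hash form of the identifier.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Unit separator between the two fields: without one, ("ab", "c") and ("a", "bc")
# would produce the same signed message.
SEP = b"\x1f"


class AccountStore:
    """User account data with a MAC binding the account name to its authentication data."""

    def __init__(self, mac_key: bytes, store_hash_only: bool = False) -> None:
        self._key = mac_key                  # server-held key (HMAC-SHA256 assumed)
        self._hash_only = store_hash_only    # store the identifier's hash instead of the identifier
        self._rows: Dict[str, Dict[str, str]] = {}

    def _auth_field(self, identifier: str) -> str:
        if self._hash_only:
            return hashlib.sha256(identifier.encode("utf-8")).hexdigest()
        return identifier

    def _mac(self, account: str, auth_field: str) -> str:
        msg = account.encode("utf-8") + SEP + auth_field.encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def register(self, account: str, identifier: str) -> None:
        field = self._auth_field(identifier)
        self._rows[account] = {"auth": field, "sig": self._mac(account, field)}

    def lookup_for_login(self, account: str) -> Optional[str]:
        """Return the account's authentication data, or None if the record is missing
        or its signature no longer matches (the text: abort login and return an error)."""
        row = self._rows.get(account)
        if row is None:
            return None
        if not hmac.compare_digest(self._mac(account, row["auth"]), row["sig"]):
            return None
        return row["auth"]

    def raw_rows(self) -> Dict[str, Dict[str, str]]:
        """Direct access to the stored rows, used only to simulate tampering."""
        return self._rows
```

Because the account name is inside the signed message, copying a valid row under a different account name is detected as well as editing a field in place.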
To further strengthen the security of user login authentication, one of the following schemes may be adopted:
Scheme one: before the background process program signs the random string returned by the Web information system with the identity private key of the account's identifier, or decrypts the returned encrypted random string, it first pops up a human-machine interface telling the user that a login is in progress and asking whether to continue;
Scheme two: a trusted Web information system is issued a digitally signed secure site token; when the user logs in, the Web information system returns this token to the browser together with the random string (encrypted or not), and the browser submits it to the background process program; before calling the crypto module to sign or decrypt with the identity private key, the background process program checks whether a trusted secure site token is present (signature valid and trusted); if no token is present or its signature is not trusted, it pops up a human-machine interface warning the user of the risk; if a trusted token is present, it tells the user that the system being accessed is trusted, shows the address of the site about to be accessed, and asks whether to continue;
Scheme three: before returning the random string (plain or encrypted) to the browser, the Web information system digitally signs the returned data with public-key cryptography; before calling the crypto module to sign or decrypt, the background process program verifies the signature on the returned data; if there is no signature or the signature is not trusted, it pops up a human-machine interface warning the user of the risk; if the signature is present and trusted, it tells the user that the system being accessed is trusted and shows the address of the site about to be accessed;
Scheme four: when the browser submits the random string (plain or encrypted) returned by the Web information system to the background process program, it also submits the host address (DNS name) of the Web information system the user is about to log in to; before calling the crypto module to sign or decrypt with the identity private key, the background process program displays this host address to the user through a human-machine interface and asks whether to continue; if the user continues, it signs the returned random string or decrypts the returned encrypted random string, then calls the crypto module to encrypt, with the public key of the Web information system, the signed random string, the decrypted random string to be returned directly, or the login authentication data derived from the decrypted random string by HMAC, and returns the encrypted data to the browser for submission to the Web information system; on receiving the encrypted data the Web information system decrypts it with its own private key and continues the login authentication with the decrypted data; the public key of the Web information system is either an IBC public key (for example its host address used as the public key) or a public key issued by a trusted key service system (for example an RSA or ECC public key in a certificate issued by a CA).
Besides the above schemes, the Web information system can also improve security by using a server certificate and an SSL (Secure Socket Layer) secure transmission channel.
If the Web information system the user logs in to originally authenticates account ownership by account name plus password or by a password alone, and the component implementing the login account authentication of the invention is a security gateway placed in front of the Web information system, the security gateway can be developed on Web reverse proxy technology (for example with Apache); if the component is a security plug-in built into the Web information system, the plug-in can be developed on filter technology (such as ISAPI or Servlet Filter) or other plug-in technologies.
Other specific implementation details not described here are well known and self-explanatory to those skilled in the relevant art.

Claims (10)

1. A system for user login authentication based on identity-based cryptography, the system comprising:
Web information system: a user-facing system developed with Web technology that provides information or application services; an identifier of the user, or the hash of an identifier of the user, is stored in the user account data of the Web information system as the authentication data of the user's account; the identifier so stored, or whose hash is so stored, is called the cryptographic identifier corresponding to the user account, or the cryptographic identifier of the user account for short; the cryptographic identifier is entered by the user when registering the account with the Web information system, or is obtained by other means and set by an account management system or tool;
Browser: the client used by the user to access the Web information system; during login the browser, through the background process program, digitally signs the random string returned by the Web information system with the identity private key of the login account's cryptographic identifier, or decrypts the encrypted random string returned by the Web information system, and performs other cryptographic operations;
Background process program: a program running in the background of the user's computing device; during login it calls the crypto module to digitally sign the random string returned by the Web information system or to decrypt the encrypted random string returned by the Web information system, and performs other cryptographic operations;
Crypto module: a user-side software component, or combined software and hardware component, that implements the identity-based cryptographic technique and performs cryptographic operations;
When the user accesses the Web information system with the browser and submits an account name to log in, the Web information system verifies by the following digital signature method or data encryption method that the user holds the identity private key of the cryptographic identifier, and thereby authenticates the user as the owner of the login account:
Digital signature method: the Web information system returns the cryptographic identifier of the login account and a generated random string to the browser; the browser, through the background process program, calls the crypto module to sign the random string with the identity private key of the identifier, and submits the signature to the Web information system; the Web information system verifies the signature using the random string it returned and the identity public key of the identifier, thereby confirming that the user is the owner of the identifier and hence of the login account;
Data encryption method: the Web information system returns to the browser a random string encrypted with the identity public key of the login account's identifier; the browser, through the background process program, calls the crypto module to decrypt it with the identity private key of the identifier, and completes login authentication either by returning the decrypted random string directly or by the HMAC method using the decrypted random string;
If the Web information system originally authenticates account ownership by account name plus password or by a password alone and keeps that method unchanged, and the component implementing the login authentication of the invention is a security gateway placed in front of the Web information system or a security plug-in inserted into its request/response path, then the cryptographic identifier of the account, or its hash, is stored as the password in the original password field of the user account data; after the security gateway or plug-in has authenticated the user as the account owner by means of the identifier, it submits to the Web information system, on the user's behalf, a login request with the user's account name and the account's identifier as account name and password, or with the account name and the hash of the identifier as account name and password, to complete the login; the former corresponds to the case where the stored account authentication data is the identifier, the latter to the case where it is the hash of the identifier; in either case the Web information system itself authenticates the login by checking account name and password.
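The gateway substitution in the last paragraph of claim 1, as an added example (not code from the patent): an unmodified legacy system keeps its account name plus password check; at registration the gateway writes the identifier (or its hash) into the legacy password field, and at login, once the identity-based challenge has succeeded, it fills in and forwards a login request carrying the identifier (or hash) as the password. Assumed here: the legacy system stores salted PBKDF2-SHA256 password hashes and exposes a login(account, password) call, SHA-256 is the hash form of the identifier, and the outcome of the signature or decryption challenge is passed in as a boolean.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


class LegacyWebSystem:
    """Unmodified legacy system: account name + password, salted PBKDF2 hashes (assumed)."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)

    def create_account(self, account: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[account] = (salt, self._hash(salt, password))

    def login(self, account: str, password: str) -> bool:
        record = self._users.get(account)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._hash(salt, password))


def identifier_hash(identifier: str) -> str:
    """Hash form of the identifier (SHA-256 assumed) for the 'hash stored' variant."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


class SecurityGateway:
    """Reverse-proxy style gateway placed in front of the legacy system."""

    def __init__(self, backend: LegacyWebSystem, store_hash: bool) -> None:
        self._backend = backend
        self._store_hash = store_hash      # False: identifier is the password; True: its hash is

    def _password_for(self, identifier: str) -> str:
        return identifier_hash(identifier) if self._store_hash else identifier

    def register(self, account: str, identifier: str) -> None:
        # Registration: the identifier (or its hash) goes into the legacy password
        # field, so the legacy system needs no schema or code change.
        self._backend.create_account(account, self._password_for(identifier))

    def login(self, account: str, identifier: str, identity_proof_ok: bool) -> bool:
        # identity_proof_ok stands for the outcome of the signature/decryption
        # challenge the gateway ran against the identifier's private key.
        if not identity_proof_ok:
            return False
        # Fill in the login request on the user's behalf and forward it.
        return self._backend.login(account, self._password_for(identifier))
```

In the variant where the identifier itself is the password, that password is a public value such as an e-mail address; the legacy login endpoint therefore must not be reachable except through the gateway, otherwise the identity-based check is bypassed entirely.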
2. A user login authentication method using the system for user login authentication based on identity-based cryptography of claim 1, characterised in that, if a cryptographic identifier of the user is stored in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with the browser, the Web information system, the user, the user-side browser and the background process program complete login authentication by the following data encryption method:
Step I: the Web information system asks the user, through the browser, to enter the account name;
Step II: the user enters the account name and the browser submits it to the Web information system;
Step III: on receiving the account name submitted by the browser, the Web information system looks up the authentication data of the corresponding user account in the user account data to obtain the cryptographic identifier of the account, encrypts the name of the Web information system and a generated random string with the currently valid identity public key of the identifier, and returns the encrypted name and random string to the browser;
Step IV: on receiving the data returned by the Web information system, the browser passes the encrypted name and random string over the network communication mechanism to a local background process program on the user side, and prompts the user to enter into the browser's password input box the one-time random password that will be shown on the computing terminal;
Step V: on receiving the encrypted name and random string submitted by the browser, the local background process program calls the crypto module to decrypt them with the currently valid identity private key of the account's cryptographic identifier, and displays the decrypted Web information system name and random string to the user through a human-machine interface on the computing terminal as the one-time random password for logging in to that Web information system;
Step VI: the user enters the random string displayed by the background process program, as the one-time password, into the browser's password input box, and the browser submits it to the Web information system as the account password;
Step VII: on receiving the random string submitted as the account password, the Web information system compares it with the plaintext of the random string it returned to the browser; if they match, it confirms that the user is the owner of the user account corresponding to the submitted account name and allows the login, otherwise it refuses.
3. A user login authentication method using the system for user login authentication based on identity-based cryptography of claim 1, characterised in that, if a cryptographic identifier of the user is stored in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with the browser, the Web information system, the user, the user-side browser and the background process program complete login authentication by the following data encryption method:
Step 1: the Web information system asks the user, through the browser, to enter the account name;
Step 2: the user enters the account name and the browser submits it to the Web information system;
Step 3: on receiving the account name submitted by the browser, the Web information system looks up the authentication data of the corresponding user account in the user account data to obtain the cryptographic identifier of the account, encrypts a generated random string with the currently valid identity public key of the identifier, and returns the encrypted random string to the browser;
Step 4: on receiving the data returned by the Web information system, the browser passes the encrypted random string over the network communication mechanism to the background process program and requests decryption;
Step 5: on receiving the decryption request submitted by the browser, the background process program calls the crypto module to decrypt the encrypted random string with the currently valid identity private key of the account's cryptographic identifier, and returns the decrypted random string to the browser;
Step 6: on receiving the decrypted random string returned by the background process program, the browser completes login authentication either by returning the decrypted random string directly or by the HMAC method using the decrypted random string.
4. A user login authentication method using the system for user login authentication based on identity-based cryptography of claim 1, characterised in that, if the hash of a cryptographic identifier of the user is stored in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with the browser, the Web information system, the user, the user-side browser and the background process program complete login authentication by the following data encryption method:
Step 1: the Web information system asks the user, through the browser, to enter the account name and authentication data;
Step 2: the user enters the account name and the account's cryptographic identifier through the browser, the identifier being entered as the authentication data, and the browser submits the account name and the identifier to the Web information system;
Step 3: on receiving the data submitted by the browser, the Web information system computes the hash of the received identifier and compares it with the hash of the identifier stored in the user account data for the account corresponding to the submitted account name; if they match, it encrypts a generated random string with the currently valid identity public key of the submitted identifier and returns the encrypted random string to the browser; otherwise it returns an error;
Step 4: if the data returned by the Web information system indicates an error, the browser reports the error to the user; otherwise the browser passes the encrypted random string over the network communication mechanism to the background process program and requests decryption;
Step 5: on receiving the decryption request submitted by the browser, the background process program calls the crypto module to decrypt the encrypted random string with the currently valid identity private key of the account's cryptographic identifier, and returns the decrypted random string to the browser;
Step 6: on receiving the decrypted random string returned by the background process program, the browser completes login authentication either by returning the decrypted random string directly or by the HMAC method using the decrypted random string.
5. A user login authentication method using the system for user login authentication based on identity-based cryptography of claim 1, characterised in that, if a cryptographic identifier of the user is stored in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with the browser, the Web information system, the user, the user-side browser and the background process program complete login authentication by the following digital signature method:
Step 1: the Web information system asks the user, through the browser, to enter the account name;
Step 2: the user enters the account name and the browser submits it to the Web information system;
Step 3: on receiving the account name submitted by the browser, the Web information system looks up the authentication data of the corresponding user account in the user account data to obtain the cryptographic identifier of the account, and returns the identifier and a generated random string to the browser;
Step 4: on receiving the data returned by the Web information system, the browser passes the identifier and the random string over the network communication mechanism to the background process program and requests a digital signature on the random string;
Step 5: on receiving the signing request submitted by the browser, the background process program calls the crypto module to sign the random string with the currently valid identity private key of the account's cryptographic identifier, and returns the signature to the browser;
Step 6: on receiving the signature on the random string returned by the background process program, the browser submits it to the Web information system;
Step 7: on receiving the signature submitted by the browser, the Web information system verifies it using the random string it returned to the browser and the currently valid identity public key of the account's cryptographic identifier; if the verification succeeds, it confirms that the user is the owner of the user account corresponding to the submitted account name and allows the login, otherwise it refuses.
6. A user login authentication method using the system for user login authentication based on identification-type passwords of claim 1, characterized in that, if the hash value of a user's cipher mark is stored in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with a browser, the Web information system, the user, the user-side browser and the background processing program complete the user login authentication in the following digital signature mode:
Step 1: The Web information system requires the user to input an account name and authentication data through the browser;
Step 2: The user inputs the account name and the account's cipher mark through the browser, the cipher mark being entered as the authentication data, and the browser then submits the entered account name and the cipher mark serving as the account's authentication data to the Web information system;
Step 3: After the Web information system receives the data submitted by the browser, it computes the hash value of the received cipher mark and compares it with the hash value of the cipher mark stored in the Web information system's user account data for the user account corresponding to the submitted account name; if they match, it returns the cipher mark submitted by the user together with a randomly generated string to the user-side browser; otherwise it returns an error;
Step 4: If the data returned by the Web information system indicates an error, the user-side browser reports the error; otherwise the user-side browser submits the received cipher mark and random string to the background processing program through a network communication mechanism and requests a digital signature over the returned random string;
Step 5: After the background processing program receives the request from the user-side browser to digitally sign the returned random string, it calls the cryptographic module to sign the random string with the currently valid identification private key of the user account's cipher mark, then returns the signature data to the user-side browser;
Step 6: After the user-side browser receives the signature data over the random string returned by the background processing program, it submits the signature data to the Web information system;
Step 7: After the Web information system receives the signature data over the random string submitted by the browser, it verifies the validity of the submitted signature data using the random string it returned to the browser and the currently valid identification public key of the user account's cipher mark; if verification succeeds, it confirms that the user is the owner of the user account corresponding to the submitted account name and allows the user to log in, otherwise it refuses the login.
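The digital-signature mode of claims 5 and 6, as an added worked example that is not part of the patent and not the applicant's code. It follows the claim 6 variant, where the Web information system stores only the hash of the cipher mark and the user submits the cipher mark itself; the claim 5 variant differs only in that step 3 looks the cipher mark up by account name instead of hash-comparing it. Ed25519 stands in for the IBC identification key pair of the patent, so the "public key of the cipher mark" is kept in the account record rather than derived from the mark; the account name "alice" and the cipher mark "alice@example.org" are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// account is the Web information system's record: the authentication data is the
// SHA-256 hash of the cipher mark, and pub stands in for the currently valid
// identification public key of that cipher mark (IBC in the patent, Ed25519 here).
type account struct {
	cipherMarkHash []byte
	pub            ed25519.PublicKey
}

type webSystem struct {
	accounts map[string]*account
	pending  map[string][]byte // random string awaiting the signature checked in step 7
}

func hashMark(mark string) []byte {
	h := sha256.Sum256([]byte(mark))
	return h[:]
}

// startLogin is step 3: hash-compare the submitted cipher mark and return it with a random string.
func (w *webSystem) startLogin(name, mark string) (string, []byte, error) {
	acct, ok := w.accounts[name]
	if !ok || !hmac.Equal(hashMark(mark), acct.cipherMarkHash) {
		return "", nil, errors.New("account name or cipher mark does not match")
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return "", nil, err
	}
	w.pending[name] = challenge
	return mark, challenge, nil
}

// finishLogin is step 7: verify the signature over the random string the system issued.
func (w *webSystem) finishLogin(name string, sig []byte) bool {
	challenge, ok := w.pending[name]
	if !ok {
		return false
	}
	delete(w.pending, name) // single use, so a captured signature cannot be replayed
	return ed25519.Verify(w.accounts[name].pub, challenge, sig)
}

// backgroundProgram holds the crypto module's private key for one cipher mark.
type backgroundProgram struct {
	mark string
	priv ed25519.PrivateKey
}

// signChallenge is step 5; it refuses cipher marks it holds no key for.
func (b *backgroundProgram) signChallenge(mark string, challenge []byte) ([]byte, error) {
	if mark != b.mark {
		return nil, errors.New("no identification private key for cipher mark " + mark)
	}
	return ed25519.Sign(b.priv, challenge), nil
}

// RunLogin plays steps 2 to 7 with the browser relaying messages between the two sides.
func RunLogin(w *webSystem, b *backgroundProgram, name, mark string) (bool, error) {
	returnedMark, challenge, err := w.startLogin(name, mark)
	if err != nil {
		return false, err
	}
	sig, err := b.signChallenge(returnedMark, challenge)
	if err != nil {
		return false, err
	}
	return w.finishLogin(name, sig), nil
}

// NewDemo builds a constructed account "alice" with cipher mark "alice@example.org".
func NewDemo() (*webSystem, *backgroundProgram, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	w := &webSystem{
		accounts: map[string]*account{
			"alice": {cipherMarkHash: hashMark("alice@example.org"), pub: pub},
		},
		pending: map[string][]byte{},
	}
	return w, &backgroundProgram{mark: "alice@example.org", priv: priv}, nil
}

func main() {
	w, b, err := NewDemo()
	if err != nil {
		panic(err)
	}
	ok, err := RunLogin(w, b, "alice", "alice@example.org")
	fmt.Println("signature mode login:", ok, err)
}
```

The server never learns the private key and stores nothing an attacker could use to log in as the user: the stored hash lets the system screen the submitted cipher mark, and only a valid signature over the fresh random string proves ownership.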
7. The system for user login authentication based on identification-type passwords of claim 1, characterized in that, if the cipher mark of a user account is entered by the user when registering the account with the Web information system, then after receiving the user's account registration information the Web information system first verifies, in the same way as the account authentication performed at user login, by digital signature or by data encryption, that the user possesses the private key of the cipher mark entered at registration, thereby confirming that the user is the owner of the entered cipher mark; after the verification and confirmation succeed, the user account registration is completed and the registration information is saved, otherwise an error is returned.
8. The system for user login authentication based on identification-type passwords of claim 1, characterized in that, if the identification-type cryptographic technique adopted by the system is the IBC cryptographic technique and supports multiple groups of public parameters for different IBC cryptographic operations, the Web information system determines the public parameter group to be used for cryptographic operations on a user account's cipher mark as follows:
If, when logging in to the Web information system through the browser, the user enters and submits both the account name and the cipher mark serving as authentication data, then before submitting the cipher mark the browser first requests, through the network communication mechanism, that the background processing program return the indication information of the public parameter group used for cryptographic operations on the cipher mark; on receiving the request, the background processing program calls the cryptographic module to look up the indication information of the public parameter group used for cryptographic operations on the cipher mark and returns the indication information obtained to the browser; after receiving the indication information of the public parameter group returned by the background processing program, the browser submits it together with the cipher mark to the Web information system, and the Web information system determines the public parameter group used for cryptographic operations on the user account's cipher mark according to the indication information of the public parameter group submitted in the login request;
Otherwise, if the Web information system stores in the user account data the indication information of the public parameter group used for cryptographic operations on the user account's cipher mark, the Web information system first determines the public parameter group to be used from the indication information stored with the cipher mark in the user account data before performing cryptographic operations on the user account's cipher mark;
Otherwise, before performing cryptographic operations on the user account's cipher mark, the Web information system first returns the user account's cipher mark to the user-side browser and requests the indication information of the public parameter group used for cryptographic operations on the cipher mark; after receiving the cipher mark and the request returned by the Web information system, the user-side browser submits the received cipher mark through the network communication mechanism to the local background processing program on the user side and requests the indication information of the public parameter group used for cryptographic operations on the cipher mark; the background processing program calls the cryptographic module to look up the indication information of the public parameter group used for cryptographic operations on the user account's cipher mark and returns the indication information obtained to the user-side browser; the browser returns the obtained indication information of the public parameter group used for cryptographic operations on the cipher mark to the Web information system; and the Web information system determines the public parameter group used for cryptographic operations on the cipher mark according to the returned indication information;
Further, if, while calling the cryptographic module to decrypt data that the Web information system encrypted with the cipher mark, the background processing program finds that the Web information system used an incorrect public parameter group, the background processing program updates, through the browser, the indication information of the public parameter group used for cryptographic operations on the user account's cipher mark held by the Web information system.
9. The system for user login authentication based on identification-type passwords of claim 1, characterized in that, if the Web information system also stores in the user account data a digital signature over the concatenation of the user account name with the cipher mark of the user account or the hash value of the cipher mark, in order to prevent unauthorized modification of the user account name and of the account's cipher mark or the hash value of the cipher mark in the user data, then in the course of performing account authentication for the user's login, after receiving the account name submitted by the user through the browser, the Web information system first verifies the digital signature over the concatenation of the account name with the user account's cipher mark or the hash value of the cipher mark, in order to determine whether the user account name and the user account's cipher mark or the hash value of the cipher mark stored in the Web information system's account data have been modified; if they have been modified, the login account authentication is terminated and an error is returned, otherwise the account authentication for the user's login continues; the digital signature methods used for the digital signature over the concatenation of the account name with the user account's cipher mark or the hash value of the cipher mark include HMAC-based digital signatures using a symmetric key and digital signatures based on asymmetric-key cryptographic algorithms.
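The integrity check of claim 9, as an added worked example that is not part of the patent and not the applicant's code: the Web information system seals each account record with an HMAC-SHA256 tag over account name || hash(cipher mark) under a key only it holds, and verifies that tag before the hash comparison at login, so that a stored hash swapped for one belonging to a different cipher mark is detected rather than accepted. The separator, the key and the account "alice" with cipher mark "alice@example.org" are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// accountRecord is what the Web information system keeps per account under claim 9:
// the name, the hash of the cipher mark, and an HMAC tag over both.
type accountRecord struct {
	Name           string
	CipherMarkHash []byte
	Tag            []byte
}

func hashMark(mark string) []byte {
	h := sha256.Sum256([]byte(mark))
	return h[:]
}

// recordPayload is the "merged" data that is signed. The NUL separator keeps the
// name/hash boundary unambiguous (account names are assumed not to contain NUL).
func recordPayload(name string, markHash []byte) []byte {
	return append(append([]byte(name), 0), markHash...)
}

// sealRecord computes the HMAC tag with a key held only by the Web information system.
func sealRecord(key []byte, name string, markHash []byte) accountRecord {
	m := hmac.New(sha256.New, key)
	m.Write(recordPayload(name, markHash))
	return accountRecord{Name: name, CipherMarkHash: markHash, Tag: m.Sum(nil)}
}

var errTampered = errors.New("account record integrity check failed")

// checkRecord recomputes the tag; any change to the name or the hash, including a
// hash swapped in from another cipher mark, makes the comparison fail.
func checkRecord(key []byte, r accountRecord) error {
	expect := sealRecord(key, r.Name, r.CipherMarkHash).Tag
	if !hmac.Equal(expect, r.Tag) {
		return errTampered
	}
	return nil
}

// authenticate performs the claim 9 integrity check before the hash comparison of
// the submitted cipher mark; on an integrity failure the login is aborted.
func authenticate(key []byte, store map[string]accountRecord, name, mark string) error {
	r, ok := store[name]
	if !ok {
		return errors.New("unknown account")
	}
	if err := checkRecord(key, r); err != nil {
		return err // do not continue to the challenge/response steps
	}
	if !hmac.Equal(hashMark(mark), r.CipherMarkHash) {
		return errors.New("authentication data does not match")
	}
	return nil // account authentication continues with the challenge/response
}

func main() {
	key := []byte("constructed-server-hmac-key")
	store := map[string]accountRecord{
		"alice": sealRecord(key, "alice", hashMark("alice@example.org")),
	}
	fmt.Println("intact record:", authenticate(key, store, "alice", "alice@example.org"))

	// Simulate an unauthorized change to the stored hash (for example, by someone with
	// write access to the account table) so that a different cipher mark would match.
	tampered := store["alice"]
	tampered.CipherMarkHash = hashMark("mallory@example.org")
	store["alice"] = tampered
	fmt.Println("after tampering:", authenticate(key, store, "alice", "mallory@example.org"))
}
```

The check only helps if the HMAC key (or, for the asymmetric variant, the signing key) is kept outside the database that holds the account records; with an asymmetric signature the verifying server needs only the public key, which is the advantage of that variant.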
10. A user login authentication method using the system for user login authentication based on identification-type passwords of any one of claims 3 to 6, characterized in that the user login authentication method improves the security of user login authentication by one of the following schemes:
Scheme one: Before the background processing program signs the random string returned by the Web information system, or decrypts the returned encrypted random string, with the identification private key of the user account's cipher mark, it first pops up a human-machine interface prompting the user that a login is in progress and asking whether the user wishes to continue;
Scheme two: A trusted Web information system is issued a digitally signed secure site token; when the user logs in to the Web information system, this secure site token is returned to the user-side browser together with the random string and is submitted by the browser to the background processing program; before calling the cryptographic module to sign the returned random string or decrypt the returned encrypted random string with the identification private key of the user account's cipher mark, the background processing program first checks whether a trusted secure site token is present; if there is no secure site token or the digital signature of the secure site token is not trusted, it pops up a human-machine interaction interface warning the user of the risk; if a trusted secure site token is present, it informs the user that the system being accessed is trusted, displays the address of the website the user is about to access, and asks whether the user wishes to continue;
Scheme three: Before returning the random string or the encrypted random string to the user-side browser, the Web information system first digitally signs the data to be returned using public-key cryptography and then returns the data; before calling the cryptographic module to sign the returned random string or decrypt the returned encrypted random string, the background processing program first verifies the digital signature on the data returned by the Web information system; if the returned data carries no digital signature or the signature is not trusted, it pops up a human-machine interaction interface warning the user of the risk; if the data carries a digital signature and the signature is trusted, it informs the user that the system being accessed is trusted and displays the address of the website the user is about to access;
Scheme four: When the user-side browser submits the random string or the encrypted random string returned by the Web information system to the background processing program, it also submits the host address of the Web information system the user is logging in to; before calling the cryptographic module to sign the returned random string or decrypt the returned encrypted random string with the identification private key of the user account's cipher mark, the background processing program first displays to the user, through a human-machine interaction interface, the host address of the Web information system the browser is about to access and asks whether the user wishes to continue; if the user chooses to continue, it signs the returned random string or decrypts the returned encrypted random string, then calls the cryptographic module to encrypt, with the public key of the Web information system, the signed random string or the decrypted random string that is to be returned directly, or the login authentication data HMAC-signed with the decrypted random string, and returns the encrypted data to the browser, which submits it to the Web information system; after receiving the encrypted data returned by the browser, the Web information system first decrypts the received encrypted data with the Web information system's private key and then performs further login authentication processing on the decrypted data; the public key of the Web information system includes the IBC public key of the Web information system or a public key issued by a trusted key service system.
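Scheme three of claim 10, as an added worked example that is not part of the patent and not the applicant's code: the Web information system signs the random string together with its site address, and the background processing program verifies that signature against a trusted public key for that address before it lets the crypto module sign anything with the user's identification private key, refusing unsigned data, data signed by an unknown key, or data whose site address does not match the key it was signed with. The confirm hook models the human-machine interface prompt that scheme three (and scheme four, with the browser-supplied host address) show before continuing. Ed25519 stands in for the public-key technique the patent leaves open, the trust table keyed by site address is an assumption about how "the signature is trusted" is decided, and "login.example.org" and "evil.example.net" are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// signedChallenge is the data returned by the Web information system under scheme
// three: the random string and the site address, digitally signed by the system's key.
type signedChallenge struct {
	Site      string // host address of the Web information system, shown to the user
	Challenge []byte
	Signature []byte // empty when the system does not sign, the case the scheme detects
}

// challengePayload binds the random string to the site address inside the signature.
func challengePayload(site string, challenge []byte) []byte {
	return append([]byte(site+"\n"), challenge...)
}

// issueChallenge is the Web information system side: sign before returning.
func issueChallenge(sitePriv ed25519.PrivateKey, site string) (signedChallenge, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return signedChallenge{}, err
	}
	sig := ed25519.Sign(sitePriv, challengePayload(site, c))
	return signedChallenge{Site: site, Challenge: c, Signature: sig}, nil
}

var (
	errUntrusted = errors.New("risk: returned data is unsigned or its signature is not trusted")
	errDeclined  = errors.New("user declined to continue")
)

// backgroundProgram verifies the site's signature before using the user's private key.
type backgroundProgram struct {
	userPriv     ed25519.PrivateKey
	trustedSites map[string]ed25519.PublicKey // site address -> trusted public key (assumed trust anchor)
	confirm      func(site string) bool        // human-machine interface: "site X is trusted, continue?"
}

// handle returns the user's signature over the random string, or an error explaining
// why the crypto module was not invoked.
func (b *backgroundProgram) handle(c signedChallenge) ([]byte, error) {
	pub, known := b.trustedSites[c.Site]
	if !known || len(c.Signature) == 0 ||
		!ed25519.Verify(pub, challengePayload(c.Site, c.Challenge), c.Signature) {
		return nil, errUntrusted // warn the user instead of signing
	}
	if !b.confirm(c.Site) {
		return nil, errDeclined
	}
	return ed25519.Sign(b.userPriv, c.Challenge), nil
}

func main() {
	sitePub, sitePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, userPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bp := &backgroundProgram{
		userPriv:     userPriv,
		trustedSites: map[string]ed25519.PublicKey{"login.example.org": sitePub},
		confirm: func(site string) bool {
			fmt.Println("the system you are accessing is trusted:", site, "(continuing)")
			return true
		},
	}
	c, _ := issueChallenge(sitePriv, "login.example.org")
	_, err = bp.handle(c)
	fmt.Println("signed challenge from trusted site:", err)
	c.Signature = nil
	_, err = bp.handle(c)
	fmt.Println("unsigned challenge:", err)
}
```

The point of binding the site address into the signed payload is that a signed random string captured from the genuine system cannot be presented under another address: the background program verifies against the key registered for the address it displays to the user.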
CN201410244543.8A 2014-06-04 2014-06-04 System and method for realizing user login identification based on identification type codes Active CN104038486B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410244543.8A CN104038486B (en) 2014-06-04 2014-06-04 System and method for realizing user login identification based on identification type codes


Publications (2)

Publication Number Publication Date
CN104038486A true CN104038486A (en) 2014-09-10
CN104038486B CN104038486B (en) 2017-05-10

Family

ID=51469075


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant