Embodiment
To improve the security of key storage and use, and thereby the security of the authentication process itself, the embodiments of the present invention provide a key storage device and a method of using it.
The preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described here serve only to describe and explain the present invention and are not intended to limit it, and that, where no conflict arises, the embodiments of the present invention and the features in the embodiments may be combined with one another.
Embodiment 1
Figure 1 is a structural diagram of the key storage device provided by the embodiment of the present invention, which comprises:
Security module 11, configured to store a key, the key being used to identify the user's identity.
Computing module 12, configured to generate authentication information when authentication needs to be performed.
The authentication information generated by computing module 12 contains at least the processed seed information obtained by processing seed information with the key stored in security module 11. The seed information may be any information that a computer system can process, for example known fixed information (such as a name or a fixed number), a random number, the time, a summary counter, and so on; any information that can be processed with a key may be used, and the present invention does not limit this. Preferably, in a specific implementation, the seed information may be the current time of the key storage device.
Key interaction module 13, configured to exchange the authentication information with an external device.
In a specific implementation, key interaction module 13 may comprise a display sub-module 131 and/or a communication sub-module 132, wherein:
Display sub-module 131 may be used to display the authentication information generated by computing module 12, and the external device may perform authentication by obtaining the displayed authentication information. Preferably, the authentication information shown by display sub-module 131 may be a graphic code. The graphic code may be a one-dimensional code (barcode) or a two-dimensional code, where two-dimensional codes include standard two-dimensional codes and non-standard two-dimensional codes (that is, variants such as circular two-dimensional codes and color two-dimensional codes); the present invention does not limit this. In this way, the external device can obtain the authentication information by scanning what display sub-module 131 shows.
Communication sub-module 132 may be used to establish a communication connection with the external device and to transmit the authentication information generated by computing module 12 to the external device over the established connection. Preferably, communication sub-module 132 may establish the communication connection with the external device in, but not limited to, any of the following ways: earphone interface, Bluetooth, infrared, NFC (near-field communication), WIFI (Wireless Fidelity), USB (Universal Serial Bus) or OTG (a data transmission interface).
In a specific implementation, computing module 12 may, but is not limited to, process the seed information with the key stored in security module 11 in the following ways: encryption, signing, or a hash operation. Specifically, computing module 12 may encrypt the seed information with the key stored in security module 11 to obtain the corresponding ciphertext; or it may sign the seed information with the key stored in security module 11 to obtain the signed seed information; or it may perform a hash operation on the seed information to obtain the corresponding hash value.
Based on the same inventive concept, the embodiments of the present invention also provide a method of using the key storage device. Because the principle by which the method solves the problem is similar to that of the key storage device, the implementation of the method may refer to the implementation of the key storage device, and the repeated parts are not described again.
Embodiment 2
Based on the key storage device described above, the embodiment of the present invention also provides a corresponding method of use which, as shown in Figure 2, may comprise the following steps:
S21: the computing module generates authentication information when authentication needs to be performed.
The authentication information contains at least the processed seed information obtained by processing seed information with the key stored in the security module; the seed information may be any information that a computer system can process.
S22: after the computing module has generated the authentication information, the key interaction module exchanges the authentication information with an external device.
In a specific implementation of step S22, the key interaction module may exchange the authentication information with the external device in either of the following ways:
Mode 1: the display sub-module of the key interaction module displays the authentication information generated by the computing module.
Mode 2: the communication sub-module of the key interaction module establishes a communication connection with the external device and transmits the authentication information generated by the computing module to the external device over the established connection.
In a specific implementation, the key storage device provided by the embodiment of the present invention can be applied to the following three application scenarios that require authentication, which correspond to three different implementations. Each is described below.
Embodiment 3
First implementation
Figure 3 is a structural diagram of the first application system of the key storage device provided by the embodiment of the present invention. It comprises a key storage device and an authentication server, wherein:
The key storage device is configured to generate user authentication information when authentication needs to be performed, where the user authentication information contains at least the processed seed information obtained by processing seed information with the stored key.
The authentication server is configured to: receive an authentication request sent by a terminal device, the request carrying the processed seed information, which the terminal device obtained from the user authentication information it acquired from the key storage device; look up, among the keys it stores itself, the key corresponding to the key stored in the key storage device; recover and/or verify the processed seed information with the key found; and determine from the recovery result or the verification result whether authentication passes.
For ease of explanation, take the seed information to be the current time of the key storage device. The authentication server may then determine that authentication passes when the interval between the recovered current time of the key storage device and its own current time is within a preset time interval; it may also determine that authentication passes when verification of the key storage device's current time succeeds.
Preferably, the authentication information generated by the key storage device may be, but is not limited to, a graphic code. When authentication needs to be performed, the key storage device may generate the graphic code as follows: the computing module processes the seed information with the key pre-stored in the security module to obtain the processed seed information. The computing module then generates a graphic code from the processed seed information (the ciphertext, the signed seed information, or the hash value obtained above) and shows it through the display sub-module. The terminal device can thus obtain the processed seed information contained in the graphic code by scanning the graphic code shown by the display sub-module. The terminal device carries the processed seed information it obtained in an authentication request sent to the authentication server on the network side. The authentication server looks up, among the keys it stores itself, the key corresponding to the key stored in this key storage device, uses the key found to recover and/or verify the processed seed information, and determines from the recovery result or the verification result whether authentication passes.
Preferably, in a specific implementation, the authentication system provided by the embodiment of the present invention may use a symmetric-key cryptosystem or an asymmetric-key cryptosystem. With a symmetric-key cryptosystem, the key stored in the security module is identical to the key stored by the authentication server. With an asymmetric-key cryptosystem, a public/private key pair may be generated at random for each key storage device; the security module of the key storage device stores the private key and the authentication server stores the public key. Compared with the symmetric-key mechanism, the asymmetric-key mechanism can further improve the security of the authentication system: in this case, even if the authentication server is compromised, the attacker cannot forge a user's login.
Specifically, when asymmetric-key cryptography is used: if the key storage device signs the seed information with the private key, the public key stored by the authentication server can be used to verify the signed seed information; if the key storage device encrypts the seed information with the private key, the public key stored by the authentication server can be used to decrypt the encrypted seed information and obtain the seed information. When symmetric-key cryptography is used: if the key storage device signs the seed information with the stored key, the key stored by the authentication server can be used to verify the signed seed information; if the key storage device encrypts the seed information with the stored key, the key stored by the authentication server can be used either to decrypt the encrypted seed information and then verify the recovered seed information, or to verify the ciphertext directly without recovering it; if the key storage device performs a hash operation on the seed information with a hash algorithm to obtain a hash value, the authentication server can verify the hash value obtained.
Taking the seed information to be the current time of the key storage device as an example: if the interval between the recovered current time of the key storage device and the current time of the authentication server is within the preset time interval (which may, for example, be set to a very short interval), authentication is determined to pass; otherwise authentication is determined to fail. Alternatively, if verification of the key storage device's current time succeeds, authentication is determined to pass; otherwise authentication is determined to fail.
In the method above, after receiving the authentication request from the terminal device, the authentication server needs to find, among all the keys it stores, the key corresponding to the key stored in the key storage device in order to recover and/or verify the processed seed information. Specifically, the authentication server may try each of its stored keys in turn until one of them recovers and/or verifies the processed seed information.
Preferably, to make it more efficient for the authentication server to recover and/or verify the processed seed information, in the embodiment of the present invention the authentication information generated by the key storage device may also contain the device identifier of the key storage device. The terminal device can then obtain the device identifier from the authentication information and carry it, together with the processed seed information, in the authentication request sent to the authentication server. The authentication server can look up the key corresponding to this device identifier directly in its pre-stored mapping between device identifiers and keys, and use it as the key corresponding to the key stored in the key storage device.
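The verification described in this embodiment can be sketched as follows. This is an added example, not code from the original document: it picks the symmetric variant with HMAC-SHA256 as the keyed processing, the device's current time as the seed, and a 30-second window; the algorithm, the window, the field names and the sample keys are all assumptions. It shows both the direct lookup by device identifier and the fallback of trying every stored key.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 30  # assumed "preset time interval"; the text gives no value


def process_seed(key: bytes, seed: int) -> bytes:
    """Process the seed (device clock, whole seconds) with the stored key."""
    mac = hmac.new(key, struct.pack(">Q", seed), hashlib.sha256)
    return mac.hexdigest().encode()


def device_generate(key: bytes, now: int, device_id=None) -> dict:
    """Key storage device: build the authentication information.

    The dict stands in for the payload of the graphic code or of the
    communication link; the device identifier is optional, as in the text.
    """
    info = {"seed": now, "tag": process_seed(key, now).decode()}
    if device_id is not None:
        info["device_id"] = device_id
    return info


def server_verify(request: dict, keys_by_device: dict, server_now: int):
    """Authentication server: return (passed, device_id, reason)."""
    seed, tag = request.get("seed"), request.get("tag")
    if (not isinstance(seed, int) or isinstance(seed, bool)
            or not 0 <= seed < 2 ** 64 or not isinstance(tag, str)):
        return (False, None, "malformed")
    device_id = request.get("device_id")
    if device_id is not None:
        # Direct lookup in the stored identifier-to-key mapping.
        key = keys_by_device.get(device_id)
        candidates = [] if key is None else [(device_id, key)]
    else:
        # No identifier supplied: try each stored key in turn.
        candidates = list(keys_by_device.items())
    for dev, key in candidates:
        # Constant-time comparison of the recomputed and received tags.
        if hmac.compare_digest(process_seed(key, seed), tag.encode()):
            # The tag is genuine; now enforce the time window.
            if abs(server_now - seed) > WINDOW_SECONDS:
                return (False, dev, "stale")
            return (True, dev, "ok")
    return (False, None, "bad-tag")


# Constructed sample data (not from the original document).
KEYS = {"dev-0001": b"\x11" * 32, "dev-0002": b"\x22" * 32}
T0 = 1_700_000_000


def demo():
    good = device_generate(KEYS["dev-0001"], T0, "dev-0001")
    forged = dict(good, seed=T0 + 300)          # old tag, seed moved forward
    anonymous = device_generate(KEYS["dev-0002"], T0)
    wrong_id = dict(good, device_id="dev-0002")  # tag checked against wrong key
    return [
        server_verify(good, KEYS, T0 + 5),
        server_verify(good, KEYS, T0 + 300),
        server_verify(forged, KEYS, T0 + 300),
        server_verify(anonymous, KEYS, T0 + 5),
        server_verify(wrong_id, KEYS, T0 + 5),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The fallback scan costs one keyed operation per enrolled device for every request, which is the inefficiency the device identifier removes.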
Embodiment 4
For a better understanding of the embodiments of the present invention, their specific implementation is described below in terms of the information exchange that takes place during authentication. For ease of explanation, the embodiment is described using the example of a user accessing an online bank. The flow by which the user logs in to the online bank is shown in Figure 4 and may comprise the following steps:
S41: the key storage device generates and displays a two-dimensional code used to authenticate the user.
In a specific implementation, the user may access the online bank in either of the following two ways:
Mode 1:
The user accesses the online bank with the same terminal device that obtains the user authentication information. For example, the user accesses the online bank with a mobile phone and uses the same phone to obtain the user authentication information generated by the key storage device. In this case, the login page of the online bank needs to provide an application programming interface that encapsulates the authentication method provided by the embodiment of the present invention; when the user needs to log in to the online bank, authentication of the user is triggered by calling this interface.
Mode 2:
The user accesses the online bank with a terminal device other than the one that obtains the user authentication information. For example, the user accesses the online bank with a computer and uses his or her own mobile phone to obtain the user authentication information generated by the key storage device. In this case, the login page of the online bank needs to embed a verification program that encapsulates the authentication method provided by the embodiment of the present invention and present it on the login page in the form of a graphic code (which may be, but is not limited to, a two-dimensional code); when the user needs to log in to the online bank, scanning this two-dimensional code directly triggers authentication of the user.
After authentication of the user has been triggered, the user triggers his or her own key storage device to generate the user authentication information (the device may be provided to the user by the bank when the user registers a bank account). The specific method is described in Embodiment 1 above and is not repeated here.
Preferably, to avoid the risk that arises if the user loses the key storage device, in the embodiment of the present invention the key storage device may also identify the user before generating the user authentication information. For example, it may identify the user by fingerprint, or by a password set in advance by the user; this is not limited here. Correspondingly, the key storage device may also comprise numeric keys or a fingerprint acquisition device.
S42: the terminal device scans the two-dimensional code generated by the key storage device and obtains the processed current time information and the device identifier of the key storage device.
In a specific implementation, for Mode 1, the terminal device can directly call the authentication application implemented according to the authentication method provided by the embodiment of the present invention to scan the user authentication information generated by the key storage device. For Mode 2, the user starts the authentication application, implemented according to the authentication method provided by the embodiment of the present invention and installed on the terminal device, and scans the user authentication information generated by the key storage device.
S43: the terminal device sends an authentication request to the authentication server on the network side.
The authentication request carries the processed seed information obtained and the device identifier of the key storage device. In addition, the terminal device also needs to carry in the authentication request the application identifier or application name of the internet application the user is accessing, and a globally unique identifier for this internet application. This unique identifier is a globally unique code that does not repeat across different internet applications, different terminal devices, or different times. Preferably, the unique identifier may be, but is not limited to, a UUID (Universally Unique Identifier) or a GUID (Globally Unique Identifier); it may of course also be a globally scoped identifier implemented with a similar technique. For ease of description, a UUID is used as the example below.
If the user accesses the internet application in the first way above, the terminal device can directly obtain the application identifier or application name of the internet application the user is currently accessing, together with its corresponding UUID, and send them to the authentication server. If the user accesses the internet application in the second way above, the graphic code shown on the login page contains the application identifier or application name of the internet application and the UUID corresponding to it; the terminal device can therefore obtain the application identifier or application name and the corresponding UUID by scanning this graphic code, and send them to the authentication server together with the processed seed information and the device identifier of the key storage device obtained from the two-dimensional code generated by the key storage device.
In a specific implementation, the terminal device may send the authentication request to the authentication server on the network side over a wired network, a wireless network, a mobile communication network, and so on.
S44: the authentication server looks up the corresponding key according to the device identifier carried in the authentication request.
S45: the authentication server uses the key found to recover and/or verify the processed current time information.
S46: the authentication server performs authentication.
In a specific implementation, taking the case in which the key storage device encrypts the current time as an example, the authentication server compares the recovered current time of the key storage device with its own current time. If the interval does not exceed the preset time interval, verification is determined to pass; otherwise verification is determined to fail.
S47: the authentication server sends the verification result to the application server that provides the internet application.
In a specific implementation, the authentication server provides the verification result, according to the application identifier or application name carried in the authentication request, to the application server corresponding to that application identifier or application name, and carries in the verification result the UUID of the internet application the user is currently accessing.
S48: the application server sends a response message allowing or denying access to the terminal device.
In a specific implementation, the application server determines from the UUID the terminal device and application program with which the user is accessing the internet application, and sends the response message allowing or denying access to that terminal device according to the verification result.
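Steps S43 to S48 for Mode 2 can be traced with the following model. This is an added example, not code from the original document: the class and field names, the HMAC-SHA256 processing of the time seed, the 30-second window and the sample key are assumptions, and consuming a UUID after its first result is a further assumption layered on the text's statement that the UUID never repeats.

```python
import hashlib
import hmac
import uuid

WINDOW_SECONDS = 30  # assumed preset time interval


class AppServer:
    """Application server (for example the online bank) owning the login page."""

    def __init__(self):
        self.pending = {}  # UUID -> terminal/session waiting for a decision

    def start_login(self, terminal: str) -> str:
        """Create the UUID that the login page exposes in its graphic code."""
        login_uuid = str(uuid.uuid4())
        self.pending[login_uuid] = terminal
        return login_uuid

    def on_result(self, login_uuid, passed: bool):
        """S48: map the UUID back to the terminal and allow or deny access."""
        terminal = self.pending.pop(login_uuid, None)  # assumption: used once
        if terminal is None:
            return None  # unknown or already used UUID: nothing is unlocked
        return (terminal, "allow" if passed else "deny")


class AuthServer:
    """Authentication server holding device keys and the application routing table."""

    def __init__(self, keys_by_device: dict, app_servers: dict):
        self.keys = keys_by_device
        self.apps = app_servers

    def handle(self, req: dict, now: int):
        """S44-S47: look up the key, verify the processed time, forward the result."""
        key = self.keys.get(req.get("device_id"))          # S44
        seed, passed = req.get("seed"), False
        if key is not None and isinstance(seed, int):
            expected = hmac.new(key, str(seed).encode(), hashlib.sha256).hexdigest()
            genuine = hmac.compare_digest(expected.encode(),
                                          str(req.get("tag")).encode())  # S45
            passed = genuine and abs(now - seed) <= WINDOW_SECONDS      # S46
        app = self.apps.get(req.get("app_id"))
        if app is None:
            return None  # no application server registered for this identifier
        return app.on_result(req.get("uuid"), passed)      # S47


def device_code(device_id: str, key: bytes, now: int) -> dict:
    """S41: contents of the code shown by the key storage device."""
    tag = hmac.new(key, str(now).encode(), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "seed": now, "tag": tag}


def terminal_request(device_info: dict, app_id: str, login_uuid: str) -> dict:
    """S42-S43: merge what was scanned from the device and from the login page."""
    return dict(device_info, app_id=app_id, uuid=login_uuid)


# Constructed sample data (not from the original document).
KEY = b"\x33" * 32
T0 = 1_700_000_000


def demo():
    bank = AppServer()
    auth = AuthServer({"dev-0001": KEY}, {"bank-app": bank})
    first_uuid = bank.start_login("computer-session-A")
    req = terminal_request(device_code("dev-0001", KEY, T0), "bank-app", first_uuid)
    first = auth.handle(req, T0 + 3)    # genuine device, fresh time
    replay = auth.handle(req, T0 + 4)   # same request again: UUID already consumed
    second_uuid = bank.start_login("computer-session-B")
    bad = terminal_request(device_code("dev-0001", b"\x44" * 32, T0),
                           "bank-app", second_uuid)
    denied = auth.handle(bad, T0 + 3)   # code produced with a different key
    return first, replay, denied


if __name__ == "__main__":
    print(demo())
```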
Among existing security systems that use encryption, the security of asymmetric-key cryptography has been thoroughly established in theory, and it is widely used. Its main drawback, however, is that the key is too long for a person to memorize and enter directly. Users usually have to store the key in a computer file or a hardware device and import it when it is needed, which carries a risk of key disclosure and is very inconvenient. In the embodiment of the present invention, the graphic code, as a convenient automatic machine-identification technology, can represent ciphertext and is easily recognized, transmitted, and then decrypted. This solves the problem that, in existing asymmetric-key mechanisms, the key is too long to be used directly. In addition, the embodiment of the present invention uses separate hardware to generate the graphic code, which prevents the private key from being stolen, copied, or tampered with; the hardware is physically isolated from the internet application the user uses, which fundamentally avoids the possibility of hacker attack and provides high security. Furthermore, when the asymmetric-key mechanism is used in the embodiment of the present invention, the private key is stored in the security module of the verification information generation device and the public key is stored in the authentication server. Even if the authentication server is attacked and all the public keys are disclosed, the attacker cannot forge any user's identity for verification, so no threat arises. Finally, because the length and strength of the key are sufficient, the device identifier of the verification information generation device (which may be its unique serial number) can be used directly as the user name, and the ciphertext or signed information generated from the seed information each time can be used as the password for authentication. A different password is thus used for every authentication, and its complexity is far higher than that of passwords that people ordinarily set, so both security and convenience are greatly improved.
Second implementation
Figure 5 is a structural diagram of the second application system of the key storage device provided by the embodiment of the present invention. It comprises a key storage device, an authentication server and a terminal device, wherein:
The terminal device is configured to: establish a communication connection with the verification information generation device when access to an internet application requires authentication; after exchanging, over the established connection, the authentication information generated by the verification information generation device, send an authentication request carrying the authentication information to the authentication server.
The verification information generation device is configured to generate the authentication information and to exchange it with the terminal device over the communication connection established with the terminal device. The authentication information contains at least the processed seed information obtained by processing seed information with the stored first key; the seed information may be any information that a computer system can process.
The authentication server is configured to: after receiving the authentication request, use the second key it stores, which corresponds to the first key, to recover and/or verify the processed seed information contained in the authentication information; and determine from the recovery result or the verification result whether authentication passes.
In a specific implementation, when the user's access to an internet application requires authentication, establishment of the communication connection between the terminal device and the verification information generation device can be triggered. Preferably, in the embodiment of the present invention, the communication connection between the terminal device and the verification information generation device may be established in, but not limited to, any of the following ways: earphone interface, Bluetooth, infrared, NFC (near-field communication), WIFI (Wireless Fidelity), USB (Universal Serial Bus), OTG (a data transmission interface), and so on.
In a specific implementation, once the communication connection is established, the verification information generation device can exchange the authentication information it generates with the terminal device over that connection. Either the terminal device actively reads the generated authentication information from the verification information generation device, or the verification information generation device actively sends the authentication information it generates to the terminal device. The embodiment of the present invention does not limit this. The authentication information generated by the verification information generation device contains at least the processed seed information obtained by processing seed information with the first key stored by the verification information generation device.
For ease of explanation, take the seed information to be the current time of the verification information generation device. The authentication server may then determine that authentication passes when the interval between the recovered current time of the verification information generation device and its own current time is within a preset time interval; it may also determine that authentication passes when verification of the verification information generation device's current time succeeds.
When authentication needs to be performed, the verification information generation device may generate the authentication information as follows:
The computing module processes the seed information with the key pre-stored in the security module (that is, the first key) to obtain the processed seed information. In a specific implementation, the computing module may encrypt the seed information with the key stored in the security module to obtain the corresponding ciphertext; or it may sign the seed information with the key stored in the security module to obtain the signed seed information; or it may perform a hash operation on the seed information to obtain the corresponding hash value.
The communication sub-module carries the processed seed information obtained by the computing module in the authentication information and sends it to the terminal device; alternatively, the terminal device may actively fetch from the communication sub-module the authentication information containing the processed seed information. The terminal device carries the processed seed information it obtained in an authentication request sent to the authentication server on the network side. The authentication server looks up, among the keys it stores itself, the key corresponding to the key stored in this verification information generation device (that is, the second key), uses the key found to recover and/or verify the processed seed information, and determines from the recovery result or the verification result whether authentication passes.
Preferably, in a specific implementation, the interactive authentication system provided by the embodiment of the present invention may use a symmetric-key cryptosystem or an asymmetric-key cryptosystem. With a symmetric-key cryptosystem, the key stored in the security module of the verification information generation device is identical to the key stored by the authentication server. With an asymmetric-key cryptosystem, a public/private key pair may be generated at random for each verification information generation device; the security module of the verification information generation device stores the private key and the authentication server stores the public key. Compared with the symmetric-key mechanism, the asymmetric-key mechanism can further improve the security of the authentication system: in this case, even if the authentication server is compromised, the attacker cannot forge a user's login.
In a specific implementation, when asymmetric-key cryptography is used: if the verification information generation device signs the seed information with the private key, the public key stored by the authentication server can be used to verify the signed seed information; if the verification information generation device encrypts the seed information with the private key, the public key stored by the authentication server can be used to decrypt the encrypted seed information and obtain the seed information. When symmetric-key cryptography is used: if the verification information generation device signs the seed information with the stored key, the key stored by the authentication server can be used to verify the signed seed information; if the verification information generation device encrypts the seed information with the stored key, the key stored by the authentication server can be used either to decrypt the encrypted seed information and then verify the recovered seed information, or to verify the ciphertext directly without recovering it; if the verification information generation device performs a hash operation on the seed information with a hash algorithm to obtain a hash value, the authentication server can verify the hash value obtained.
Taking the seed information to be the current time of the verification information generation device as an example: if the interval between the recovered current time of the verification information generation device and the current time of the authentication server is within the preset time interval (which may, for example, be set to a very short interval), authentication is determined to pass; otherwise authentication is determined to fail. Alternatively, if verification of the verification information generation device's current time succeeds, authentication is determined to pass; otherwise authentication is determined to fail.
In the method above, after receiving the authentication request from the terminal device, the authentication server needs to find, among all the keys it stores, the key corresponding to the key stored in the verification information generation device in order to recover and/or verify the processed seed information. Specifically, the authentication server may try each of its stored keys in turn until one of them recovers and/or verifies the processed seed information.
Preferably, to make it more efficient for the authentication server to recover and/or verify the processed seed information, in the embodiment of the present invention the verification information generation device may also include its own device identifier when generating the authentication information. The terminal device can then obtain the device identifier from the authentication information it receives and carry it, together with the processed seed information, in the authentication request sent to the authentication server. The authentication server can look up the key corresponding to this device identifier directly in its pre-stored mapping between device identifiers and keys, and use it as the key corresponding to the key stored in the verification information generation device.
When concrete enforcement, terminal device can also be used for before sending authentication request to Authentication server, obtain the application identities of the internet, applications that user accesses, and the application identities of obtaining is carried at and in authentication request, sends to Authentication server.So that Authentication server is after obtaining authentication result, notify the application server corresponding to this application identities by the authentication result obtaining.Concrete, Authentication server can be searched application server identifier corresponding to described application identities from the corresponding relation of pre-stored application identities and application server identifier, according to the application server identifier finding, authentication result is sent to the application server that this application server identifier is corresponding.
In a specific implementation, the user may access the Internet application with the terminal device that performs the authentication, or with another terminal device. Therefore, in the embodiment of the present invention, the terminal device can obtain the application identifier of the Internet application that the user is accessing in either of the following two modes:
Mode one: if the user accesses the Internet application with the terminal device that performs the authentication, the terminal device can obtain the application identifier of the Internet application by calling an interface that the Internet application provides. Mode two: if the user accesses the Internet application with another terminal device, the user can use the terminal device to scan a graphic code (which can be, but is not limited to, a two-dimensional code) provided by the Internet application to obtain its application identifier.
In a specific implementation, to improve the security of access to the Internet application, after the communication connection between the terminal device and the authorization information generation equipment is established, the terminal device can also obtain the application identification code of the Internet application that the user is accessing and send it to the authorization information generation equipment. The authorization information generation equipment processes the application identification code with the first key that it stores and returns the result to the terminal device in the authentication information; the terminal device then carries the processed application identification code in the authentication request sent to the authentication server. The terminal device obtains the application identification code in the same way as it obtains the application identifier, which is not repeated here.
Preferably, the application identification code is a globally unique code that does not repeat across different Internet applications, different terminal devices or different times. Preferably, the application identification code can be, but is not limited to, a UUID (Universally Unique Identifier) or a GUID (Globally Unique Identifier); it can of course also be a globally unique identifier implemented with a similar technique. For convenience, the description below takes a UUID as an example.
After the authentication server receives the processed application identification code, if the authorization information generation equipment encrypted the application identification code, the authentication server needs to decrypt it with the second key that it stores and then send it, together with the authentication result, to the corresponding application server. From the application identification code received, the application server can determine the terminal device through which the user is accessing the Internet application, and it sends that terminal device a response message allowing or denying access according to the authentication result sent by the authentication server.
Embodiment six
To aid understanding of the embodiment of the present invention, its specific implementation is described below through the information exchange flow during authentication. For convenience, the description takes a user accessing online banking as an example. As shown in Figure 6, the flow of a user logging in to online banking can include the following steps:
S61, when the user accesses the Internet application, a communication connection is established between the terminal device and the authorization information generation equipment.
In a specific implementation, the user may access online banking in either of the following two modes:
Mode one,
The user accesses online banking with the same terminal device that obtains the authentication information; for example, the user accesses online banking on a mobile phone and uses the same phone to obtain the authentication information generated by the authorization information generation equipment. In this case, the online banking login page needs to provide an application programming interface that encapsulates the authentication method provided by the embodiment of the present invention; when the user needs to log in to online banking, authentication of the user is triggered by calling this application programming interface.
Mode two,
The user accesses online banking with a terminal device other than the one that obtains the authentication information; for example, the user accesses online banking on a computer and uses their own mobile phone to obtain the authentication information generated by the authorization information generation equipment. In this case, the online banking login page needs to embed a verification program that encapsulates the authentication method provided by the embodiment of the present invention and display it on the login page as a graphic code (which can be, but is not limited to, a two-dimensional code); when the user needs to log in to online banking, scanning this two-dimensional code directly triggers authentication of the user.
S62, the authorization information generation equipment generates the authentication information.
After authentication of the user is triggered, the user triggers their own authorization information generation equipment (which the bank can provide to the user when the user registers a bank account) to generate the authentication information; for example, the user presses a button provided on the authorization information generation equipment. For the specific method by which the authorization information generation equipment generates the authentication information, see the description in Embodiment one above, which is not repeated here.
Preferably, to avoid the risk that arises if the user loses the authorization information generation equipment, in the embodiment of the present invention the authorization information generation equipment can also identify the user before generating the authentication information, for example by fingerprint or by a password set in advance by the user; no limitation is imposed here. Correspondingly, the authorization information generation equipment can also include numeric keys or a fingerprint acquisition device.
In a specific implementation, step S62 can also be performed before step S61, that is, the authorization information generation equipment first generates the authentication information and then establishes the communication connection with the terminal device; the two steps can also be performed at the same time. The embodiment of the present invention does not limit this.
S63, the authorization information generation equipment exchanges the authentication information it has generated with the terminal device.
In a specific implementation, the authorization information generation equipment processes the seed information with the key that it stores to obtain the processed seed information, and sends the processed seed information and its own device identification to the terminal device in the authentication information; alternatively, the terminal device can actively obtain the authentication information containing the processed seed information from the communication submodule.
S64, the terminal device sends an authentication request to the authentication server on the network side.
The authentication request carries the obtained processed seed information and the device identification of the authorization information generation equipment.
It should be noted that the terminal device can also obtain the application identification code and the application identifier of the Internet application that the user is accessing and carry them in the authentication request sent to the authentication server.
In a specific implementation, the terminal device can obtain the application identifier of the Internet application that the user is accessing before establishing the communication connection with the authorization information generation equipment, after establishing that connection, or after receiving the authentication information, as long as it is obtained before the authentication request is sent; the present invention does not limit this.
For example, if the user accesses the Internet application in mode one above, the terminal device can directly obtain the application identifier or application name of the Internet application the user is currently accessing, together with its corresponding UUID, and send them to the authentication server. If the user accesses the Internet application in mode two above, the graphic code generated for display on the login page contains the application identifier or application name of the Internet application and the UUID corresponding to it. The terminal device can then obtain the application identifier or application name and the corresponding UUID by scanning this graphic code, and send them to the authentication server together with the processed seed information and the device identification of the authorization information generation equipment obtained from the two-dimensional code generated by that equipment.
Preferably, to improve the security of data transmission, the terminal device can send the obtained UUID to the authorization information generation equipment for processing before it is sent to the authentication server, to prevent it from being tampered with in transit. It should be understood that if the terminal device sends the UUID to the authorization information generation equipment for processing, it needs to obtain the UUID and the application identifier either before establishing the communication connection, or after establishing the connection and before receiving the authentication information, so that the authorization information generation equipment can carry the processed UUID in the authentication information sent to the terminal device.
In a specific implementation, the terminal device can send the authentication request to the authentication server on the network side over a wired network, a wireless network, a mobile communication network, and so on.
S65, the authentication server looks up the corresponding key according to the device identification carried in the authentication request.
S66, the authentication server uses the key it has found to restore and/or verify the processed current time information.
S67, the authentication server performs authentication.
In a specific implementation, taking the case where the authorization information generation equipment encrypts its current time as an example, the authentication server compares the restored current time of the authorization information generation equipment with its own current time. If the interval between them does not exceed the preset time interval, verification passes; otherwise, verification fails.
S68, the authentication server sends the verification result to the application server that provides the Internet application.
In a specific implementation, the authentication server sends the verification result to the application server corresponding to the application identifier or application name carried in the authentication request, and includes in that result the UUID of the Internet application the user is currently accessing.
S69, the application server sends the terminal device a response message allowing or denying access.
In a specific implementation, the application server determines from the UUID the terminal device and application program through which the user is accessing the Internet application, and sends that terminal device a response message allowing or denying access according to the verification result.
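The server-side checks of steps S65 to S67, together with the UUID protection described under S64, are shown below as an added example that is not part of the patent text. It assumes the symmetric case, with HMAC-SHA256 standing in for the unspecified "processing" with the key; the field names, sample key, device ID and 60-second window are all assumptions.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 60  # assumed value for the "preset time interval" in S67

# S65: pre-stored device identification -> key correspondence (constructed sample data).
DEVICE_KEYS = {"DEV-0001": bytes.fromhex("00112233445566778899aabbccddeeff")}


def _canonical(fields):
    """Serialize the protected fields the same way on both sides."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def device_generate(device_id, key, app_uuid, now=None):
    """S62/S63: process the seed (device time) and the UUID with the stored key."""
    fields = {
        "device_id": device_id,
        "ts": int(time.time() if now is None else now),
        "uuid": app_uuid,
    }
    tag = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return dict(fields, tag=tag)


def server_verify(request, now=None):
    """S65-S67: look up the key, verify the processed seed, compare the times."""
    now = time.time() if now is None else now
    try:
        fields = {
            "device_id": str(request["device_id"]),
            "ts": int(request["ts"]),
            "uuid": str(request["uuid"]),
        }
        tag = str(request["tag"]).encode()
    except (KeyError, TypeError, ValueError, OverflowError):
        return False, "malformed request"
    key = DEVICE_KEYS.get(fields["device_id"])
    if key is None:
        return False, "unknown device"
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest().encode()
    # Constant-time comparison; the tag covers device ID, time and UUID together,
    # so a UUID altered by the terminal or in transit fails here.
    if not hmac.compare_digest(expected, tag):
        return False, "bad tag"
    if abs(now - fields["ts"]) > MAX_SKEW_SECONDS:
        return False, "outside time window"
    return True, "ok"
```

A request accepted once stays acceptable until the time window closes; the flow above describes only the time comparison, so rejecting a repeated request inside the window would be an additional server-side check.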
Among existing security systems that use encryption, the security of asymmetric-key encryption has been well established theoretically, and the technique is widely used. Its main drawback is that the keys are too long for a person to memorize and type directly: users usually have to store the key in a computer file or hardware device and import it when needed, which creates a risk of key exposure and is very inconvenient. In the embodiment of the present invention, the graphic code, as a convenient machine-readable identification technique, can be used to represent ciphertext information that is easily recognized, transmitted and then decrypted. This solves the problem that keys in existing asymmetric-key encryption mechanisms are too long to use directly. In addition, the embodiment of the present invention uses separate hardware to generate the authentication information, which prevents the private key from being stolen, copied or tampered with and gives high security. Furthermore, when the asymmetric-key encryption mechanism is used in the embodiment of the present invention, the private key is stored in the security module of the authorization information generation equipment and the public key is stored on the authentication server; even if the authentication server is attacked and all the public keys are disclosed, an attacker still cannot forge any user's identity for verification, so the disclosure poses no threat. Finally, because the length and strength of the key are sufficient, the device identification of the authorization information generation equipment (which can be its unique serial number) can be used directly as the user name, and the ciphertext or signed information produced each time the seed information is processed can be used as the password for authentication. Every authentication therefore uses a fresh password (one-time pad), whose complexity is far higher than that of passwords ordinary people set, so both security and convenience are greatly improved.
The third embodiment,
The authentication system provided by the embodiment of the present invention can also be used in an enterprise access control system: the enterprise only needs to install a graphic code scanning device (for example, a camera) and issue a key storage device to each employee. When an employee enters, the user authentication information generated by the key storage device is scanned and verified; if verification passes, entry is allowed, and information such as the door-opening time can also be recorded.
In a specific implementation, the authentication system provided by the embodiment of the present invention can provide one key storage device for several different Internet applications, or a separate key storage device for Internet applications with high security requirements, such as online banking and online payment. In the latter case, the authentication server needs to maintain the correspondence between the application identifier of each Internet application and the device identification and key of its corresponding key storage device, so that it can provide authentication for different Internet applications.
It should be noted that the terminal device referred to in the embodiment of the present invention can be a mobile terminal device such as a mobile phone, tablet computer, PDA (personal digital assistant) or smart watch, or a device such as a PC (personal computer); any terminal device that has a camera or scanning device installed and can scan the graphic code generated by the key storage device is suitable.
In addition, the Internet applications referred to in the embodiment of the present invention include websites, application clients and the like that can be accessed over the Internet or mobile Internet.
Therefore, compared with traditional authentication methods, the authentication method provided by the embodiment of the present invention is more secure: it achieves highly complex passwords and a fresh password for every authentication (one-time pad), avoiding the risk of password theft. It is also more convenient and faster: the user does not need to memorize and enter various user names and passwords, and can complete the authentication process quickly by scanning a graphic code.
Because the length and strength of the password in the authentication method provided by the embodiment of the present invention are much higher than those of passwords set by ordinary users and of the six-digit numeric codes used by existing RSA SecurID two-factor authentication tokens, it can be used directly as the primary password for authentication.
Those skilled in the art should understand that embodiments of the present invention can be provided as a method, a system or a computer program product. Therefore, the present invention can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present invention can take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk memory, CD-ROM, optical memory and the like) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, equipment (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction means that implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions can also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing; the instructions executed on the computer or other programmable device thereby provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although the preferred embodiments of the present invention have been described, those skilled in the art can make further changes and modifications to these embodiments once they have learned the basic inventive concept. The appended claims are therefore intended to be construed as covering the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.