CN105812334B - A kind of method for network authorization - Google Patents

A kind of method for network authorization

Info

Publication number
CN105812334B
Authority
CN
China
Prior art keywords
key
identification card
subscriber identification
phone number
user
Prior art date
Legal status
Active
Application number
CN201410852736.1A
Other languages
Chinese (zh)
Other versions
CN105812334A (en)
Inventor
傅宇晨
李良
华燕翔
Current Assignee
Beijing Huahong Integrated Circuit Design Co., Ltd.
Original Assignee
BEIJING HUAHONG INTEGRATED CIRCUIT DESIGN Co Ltd
Priority date
Filing date
Publication date
Application filed by BEIJING HUAHONG INTEGRATED CIRCUIT DESIGN Co Ltd
Priority to CN201410852736.1A
Publication of CN105812334A
Application granted
Publication of CN105812334B
Legal status: Active
Anticipated expiration


Abstract

An embodiment of the invention discloses a network authentication method comprising: a login server receives a login request, sends the user's mobile phone number together with the login request to an authentication server, and sends the current authentication-object feature value to the subscriber identification card corresponding to the user's mobile phone number; the authentication server generates a random number and sends the key object corresponding to the user's mobile phone number, the authentication-object feature value and the generated random number to the subscriber identification card corresponding to the user's mobile phone number; the subscriber identification card decrypts the key object to obtain the private key and verifies the current authentication-object feature value against the authentication-object feature value; when the current authentication-object feature value passes verification, the subscriber identification card signs the random number with the private key and sends the signature result to the authentication server; after the authentication server receives the signature result, it verifies the signature with the public key. Embodiments of the invention save storage space on the subscriber identification card and improve the security of network authentication.

Description

A kind of method for network authorization
Technical field
The present invention relates to the field of internet security, and in particular to a network authentication method.
Background technique
At present, when a user uses an application, service or information system in an internet environment, login authentication is usually required first. The most common approach is to authenticate the user with a username and password. However, this login mode has poor security on the one hand: it is easily intercepted and attacked, leading to password theft. On the other hand, different applications or services each require their own username and password; users sometimes forget their passwords, and the steps for resetting a password are generally complicated, which causes trouble for users, increases the cost of the application or system, and reduces working efficiency.
At present, to improve the security of network authentication, a subscriber identification card (such as a SIM card, USIM card or UIM card) can be used as an authentication component, and network authentication is carried out by registering the mobile phone number and authenticating with the subscriber identification card. The subscriber identification card itself has multiple hardware protection measures and very high security. It also has coprocessors for symmetric and asymmetric encryption algorithms, which guarantee computational performance.
The conventional steps of an authentication method based on a subscriber identification card are: the subscriber identification card generates a public-private key pair, stores the private key certificate on the card, and transmits the public key certificate to the server. When signing and verifying, the server passes information to the subscriber identification card, the card encrypts it with the private key and passes the encrypted information back to the server, and the server decrypts it with the public key to judge the legitimacy of the user's identity.
The prior art has the following problems: different services, applications or information systems may need different private key certificates, so multiple different private key certificates have to be stored on the subscriber identification card. Each certificate is several hundred to several thousand bytes long, so multiple certificates occupy a large amount of the card's storage space. The storage space for private key certificates is mostly reserved in advance, and once it is full the development of follow-up services may be limited. Moreover, in actual use a corresponding STK menu has to be developed on the subscriber identification card so that the user can manage the certificates (add, delete, update and so on), which is complex to operate and inconvenient to manage.
Summary of the invention
Embodiments of the invention provide a network authentication method that can improve the security of user authentication in an internet environment and save storage space on the subscriber identification card.
In view of this, the present invention provides a network authentication method, which may comprise:
a login server receives a login request, sends the user's mobile phone number and the login request to an authentication server, and sends the current authentication-object feature value to the subscriber identification card corresponding to the user's mobile phone number;
the authentication server generates a random number and sends the key object corresponding to the user's mobile phone number, the authentication-object feature value and the generated random number to the subscriber identification card corresponding to the user's mobile phone number;
the subscriber identification card decrypts the key object to obtain the private key and verifies the current authentication-object feature value against the authentication-object feature value; when the current authentication-object feature value passes verification, the subscriber identification card signs the random number with the private key and sends the signature result to the authentication server;
after the authentication server receives the signature result, it verifies the signature with the corresponding public key; if the signature verifies, authentication succeeds, and if it does not, authentication fails.
In a first possible implementation, before the login server receives the login request, the method may further comprise: storing in the authentication server the mobile phone number and the authentication-object feature value, public key and key corresponding to that mobile phone number.
In a second possible implementation, the step of storing in the authentication server the mobile phone number and the corresponding authentication-object feature value, public key and key may comprise:
the login server sends a registration request, the mobile phone number entered by the user and the authentication-object feature value to the authentication server;
after the authentication server receives the registration request, it sends a subscriber identification card registration request to the subscriber identification card corresponding to the entered mobile phone number;
after the subscriber identification card receives the subscriber identification card registration request, it generates a public-private key pair, encrypts the private key to form a key object, and sends the key object and the public key to the authentication server;
the authentication server receives the key object and the public key and stores the mobile phone number entered by the user together with the corresponding authentication-object feature value, public key and key object.
In a third possible implementation, the step in which the subscriber identification card, after receiving the subscriber identification card registration request, generates a public-private key pair and encrypts the private key to form a key object may comprise: the subscriber identification card encrypts the private key with a symmetric key to form the key object.
In a fourth possible implementation, the step in which the subscriber identification card decrypts the key object to obtain the private key and verifies the current authentication-object feature value against the authentication-object feature value may comprise: when the current authentication-object feature value fails verification, sending exception information to the login server to notify the login server to refuse the user's login.
In a fifth possible implementation, the step in which the authentication server, after receiving the signature result, verifies the signature with the public key and reports success or failure may comprise: if the signature verifies, the authentication server notifies the login server to allow the user to log in; if the signature does not verify, it notifies the login server to refuse the user's login.
In a sixth possible implementation, the authentication-object feature value may include at least one of: the IP address and port number of the user's login server, and the hash value of the app's packaging certificate.
As can be seen from the above technical solution, embodiments of the invention have the following advantages:
In embodiments of the invention, the private key does not need to be stored on the subscriber identification card in the user's mobile phone; instead both the public key and the private key are stored on the authentication server, and at authentication time the authentication server sends the private key to the subscriber identification card for authentication, which saves storage space on the card. Moreover, because the private key is stored and transmitted as an encrypted key object and the encryption key is stored only on the subscriber identification card, security is higher. Unlike conventional username-and-password verification, verification is performed by mobile phone number, which avoids the trouble caused by users forgetting their passwords.
Detailed description of the invention
Fig. 1 is a flow chart of one embodiment of the network authentication method according to the invention.
Specific embodiment
Embodiments of the invention provide a network authentication method that saves storage space on the subscriber identification card and improves the security of authentication.
To enable those skilled in the art to better understand the solution of the present invention, the technical solution in the embodiments of the invention is described clearly and completely below with reference to the accompanying drawing. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Referring to Fig. 1, one embodiment of the network authentication method according to the invention comprises:
S101: the login server receives a login request, sends the user's mobile phone number and the login request to the authentication server, and sends the current authentication-object feature value to the subscriber identification card corresponding to the user's mobile phone number.
Here, when a user logs in to an internet service, application or information system, the user submits a login request (for example by clicking the submit button on a login page). After the login server receives the login request submitted by the user, it can look up the mobile phone number corresponding to the login account, send the user's mobile phone number together with the login request to the authentication server, and send the current authentication-object feature value to the subscriber identification card corresponding to the user's mobile phone number. The subscriber identification card may be a SIM card, USIM card, UIM card or the like used for client identification in communication networks such as 2G, 3G and 4G.
S102: the authentication server generates a random number (or a set of feature values that includes a random number) and sends the key object corresponding to the user's mobile phone number, the authentication-object feature value and the generated random number to the subscriber identification card corresponding to the user's mobile phone number.
Here, the key object is the information obtained by encrypting the private key. After receiving the login request, the authentication server can generate a random number and then send the key object corresponding to the user's mobile phone number and the authentication-object feature value pre-stored in the authentication server, together with the generated random number, to the subscriber identification card corresponding to the user's mobile phone number.
S103: the subscriber identification card decrypts the key object to obtain the private key and verifies the current authentication-object feature value against the authentication-object feature value; when the current authentication-object feature value passes verification, the subscriber identification card signs the random number with the private key and sends the signature result to the authentication server.
Here, after the subscriber identification card receives the current authentication-object feature value sent by the login server and the key object, authentication-object feature value and random number sent by the authentication server, it compares the received current authentication-object feature value with the pre-stored authentication-object feature value. If the two are consistent, the current authentication-object feature value passes verification, and the subscriber identification card signs the random number with the decrypted private key.
S104: after the authentication server receives the signature result, it verifies the signature with the public key; if the signature verifies, authentication succeeds, and if it does not, authentication fails.
With the network authentication method provided by the invention, the private key does not need to be stored on the subscriber identification card in the user's mobile phone; instead the public key and the private key are stored on the authentication server, which sends the private key to the subscriber identification card for authentication at authentication time, saving storage space on the card. Moreover, because the private key is stored and transmitted as an encrypted key object, security is higher. Unlike conventional username-and-password verification, verification is performed by mobile phone number, which avoids the trouble caused by users forgetting their passwords.
Preferably, the authentication-object feature value may include the IP address and port number of the user's login server, the hash value of the app's packaging certificate, and the like.
In a preferred embodiment of the invention, before the login server receives the login request, the method may further comprise: storing in the authentication server the mobile phone number and the authentication-object feature value, public key and key corresponding to that mobile phone number.
Preferably, the mobile phone number and the corresponding public key, key, authentication-object feature value and other information are generated and stored by the following method:
the login server sends a registration request, the mobile phone number entered by the user and the authentication-object feature value to the authentication server;
after the authentication server receives the registration request, it sends a subscriber identification card registration request to the subscriber identification card corresponding to the entered mobile phone number;
after the subscriber identification card receives the subscriber identification card registration request, it generates a public-private key pair, encrypts the private key to form a key object, and sends the key object and the public key to the authentication server;
the authentication server receives the key object and the public key and stores the mobile phone number entered by the user together with the corresponding authentication-object feature value, public key and key object.
In the above manner the user first registers the mobile phone number through the login page; the subscriber identification card generates the public key and the key, and the public key and the key are transmitted to the authentication server, which stores the mobile phone number together with the corresponding authentication-object feature value, public key and key object. In this way the private key, key and other information are stored in the authentication server, which saves space on the subscriber identification card and also facilitates management operations such as adding, deleting and updating the public key, key and other data.
Preferably, when the subscriber identification card encrypts the private key to form the key object, it may encrypt the private key with a symmetric key, for example using a symmetric algorithm such as AES or 3DES. Correspondingly, when the subscriber identification card receives the key object from the authentication server during login authentication, it can decrypt the key object with the same symmetric key to obtain the private key. The symmetric key can be stored on the subscriber identification card.
Preferably, the subscriber identification card verifies the current authentication-object feature value against the authentication-object feature value, and when the current authentication-object feature value fails verification it sends exception information to the login server to notify the login server to refuse the user's login.
Preferably, after the authentication server receives the signature result, it verifies the signature with the public key; if the signature verifies, the authentication server notifies the login server to allow the user to log in, and if the signature does not verify, it notifies the login server to refuse the user's login.
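To make the registration flow and the login steps S101 to S104 above concrete, here is an added simulation of the three roles in Go; it is not code from the patent or its assignee. It assumes Ed25519 for the signature and AES-GCM for the key object, since the patent names only AES or 3DES for the symmetric step and no specific signature algorithm, and it models the feature value as a SHA-256 hash of the login server's address and port; the phone number, card key and server names are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AuthRecord is the auth server's per-phone record; KeyObject is the private key wrapped under the card key.
type AuthRecord struct {
	Feature   []byte // certification object characteristic value
	PublicKey ed25519.PublicKey
	KeyObject []byte // AES-GCM nonce || ciphertext of the Ed25519 private key
}

type SIMCard struct{ cardKey []byte } // only the 16-byte symmetric key lives on the card (constructed)

type AuthServer struct{ Records map[string]AuthRecord } // keyed by mobile phone number

// featureValue models the feature value as SHA-256 of the login server's address:port (assumption).
func featureValue(loginServer string) []byte {
	sum := sha256.Sum256([]byte(loginServer))
	return sum[:]
}

func (c *SIMCard) aead() cipher.AEAD { // key is fixed at 16 bytes here, so no error path
	block, _ := aes.NewCipher(c.cardKey)
	g, _ := cipher.NewGCM(block)
	return g
}

// Register: generate a key pair, wrap the private key into a key object, hand it and the public key over.
func (c *SIMCard) Register() (ed25519.PublicKey, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	g := c.aead()
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return pub, g.Seal(nonce, nonce, priv, nil), nil // the card keeps neither key afterwards
}

// Authenticate (S103): the login server's current feature value must equal the registered one before unwrapping.
func (c *SIMCard) Authenticate(keyObject, registered, current, challenge []byte) ([]byte, error) {
	if !bytes.Equal(registered, current) {
		return nil, errors.New("feature value mismatch: refuse login") // the "exception" path
	}
	g := c.aead()
	n := g.NonceSize()
	if len(keyObject) < n {
		return nil, errors.New("malformed key object")
	}
	priv, err := g.Open(nil, keyObject[:n], keyObject[n:], nil)
	if err != nil {
		return nil, err // tampered key object, or a different card's key
	}
	return ed25519.Sign(ed25519.PrivateKey(priv), challenge), nil
}

// RunLogin drives S102-S104 for one login attempt and returns the server's verdict.
func RunLogin(card *SIMCard, srv *AuthServer, phone, loginServer string) (bool, error) {
	rec, ok := srv.Records[phone] // S102: the server looks up the phone number ...
	if !ok {
		return false, errors.New("unknown phone number")
	}
	nonce := make([]byte, 32) // ... and draws a fresh random number
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	sig, err := card.Authenticate(rec.KeyObject, rec.Feature, featureValue(loginServer), nonce)
	if err != nil {
		return false, err
	}
	return ed25519.Verify(rec.PublicKey, nonce, sig), nil // S104: sign test with the stored public key
}

// Enroll runs the registration flow for one constructed card and phone number.
func Enroll(phone, loginServer string) (*SIMCard, *AuthServer, error) {
	card := &SIMCard{cardKey: bytes.Repeat([]byte{0x42}, 16)} // constructed card key
	pub, ko, err := card.Register()
	if err != nil {
		return nil, nil, err
	}
	rec := AuthRecord{Feature: featureValue(loginServer), PublicKey: pub, KeyObject: ko}
	return card, &AuthServer{Records: map[string]AuthRecord{phone: rec}}, nil
}

func main() {
	card, srv, _ := Enroll("13800000000", "login.example.com:443")
	fmt.Println(RunLogin(card, srv, "13800000000", "login.example.com:443")) // true <nil>
	fmt.Println(RunLogin(card, srv, "13800000000", "other.example.net:443")) // false + mismatch error
}
```

The second call shows the exception path of the fourth implementation: a request arriving via a login server whose feature value does not match the registered one is refused before the key object is ever unwrapped.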
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only one kind of logical functional division, and there may be other divisions in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatus or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or some of the steps of the methods of the embodiments of the invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disk.
The terms "first", "second", "third", "fourth" and the like (if present) in the description, claims and drawings of this specification are used to distinguish similar objects and need not describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments described herein can be implemented in an order other than that illustrated or described here. In addition, the terms "comprising" and "having" and any variants of them are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to those steps or units expressly listed, but may include other steps or units not expressly listed or inherent to that process, method, product or device.
The above embodiments are only used to illustrate the technical solution of the invention and not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that they can still modify the technical solutions described in the foregoing embodiments or make equivalent replacements of some of the technical features, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (5)

1. A network authentication method, characterized in that it comprises:
a login server receives a login request, sends the user's mobile phone number and the login request to an authentication server, and sends the current authentication-object feature value to the subscriber identification card corresponding to the user's mobile phone number;
the authentication server generates a random number and sends the key object corresponding to the user's mobile phone number, the authentication-object feature value and the generated random number to the subscriber identification card corresponding to the user's mobile phone number;
the subscriber identification card decrypts the key object to obtain the private key and verifies the current authentication-object feature value against the authentication-object feature value; when the current authentication-object feature value passes verification, the subscriber identification card signs the random number with the private key and sends the signature result to the authentication server;
after the authentication server receives the signature result, it verifies the signature with the public key; if the signature verifies, authentication succeeds, and if it does not, authentication fails;
before the login server receives the login request, the method further comprises:
storing in the authentication server the mobile phone number and the authentication-object feature value, public key and key corresponding to that mobile phone number;
the step of storing in the authentication server the mobile phone number and the corresponding authentication-object feature value, public key and key comprises:
the login server sends a registration request, the mobile phone number entered by the user and the authentication-object feature value to the authentication server;
after the authentication server receives the registration request, it sends a subscriber identification card registration request to the subscriber identification card corresponding to the entered mobile phone number;
after the subscriber identification card receives the subscriber identification card registration request, it generates a public-private key pair, encrypts the private key to form a key object, and sends the key object and the public key to the authentication server;
the authentication server receives the key object and the public key and stores the mobile phone number entered by the user together with the corresponding authentication-object feature value, public key and key object.
2. The network authentication method according to claim 1, characterized in that the step in which the subscriber identification card, after receiving the subscriber identification card registration request, generates a public-private key pair and encrypts the private key to form a key object comprises:
the subscriber identification card encrypts the private key with a symmetric key to form the key object.
3. The network authentication method according to claim 1, characterized in that the step in which the subscriber identification card decrypts the key object to obtain the private key and verifies the current authentication-object feature value against the authentication-object feature value comprises:
when the current authentication-object feature value fails verification, sending exception information to the login server to notify the login server to refuse the user's login.
4. The network authentication method according to claim 1, characterized in that the step in which the authentication server, after receiving the signature result, verifies the signature with the public key and reports success or failure comprises:
if the signature verifies, the authentication server notifies the login server to allow the user to log in; if the signature does not verify, it notifies the login server to refuse the user's login.
5. The network authentication method according to any one of claims 1 to 4, characterized in that the authentication-object feature value includes at least one of: the IP address and port number of the user's login server, and the hash value of the app's packaging certificate.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410852736.1A CN105812334B (en) 2014-12-31 2014-12-31 A kind of method for network authorization

Publications (2)

Publication Number Publication Date
CN105812334A CN105812334A (en) 2016-07-27
CN105812334B true CN105812334B (en) 2019-02-05

Family

ID=56420920

Country Status (1)

Country Link
CN (1) CN105812334B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106302544A (en) * 2016-10-18 2017-01-04 深圳市金立通信设备有限公司 A kind of safe verification method and system
CN106850209A (en) * 2017-02-28 2017-06-13 苏州福瑞思信息科技有限公司 A kind of identity identifying method and device
CN108768650B (en) * 2018-04-12 2021-06-22 济南大学 Short message verification system based on biological characteristics
CN109005155B (en) * 2018-07-04 2021-11-12 奇安信科技集团股份有限公司 Identity authentication method and device
CN110417848B (en) * 2019-05-22 2022-04-01 无锡源致科技有限公司 Racing pigeon decentralized competition method
CN110602076B (en) * 2019-08-15 2021-11-26 中国人民银行数字货币研究所 Identity using method, device and system based on master identity multiple authentication
CN110492989B (en) * 2019-08-23 2020-11-13 广州华多网络科技有限公司 Private key processing method, access method, and medium and device corresponding to method
CN114244565B (en) * 2021-11-16 2023-09-19 广东电网有限责任公司 Key distribution method, device, equipment and storage medium

Citations (5)

Publication number Priority date Publication date Assignee Title
CN102254380A (en) * 2010-05-31 2011-11-23 北京汇冠金财科技有限公司 Safe mobile phone payment method and system based on hybrid encryption mechanism
CN103346887A (en) * 2013-07-02 2013-10-09 山东科技大学 Low-complexity identity authentication method based on intelligent card and under multiserver environment
CN103813333A (en) * 2014-02-21 2014-05-21 天地融科技股份有限公司 Data processing method based on negotiation keys
CN103944724A (en) * 2014-04-18 2014-07-23 天地融科技股份有限公司 User identity identification card
CN103944715A (en) * 2014-04-25 2014-07-23 天地融科技股份有限公司 Data processing method based on agreement key

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
CN1601958B (en) * 2003-09-26 2010-05-12 北京三星通信技术研究有限公司 HRPD network access authentication method based on CAVE algorithm
US7418595B2 (en) * 2004-01-02 2008-08-26 Nokia Siemens Networks Oy Replay prevention mechanism for EAP/SIM authentication
EP1976322A1 (en) * 2007-03-27 2008-10-01 British Telecommunications Public Limited Company An authentication method

Also Published As

Publication number Publication date
CN105812334A (en) 2016-07-27

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 100089 Floor 12 1506, Building A 1, 66 Zhongguancun East Road, Haidian District, Beijing

Patentee after: Beijing Huahong Integrated Circuit Design Co., Ltd.

Address before: 100080 Beijing City, Haidian District Zhongguancun Road No. 66, building 1, 12 layers of 1501-1510

Patentee before: Beijing Huahong Integrated Circuit Design Co., Ltd.
