CN107979575A - Online authentication server and online authentication method - Google Patents

Online authentication server and online authentication method

Info

Publication number: CN107979575A
Authority: CN (China)
Prior art keywords: authentication, user, browser, connection, authentication server
Legal status: Pending
Application number: CN201610940156.7A
Other languages: Chinese (zh)
Inventors: 黄柏舜, 熊鸿钧, 郭瑞麟, 曾子欣
Current assignee: Chunghwa Telecom Co Ltd
Original assignee: Chunghwa Telecom Co Ltd
Application filed by Chunghwa Telecom Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1483 Countermeasures against malicious traffic: service impersonation, e.g. phishing, pharming or web spoofing

Abstract

An online authentication server and an online authentication method. The method includes: a user transmits a service request to a service server through a browser; the service server transmits an authentication request to an authentication server; the authentication server obtains, according to the authentication request, the authentication device designated by the user and transmits an authentication short code to the user end; the authentication server transmits a signature verification request to the authentication device and, after receiving the digital signature returned by the authentication device, checks the digital signature to complete the two-factor authentication; when the digital signature is correct, the authentication server transmits a redirect notification to the browser so that the browser is redirected to the service server and requests a connection, and when the digital signature is incorrect, the authentication flow is interrupted; and the service server, upon receiving the connection request, confirms the result of the two-factor authentication with the authentication server and then permits the service request made by the browser.

Description

Online authentication server and online authentication method
Technical field
The present invention relates to online authentication techniques, and in particular to an online authentication server and online authentication method that can escape a phishing (Phishing) flow or avoid man-in-the-middle eavesdropping.
Background technology
With the spread of the Internet and information devices, the services provided over networks have become increasingly diverse, and users can obtain a wide range of information services over the network from devices such as personal computers, notebook computers and smartphones. For example, a user can download software with a computer over the network, shop online, or even make transfers or trade stocks in mobile banking software.
Obtaining diverse and efficient services over the network is convenient, but information security concerns have always existed: a user's related information can easily be illegally intercepted, copied, destroyed, tampered with or misappropriated, not to mention that the user's information device may be attacked by viruses or other malicious programs. In recent years network fraud has been rampant and phishing websites imitating genuine official websites have sprung up; fraudsters often use highly realistic phishing websites to make users believe they have connected to the real official website, and thereby steal the user's account and password, and even critical authentication information.
To solve the problem of such phishing-website fraud, many technical solutions have been proposed in the past, such as installing a plug-in on the user's browser which, when the user mistakenly connects to a phishing website, shows a warning through the browser that the site is a phishing website so that the user does not carry out subsequent operations. However, this method requires client-side software to be installed at the browser end, and a database used to identify which addresses are phishing websites must be built and constantly maintained.
Not all users, however, have permission to install such client software, or a strong sense of information security, which affects their willingness to install it in the browser; if they doubt its trustworthiness and decline to install it, more serious man-in-the-middle (Man-in-the-Middle) or man-in-the-browser (Man-in-the-Browser) attacks may result, whose damage far exceeds that of a phishing website that merely steals accounts and passwords. Such schemes therefore often meet considerable resistance in promotion and are hard to deploy comprehensively.
In addition, there are prevention and identification techniques aimed at phishing websites which use a search engine's mechanism of crawling and caching website content in advance to identify in advance whether a website is a fraudulent website. When the user later searches for web pages, the phishing website can be excluded or filtered out and not listed, or a warning can be marked in the search results, so that the user does not connect to the fraudulent or phishing website. Although this method is effective, it is limited to web searches and can hardly prevent fraud delivered by other means, for example a fraudster sending the address of a phishing website through a forged e-mail or through the increasingly popular instant messaging applications, luring the user into clicking or linking to the malicious website; in that case the method cannot effectively solve the problem.
To prevent a phishing website from obtaining the user's authentication information by deception, or to prevent connection packets from being intercepted, many websites encrypt the transmitted connection information with SSL certificates, or use two-factor authentication (Two-factor Authentication), in which, in addition to entering the account and password, the user must also enter a dynamically generated one-time password (One Time Password, OTP), also called a disposable password, in the hope of reducing the risk from an account and password leaking: even if the account and password are stolen, the one-time password is hard to predict and cannot be reused, so the user is effectively protected.
Although the above methods greatly reduce the risk after an account and password have leaked, if the user connects to a fraudulent or phishing website from the outset and does not check carefully, the account, password and one-time password may all be entered into the phishing website together, which renders the one-time password protection useless; having obtained the user's account, password and one-time password, the fraudster can relay them to the genuine official website and perform privileged operations such as transfers, changing the account password or changing data, as shown in Fig. 1.
In view of the risk of the one-time password being stolen, there are technical solutions that return the one-time password through a second channel, thereby reducing the chance that the user mistakenly enters critical information into the website originally requesting the login (the first channel), so as to prevent the one-time password from being stolen. As shown in Fig. 2, transmitting or returning the one-time password over a heterogeneous channel (the second channel) effectively prevents a malicious party from stealing information such as the one-time password on the same channel (for example by network sniffing or by installing a keylogger on the computer) and greatly raises the difficulty of stealing critical information.
Even with the above solution, if the user is attached to a phishing website from the outset, data can still be stolen. As shown in Fig. 3, the essence is that the phishing website's client-emulating program can impersonate the genuine user to interact with the official website and tamper with the relevant information the genuine user submits: after the user actively returns the authentication information on the second channel and the emulating program obtains the official website's verification-success message, it quickly intervenes in the flow, replying to the genuine user with a forged success message or a "system maintenance" error, while the phishing website continues to interact with the official website and performs privileged operations (such as changing data or making transfers); by the time the genuine user notices something is wrong, the damage has already been done.
Although transmitting the one-time password over a heterogeneous channel is good, it still carries risk: in particular, once the user connects to a phishing website without noticing, the phishing website becomes an invisible man-in-the-middle device between the user and the official website, monitoring all exchanged information and then tampering with the user's data or executing services, because in such schemes the official website cannot ensure whether the party connecting to it is the real user or a man-in-the-middle device.
Given that all of the above technical solutions have problems that cannot be overcome, finding a secure online authentication mechanism, in particular one that, when the user has already connected to a phishing website, lets the user escape the existing connection so that the phishing website has no opportunity to impersonate the genuine user and cause subsequent harm, has become an important topic for those skilled in the art.
Summary of the invention
In view of the shortcomings of the foregoing prior art, the object of the present invention is to propose an online authentication server and online authentication method in which an authentication short code causes the browser at the user end to interrupt the page currently being browsed and open a new connection, directing the browser to a dedicated authentication waiting page and thereby escaping the risk of a phishing website on the connection.
To achieve the above and other objects, the present invention proposes an online authentication method comprising the following steps: a user transmits a service request to a service server (service server) through a browser at the user end; the service server transmits an authentication request to an authentication server; the authentication server obtains, according to the authentication request, the authentication device designated by the user, and transmits an authentication short code to the user end, so that the browser uses the authentication short code to connect anew to a web interface designated by the authentication server, which requires the user to perform two-factor authentication using the authentication device; the authentication server transmits a signature verification request to the authentication device and, after receiving the digital signature returned by the authentication device, checks the digital signature to complete the two-factor authentication; when the digital signature is correct, the authentication server sends a redirect notification to the browser, redirecting the browser to the service server to request a connection, and when the digital signature is incorrect, the authentication flow is interrupted; and the service server, upon receiving the connection request, confirms the result of the two-factor authentication with the authentication server and then permits the service request made by the browser.
In an embodiment, the authentication device returning the digital signature includes the authentication device returning the digital signature directly to the authentication server, or relaying it to the authentication server through the service server.
In another embodiment, transmitting the authentication short code to the user end is transmitting the authentication short code to the authentication device, for the user to enter the authentication short code into the browser's address bar so that the browser connects anew, or transmitting the authentication short code to the browser, so that the user clicks the authentication short code and the browser connects anew.
In another embodiment, the browser and the authentication device transmit over different channels.
In yet another embodiment, before the user transmits the service request to the service server through the browser, the method further includes setting in the authentication server the authentication device to be used for authentication, or setting the browser so that it can receive push notifications (broadcast) from the authentication server.
The present invention further proposes an online authentication server which, when a user makes a service request to a service server through a browser at the user end, performs identity authentication of the user, the online authentication server including: a processing module, which receives the authentication request from the service server and obtains the user's authentication device from a pre-stored comparison table according to the authentication request; a short-code generation module, which generates an authentication short code for transmission to the user end, so that the browser uses the authentication short code to connect anew to a designated web interface that requires the user to perform two-factor authentication using the authentication device; a dynamic password module, which performs the two-factor authentication, including transmitting a signature verification request to the authentication device and receiving the digital signature returned by the authentication device in order to check the digital signature; and a notification module, which transmits a redirect notification to the browser to redirect the browser to the service server, wherein the service server, after confirming the authentication result of the digital signature with the authentication server, permits the service request made by the browser.
In summary, the online authentication server and online authentication method of the present invention mainly, in the authentication phase, transmit an authentication short code that lets the user connect anew to the authentication interface; at that point the user leaves the original phishing-website connection and then proceeds with the subsequent authentication procedure. Even if the account and password may have been stolen through the connection to the phishing website, this mechanism leaves the connection with the invisible man-in-the-middle device and prevents authentication from being completed unknowingly on behalf of that device, which would cause all the information to leak. In other words, when the user mistakenly connects to a phishing website, the present invention can effectively escape or terminate the fraud flow: by connecting anew to the authentication interface through the authentication short code, the possible fraud risk of the existing connection is left behind and the subsequent authentication flow can continue, or, during the authentication flow, the invisible man-in-the-middle device is found to be anomalous, the phishing technique is seen through and the authentication flow is terminated.
Brief description of the drawings
Fig. 1 is a sequence diagram of a possible defect of one-time-password authentication in the prior art;
Fig. 2 is a sequence diagram of one-time-password authentication over a heterogeneous channel in the prior art;
Fig. 3 is a sequence diagram of a possible defect of one-time-password authentication over a heterogeneous channel in the prior art;
Fig. 4 is a step diagram of the online authentication method of the present invention;
Fig. 5 is an architecture diagram of the online authentication server of the present invention;
Fig. 6 is a flow chart of the preliminary stage in a first implementation of the online authentication method of the present invention;
Fig. 7 is a flow chart of the authentication stage in the first implementation of the online authentication method of the present invention;
Fig. 8 is a flow chart of the authentication stage in a second implementation of the online authentication method of the present invention;
Figs. 9A and 9B are sequence diagrams of the first implementation of the present invention when a phishing website is mistakenly connected; and
Figs. 10A and 10B are sequence diagrams of the second implementation of the present invention when a phishing website is mistakenly connected.
Symbol description:
5 online authentication server
51 processing module
52 short-code generation module
53 dynamic password module
54 notification module
100 browser
200 service server
300 authentication device
S41~S46 steps
S601~S603 flows
S701~S707, S704-1, S704-2, S706' flows
S801~S807, S804-1, S804-2, S806' flows
S901~S907, S904-1, S904-2, S901' flows
S1001~S1007, S1001' flows.
Embodiment
Embodiments of the present invention are illustrated below by way of specific examples; those skilled in the art can easily understand other features and effects of the present invention from the content disclosed in this specification. The present invention can also be implemented or applied through other different specific embodiments.
Referring to Fig. 4, which illustrates the steps of the online authentication method of the present invention. When a user sends a service request through a browser, the back-end service server needs the authentication server to help confirm the user's identity. At this point, to prevent the user having connected to a phishing website and the phishing website becoming an invisible man-in-the-middle between the service server and the user end, the present invention proposes to interrupt the original connection during the authentication process and create a new connection, which effectively avoids subsequent harm. The online authentication method of the present invention includes the following steps.
In step S41, the user transmits a service request to a service server through a browser at the user end. Specifically, in this step the user sends a service request through the browser of his or her electronic device to the service server at the service-providing end, such as a bank website.
In step S42, the service server transmits an authentication request to an authentication server. In this step, the service server at the service-providing end cannot ensure whether the user is a legitimate user, so it asks the authentication-service-providing end to help confirm whether the user is legitimate by transmitting an authentication request to the authentication server at the authentication-service-providing end; this authentication request contains information the user entered in the service request, such as account, phone number or identity.
In step S43, the authentication server obtains the authentication device designated by the user according to the authentication request, and transmits an authentication short code to the user end, so that the browser uses the authentication short code to connect anew to the web interface designated by the authentication server, which requires the user to perform two-factor authentication using the authentication device. In detail, the authentication server may store user-related data, such as a comparison table that records the authentication device corresponding to each user identity, such as a mobile phone; for example, the comparison table may record the name Wang Xiaoming and the phone number 0912345678 used for authentication, so the authentication server can obtain the authentication device designated by the user from the content of the authentication request.
Next, the authentication server generates an authentication short code and transmits it to the user end. The user can enter this authentication short code into the browser's address bar so that the browser connects anew to the web interface designated by the authentication server, and this web interface guides the user through two-factor authentication using his or her authentication device.
In an embodiment, transmitting the authentication short code to the user end may be transmitting the authentication short code to the user's authentication device; after obtaining the authentication short code from the authentication device, the user enters it into the browser's address bar so that the browser connects anew.
In another embodiment, transmitting the authentication short code to the user end may instead be transmitting the authentication short code to the browser of the user's electronic device, for example by push notification, so that the user can click directly on the authentication short code and the browser connects anew.
In step S44, the authentication server transmits a signature verification request to the authentication device and, after receiving the digital signature returned by the authentication device, checks the digital signature to complete the two-factor authentication. In this step, when performing two-factor authentication, the authentication server sends a signature verification request to the user's authentication device; if the user confirms that this authentication is indeed his or hers, a digital signature is returned after the signature verification request has been received; if the authentication server checks the digital signature and finds it correct, the two-factor authentication is completed, in other words the user has passed identity authentication.
In an embodiment, the authentication device returning the digital signature may be the authentication device returning the digital signature directly to the authentication server. In another embodiment, the returned digital signature may be relayed to the authentication server through the service server.
To ensure that packets in the transmission channel are not intercepted, in the present invention the browser and the authentication device transmit over different channels. For example, the browser may transmit ordinary network packets, while the authentication device may be a mobile phone that uses SMS to transfer data, so a data thief cannot easily capture all the information across the heterogeneous channels: the browser's packets may be transmitted on a first channel and the authentication device's data on a second channel.
In step S45, when the digital signature is correct, the authentication server transmits a redirect notification to the browser, redirecting the browser to the service server to request a connection; when the digital signature is incorrect, the authentication flow is interrupted. This step explains that when the digital signature is correct, i.e. the user is a legitimate user, the authentication server sends a redirect notification to the user's browser, which makes the user's browser send a connection request to the service server.
Conversely, if the authentication server finds on checking that the digital signature is wrong, the authentication flow is interrupted and this two-factor authentication ends; that is, the authentication server considers the user not to be a legitimate user, and the service server will subsequently receive the information that this user is illegitimate.
In step S46, the service server, upon receiving the connection request, confirms the result of the two-factor authentication with the authentication server and then permits the service request made by the browser. In this step, the service server again confirms the user's authentication result with the authentication server, and once the authentication server responds that this two-factor authentication has been completed, the browser is allowed to connect and the service it requested is performed.
In addition, in the online authentication method, before the user sends the service request through the browser, the user may further set in the authentication server, through the browser, the authentication device to be used for authentication, or set the browser so that it can receive push notifications from the authentication server. This is the preliminary setup of the whole online authentication method; without it, two-factor authentication cannot be carried out.
Through the above steps, by suspending the authentication flow and transmitting the entry point for continuing this authentication over a reliable second channel, combined with the digital-signature authentication mechanism of the authentication device, the risk of authentication information being stolen because the user mistakenly connected to a phishing website is effectively resolved, the opportunity for man-in-the-middle eavesdropping and tampering is eliminated, and the security of user authentication and subsequent services is greatly improved.
Referring to Fig. 5, which illustrates the architecture of the online authentication server of the present invention. As shown in the figure, the online authentication server 5 performs identity authentication of the user when the user makes a service request to the service server 200 through the browser 100, and the online authentication server 5 includes a processing module 51, a short-code generation module 52, a dynamic password module 53 and a notification module 54.
The processing module 51 receives the authentication request from the service server 200 and obtains the authentication device 300 designated by the user from a pre-stored comparison table according to the authentication request. The service server 200 may be, for example, a bank website or a service-providing website; the user sends a service request through the browser 100 of his or her electronic device to the service server 200 at the service-providing end, asking to log in and perform a service.
In addition, the online authentication server 5 may store user-related data, such as a comparison table recording the association between the user and his or her authentication device. Moreover, the browser and the authentication device transmit over different channels.
The short-code generation module 52 generates an authentication short code for transmission to the user end, so that the browser 100 uses the authentication short code to connect anew to the designated web interface, which requires the user to perform two-factor authentication using the authentication device 300. The authentication short code lets the user connect anew to the web interface designated by the online authentication server 5, which interrupts the original connection; for a user who has connected to a phishing website and is being authenticated, this helps the user leave the phishing website while it is acting as an invisible man-in-the-middle. The web interface then informs the user that two-factor authentication is to be performed.
There can be two ways of delivering the authentication short code to the user end. The first is to transmit the authentication short code to the user's authentication device, for the user to enter it into the browser's address bar so that the browser connects anew; the second is to transmit the authentication short code to the browser, for example by push notification, so that the user clicks the authentication short code and the browser connects anew.
It follows that, before the service request is made to the service server 200, the short-code generation module 52 further presets whether the authentication short code is to be received by the authentication device 300 or by the browser 100 through push notification.
The dynamic password module 53 performs the two-factor authentication, including transmitting a signature verification request to the authentication device 300 and receiving the digital signature returned by the authentication device 300 in order to check it. When performing two-factor authentication, the dynamic password module 53 sends a signature verification request to the user's authentication device 300; if the user confirms that this authentication is correct, a digital signature is returned; if the online authentication server 5 checks the digital signature and finds it correct, the two-factor authentication is completed, in other words the user has passed identity authentication; otherwise, the authentication flow is interrupted.
There can also be two ways for the authentication device 300 to return the digital signature: the first is for the authentication device 300 to return the digital signature directly to the online authentication server 5; the other is for the returned digital signature to be relayed to the online authentication server 5 through the service server 200.
The notification module 54 transmits a redirect notification to the browser 100 to redirect the browser 100 to the service server 200, wherein, after the service server 200 confirms the authentication result of the digital signature with the online authentication server 5, the service request made by the browser 100 is permitted. When the digital signature is correct, the notification module 54 transmits a redirect notification to the user's browser 100, which makes the user's browser 100 send a connection request to the service server 200; at this point the service server 200 again confirms the user's authentication result with the online authentication server 5, and once the online authentication server 5 responds that this two-factor authentication has been completed, the browser 100 is allowed to connect and the service it requested is performed.
It follows that the present invention, by means of the authentication short code, can suspend the authentication flow and transmit the entry point for continuing this authentication over a reliable second channel, and, in cooperation with the digital-signature authentication mechanism, effectively resolves the risk of authentication information being stolen because the user mistakenly connected to a phishing website, and eliminates the opportunity for man-in-the-middle eavesdropping and tampering.
In order to further illustrate a kind of escape fishing flow proposed by the invention and authenticating party on the line of go-between's eavesdropping Method, will coordinate practical operation situation to be illustrated by flow chart and sequence diagram below.User's end browses involved in the method Device (B1), second channel mobile device (M1), certification demand end application server (R1), authentication service provide end application server (P1), and this on-line identification method includes previous operations stage and identifying procedure stage, will be described below different aspect and The process flow in each stage.
Referring to Fig. 6, a flowchart of the preliminary stage of the first embodiment of the on-line authentication method of the present invention.
In step S601, before authentication can take place, the user first uses the browser (B1) to connect to the authentication-service-provider application server (P1) and registers a unique user account for identification.
In step S602, at least one second-channel mobile device (M1) is bound and initialised at the authentication-service-provider application server (P1). The device must satisfy the authentication service provider's certification requirements, be able to store at least one private key for producing digital signatures later, and have communication capability for receiving and sending information; it may, for example, be a mobile phone.
In step S603, the user uses the browser (B1) to connect in advance to the authentication-requesting application server (R1), is redirected by it to the authentication-service-provider application server (P1), and selects at least one second-channel mobile device (M1) suitable for future verification.
With the above steps, the preliminary setup of the on-line authentication method is complete. These settings allow the authentication device of the corresponding user, i.e. the second-channel mobile device (M1), to be located quickly during subsequent authentication.
Referring next to Fig. 7, a flowchart of the authentication stage of the first embodiment of the on-line authentication method of the present invention; that is, once the preliminary setup described above has been completed, the user can request authentication.
In step S701, the user connects to the authentication-requesting application server (R1) using the browser (B1) and intends to perform a privileged operation such as logging in or transferring funds.
In step S702, after receiving the request, the authentication-requesting application server (R1) submits a user authentication request to the authentication-service-provider application server (P1).
In step S703, after receiving the authentication request, the authentication-service-provider application server (P1) determines from the incoming parameters which authentication device the user has bound in advance, generates an authentication brevity code (hereafter "brevity code") that is unique for this authentication within a specific time window, and sends the brevity code to the second-channel mobile device (M1) bound by the user in advance.
In step S704, the user reads the brevity code received on the second-channel mobile device (M1) and enters it in the address bar of the browser (B1). This causes the browser (B1) to leave the page it was on and connect to the web interface specified by the authentication-service-provider application server (P1). On that page the user may be prompted to perform the second-stage verification with the second-channel mobile device (M1), and the page enters a countdown wait for the user's next action, shown as step S704-1 in the figure.
In step S705, after the authentication-service-provider application server (P1) receives the request of the previous step, it uses the information of this authentication stage to send a signature verification request to the second-channel mobile device (M1) bound by the user in advance, and prompts the user on the second-channel mobile device (M1) to decide whether to approve the signature.
In step S706, after examining the information shown on the second-channel mobile device (M1), if the user agrees to approve this authentication, the user signs the authentication challenge information using the function provided on the second-channel mobile device (M1), and the digital signature is returned to the authentication-service-provider application server (P1).
Alternatively, the digital signature may be returned to the authentication-service-provider application server (P1) by way of the authentication-requesting application server (R1), as shown in step S706' of the figure. Step S706 and step S706' are alternatives; only one of them is used.
Then, as shown in step S704-2, after receiving the returned signature, the authentication-service-provider application server (P1) checks whether the signature is correct. If it is, the wait loop of S704-1 is ended and a redirect notification is sent to the user's browser (B1), redirecting the page to the authentication-requesting application server (R1). If the signature is incorrect, the authentication flow is interrupted.
In step S707, upon receiving the S704-2 request from the user's browser (B1), the authentication-requesting application server (R1) immediately re-confirms with the authentication-service-provider application server (P1) whether the user passed authentication. If so, the access of S704-2 is allowed; if not, the user's connection is refused.
As can be seen from the above, the brevity code suspends the authentication flow and delivers the entry point for the remainder of the authentication over a reliable second channel; combined with the digital-signature authentication mechanism, this effectively removes the risk of authentication credentials being stolen when a user accidentally connects to a phishing website, and excludes man-in-the-middle eavesdropping or tampering.
Referring to Fig. 8, a flowchart of the authentication stage of the second embodiment of the on-line authentication method of the present invention. Note that in this embodiment the preliminary setup, similar to the flow of Fig. 6, is likewise completed before on-line authentication is performed, so that the user's authentication device (the second-channel mobile device (M1)) can be located quickly during subsequent authentication; it is not repeated here. The authentication flow after the user files a request is described directly below.
In step S801, the user connects to the authentication-requesting application server (R1) using the browser (B1) and intends to perform a privileged operation such as logging in or transferring funds.
In step S802, after receiving the request, the authentication-requesting application server (R1) submits a user authentication request to the authentication-service-provider application server (P1).
In step S803, after receiving the authentication request, the authentication-service-provider application server (P1) determines from the incoming parameters which authentication device the user has bound in advance, generates an authentication brevity code (hereafter "brevity code") that is unique for this authentication within a specific time window, and sends the brevity code, using push technology or a similar technique, to the user's browser (B1) that the user authorised in advance.
In step S804, after the user's browser (B1) receives the pushed brevity code, the user clicks the link contained in it. This causes the browser (B1) to leave the page it was on and connect to the web interface specified by the authentication-service-provider application server (P1). On that page the user may be prompted to perform the second-stage verification with the second-channel mobile device (M1), and the page enters a countdown wait for the user's next action, shown as step S804-1 in the figure.
In step S805, after the authentication-service-provider application server (P1) receives the request of the previous step, it uses the information of this authentication stage to send a signature verification request to the second-channel mobile device (M1) bound by the user in advance, and prompts the user on the second-channel mobile device (M1) to decide whether to approve the signature.
In step S806, after examining the information shown on the second-channel mobile device (M1), if the user agrees to approve this authentication, the user signs the authentication challenge information using the function provided on the second-channel mobile device (M1), and the digital signature is returned to the authentication-service-provider application server (P1).
Alternatively, the digital signature may be returned to the authentication-service-provider application server (P1) by way of the authentication-requesting application server (R1), as shown in step S806' of the figure; step S806 and step S806' are alternatives, and only one of them is used.
Then, as shown in step S804-2, after receiving the returned signature, the authentication-service-provider application server (P1) checks whether the signature is correct. If it is, the wait loop of S804-1 is ended and a redirect notification is sent to the user's browser (B1), redirecting the page to the authentication-requesting application server (R1). If the signature is incorrect, the authentication flow is interrupted.
In step S807, upon receiving the S804-2 request from the user's browser (B1), the authentication-requesting application server (R1) immediately re-confirms with the authentication-service-provider application server (P1) whether the user passed authentication. If so, the access of S804-2 is allowed; if not, the user's connection is refused.
All of the above describes how the user is authenticated when requesting a service. The flow of the proposed on-line authentication method when the user has accidentally connected to a phishing website is described next. Specifically, Figs. 9A and 9B correspond to Fig. 7, and Figs. 10A and 10B to Fig. 8. The main difference lies in step S701 of Fig. 7 and step S801 of Fig. 8: when the user's browser (B1) tries to connect to the authentication-requesting application server (R1), the connection is intercepted by a phishing website that imitates the client and impersonates the real user. The phishing website thereby becomes a hidden man-in-the-middle; without the user's knowledge it may complete the authentication in the user's place, allowing it to substitute for the real user and connect to the authentication-requesting application server (R1) to perform a service such as transferring funds or changing a password.
Thus step S701 of Fig. 7 can be regarded as S901 and S901' in Fig. 9A: because of the interception by the phishing website, the login request S901 sent by the user's browser (B1) goes to the phishing website (which the user connected to by mistake); the phishing website alters part of the content and in turn sends login request S901' to the authentication-requesting application server (R1). Similarly, step S801 of Fig. 8 can be regarded as S1001 and S1001' in Fig. 10A: the login request S1001 sent by the user's browser (B1) is likewise intercepted by the phishing website, which alters part of the content and sends login request S1001' to the authentication-requesting application server (R1).
Figs. 9A and 9B show the sequence diagram of the first embodiment when the user has accidentally connected to a phishing website. At the start of the flow, the phishing site sends fraudulent e-mail or text messages, or uses social messaging software, to lure the user into clicking a forged link, so that the user mistakenly connects to a highly faithful imitation of the bank's official website (the phishing website), which prompts the user to log in before proceeding. Not recognising the site as a phishing site, the user sends a login request to the client-imitating page specified by the phishing website, step S901 in the figure.
Under the mechanism of the invention, the user should understand that no confidential authentication information, such as a password, ever needs to be entered at any authentication step; only simple, public identification information such as an account number is supplied. Moreover, once that public identification information has been entered, the initial stage of the authentication flow should be complete: the page can only display a simple prompt such as "your authentication request has been submitted", and the page is inactive from that point, so a user would not normally be asked to continue with any further step on it. If the phishing website tries to steal more information, or lures the user into further operations on that page, the user will notice the abnormal behaviour and thereby see through the fraud. Hence even when this flow runs to completion, the phishing website can only obtain harmless public information.
In step S901', the phishing site receives the request, alters part of its content and, posing as the real user, sends a login request to the authentication-requesting application server (R1)/bank.
In step S902, after receiving the authentication request, the authentication-requesting application server (R1) forwards it to the authentication-service-provider application server (P1) for the subsequent authentication flow.
In step S903, after receiving the authentication request, the authentication-service-provider application server (P1) determines from the incoming parameters which authentication device the user has bound in advance, generates a brevity code that is unique for this authentication within a specific time window, and sends the brevity code to the second-channel mobile device (M1) bound by the user in advance.
In step S904, after receiving the brevity code on the second-channel mobile device (M1), the user enters the brevity code in the address bar of the user's browser (B1) and presses execute; the input may be typed on the keyboard or transferred by a means such as Bluetooth or NFC. This interrupts the page the user's browser (B1) is currently browsing (if the current page is not a blank page) and opens a new connection to the browsing page specified by the authentication-service-provider application server (P1), leading to a dedicated authentication waiting page that is specific to this user and valid only for a single time window, step S904-1 in the figure. If desired, an "inspection key" that only the authentication-service-provider application server (P1) can read may have been planted in the browser during the earlier registration stage; it is then checked for consistency at this point, and the authentication flow is interrupted if it does not match.
During the wait of step S904-1, the user's browser (B1) prompts the user to approve the authentication on the second-channel mobile device (M1), and keeps counting down on screen until the user passes verification by approving it, or the countdown ends and the verification flow is terminated.
While the user's browser (B1) is in the wait of step S904-1, the authentication-service-provider application server (P1) sends the signature request for this authentication to the second-channel mobile device (M1), step S905 in the figure. After the prompt on the second-channel mobile device (M1), the user decides whether to approve the authentication. If the user approves, the user signs the authentication challenge information using the function provided on the second-channel mobile device (M1), and the digital signature is returned to the authentication-service-provider application server (P1), step S906 in the figure.
After receiving the returned signature, the authentication-service-provider application server (P1) checks whether it is correct. If so, it ends the wait loop of step S904-1 and sends a redirect notification to the user's browser (B1), redirecting the page to the authentication-requesting application server (R1)/bank, step S904-2 in the figure. If the signature is incorrect, the authentication flow is interrupted.
Upon receiving the S904-2 request from the user's browser (B1), the authentication-requesting application server (R1)/bank immediately re-confirms with the authentication-service-provider application server (P1) whether the user passed authentication, step S907 in the figure. If so, the access of S904-2 is allowed and the user is marked as authenticated, having correctly completed authentication; otherwise the user's connection is refused.
Specifically, the brevity code sent in step S903 is delivered to the second-channel mobile device (M1) over a trusted channel or by an encrypted method. Unless the trusted second-channel mobile device (M1) itself is held or cracked by a malicious party, nobody but the real user knows the brevity code; in other words, a malicious party cannot easily learn it and carry out step S904.
Further, even if a malicious party brute-forces or guesses the brevity code, suitable protective design, such as the aforementioned check that the "inspection key" buried in the browser and readable only by the authentication-service-provider application server (P1) is consistent, means the check in step S904-1 still cannot be passed. Moreover, step S904 is a separate connection initiated by the user in a new stage, i.e. the user connects "on their own" to the authentication-service-provider application server (P1), and this connection can be encrypted with SSL or a similar mechanism. Since under the method of the invention the user is no longer connected to the phishing website, an earlier accidental connection to it no longer matters; the flow escapes the phishing fraud under this mechanism. And even if the malicious party uses a network interception mechanism, because the site connected to is the correct one and the connection is correctly encrypted, only encrypted information can be intercepted.
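As an added example (not code from the patent), the following Python model walks through the flow of Fig. 7 and the phished variant of Figs. 9A/9B: P1 issues a single-use, time-limited brevity code to the bound device, the browser opens it directly at P1 where the buried inspection key is checked, the device signs a challenge, and R1 admits the redirected browser only after re-confirming with P1. The class names, the HMAC-SHA256 stand-in for the device's private-key signature, the code length and the 120-second lifetime are all assumptions; the patent specifies none of them.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 120  # seconds a brevity code stays valid; the patent only says "a specific time" (assumed value)


def sign(device_secret, challenge):
    """Stand-in for the device's private-key signature of S706/S906 (HMAC is an assumption, not the patent's choice)."""
    return hmac.new(device_secret, challenge, hashlib.sha256).digest()


class AuthServer:
    """Authentication-service-provider application server (P1), the on-line certificate server."""

    def __init__(self):
        self.devices = {}          # account -> device secret bound at S602 (the pre-stored look-up table)
        self.inspection_keys = {}  # account -> "inspection key" planted in the browser at registration
        self.pending = {}          # brevity code -> session record while the wait loop (S704-1) runs
        self.passed = {}           # redirect token -> account, once two-stage authentication succeeded
        self.second_channel = []   # (recipient, message) pairs delivered to the bound device

    def register(self, account, device_secret, inspection_key):
        self.devices[account] = device_secret
        self.inspection_keys[account] = inspection_key

    def request_auth(self, account):
        """S703/S903: find the bound device, mint a single-use time-limited brevity code, send it there."""
        if account not in self.devices:
            return None
        code = secrets.token_hex(3)  # six hex characters; the length is an assumption
        self.pending[code] = {"account": account, "expires": time.time() + CODE_TTL, "nonce": None}
        self.second_channel.append(("device:" + account, code))
        return code

    def browser_arrives(self, code, inspection_key):
        """S704/S904: the user's browser opens the brevity code directly at P1. Reject stale, unknown or
        reused codes and a wrong inspection key; otherwise push the signature challenge (S705/S905)."""
        rec = self.pending.get(code)
        if rec is None or time.time() > rec["expires"] or rec["nonce"] is not None:
            return False
        if not hmac.compare_digest(inspection_key, self.inspection_keys[rec["account"]]):
            del self.pending[code]  # the text says the flow is interrupted on a mismatch
            return False
        rec["nonce"] = secrets.token_bytes(16)
        self.second_channel.append(("device:" + rec["account"], rec["nonce"]))
        return True

    def receive_signature(self, code, signature):
        """S706/S704-2: verify the device's signature over the challenge; on success issue the redirect token."""
        rec = self.pending.pop(code, None)
        if rec is None or rec["nonce"] is None:
            return None
        if not hmac.compare_digest(sign(self.devices[rec["account"]], rec["nonce"]), signature):
            return None  # incorrect signature: interrupt the authentication flow
        token = secrets.token_urlsafe(16)
        self.passed[token] = rec["account"]
        return token

    def confirm(self, token):
        """S707/S907: the service server re-confirms the result; a token is consumed on first use."""
        return self.passed.pop(token, None)


class ServiceServer:
    """Authentication-requesting application server (R1), e.g. the bank."""

    def __init__(self, auth):
        self.auth = auth
        self.logged_in = set()

    def login(self, account):
        """S701/S702: only the public identifier is forwarded; no password is ever collected."""
        return self.auth.request_auth(account)

    def redirected(self, token):
        """S704-2 + S707: admit the redirected browser only after P1 confirms the two-stage result."""
        account = self.auth.confirm(token)
        if account is None:
            return False
        self.logged_in.add(account)
        return True


def honest_flow(auth, service, account, device_secret, inspection_key):
    """Fig. 7: the user's own browser and bound device complete both stages."""
    code = service.login(account)                       # S701-S703: the code reaches the device
    if code is None or not auth.browser_arrives(code, inspection_key):  # S704: typed into the address bar
        return False
    challenge = auth.second_channel[-1][1]              # S705: the device displays the challenge
    token = auth.receive_signature(code, sign(device_secret, challenge))  # S706
    return token is not None and service.redirected(token)               # S704-2, S707


def phisher_attempt(auth, service, account):
    """Figs. 9A/9B: a phishing site relays the login (S901'), but the brevity code goes to the real device and
    the S904 connection is made by the real browser, so the relay has nothing to continue with."""
    code = service.login(account)
    without_key = auth.browser_arrives(code, "guessed-or-absent-key")  # even a known code fails at S904-1
    forged_redirect = service.redirected("forged-token")              # and R1 rejects it at S907
    return without_key or forged_redirect
```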
Figs. 10A and 10B show the sequence diagram of the second embodiment when the user has accidentally connected to a phishing website. Note that most of the flow of the second embodiment is similar to that of the first; the main difference is how the brevity code is obtained. In the first embodiment (Figs. 9A, 9B) the brevity code is sent to the second-channel mobile device (M1), whereas in the second embodiment (Figs. 10A, 10B) it is pushed to the user's browser (B1); by entering or clicking it, the user's browser (B1) is redirected to the correct server, i.e. the authentication-service-provider application server (P1), thereby escaping the original connection and the risk of remaining on the phishing website. The flow of Figs. 10A and 10B is therefore not described in detail again.
In summary, the present invention proposes an on-line authentication method and an on-line certificate server. Under the mechanism of the invention, even if the user accidentally connects to a phishing website, the authentication flow initially started does not require any password to be entered, and the flow is fixed and can be interrupted, so a malicious party cannot steal any secret information. Furthermore, because the subsequent authentication entry point is notified by the authentication service server over a pre-registered, trusted second channel, and the authentication flow is re-initiated through it, the original phishing website is effectively interrupted and escaped, and the flow is redirected to the correct, genuine authentication entry point to complete the authentication task originally intended. The invention thus effectively solves the problems of existing authentication techniques in which authentication credentials are recorded, or in which accidentally entering a phishing website leads to identity theft or to a counterfeit user performing privileged operations.
The embodiments described above merely illustrate the principles and effects of the invention and do not limit it. Any person skilled in the art may modify and vary the above embodiments without departing from the spirit and scope of the invention. The scope of the invention should therefore be as set out in the appended claims.

Claims (10)

1. An on-line authentication method, comprising the steps of:
a user transmitting a service request to a service server through a browser at the user end;
the service server transmitting an authentication request to a certificate server;
the certificate server obtaining, according to the authentication request, the authentication device designated by the user, and transmitting an authentication brevity code to the user end, so that the browser connects by way of the authentication brevity code to a web interface designated by the certificate server, where the user is required to perform two-stage authentication using the authentication device;
the certificate server transmitting a signature verification request to the authentication device and, after receiving the digital signature returned by the authentication device, ending the two-stage authentication after checking the digital signature;
when the digital signature is correct, the certificate server transmitting a redirect notification to the browser to redirect the browser to the service server and request a connection, or, when the digital signature is incorrect, interrupting the authentication flow; and
the service server, on receiving the connection request, confirming the result of the two-stage authentication with the certificate server, and then allowing the service request made by the browser.
2. The on-line authentication method of claim 1, wherein the authentication device returning the digital signature comprises the authentication device returning the digital signature directly to the certificate server, or forwarding it to the certificate server through the service server.
3. The on-line authentication method of claim 1, wherein transmitting the authentication brevity code to the user end is transmitting the authentication brevity code to the authentication device, so that the user enters the authentication brevity code in the address bar of the browser to make the browser reconnect.
4. The on-line authentication method of claim 1, wherein transmitting the authentication brevity code to the user end is transmitting the authentication brevity code to the browser, so that the user clicks the authentication brevity code to make the browser reconnect.
5. The on-line authentication method of claim 1, wherein the browser and the authentication device transmit over different channels.
6. The on-line authentication method of claim 1, further comprising, before the user transmits the service request to the service server through the browser, setting at the certificate server the authentication device used for authentication, or setting the browser to be able to receive push notifications from the certificate server.
7. An on-line certificate server which, when a user makes a service request to a service server through a browser at the user end, performs identity authentication of the user, the on-line certificate server comprising:
a processing module which receives an authentication request from the service server and obtains, from a pre-stored look-up table according to the authentication request, the authentication device designated by the user;
a brevity code generation module which generates an authentication brevity code and transmits it to the user end, so that the browser connects by way of the authentication brevity code to a designated web interface, where the user is required to perform two-stage authentication using the authentication device;
a dynamic password module which performs the two-stage authentication, comprising transmitting a signature verification request to the authentication device and receiving the digital signature returned by the authentication device in order to check the digital signature; and
a notification module which transmits a redirect notification to the browser to redirect the browser to the service server, wherein, after the service server confirms the authentication result of the digital signature with the certificate server, the service request made by the browser is allowed.
8. The on-line certificate server of claim 7, wherein the authentication device returning the digital signature comprises the authentication device returning the digital signature directly to the certificate server, or forwarding it to the certificate server through the service server.
9. The on-line certificate server of claim 7, wherein transmitting the authentication brevity code to the user end is transmitting the authentication brevity code to the authentication device, so that the user enters the authentication brevity code in the address bar of the browser to make the browser reconnect, or transmitting the authentication brevity code to the browser, so that the user clicks the authentication brevity code to make the browser reconnect.
10. The on-line certificate server of claim 7, wherein, before the user makes the service request to the service server, it is further preset whether the authentication brevity code is received by the authentication device or received by the browser by way of push notification.
CN201610940156.7A 2016-10-25 2016-10-25 Certificate server and on-line identification method on line Pending CN107979575A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610940156.7A CN107979575A (en) 2016-10-25 2016-10-25 Certificate server and on-line identification method on line


Publications (1)

Publication Number Publication Date
CN107979575A true CN107979575A (en) 2018-05-01

Family

ID=62004120

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610940156.7A Pending CN107979575A (en) 2016-10-25 2016-10-25 Certificate server and on-line identification method on line

Country Status (1)

Country Link
CN (1) CN107979575A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102984121A (en) * 2011-06-02 2013-03-20 富士通株式会社 Access monitoring method and information processing apparatus
CN104394133A (en) * 2014-11-14 2015-03-04 百度在线网络技术(北京)有限公司 Login method and login system
CN104468592A (en) * 2014-12-12 2015-03-25 北京百度网讯科技有限公司 Login method and system
CN104468115A (en) * 2013-10-28 2015-03-25 安信通科技(澳门)有限公司 Information system access authentication method and device
CN104917766A (en) * 2015-06-10 2015-09-16 飞天诚信科技股份有限公司 Security authentication method for two-dimension code
US9171292B1 (en) * 2012-02-21 2015-10-27 Inveshare, Inc. Method and system for providing electronic delivery of regulated shareholder communications to account electronic mail addresses
CN105897424A (en) * 2016-03-14 2016-08-24 深圳奥联信息安全技术有限公司 Method for enhancing identity authentication
CN105991518A (en) * 2015-01-29 2016-10-05 杭州迪普科技有限公司 Network access authentication method and device



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication
Application publication date: 20180501