CN107979575A - Online authentication server and online authentication method - Google Patents
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1483—Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
Abstract
An online authentication server and an online authentication method are disclosed. The method includes: a user transmits a service request to a service server through a browser; the service server transmits an authentication request to an authentication server; the authentication server obtains, according to the authentication request, the authentication device designated by the user and transmits an authentication short code to the user end; the authentication server transmits a signature verification request to the authentication device and, after receiving the digital signature returned by the authentication device, verifies the digital signature and completes the two-stage authentication; when the digital signature is correct, the authentication server transmits a redirect notice to the browser so that the browser is redirected to the service server and requests a connection, and when the digital signature is incorrect, the authentication flow is interrupted; and when the service server receives the connection request, it confirms the result of the two-stage authentication with the authentication server and only then permits the service request made by the browser.
Description
Technical field
The present invention relates to online authentication techniques, and in particular to an online authentication server and online authentication method that can escape a phishing flow or avoid man-in-the-middle eavesdropping.
Background technology
With the spread of the Internet and of information devices, the services provided over networks have become increasingly diverse, and users can obtain a wide range of information services over the network from devices such as personal computers, notebook computers and smartphones. For example, a user can use a computer to download software over the network, shop online, or even transfer funds or trade stocks through mobile banking software.
Obtaining diverse and efficient services over the network is convenient, but information security concerns remain: a user's related information can easily be illegally intercepted, copied, destroyed, altered or misappropriated, and the user's information device may be attacked by viruses or other malicious programs. In recent years, network fraud has spread and phishing websites imitating genuine official websites have appeared in large numbers. Fraudsters use highly faithful phishing websites to make users believe they have connected to the real official website, and thereby steal the user's account number and password, and even critical authentication information.
Many solutions have been proposed to the problem of phishing-website fraud, such as installing an add-on kit in the user's browser so that, when the user mistakenly connects to a phishing website, the browser displays a warning that the site is a phishing website and the user refrains from further operation. However, this method requires client software to be installed at the browser end, and a database of which addresses are phishing websites must be built and frequently maintained for comparison.
But not all users have the authority, or a strong security awareness, so the user's willingness to install such client software in the browser is affected; if the user doubts its trustworthiness and declines to install it, a more serious man-in-the-middle or man-in-the-browser attack may result, whose degree of harm exceeds that of a phishing website that only steals account numbers and passwords. Such schemes therefore often meet considerable resistance in promotion and are difficult to deploy comprehensively.
There are also technologies for preventive search and identification of phishing websites, which use a search engine's mechanism of indexing and caching website content in advance to identify whether a website is a fraudulent website before the fact. When a user later searches for web pages, the phishing website can be excluded, filtered or omitted from the results, or a warning can be marked in the search results, to prevent the user from connecting to the fraudulent or phishing website. Although this method is effective, it is limited to web search and cannot avoid fraud by other means: for example, a fraudster sends the address of a phishing website through forged e-mail or through the increasingly popular instant messaging applications and thereby induces the user to click on or connect to the malicious website, and this method cannot effectively solve such problems.
To prevent a phishing website from having the opportunity to obtain the user's authentication information by deception, or to prevent connection packets from being intercepted, many websites encrypt the transmitted connection information with SSL certificates, or use two-factor authentication, that is, in addition to entering the account number and password, the user must also enter a dynamically generated one-time password (OTP), also called a disposable password, in the hope of reducing the risk of a leaked account number and password: even if the account number and password are stolen, the dynamic password is difficult to predict and cannot be reused, so the user can be effectively protected.
Although the above methods greatly reduce the risk after an account number and password leak, if the user connects to a fraudulent or phishing website at the outset and does not verify it, the account number, password and dynamic password may all be entered into the phishing website together. The protection of the dynamic password then comes to nothing: having obtained the user's account number, password and dynamic password, the fraudster can relay them to the true official website and perform privileged operations such as transferring funds, changing the account number and password, or changing data, as shown in Fig. 1.
In view of the risk that the dynamic password is stolen as above, technical solutions have been proposed that return the dynamic password through a second channel, reducing the chance that the user mistakenly enters critical information into the website originally requested for login (the first channel), so as to prevent the dynamic password from being stolen. As shown in Fig. 2, transmitting or returning the dynamic password over a heterogeneous channel (the second channel) effectively prevents a malicious party from stealing information such as the dynamic password within the same channel (for example by network interception, or by a keylogger installed on the computer), and greatly increases the difficulty of stealing key information.
Even with the above solution, if the user connects to a phishing website at the outset there is still a possibility that data is stolen. As shown in Fig. 3, the essential problem is that the phishing website's client-imitation program can simulate the real user and interact with the official website, altering the related information submitted by the real user along the way. After the user actively returns the authentication information on the second channel and the client-imitation program obtains the official website's success response, it immediately intervenes in the flow and replies to the real user with forged success information or an intermediate error such as a system maintenance notice, while the phishing website continues to interact with the official website in the meantime and performs privileged operations (such as changing data or transferring funds). By the time the real user notices anything unusual, the damage has already been done.
So although transmitting the dynamic password over a heterogeneous channel is good, it still carries risk: in particular, once the user is connected to a phishing website and fails to notice, the phishing website is at that moment a stealthy man-in-the-middle device sitting between the user and the official website, monitoring all exchanged information and then altering the user's data or executing services, because in such schemes the official website cannot be sure whether the party connected to it is the real user or a man-in-the-middle device.
In view of the problems that the above technical solutions cannot overcome, finding a secure online authentication mechanism, and in particular one that allows the user, after having already connected to a phishing website, to escape the existing connection so that the phishing website has no opportunity to impersonate the real user and cause subsequent harm, has become an important topic for those skilled in the art.
Summary of the invention
In view of the shortcomings of the prior art, the purpose of the present invention is to propose an online authentication server and online authentication method in which the browser at the user end uses an authentication short code to interrupt the page currently being browsed and open a new connection, directing the browser to a dedicated authentication waiting page, and thereby escaping the risk of being connected to a phishing website.
To achieve the above and other objects, the present invention proposes an online authentication method comprising the following steps: the user transmits a service request to a service server through the browser at the user end; the service server transmits an authentication request to an authentication server; the authentication server obtains, according to the authentication request, the authentication device designated by the user and transmits an authentication short code to the user end, so that the browser uses the authentication short code to connect again to a web interface designated by the authentication server, which requires the user to perform two-stage authentication with the authentication device; the authentication server transmits a signature verification request to the authentication device and, after receiving the digital signature returned by the authentication device, verifies the digital signature and completes the two-stage authentication; when the digital signature is correct, the authentication server transmits a redirect notice to the browser so that the browser is redirected to the service server and requests a connection, and when the digital signature is incorrect, the authentication flow is interrupted; and when the service server receives the connection request, it confirms the result of the two-stage authentication with the authentication server and only then permits the service request made by the browser.
In an embodiment, the authentication device returns the digital signature either directly to the authentication server or by way of the service server, which forwards it to the authentication server.
In another embodiment, transmitting the authentication short code to the user end means transmitting it to the authentication device, for the user to enter into the browser's address bar so that the browser connects again, or transmitting it to the browser so that the user clicks on the authentication short code and the browser connects again.
In another embodiment, the browser and the authentication device transmit over different channels.
In yet another embodiment, before the user transmits the service request to the service server through the browser, the method further includes setting the authentication device used for authentication at the authentication server, or setting the browser to receive push notifications from the authentication server.
The present invention further proposes an online authentication server that performs authentication of a user when the user makes a service request to a service server through the browser at the user end. The online authentication server includes: a processing module, which receives the authentication request from the service server and obtains the authentication device designated by the user according to the authentication request and a pre-stored comparison table; a short code generation module, which generates an authentication short code and transmits it to the user end so that the browser connects again, through the authentication short code, to the designated web interface, which requires the user to perform two-stage authentication with the authentication device; a dynamic password module, which performs the two-stage authentication, including transmitting a signature verification request to the authentication device and receiving the digital signature returned by the authentication device in order to verify it; and a notification module, which transmits a redirect notice to the browser so that the browser is redirected to the service server, where the service server, after confirming the verification result of the digital signature with the authentication server, permits the service request made by the browser.
In summary, the online authentication server and online authentication method of the present invention mainly, in the authentication stage, transmit an authentication short code that lets the user connect again to the authentication interface. This leaves the original phishing-website connection and then carries out the subsequent authentication procedure, so even if connecting to the phishing website may have let the account number and password be stolen, this mechanism leaves the connection with the stealthy man-in-the-middle device and avoids unknowingly completing the authentication on behalf of that device, which would cause all information to leak. In other words, when the user mistakenly connects to a phishing website, the present invention can effectively escape or terminate the fraud flow: by connecting again to the authentication interface through the authentication short code, the possible fraud risk of the existing connection is left behind and the subsequent authentication flow can continue; or, during the authentication flow, an anomaly caused by the stealthy man-in-the-middle device is discovered, the phishing tactic is seen through, and the authentication flow is terminated.
Brief description of the drawings
Fig. 1 is a sequence diagram of a possible defect of dynamic-password authentication in the prior art;
Fig. 2 is a sequence diagram of dynamic-password authentication over heterogeneous channels in the prior art;
Fig. 3 is a sequence diagram of a possible defect of dynamic-password authentication over heterogeneous channels in the prior art;
Fig. 4 is a step diagram of the online authentication method of the present invention;
Fig. 5 is an architecture diagram of the online authentication server of the present invention;
Fig. 6 is a flow chart of the pre-setup stage of the first implementation aspect of the online authentication method of the present invention;
Fig. 7 is a flow chart of the authentication stage of the first implementation aspect of the online authentication method of the present invention;
Fig. 8 is a flow chart of the authentication stage of the second implementation aspect of the online authentication method of the present invention;
Figs. 9A and 9B are sequence diagrams of the first implementation aspect of the present invention when a phishing website has been connected to by mistake; and
Figs. 10A and 10B are sequence diagrams of the second implementation aspect of the present invention when a phishing website has been connected to by mistake.
Symbol description:
5 online authentication server
51 processing module
52 short code generation module
53 dynamic password module
54 notification module
100 browser
200 service server
300 authentication device
S41~S46 steps
S601~S603 flows
S701~S707, S704-1, S704-2, S706' flows
S801~S807, S804-1, S804-2, S806' flows
S901~S907, S904-1, S904-2, S901' flows
S1001~S1007, S1001' flows.
Embodiments
Embodiments of the present invention are illustrated below by way of specific examples; those skilled in the art can readily understand other features and effects of the present invention from the content disclosed in this specification. The present invention can also be implemented or applied through other different specific embodiments.
Referring to Fig. 4, which illustrates the steps of the online authentication method of the present invention. When a user sends a service request through a browser, the back-end service server needs the authentication server to help confirm the user's identity. To prevent the user from being connected to a phishing website which then becomes a stealthy man-in-the-middle between the service server and the user end, the present invention proposes to interrupt the original connection during the authentication process and create a new connection, thereby effectively avoiding subsequent harm. The online authentication method of the invention includes the following steps.
In step S41, the user transmits a service request to the service server through the browser at the user end. Specifically, in this step the user sends a service request through the browser of an electronic device to the service server at the service-providing end, such as a bank's website.
In step S42, the service server transmits an authentication request to the authentication server. In this step, the service server at the service-providing end cannot ensure whether the user is a legitimate user, so it turns to the authentication-service-providing end and asks it to help confirm whether the user is legitimate, transmitting an authentication request to the authentication server at the authentication-service-providing end. This authentication request contains the information the user entered in the service request, such as account number, telephone number or identity.
In step S43, the authentication server obtains the authentication device designated by the user according to the authentication request and transmits an authentication short code to the user end, so that the browser uses the authentication short code to connect again to the web interface designated by the authentication server, which requires the user to perform two-stage authentication with the authentication device. In detail, the authentication server may store user-related data, such as a comparison table recording the authentication device, for example a mobile phone, that corresponds to each user identity. The comparison table may record that the name is Wang Xiaoming and that the telephone number used for authentication is 0912345678, so the authentication server can obtain the authentication device designated by the user from the content of the authentication request.
The authentication server then generates an authentication short code and transmits it to the user end. The user can enter this authentication short code into the browser's address bar to make the browser connect again to the web interface designated by the authentication server, and this web interface guides the user through two-stage authentication with the authentication device.
In an embodiment, transmitting the authentication short code to the user end may mean transmitting it to the user's authentication device; after obtaining the authentication short code from the authentication device, the user enters it into the browser's address bar so that the browser connects again.
In another embodiment, transmitting the authentication short code to the user end may instead mean transmitting it to the browser of the user's electronic device, for example by push notification, so that the user can click directly on the authentication short code to make the browser connect again.
In step S44, the authentication server transmits a signature verification request to the authentication device and, after receiving the digital signature returned by the authentication device, verifies the digital signature and completes the two-stage authentication. In this step, when two-stage authentication is performed, the authentication server sends a signature verification request to the user's authentication device; if the user confirms that this authentication relates to them, a digital signature is returned after the signature verification request is received. If the authentication server verifies the digital signature without error, the two-stage authentication is completed, in other words the user has passed identity authentication.
In an embodiment, the authentication device returns the digital signature directly to the authentication server. In another embodiment, the digital signature may be returned by way of the service server, which forwards it to the authentication server.
To ensure that packets in the transmission channel are not intercepted, in the present invention the browser and the authentication device transmit over different channels. For example, the browser may transmit through ordinary network packets while the authentication device may be a mobile phone that uses SMS for data transfer, so that a data thief cannot easily capture all the information across heterogeneous channels; for example, browser packets are transmitted in a first channel and authentication-device data in a second channel.
In step S45, when the digital signature is correct, the authentication server transmits a redirect notice to the browser so that the browser is redirected to the service server and requests a connection, and when the digital signature is incorrect, the authentication flow is interrupted. This step explains that when the digital signature is correct, that is, the user is a legitimate user, the authentication server sends a redirect notice to the user's browser, which is to say it lets the user's browser send a connection request to the service server. Conversely, if the authentication server finds after verification that the digital signature is wrong, the authentication flow is interrupted and this two-stage authentication is terminated, that is, the authentication server considers the user not to be a legitimate user, so the service server will subsequently receive the information that this user is illegitimate.
In step S46, when the service server receives the connection request, it confirms the result of the two-stage authentication with the authentication server and only then permits the service request made by the browser. In this step, the service server confirms the user's authentication result with the authentication server once more and, when the authentication server responds that the two-stage authentication is complete, permits the browser to connect and executes the service request it made.
In addition, before the user sends the service request through the browser, the online authentication method further includes the user setting, through the browser, the authentication device used for authentication at the authentication server, or setting the browser to receive push notifications from the authentication server. This is the pre-setup of the whole online authentication method; without it, two-stage authentication cannot be carried out.
Through the above steps, by suspending the authentication flow and transmitting the subsequent entry point of this authentication over a reliable second channel, combined with the digital-signature authentication mechanism of the authentication device, the risk that authentication information is stolen because the user mistakenly connected to a phishing website can be effectively resolved, the opportunity for man-in-the-middle eavesdropping and tampering can be excluded, and the security of user authentication and of the subsequent service is significantly improved.
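Steps S41 to S46 above, simulated end to end as an added example that is not the patent's own code: the four parties are in-process objects, an HMAC-SHA256 over a server challenge stands in for the authentication device's digital signature (so the authentication server holds the device key), an in-memory inbox stands in for the SMS or push second channel, and the account name, telephone number and code validity period are constructed. Besides the normal flow it covers the two failure modes the text describes: the device declines to sign, and a relay that never sees the short code tries to complete the connection.

```python
"""Simulation of the short-code, second-channel flow of steps S41-S46.
Added example, not the patent's implementation.  Assumptions: HMAC-SHA256
over a server challenge stands in for the device's digital signature; the
second channel is an in-memory inbox standing in for SMS or push."""
import hashlib
import hmac
import secrets
import time


class AuthDevice:
    """Second-channel mobile device (M1) bound in the pre-setup stage."""

    def __init__(self, phone, key):
        self.phone, self.key = phone, key
        self.inbox = []            # constructed stand-in for the SMS channel

    def sign(self, challenge, approve=True):
        """S44: the user confirms on the device; it returns a signature or nothing."""
        if not approve:
            return None
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class AuthServer:
    CODE_TTL = 120                 # seconds a short code stays valid (assumption)

    def __init__(self):
        self.table = {}            # account -> AuthDevice (the comparison table)
        self.pending = {}          # short code -> pending authentication
        self.tickets = {}          # one-time ticket -> (service, account)

    def bind(self, account, device):
        self.table[account] = device              # S602/S603 pre-setup

    def auth_request(self, account, service):
        """S42/S43: look up the device and send the short code on channel 2."""
        device = self.table[account]
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[code] = (account, service, time.monotonic() + self.CODE_TTL)
        device.inbox.append(code)
        return "pending"                          # the first channel learns nothing usable

    def browser_connect(self, code, approve=True):
        """S43-S45: the browser arrives over a NEW connection carrying the code."""
        entry = self.pending.pop(code, None)
        if entry is None or entry[2] < time.monotonic():
            return {"status": "interrupted"}
        account, service, _ = entry
        device = self.table[account]
        challenge = secrets.token_bytes(32)       # signature verification request
        signature = device.sign(challenge, approve)
        expected = hmac.new(device.key, challenge, hashlib.sha256).digest()
        if signature is None or not hmac.compare_digest(signature, expected):
            return {"status": "interrupted"}      # S45: wrong signature, stop
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = (service, account)
        return {"status": "redirect", "location": service, "ticket": ticket}

    def confirm(self, service, ticket):
        """S46: the service server asks whether this ticket passed stage two."""
        entry = self.tickets.pop(ticket, None)    # single use
        return entry[1] if entry and entry[0] == service else None


class ServiceServer:
    def __init__(self, name, auth):
        self.name, self.auth = name, auth

    def service_request(self, account):
        """S41/S42: forward the request; reply only that stage two is pending."""
        return self.auth.auth_request(account, self.name)

    def reconnect(self, ticket):
        """S45/S46: the browser comes back with the redirect; confirm, then serve."""
        account = self.auth.confirm(self.name, ticket)
        return f"granted:{account}" if account else "denied"


def run_flow(approve=True, code_reaches_browser=True):
    auth = AuthServer()
    alice = AuthDevice("0912345678", secrets.token_bytes(32))  # constructed user
    auth.bind("alice", alice)
    bank = ServiceServer("bank.example", auth)
    # S41/S42: the browser (or a relay sitting in front of it) asks for service
    assert bank.service_request("alice") == "pending"
    code = alice.inbox.pop()                      # arrives on the second channel
    if not code_reaches_browser:
        # The relay never learns the code, so no new connection is made and
        # any ticket it guesses is rejected in S46.
        return bank.reconnect(secrets.token_urlsafe(16))
    reply = auth.browser_connect(code, approve)   # S43-S45, new connection
    if reply["status"] != "redirect":
        return "interrupted"
    return bank.reconnect(reply["ticket"])        # S45/S46
```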
Referring to Fig. 5, which illustrates the architecture of the online authentication server of the present invention. As shown, the online authentication server 5 performs identity authentication of the user when the user makes a service request to the service server 200 through the browser 100, and the online authentication server 5 includes a processing module 51, a short code generation module 52, a dynamic password module 53 and a notification module 54.
The processing module 51 receives the authentication request from the service server 200 and obtains the authentication device 300 designated by the user according to the authentication request and the pre-stored comparison table. The service server 200 may be, for example, a bank's website or a service-providing website; the user sends a service request through the browser 100 of an electronic device to the service server 200 at the service-providing end, asking to log in and execute a service.
In addition, the online authentication server 5 can store user-related data, such as a comparison table recording the association between a user and the user's authentication device. Furthermore, the browser and the authentication device transmit over different channels.
The short code generation module 52 generates an authentication short code and transmits it to the user end, so that the browser 100 connects again through the authentication short code to the designated web interface, which requires the user to perform two-stage authentication with the authentication device 300. The authentication short code lets the user connect again to the web interface designated by the online authentication server 5; this interrupts the original connection and, for a user who has connected to a phishing website and is being authenticated, helps them leave the situation in which the phishing website is a stealthy man-in-the-middle. The web interface then informs the user that two-stage authentication is to be performed.
There are two ways of transmitting the authentication short code to the user end. The first is to transmit it to the user's authentication device, for the user to enter into the browser's address bar so that the browser connects again; the second is to transmit it to the browser, for example by push notification, so that the user clicks on the authentication short code and the browser connects again.
It follows that, before the service request is made to the service server 200, the short code generation module 52 further presets whether the authentication short code is to be received by the authentication device 300 or by the browser 100 via push notification.
The dynamic password module 53 performs the two-stage authentication, including transmitting a signature verification request to the authentication device 300 and receiving the digital signature returned by the authentication device 300 in order to verify it. When two-stage authentication is performed, the dynamic password module 53 sends a signature verification request to the user's authentication device 300; if the user confirms that this authentication is in order, a digital signature is returned, and if the online authentication server 5 verifies the digital signature without error, the two-stage authentication is completed, in other words the user has passed identity authentication; otherwise the authentication flow is interrupted.
There are also two ways for the authentication device 300 to return the digital signature: the first is for the authentication device 300 to return it directly to the online authentication server 5; the other is for it to be forwarded to the online authentication server 5 by way of the service server 200.
The notification module 54 transmits a redirect notice to the browser 100 so that the browser 100 is redirected to the service server 200, where the service server 200, after confirming the verification result of the digital signature with the online authentication server 5, permits the service request made by the browser 100. When the digital signature is correct, the notification module 54 transmits a redirect notice to the user's browser 100, that is, it lets the user's browser 100 send a connection request to the service server 200; the service server 200 then confirms the user's authentication result with the online authentication server 5 once more and, when the online authentication server 5 responds that the two-stage authentication is complete, permits the browser 100 to connect and executes the service request it made.
It follows that the authentication short code proposed by the present invention can halt the authentication flow and transmit the subsequent entry point of this authentication over a reliable second channel, which, together with the digital-signature authentication mechanism, effectively resolves the risk that authentication information is stolen because the user mistakenly connected to a phishing website and excludes the opportunity for man-in-the-middle eavesdropping and tampering.
To further illustrate the online authentication method proposed by the present invention for escaping a phishing flow and man-in-the-middle eavesdropping, practical operating situations are described below with flow charts and sequence diagrams. The method involves the user-end browser (B1), the second-channel mobile device (M1), the authentication-requesting application server (R1) and the authentication-service-providing application server (P1), and the online authentication method includes a pre-setup stage and an authentication-flow stage; the different aspects and the process flow of each stage are described below.
Referring to Fig. 6, which illustrates the flow chart of the pre-setup stage of the first implementation aspect of the online authentication method of the present invention.
In flow S601, before authenticating, the user must first use the browser (B1) to connect to the authentication-service-providing application server (P1) and register a unique user account for identification.
In flow S602, at least one second-channel mobile device (M1) is bound or initialized at the authentication-service-providing application server (P1). The second-channel mobile device (M1) must satisfy the authentication of the authentication-service-providing end, must be able to store at least one private key for producing electronic signatures in the future, and must also have the communication capability to receive or send information; it may be, for example, a mobile phone.
In flow S603, the user must link in advance with browser (B1) to the certification demand end application server (R1), be redirected by that server (R1) to the authentication service provide end application server (P1), and select at least one second channel mobile device (M1) to be used for later verification.
With the above flows the preliminary setup of the on-line identification method is complete; these settings allow the authentication device corresponding to the user to be found quickly during later authentication. The authentication device referred to here is the second channel mobile device (M1).
Referring next to Fig. 7, a flow chart of the authentication stage in the first implementation of the on-line identification method of the present invention; that is, after the preliminary setup flows above, the user may request authentication.
In flow S701, the user links with browser (B1) to the certification demand end application server (R1) intending to perform a privileged operation such as logging in or transferring funds.
In flow S702, after the certification demand end application server (R1) receives the request, it submits a user authentication request to the authentication service provide end application server (P1).
In flow S703, after the authentication service provide end application server (P1) receives the authentication request, it determines from the incoming parameters the authentication device the user bound in advance, generates an authentication brevity code that is unique within a given time window for this authentication (hereafter "brevity code"), and sends the brevity code to the second channel mobile device (M1) the user bound in advance.
In flow S704, the user reads the brevity code received on the second channel mobile device (M1) and enters it in the address bar of browser (B1). This action makes browser (B1) leave the page it was originally on and link to the web interface specified by the authentication service provide end application server (P1). On that page the user is prompted to complete the two-stage verification with the second channel mobile device (M1), and a countdown wait begins for the user's next action, shown as flow S704-1 in the figure.
In flow S705, after the authentication service provide end application server (P1) receives the request of the previous flow, it uses the information of this authentication stage to send a signature verification request to the second channel mobile device (M1) bound in advance by the user, and prompts the user on the second channel mobile device (M1) whether to agree to this signature verification.
In flow S706, after the user inspects the information shown on the second channel mobile device (M1) and agrees to release this authentication, the user signs this authentication challenge information with the function provided on the second channel mobile device (M1), and the digital signature is returned to the authentication service provide end application server (P1).
Alternatively, the digital signature can be returned to the authentication service provide end application server (P1) by way of the certification demand end application server (R1), as shown in flow S706' in the figure. Flows S706 and S706' are alternatives; one of them is used.
Then, as shown in flow S704-2, after the authentication service provide end application server (P1) receives the returned digital signature for this authentication, it checks whether the signature is correct. If it is correct, the waiting loop of S704-1 stops and a redirect notice is sent to the user's end browser (B1), redirecting the page to the certification demand end application server (R1); if the signature is incorrect, the authentication flow is interrupted.
In flow S707, after the certification demand end application server (R1) receives the S704-2 request sent by the user's end browser (B1), it immediately re-confirms with the authentication service provide end application server (P1) whether the user passed authentication. If so, the access of S704-2 is allowed; if not, the user's connection is refused.
From the foregoing, the certification brevity code halts the authentication flow and delivers its subsequent entry point over a reliable second channel; combined with the digital-signature authentication mechanism, this effectively removes the risk that a user's credentials are stolen after connecting to a phishing website by mistake, and excludes the opportunity for a man-in-the-middle to eavesdrop or tamper.
Referring to Fig. 8, a flow chart of the authentication stage in the second implementation of the on-line identification method of the present invention. Note that in this implementation the preliminary setup must likewise be completed before on-line authentication; it is similar to the flow of Fig. 6 and likewise lets the authentication device corresponding to the user (the second channel mobile device (M1)) be found quickly during later authentication, so it is not repeated. The authentication flow after the user files a request is described directly below.
In flow S801, the user links with browser (B1) to the certification demand end application server (R1) intending to perform a privileged operation such as logging in or transferring funds.
In flow S802, after the certification demand end application server (R1) receives the request, it submits a user authentication request to the authentication service provide end application server (P1).
In flow S803, after the authentication service provide end application server (P1) receives the authentication request, it determines from the incoming parameters the authentication device the user bound in advance, generates an authentication brevity code that is unique within a given time window for this authentication (hereafter "brevity code"), and sends the brevity code, using push technology or a similar technique, to the user's end browser (B1) that the user authorized in advance.
In flow S804, after the user's end browser (B1) receives the pushed brevity code, the user can click the link in the brevity code. This action makes browser (B1) leave the page it was originally on and link to the web interface specified by the authentication service provide end application server (P1). On that page the user is prompted to complete the two-stage verification with the second channel mobile device (M1), and a countdown wait begins for the user's next action, shown as flow S804-1 in the figure.
In flow S805, after the authentication service provide end application server (P1) receives the request of the previous flow, it uses the information of this authentication stage to send a signature verification request to the second channel mobile device (M1) bound in advance by the user, and prompts the user on the second channel mobile device (M1) whether to agree to this signature verification.
In flow S806, after the user inspects the information shown on the second channel mobile device (M1) and agrees to release this authentication, the user signs this authentication challenge information with the function provided on the second channel mobile device (M1), and the digital signature is returned to the authentication service provide end application server (P1).
Alternatively, the digital signature can be returned to the authentication service provide end application server (P1) by way of the certification demand end application server (R1), as shown in flow S806' in the figure; flows S806 and S806' are alternatives, one of which is used.
Then, as shown in flow S804-2, after the authentication service provide end application server (P1) receives the returned digital signature for this authentication, it checks whether the signature is correct. If it is correct, the waiting loop of S804-1 stops and a redirect notice is sent to the user's end browser (B1), redirecting the page to the certification demand end application server (R1); if the signature is incorrect, the authentication flow is interrupted.
In flow S807, after the certification demand end application server (R1) receives the S804-2 request sent by the user's end browser (B1), it immediately re-confirms with the authentication service provide end application server (P1) whether the user passed authentication. If so, the access of S804-2 is allowed; if not, the user's connection is refused.
The above explains how the user is authenticated when requesting a service. The following describes the flow of the on-line identification method proposed by the present invention when the user connects to a phishing website by mistake. Specifically, Figs. 9A and 9B and Figs. 10A and 10B correspond to Fig. 7 and Fig. 8 respectively. The main difference lies in flow S701 of Fig. 7 and flow S801 of Fig. 8: when the user's end browser (B1) wants to connect to the certification demand end application server (R1), the connection is intercepted midway by a phishing website's imitation client that impersonates the real user. The phishing website then becomes a stealthy man-in-the-middle device; without the user's knowledge it may complete the authentication in the user's place, so that the phishing website substitutes for the real user, links to the certification demand end application server (R1) and performs services such as transferring funds or changing a password.
Therefore flow S701 of Fig. 7 can be regarded as S901 and S901' in Fig. 9A, because it is intercepted midway by the phishing website: the login request S901 sent by the user's end browser (B1) goes to the phishing website (connected to by mistake), and the phishing website alters part of its content and forwards login request S901' to the certification demand end application server (R1). Similarly, flow S801 of Fig. 8 can be regarded as S1001 and S1001' in Fig. 10A, because it too is intercepted midway by the phishing website: the login request S1001 sent by the user's end browser (B1) goes to the phishing website, which alters part of its content and forwards login request S1001' to the certification demand end application server (R1).
Figs. 9A and 9B show the sequence diagram of the first implementation of the present invention when a phishing website is connected to by mistake. At the start of the flow, the phishing scam website sends out fraudulent e-mails or text messages, or uses social communication software, to lure the user into clicking a forged link, so that the user mistakenly connects to a highly faithful imitation of a bank's official website (i.e. the phishing website), whose prompts induce the user to log in in order to proceed. Because the user fails to recognize it as a phishing scam website, the user sends a login request to the imitation client specified by the phishing website, as in flow S901 in the figure.
Under the mechanism of the present invention the user should understand that no confidential credential such as a password needs to be entered at any authentication step; only simple, public identification information such as an account number is provided. Moreover, once that simple, public identification information has been entered, the initial authentication flow should be complete and the web page can only show a simple prompt such as "your authentication request has been submitted"; the page is then inactive, and a normal user will not be asked to continue with any further step on it. If the phishing website tries to steal more information or lures the user into further operations on the page, the user will notice the anomaly and see through the scam. Therefore, even if this flow is completed, the phishing website can steal only public information of no consequence.
In flow S901', on receiving this request the phishing scam website alters part of its content and, pretending to be the real user, sends a login request to the certification demand end application server (R1)/bank for a transfer.
In flow S902, after the certification demand end application server (R1) receives the authentication request, it forwards the authentication request to the authentication service provide end application server (P1) for the subsequent authentication flow.
In flow S903, after the authentication service provide end application server (P1) receives the authentication request, it determines from the incoming parameters the authentication device the user bound in advance, generates a brevity code unique within a given time window for this authentication, and sends the brevity code to the second channel mobile device (M1) the user bound in advance.
In flow S904, after obtaining the certification brevity code on the second channel mobile device (M1), the user enters the brevity code in the address bar of the user's end browser (B1) and presses execute; the input may be by keyboard or by means such as Bluetooth or NFC. This interrupts the page the user's end browser (B1) is currently browsing (e.g. when the current page is not a blank page) and opens a new connection that guides the browsing page to the exclusive authentication waiting page specified by the authentication service provide end application server (P1) (a page specific to this user and valid for a single, limited time window), as in flow S904-1 in the figure. If desired, a check prepared during the earlier registration stage can also be performed: an "inspection key" buried in the browser that only the authentication service provide end application server (P1) can read is checked for consistency, and if it does not match, the authentication flow is interrupted.
During the waiting process of flow S904-1, the user's end browser (B1) prompts the user to approve the authentication on the second channel mobile device (M1), and the page keeps counting down until the user passes verification by approving it, or the countdown ends and the verification flow is suspended.
While the user's end browser (B1) is in the waiting process of flow S904-1, the authentication service provide end application server (P1) sends the signature request for this authentication to the second channel mobile device (M1), as in flow S905 in the figure. After being prompted on the second channel mobile device (M1), the user decides whether to approve this authentication. If the user approves, the function provided on the second channel mobile device (M1) is used to sign this authentication challenge information, and the digital signature is returned to the authentication service provide end application server (P1), as in flow S906 in the figure.
After the authentication service provide end application server (P1) receives the returned digital signature for this authentication, it checks whether the signature is correct. If it is correct, the waiting loop of flow S904-1 stops and a redirect notice is sent to the user's end browser (B1), redirecting the page to the certification demand end application server (R1)/bank, as in flow S904-2 in the figure. If the signature is incorrect, the authentication flow is interrupted.
After the certification demand end application server (R1)/bank receives the flow S904-2 request sent by the user's end browser (B1), it immediately re-confirms with the authentication service provide end application server (P1) whether the user passed authentication, as in flow S907 in the figure. If so, the access of flow S904-2 is allowed and the user is marked as authenticated; at this point the user has correctly completed authentication. Otherwise the user's connection is refused.
Specifically, the certification brevity code sent in flow S903 is delivered to the second channel mobile device (M1) over a trusted channel or by an encrypted method. Unless the trusted second channel mobile device (M1) is itself held or cracked by a malicious party, nobody other than the real user knows this certification brevity code; in other words, a malicious party cannot easily learn it and perform the action of flow S904.
Taking a step back, even if a malicious party brute-forces or guesses the brevity code, suitable protective design, such as the aforementioned mechanism of checking the "inspection key" buried in the browser that only the authentication service provide end application server (P1) can read, means the check in flow S904-1 still cannot be passed. Further, since flow S904 is a connection initiated by the user in a separate stage, that is, a "voluntary connection" to the authentication service provide end application server (P1), this connection stage can be encrypted with SSL or a similar encryption mechanism. Because by the method of the present invention the user is no longer linked to the phishing website, the earlier mistaken connection to the phishing website no longer matters and the phishing scam flow is escaped under this mechanism. Even if a malicious party uses network interception, the connection is to the correct website and correctly encrypted, so only encrypted information can be intercepted.
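The redirect-step protections discussed above (flow S904, the "inspection key" planted in the browser during registration, and the argument that a guessed or brute-forced brevity code still fails the S904-1 check), as an added example that is not part of the patent. It models how P1 can gate the waiting page: the brevity code must be known, unused and fresh, and the browser presenting it must also present the inspection key that was registered for that account; a mismatch interrupts the flow so the same code cannot be retried. The key is derived here as an HMAC of the account under a P1 secret and is assumed to be stored by the browser as a value only P1 reads back (for instance a cookie scoped to P1's origin); that derivation, the storage choice, the 120-second lifetime, the account name and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_LIFETIME_S = 120  # assumed lifetime of a certification brevity code


class RedirectGateP1:
    """Checks P1 applies when a browser arrives with a brevity code (flow S904)."""
    def __init__(self, server_secret):
        self.server_secret = server_secret
        self.codes = {}  # brevity code -> {"account", "issued", "state"}

    def issue_inspection_key(self, account):
        """Registration stage: value planted in the browser that only P1 can verify (assumed HMAC derivation)."""
        return hmac.new(self.server_secret, account.encode(), hashlib.sha256).hexdigest()

    def issue_code(self, account, now=None):
        """Flow S903: mint a brevity code valid once, for a limited time, for this account."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[code] = {"account": account, "issued": time.time() if now is None else now, "state": "ISSUED"}
        return code

    def check_arrival(self, code, presented_key, now=None):
        """Flow S904: may the browser presenting `code` open the waiting page (S904-1)?
        Returns (accepted, reason). Any failure interrupts the flow, so the code cannot be retried."""
        now = time.time() if now is None else now
        rec = self.codes.get(code)
        if rec is None:
            return False, "unknown code"
        if rec["state"] != "ISSUED":
            return False, "code already used or interrupted"
        if now - rec["issued"] > CODE_LIFETIME_S:
            rec["state"] = "EXPIRED"
            return False, "code expired"
        expected = self.issue_inspection_key(rec["account"])
        if presented_key is None or not hmac.compare_digest(expected, presented_key):
            rec["state"] = "INTERRUPTED"   # the patent's "interrupt the authentication flow"
            return False, "inspection key mismatch"
        rec["state"] = "WAITING"           # the S904-1 waiting page may now be shown
        return True, "ok"


def demo():
    """Walk through the cases the text discusses; returns the reason given for each arrival."""
    p1 = RedirectGateP1(secrets.token_bytes(32))   # constructed server secret
    key = p1.issue_inspection_key("alice")         # planted in alice's browser at registration
    t0 = 1_000_000.0                               # constructed clock so the demo is deterministic
    results = []
    code = p1.issue_code("alice", now=t0)
    results.append(p1.check_arrival(code, key, now=t0 + 5)[1])    # genuine browser: ok
    results.append(p1.check_arrival(code, key, now=t0 + 6)[1])    # replay of an already-used code
    code = p1.issue_code("alice", now=t0)
    results.append(p1.check_arrival(code, None, now=t0 + 5)[1])   # guessed code, no inspection key
    results.append(p1.check_arrival(code, key, now=t0 + 6)[1])    # genuine user after the interruption
    code = p1.issue_code("alice", now=t0)
    results.append(p1.check_arrival(code, key, now=t0 + 500)[1])  # stale code beyond its lifetime
    return results
```

The fourth case shows the trade-off of interrupting on mismatch: once a wrong key has been presented for a code, the legitimate user must start a new authentication rather than reuse that code. That is the behaviour the text asks for ("interrupt the authentication flow"), and it also means a guess costs the attacker the code it was made against.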
Figs. 10A and 10B show the sequence diagram of the second implementation of the present invention when a phishing website is connected to by mistake. Note that most flows of the second implementation are similar to those of the first; the main difference between them is how the certification brevity code is obtained. In the first implementation (Figs. 9A, 9B) the brevity code is sent to the second channel mobile device (M1), whereas in the second implementation (Figs. 10A, 10B) the brevity code is pushed to the user's end browser (B1), and by entering or clicking it the user's end browser (B1) is redirected to the correct server, namely the authentication service provide end application server (P1), thereby escaping the original connection and the risk of remaining on the phishing website. The flows of Figs. 10A and 10B are therefore not described one by one.
In conclusion, the present invention proposes an on-line identification method and an on-line certificate server. With the mechanism of the present invention, even if the user connects to a phishing scam website by mistake, the authentication flow initially started does not require entering any password information, and the flow is fixed and can be interrupted, so a malicious party cannot steal any secret information. Furthermore, because the subsequent authentication entry point is notified by the authentication service server through a pre-registered, trusted second channel, and the authentication flow is re-initiated from there, the original phishing website is effectively interrupted and escaped, and the user is redirected to the correct, genuine authentication entry point to complete the original authentication task. The present invention therefore effectively solves the problems of existing authentication techniques in which credentials are logged, or identity is stolen after straying into a phishing website, or a forged identity is used to perform privileged operations.
The above embodiments merely illustrate the principles and effects of the present invention and do not limit it. Any person skilled in the art may modify and change the above embodiments without departing from the spirit and scope of the present invention. The scope of the present invention should therefore be as set out in the appended claims.
Claims (10)
1. An on-line identification method, comprising the steps of:
a user transmitting a service request to a service server through a browser at the user's end;
the service server transmitting an authentication request to a certificate server;
the certificate server obtaining, according to the authentication request, the authentication device specified by the user, and transmitting a certification brevity code to the user's end, so that the browser links again, by way of the certification brevity code, to the web interface specified by the certificate server, which requires the user to perform two-stage authentication with the authentication device;
the certificate server transmitting a signature verification request to the authentication device and, after the certificate server receives the digital signature returned by the authentication device, ending the two-stage authentication after checking the digital signature;
when the digital signature is correct, the certificate server transmitting a redirect notice to the browser to redirect the browser to the service server and request a connection, or, when the digital signature is incorrect, interrupting the authentication flow; and
the service server, on receiving the connection request, confirming the result of the two-stage authentication with the certificate server and then allowing the service request proposed by the browser.
2. The on-line identification method of claim 1, wherein returning the digital signature includes the authentication device returning the digital signature directly to the certificate server, or forwarding it to the certificate server by way of the service server.
3. The on-line identification method of claim 1, wherein transmitting the certification brevity code to the user's end is transmitting the certification brevity code to the authentication device, for the user to enter the certification brevity code in the address bar of the browser to make the browser connect again.
4. The on-line identification method of claim 1, wherein transmitting the certification brevity code to the user's end is transmitting the certification brevity code to the browser, so that the user clicks the certification brevity code to make the browser connect again.
5. The on-line identification method of claim 1, wherein the browser and the authentication device transmit over different channels.
6. The on-line identification method of claim 1, wherein, before the user transmits the service request to the service server through the browser, the method further includes setting, at the certificate server, the authentication device used for authentication, or setting the browser to be able to receive pushes from the certificate server.
7. An on-line certificate server which, when a user proposes a service request to a service server through a browser at the user's end, performs authentication of the user, the on-line certificate server comprising:
a processing module, which receives an authentication request from the service server and, according to the authentication request, obtains the authentication device specified by the user from a pre-stored lookup table;
a brevity code generation module, which generates a certification brevity code and transmits it to the user's end, so that the browser links again, by way of the certification brevity code, to the specified web interface, which requires the user to perform two-stage authentication with the authentication device;
a dynamic password module, which performs the two-stage authentication, including transmitting a signature verification request to the authentication device and receiving the digital signature returned by the authentication device in order to check the digital signature; and
a notification module, which transmits a redirect notice to the browser to redirect the browser to the service server, wherein, after the service server confirms the authentication result of the digital signature with the certificate server, the service request proposed by the browser is allowed.
8. The on-line certificate server of claim 7, wherein returning the digital signature includes the authentication device returning the digital signature directly to the certificate server, or forwarding it to the certificate server by way of the service server.
9. The on-line certificate server of claim 7, wherein transmitting the certification brevity code to the user's end is transmitting the certification brevity code to the authentication device so that the user enters the certification brevity code in the address bar of the browser to make the browser connect again, or transmitting the certification brevity code to the browser so that the user clicks the certification brevity code to make the browser connect again.
10. The on-line certificate server of claim 7, wherein, before the user proposes the service request to the service server, it is further preset whether the certification brevity code is received by the authentication device or received by the browser by way of push.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610940156.7A CN107979575A (en) | 2016-10-25 | 2016-10-25 | Certificate server and on-line identification method on line |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107979575A true CN107979575A (en) | 2018-05-01 |
Family
ID=62004120
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20180501 |