CN109874141A - A kind of method and device of mobile phone terminal secure accessing information network - Google Patents
- Publication number: CN109874141A
- Application number: CN201910194167.9A
- Authority: CN (China)
- Legal status: Pending (the status is an assumption by Google and not a legal conclusion)
Abstract
The invention discloses a method and device for secure access of a mobile phone terminal to an information network. The method comprises the following steps: importing the user information and mobile phone terminal information that are allowed to access into an information authentication system, and generating an information verification white list; constructing a one-to-one legitimacy mapping table of users, mobile phone terminals and user digital certificates, and importing it into the network controller in advance; the network controller obtaining the user information and mobile phone terminal information of the access request, and comparing them with the information in the generated information verification white list; when the requesting user information and mobile phone terminal information are present in the information verification white list, comparing the requesting user, mobile phone terminal and digital certificate with the pre-imported legitimacy mapping table; if they are consistent, allowing the mobile phone terminal to access the information network; otherwise, denying access. The method enables a mobile phone terminal to access an information network securely, efficiently and flexibly.
Description
Technical field
The present invention relates to a method for secure access of a mobile phone terminal to an information network, and to a device implementing this method, and belongs to the technical field of network security.
Background technique
An information network usually needs to authenticate the identity of a user before providing a service, and may encrypt subsequent communication data, so that only legitimate users can use the relevant resources, services or functions. Using a digital certificate is currently a common security mechanism for solving this problem. By using a digital certificate bound to the user, together with a PKI system, VPN technology and the like, the complexity for the user can be reduced and the security of identity authentication improved.
Mobile phone terminals obtain various data resources and services through information networks. The number of accessing devices is large and the volume of data exchanged is high. There is an urgent need for secure and reliable access of mobile phone terminals to information networks that also takes convenience into account.
The terminal identification means mainly used at present judge and verify collected terminal characteristic information, including the USBKEY serial number, digital certificate serial number, mobile terminal serial number and user fingerprint characteristic information. These items of terminal characteristic information are uploaded to a secure access gateway over an encrypted tunnel; the secure access gateway verifies the integrity and validity of the terminal characteristic information and decides, according to the verification result, whether the terminal may access the protected server.
As shown in Figure 1, existing mobile terminal access to an information network mainly comprises the following steps. First, an encrypted tunnel is established: the client calls the USBKEY and the digital certificate stored in it and, according to the SSL VPN protocol, completes bidirectional identity verification based on the digital certificate and negotiation of an encrypted tunnel based on the SM1 national commercial cryptographic algorithm. Then the client collects the user's fingerprint characteristic information. The client also collects terminal characteristic information, including the USBKEY serial number, digital certificate serial number and mobile terminal serial number. Finally, the client uploads the user fingerprint characteristic information together with the terminal characteristic information to the secure access gateway; the gateway searches its database according to each item of the terminal characteristic information and judges its legitimacy. If the information is illegitimate, the terminal is prevented from accessing the network server; if the information is legitimate, the terminal may access the network server.
However, the existing technology for terminal access to information network servers has the following disadvantages:
1) The USBKEY cryptographic module is only applicable to dedicated mobile terminals or laptops with a USB interface; it is not suitable for mobile phone terminals, which cannot use cryptographic modules such as USBKEY.
2) When terminal characteristic information is collected and transmitted, only the digital certificate serial number is sent, rather than the digital certificate itself after signing, which presents a security risk.
3) The validity of the digital certificate is not queried in real time, so a terminal whose digital certificate has expired or been revoked can still enter the information network.
4) Fingerprints are used for user identity authentication, which are easy to impersonate or tamper with; for example, a fingerprint film made from a user's captured fingerprint information can be used to impersonate the user, creating a security risk.
Summary of the invention
In view of the deficiencies of the prior art, the primary technical problem to be solved by the present invention is to provide a method for secure access of a mobile phone terminal to an information network.
Another technical problem to be solved by the present invention is to provide a device implementing the method for secure access of a mobile phone terminal to an information network.
To achieve the above object, the present invention adopts the following technical solutions:
According to a first aspect of the embodiments of the present invention, a method for secure access of a mobile phone terminal to an information network is provided, comprising the following steps:
importing the user information and mobile phone terminal information that are allowed to access into an information authentication system, and generating an information verification white list;
constructing a one-to-one legitimacy mapping table of users, mobile phone terminals and user digital certificates, and importing it into the network controller in advance;
the network controller obtaining the user information and mobile phone terminal information of the access request, and comparing the requesting user information and mobile phone terminal information with the information in the generated information verification white list;
when the requesting user information and mobile phone terminal information are present in the information verification white list, comparing the requesting user, mobile phone terminal and user digital certificate with the pre-imported legitimacy mapping table; if consistent, allowing the mobile phone terminal to access the information network; otherwise, denying access.
Preferably, importing the user information and mobile phone terminal information that are allowed to access into the information authentication system and generating the information verification white list comprises the following steps:
importing the portrait information of legitimate users allowed to access into a portrait data system deployed in the information network in advance, and establishing a portrait information white list;
importing the IMEI information of legitimate mobile phone terminals allowed to access into a terminal management and control system deployed in the information network in advance, and establishing an IMEI white list.
Preferably, the mobile phone terminal client obtaining the user information and mobile phone terminal information of the access request and comparing them with the information in the generated information verification white list comprises: sending the obtained portrait information of the mobile phone terminal's user and the IMEI information of the mobile phone terminal to the network controller, and the network controller comparing the obtained portrait information of the user and the IMEI information of the mobile phone terminal with the information in the portrait information white list and the IMEI white list respectively.
Preferably, sending the obtained portrait information of the mobile phone terminal's user to the network controller, and the network controller comparing it with the information in the portrait information white list, comprises the following steps:
obtaining the portrait information of the user of the mobile phone terminal and signing the portrait information;
sending the signed portrait information to the network controller;
the network controller verifying the signature on the portrait information and, by querying the portrait information white list, verifying whether the requesting user is the genuine user of the mobile phone terminal: when the portrait information exists in the portrait information white list, the requesting user is the genuine user of the mobile phone terminal; otherwise, the network access of the mobile phone terminal is stopped.
Preferably, sending the obtained IMEI information of the mobile phone terminal to the network controller, and the network controller comparing it with the information in the IMEI white list, comprises the following steps:
the mobile phone terminal client reading the IMEI information of the terminal and signing it;
the mobile phone terminal client sending the signed IMEI information to the network controller over a wireless transmission link;
the network controller verifying the signature on the IMEI information and, by querying the IMEI white list of the terminal management and control system, verifying whether the access of the mobile phone terminal is legitimate. If legitimate, proceed to the next step; if illegitimate, the network access of the mobile phone terminal is stopped.
Preferably, when the requesting user information and mobile phone terminal information are present in the information verification white list, before comparing the requesting user, mobile phone terminal and user digital certificate with the pre-imported legitimacy mapping table, the method further comprises the following step:
sending the obtained user digital certificate to the network controller, and querying the validity of the digital certificate through the certificate directory service.
Preferably, sending the obtained user digital certificate to the network controller and querying the validity of the user digital certificate through the certificate directory service comprises the following steps:
reading the user digital certificate, and sending the signed user digital certificate to the network controller;
the network controller verifying the signature on the signed user digital certificate;
the network controller querying the validity of the user digital certificate in real time through the certificate directory service.
Preferably, the method for secure access of a mobile phone terminal to an information network further comprises the following step:
while the mobile phone terminal is connected to the information network, repeatedly verifying the IMEI and digital certificate of the mobile phone terminal that requested access, and promptly stopping the network connection when the user digital certificate becomes invalid or the IMEI is deregistered.
According to a second aspect of the embodiments of the present invention, a device for secure access of a mobile phone terminal to an information network is provided, comprising a mobile phone terminal cryptographic module, a mobile phone terminal client, a mobile phone terminal, a network controller and an information authentication system;
wherein the mobile phone terminal cryptographic module is configured to generate the information needed for digital signature and signature verification according to the terminal cryptographic module type selected by the user, and to provide the user digital certificate;
the mobile phone terminal client is configured to obtain mobile phone terminal verification information from the mobile phone terminal and the mobile phone terminal cryptographic module respectively, and to send the signed mobile phone terminal verification information to the network controller;
the network controller is configured to verify the signature on the mobile phone terminal verification information sent by the mobile phone terminal client, and to verify the signature-checked mobile phone terminal verification information against the information stored in the information authentication system.
Preferably, the information authentication system comprises a portrait data system, a terminal management and control system and a certificate directory service;
the portrait data system is used for importing the portrait information of legitimate users to provide a portrait information white list;
the terminal management and control system establishes secure communication with the network controller and is used for importing the IMEI numbers of legitimate mobile phone terminals to provide an IMEI white list;
the certificate directory service is used for synchronizing the digital certificate data of the PKI system and provides a real-time digital certificate validity query interface.
The method for secure access of a mobile phone terminal to an information network provided by the present invention confirms the true identity of the user through portrait recognition and face comparison verification; it prevents the mobile phone terminal from being tampered with or forged through confirmation of the IMEI information; and since mobile phones of different models and different users use different cryptographic modules, including TF card, inSE, TEE and pasting card, it automatically retrieves these cryptographic modules, reads the user digital certificate from each kind of cryptographic module and queries its validity in real time, making mobile phone terminal authentication more secure, reliable and timely. Finally, by establishing a one-to-one binding relationship between person, machine and certificate, it prevents the user, terminal, security module or application service from being forged or tampered with, and avoids situations in which a certificate is issued to an illegitimate user or an invalid certificate remains effectively associated with a user. It thereby effectively secures the entry of real users into the information network using legitimate mobile phones, reduces the possibility of security risks such as impersonation of the mobile phone terminal, and enables secure, efficient and flexible access of mobile phone terminals to the information network.
Detailed description of the invention
Fig. 1 is a flow chart of the prior-art secure access of a terminal to an information network server;
Fig. 2 is a structural schematic diagram of the device for secure access of a mobile phone terminal to an information network provided by the present invention;
Fig. 3 is a flow chart of the method for secure access of a mobile phone terminal to an information network provided by the present invention;
Fig. 4 is a flow chart of the method for secure access of a mobile phone terminal to an information network in Embodiment 1 provided by the present invention;
Fig. 5 is a flow chart of the method for secure access of a mobile phone terminal to an information network in Embodiment 2 provided by the present invention.
Specific embodiment
The technical content of the present invention is described in detail below with reference to the drawings and specific embodiments.
In order to overcome the deficiencies of existing methods and devices for terminal access to information networks, the present invention proposes a method and device for secure access of a mobile phone terminal to an information network that combines personnel verification (portrait recognition and face comparison verification), terminal authentication (IMEI legitimacy) and certificate verification (obtaining the user digital certificate from the cryptographic module of different user terminals and querying its validity in real time), and performs a corresponding binding of person, machine and certificate. It has the following advantages in particular:
First, portrait recognition and face comparison verification can confirm the true identity of the user. Second, the IMEI (International Mobile Equipment Identity) number is the unique identifier of the mobile phone terminal, its "identity card", and cannot be tampered with or forged. Third, mobile phones of different models and different users use different cryptographic modules, including TF card, inSE (Inside Security Element, built-in security chip), TEE (Trusted Execution Environment) and pasting card; these cryptographic modules need to be retrieved automatically, and the user digital certificate can be read from each kind of cryptographic module and its validity queried in real time, making mobile phone terminal authentication more secure, reliable and timely. Fourth, establishing a one-to-one binding relationship between person, machine and certificate prevents the user, terminal, security module or application service from being forged or tampered with, and avoids situations in which a certificate is issued to an illegitimate user or an invalid certificate remains effectively associated with a user, thereby effectively securing the entry of real users into the information network using legitimate mobile phones and reducing the possibility of security risks such as impersonation of the mobile phone terminal. Therefore, the present invention proposes a method and device for secure access of a mobile phone terminal to an information network that achieves secure, efficient and flexible access.
As shown in Fig. 2, the device for secure access of a mobile phone terminal to an information network provided by the present invention comprises a mobile phone terminal cryptographic module, a mobile phone terminal client, a mobile phone terminal, a network controller and an information authentication system. The mobile phone terminal cryptographic module is used for generating the information needed for digital signature and signature verification according to the terminal cryptographic module type selected by the user, and for providing the user digital certificate. Specifically, the mobile phone terminal cryptographic module provides key generation, certificate request assembly, digital signature, signature verification, encryption and decryption, and secure storage of keys, the user digital certificate and similar information. In the embodiment provided by the present invention, the mobile phone terminal cryptographic module includes security modules such as an external TF card, inSE, TEE and pasting card, as well as cryptographic modules realized by combinations of the above. Here, inSE is integrated with the terminal's SoC main chip, which reduces the physical connections to an external chip and provides physical isolation at the chip level while guaranteeing sufficient performance and storage space; it can serve as a hardware cryptographic module in mobile scenarios. TEE is a trusted execution environment, which guarantees computation that is not interfered with by the ordinary operating system; it can serve as a software cryptographic module in mobile policing.
The mobile phone terminal client is used for obtaining mobile phone terminal verification information from the mobile phone terminal and the mobile phone terminal cryptographic module respectively, and for sending the signed mobile phone terminal verification information to the network controller. The mobile phone terminal verification information includes portrait information (the user's facial image information), the IMEI information of the mobile phone terminal, and the user digital certificate held in the mobile phone terminal cryptographic module. Specifically, the mobile phone terminal client calls the mobile phone terminal cryptographic module, obtains the information needed for signing from the cryptographic module according to its type, signs the mobile phone terminal verification information, establishes a secure communication connection with the network controller, and sends the signed portrait information, IMEI information and user digital certificate to the network controller over a wireless transmission link.
The mobile phone terminal cryptographic module and the mobile phone terminal client may be arranged independently or may be arranged in the mobile phone terminal. When they are arranged in the mobile phone terminal, as shown in Fig. 3, the mobile phone terminal is a terminal device that has a camera for capturing facial information and runs the mobile phone terminal cryptographic module and the mobile phone terminal client. The mobile phone terminal communicates with the information network over a dedicated wireless transmission link. The embodiment provided by the present invention is described with the mobile phone terminal cryptographic module and the mobile phone terminal client arranged in the mobile phone terminal.
The network controller is used for verifying the signature on the mobile phone terminal verification information sent by the mobile phone terminal client, and for verifying the signature-checked mobile phone terminal verification information against the information stored in the information authentication system; when verification passes, the mobile phone terminal is allowed to access the information network, otherwise access is denied. The information authentication system includes a portrait data system, a terminal management and control system and a certificate directory service. The portrait data system establishes secure communication with the network controller, is used for importing the portrait information of legitimate users to provide a legitimate portrait information white list, and provides a portrait information legitimacy query interface. The terminal management and control system establishes secure communication with the network controller, is used for importing the IMEI numbers of legitimate mobile phone terminals to provide a legitimate IMEI white list, and provides an IMEI legitimacy query interface. The certificate directory service establishes secure communication with the network controller, is used for synchronizing the digital certificate data of the PKI system, and provides a real-time digital certificate validity query interface that verifies both the correctness and the validity of the digital certificate. In the embodiment provided by the present invention, a one-to-one legitimacy mapping table of users, mobile phone terminals and user digital certificates is also imported into the network controller, so as to verify the correspondence between the user, mobile phone terminal and user digital certificate of each access request.
Specifically, the network controller communicates securely with the mobile phone terminal client and verifies the signature on the mobile phone terminal verification information sent by the client; it communicates with the portrait data system to verify the true identity of the user, with the terminal management and control system to verify the legitimacy of the mobile phone terminal's IMEI, and with the certificate directory service to query the validity of the digital certificate in real time; and it verifies the information against the pre-imported person/machine/certificate binding relationship. When verification passes, the mobile phone terminal is allowed to access the information network; otherwise, access is denied.
Fig. 2 shows the flow chart of the method for secure access of a mobile phone terminal to an information network realized on the basis of the above system, which specifically comprises the following steps:
S1. Import the user information and mobile phone terminal information that are allowed to access into the information authentication system, and generate the information verification white list. The information authentication system may be any server that stores information and provides an information query service.
Specifically, importing the user information and mobile phone terminal information that are allowed to access into the information authentication system and generating the information verification white list comprises the following steps:
S11. Import the portrait information of legitimate users allowed to access into the portrait data system deployed in the information network in advance, and establish the portrait information white list;
S12. Import the IMEI information of legitimate mobile phone terminals allowed to access into the terminal management and control system deployed in the information network in advance, and establish the IMEI white list (legitimacy list).
In the embodiment provided by the present invention, there is no required order between importing the portrait information and importing the IMEI information.
S2. Construct a one-to-one legitimacy mapping table of users, mobile phone terminals and user digital certificates, and import it into the network controller in advance. The network controller may be any network control server with signing, signature verification, storage and comparison functions; it is deployed at the entrance of the information network and can establish an HTTPS connection with the mobile phone terminal.
S3. The mobile phone terminal client obtains the user information and mobile phone terminal information of the access request and compares them with the information in the generated information verification white list; when the requesting user information and mobile phone terminal information exist in the information verification white list, proceed to step S4; otherwise, deny access.
Specifically, mobile phone terminal client obtains the user information and information of mobile phone terminal of application access, and by the Shen
Information in the Information Authentication white list of the user information and information of mobile phone terminal and generation that please access compares, including will
The mobile phone terminal of acquisition is sent to network controller, network using the figure information of user and the international mobile equipment identity number information of mobile phone terminal
The mobile phone terminal that controller will acquire using the figure information of user, mobile phone terminal international mobile equipment identity number information respectively with Information Authentication
Information in white list compares.
Wherein, the mobile phone terminal that will acquire is sent to network controller using the figure information of user, and network controller will
The mobile phone terminal of acquisition is compared using the figure information of user with the information in Information Authentication white list, is specifically included as follows
Step:
Mobile phone terminal client obtains the figure information that mobile phone terminal uses user, to prevent information to be illegally accessed and usurping
Change, signs to the figure information;
Mobile phone terminal client is established secure communication with network controller and is connect, to prevent information to be illegally accessed and usurping
Change, the figure information after signature is sent to by network controller by wireless transmission link;
Network controller is to figure information sign test, and by inquiring the figure information white list of portrait data system, verifying should
Whether user is that true mobile phone terminal uses user.If it is, continuing next step;If it is not, then stopping the mobile phone
The network of terminal accesses.
The international mobile equipment identity number information for the mobile phone terminal that will acquire is sent to network controller, the mobile phone that network controller will acquire
The international mobile equipment identity number information of terminal is compared with the information in Information Authentication white list, is specifically comprised the following steps:
Mobile phone terminal client reads this terminal international mobile equipment identity number information and signs to the information;
International mobile equipment identity number information after signature is sent to network controller by wireless transmission link by mobile phone terminal client;
Network controller tests international mobile equipment identity number information sign test by inquiring the international mobile equipment identity number white list of terminal managing and control system
Whether legal demonstrate,prove mobile phone terminal access.If legal, continue next step;If illegal, stop the mobile phone terminal
Network access.
In the embodiment provided by the present invention, when the user information and mobile phone terminal information of the access request exist in the information verification whitelist, the following steps are also performed before the requesting user, mobile phone terminal and user digital certificate are compared with the pre-imported legitimacy mapping table:
The acquired user digital certificate is sent to the network controller, and the network controller queries the validity of the user digital certificate through the certificate directory service. Specifically, this includes the following steps: the mobile phone terminal client identifies the type of crypto module of the device;
the mobile phone terminal client reads the user digital certificate through the crypto module;
the mobile phone terminal client signs the user digital certificate; the mobile phone terminal client sends the signed user digital certificate to the network controller over the wireless transmission link;
the network controller verifies the signature on the signed user digital certificate;
the network controller queries the validity of the user digital certificate in real time through the certificate directory service. If the digital certificate is valid, the next verification step is performed; otherwise network access is stopped. Here, querying the validity of the user digital certificate in real time through the certificate directory service means that the certificate directory server deployed in the information network synchronizes the digital certificate data of the PKI (Public Key Infrastructure) system and provides an interface for querying valid user digital certificates.
S4: The requesting user, mobile phone terminal and user digital certificate are compared with the pre-imported legitimacy mapping table; if they are consistent, the mobile phone terminal is allowed to access the information network; if they are inconsistent, access is denied.
Specifically, the network controller compares the user, mobile phone terminal and user digital certificate of the current access link with the pre-imported legitimacy mapping table. If consistent, the mobile phone terminal is allowed to access the information network; otherwise, the network access of the mobile phone terminal is stopped.
The embodiment provided by the present invention further includes the following step:
S5: While the mobile phone terminal is accessing the information network, the IMEI and user digital certificate of the mobile phone terminal that requested access are verified periodically, and when the user digital certificate becomes invalid or the IMEI is deregistered, the network connection is stopped promptly to guarantee security.
Below, the method for secure access of a mobile phone terminal to an information network is described in detail with two specific embodiments.
Embodiment 1
In Embodiment 1 provided by the present invention, the description takes an inSE mobile phone terminal crypto module as an example. The equipment and environment configuration of Embodiment 1 is as follows:
1) a complete information network environment;
2) a mobile phone terminal with a built-in mobile phone terminal crypto module inSE, which has obtained a user digital certificate that has been written into the inSE; the mobile phone terminal network control APP has been installed; the terminal has mobile wireless network communication capability and a front-facing camera;
3) a network control server deployed at the entrance of the information network, able to establish an HTTPS connection with the mobile phone terminal and capable of signing and signature verification;
4) a portrait data server deployed in the information network, into which the portrait information of legitimate users is imported in advance, providing an interface for querying the portrait information of legitimate users;
5) a terminal control server deployed in the information network, into which the IMEIs of legitimate mobile phone terminals are imported in advance, providing an interface for querying legitimate IMEIs;
6) a certificate directory server deployed in the information network, which synchronizes the digital certificate data of the PKI system and provides an interface for querying valid digital certificates.
As shown in Figure 4, in Embodiment 1 the method for secure access of a mobile phone terminal to an information network provided by the present invention specifically includes the following steps:
Administrative staff import in advance the portrait information of legitimate users (users allowed to access the information network) into the portrait data server deployed in the information network, establishing a portrait information whitelist;
Administrative staff import the IMEI information of legitimate mobile phone terminals (the IMEI information of mobile phone terminals allowed to access the information network) into the terminal control server deployed in the information network, establishing an IMEI whitelist (legitimacy list);
Administrative staff construct a one-to-one legitimacy mapping table of user, mobile phone terminal and user digital certificate and import it into the network control server in advance;
The mobile phone terminal network control APP prompts the user of the mobile phone terminal to perform a face recognition operation and, after obtaining the user's portrait information, signs it with the SM2 national cryptographic algorithm;
The mobile phone terminal network control APP establishes an HTTPS secure access connection with the network control server and sends the signed portrait information to the network control server over the wireless transmission link;
The network control server verifies the signature on the portrait information and, by querying the portrait information whitelist of the portrait data server, verifies whether the user is a genuine user of the mobile phone terminal; if so, it proceeds to the next step; if not, it stops the network access of the mobile phone terminal;
The mobile phone terminal network control APP reads the IMEI information of the terminal and signs it with the SM2 national cryptographic algorithm;
The mobile phone terminal network control APP sends the signed IMEI information to the network control server over the wireless transmission link;
The network control server verifies the signature on the IMEI information and, by querying the legitimate IMEI whitelist of the terminal control server, verifies whether the access by the mobile phone terminal is legitimate; if legitimate, it proceeds to the next step; if not, it stops the network access of the mobile phone terminal;
The mobile phone terminal network control APP identifies that the crypto module type of the device is inSE;
The mobile phone terminal network control APP reads the user digital certificate through the crypto module inSE;
The mobile phone terminal network control APP signs the user digital certificate with the SM2 national cryptographic algorithm and sends the signed user digital certificate to the network control server over the wireless transmission link;
The network control server verifies the signature on the signed user digital certificate;
The network control server queries the validity of the user digital certificate in real time through the certificate directory server; if the user digital certificate is valid, the next verification step is performed; otherwise network access is stopped;
The network control server compares the user, mobile phone terminal and user digital certificate of the current access link with the pre-imported legitimacy mapping table; if consistent, the mobile phone terminal is allowed to access the information network; if inconsistent, the network access of the mobile phone terminal is stopped.
In Embodiment 1 provided by the present invention, while the mobile phone terminal is accessing the information network, the IMEI and user digital certificate of the mobile phone terminal that requested access are verified periodically, and when the user digital certificate becomes invalid or the IMEI is deregistered, the network connection is stopped promptly to guarantee security.
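The admission decision of steps S3 to S5 above, as an added example that is not part of the patent and not the applicant's code: a Python model of the network controller that performs the three sign tests with their whitelist or validity lookups, the one-to-one legitimacy mapping comparison of S4, and the periodic re-check of S5. All user names, keys, IMEIs and certificate serials are constructed, and the SM2 sign / sign-test pair is replaced by an HMAC stand-in that only models whether a signature checks out, not SM2 itself.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
# Constructed per-terminal keys, indexed by IMEI (the key lives in the inSE / TF card).
TERMINAL_KEYS: Dict[str, bytes] = {
    "IMEI-A-000001": b"constructed-key-A",
    "IMEI-B-000002": b"constructed-key-B",
}

def sign(imei: str, msg: bytes) -> bytes:
    # HMAC-SHA256 stand-in for SM2 signing on the terminal (model only, not SM2)
    return hmac.new(TERMINAL_KEYS[imei], msg, hashlib.sha256).digest()

def sign_test(imei: str, msg: bytes, sig: bytes) -> bool:
    # Stand-in for the SM2 sign test performed by the network controller
    key = TERMINAL_KEYS.get(imei)
    return key is not None and hmac.compare_digest(
        hmac.new(key, msg, hashlib.sha256).digest(), sig)

@dataclass
class AccessRequest:           # what the mobile phone terminal client sends, each item signed
    portrait: bytes            # portrait feature data (constructed opaque bytes)
    portrait_sig: bytes
    imei: str
    imei_sig: bytes
    cert_serial: str           # identifies the user digital certificate
    cert_sig: bytes

def build_request(imei: str, portrait: bytes, cert_serial: str) -> AccessRequest:
    return AccessRequest(portrait, sign(imei, portrait),
                         imei, sign(imei, imei.encode()),
                         cert_serial, sign(imei, cert_serial.encode()))

@dataclass
class InformationAuthSystem:   # portrait data system, terminal control, certificate directory
    portrait_whitelist: Dict[str, str]   # sha256(portrait) -> user id
    imei_whitelist: Set[str]
    valid_certs: Set[str]                # serials the directory currently reports valid

@dataclass
class NetworkController:
    auth: InformationAuthSystem
    mapping: Dict[str, Tuple[str, str]]  # user -> (imei, cert_serial), one-to-one
    sessions: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def admit(self, req: AccessRequest) -> Tuple[bool, str]:
        # S3, portrait: sign test first, then the portrait whitelist lookup
        if not sign_test(req.imei, req.portrait, req.portrait_sig):
            return False, "portrait signature failed sign test"
        user = self.auth.portrait_whitelist.get(hashlib.sha256(req.portrait).hexdigest())
        if user is None:
            return False, "user not in portrait whitelist"
        # S3, IMEI: sign test, then the IMEI whitelist lookup
        if not sign_test(req.imei, req.imei.encode(), req.imei_sig):
            return False, "IMEI signature failed sign test"
        if req.imei not in self.auth.imei_whitelist:
            return False, "terminal not in IMEI whitelist"
        # certificate: sign test, then the real-time validity query
        if not sign_test(req.imei, req.cert_serial.encode(), req.cert_sig):
            return False, "certificate signature failed sign test"
        if req.cert_serial not in self.auth.valid_certs:
            return False, "user digital certificate not valid"
        # S4: the (user, terminal, certificate) binding must match the mapping table
        if self.mapping.get(user) != (req.imei, req.cert_serial):
            return False, "user/terminal/certificate binding not in legitimacy mapping"
        self.sessions[req.imei] = (user, req.cert_serial)
        return True, f"access granted to {user}"

    def recheck(self) -> List[str]:
        """S5: re-verify live sessions; drop any whose certificate or IMEI was revoked."""
        dropped = [imei for imei, (_user, cert) in self.sessions.items()
                   if imei not in self.auth.imei_whitelist or cert not in self.auth.valid_certs]
        for imei in dropped:
            del self.sessions[imei]
        return dropped

def demo() -> Dict[str, object]:
    portrait_a, portrait_b = b"portrait-features-A", b"portrait-features-B"
    auth = InformationAuthSystem(
        portrait_whitelist={hashlib.sha256(portrait_a).hexdigest(): "alice",
                            hashlib.sha256(portrait_b).hexdigest(): "bob"},
        imei_whitelist={"IMEI-A-000001", "IMEI-B-000002"}, valid_certs={"CERT-A", "CERT-B"})
    nc = NetworkController(auth, mapping={"alice": ("IMEI-A-000001", "CERT-A"),
                                          "bob": ("IMEI-B-000002", "CERT-B")})
    granted = nc.admit(build_request("IMEI-A-000001", portrait_a, "CERT-A"))
    # Alice's face on Bob's whitelisted phone with Bob's valid certificate: only S4 refuses it
    mismatch = nc.admit(build_request("IMEI-B-000002", portrait_a, "CERT-B"))
    forged = build_request("IMEI-A-000001", portrait_a, "CERT-A")
    forged.imei_sig = b"\x00" * 32           # IMEI signature tampered in transit
    bad_sig = nc.admit(forged)
    auth.valid_certs.discard("CERT-A")        # certificate revoked after admission
    dropped = nc.recheck()
    return {"granted": granted, "mismatch": mismatch, "bad_sig": bad_sig, "dropped": dropped}
```

The mismatch case is the one worth studying: each whitelist and validity check passes on its own, and only the S4 comparison of the (user, terminal, certificate) triple against the mapping table refuses a legitimate user on a different legitimate phone.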
Embodiment 2
In Embodiment 2 provided by the present invention, the description takes a TF card mobile phone terminal crypto module as an example. The equipment and environment configuration of Embodiment 2 is as follows:
1) a complete information network environment;
2) a mobile phone terminal with a TF card interface into which a crypto module TF card has been inserted; a user digital certificate has been obtained and written into the TF card; the mobile phone terminal network control APP has been installed; the terminal has mobile wireless network communication capability and a front-facing camera;
3) a network control server deployed at the entrance of the information network, able to establish an HTTPS connection with the mobile phone terminal and capable of signing and signature verification;
4) in the private cloud of the information network, three virtual cloud hosts are created to realize cloud deployment of the portrait data server, the terminal control server and the certificate directory server; they are labelled the portrait data cloud host, the terminal control cloud host and the certificate directory cloud host, and the portrait data system module, the terminal control system module and the certificate directory service module are deployed on them respectively. The portrait data cloud host can import the portrait information of legitimate users in advance and provides an interface for querying the portrait information of legitimate users; the terminal control cloud host can import the IMEI information of legitimate mobile phone terminals in advance and provides an interface for querying legitimate IMEIs; the certificate directory cloud host synchronizes the digital certificate data of the PKI system and provides an interface for querying valid digital certificates. All three cloud hosts have a network communication environment.
As shown in Figure 5, in Embodiment 2 the method for secure access of a mobile phone terminal to an information network provided by the present invention specifically includes the following steps:
Administrative staff import in advance the portrait information of legitimate users into the portrait data cloud host deployed in the information network, establishing a portrait information whitelist;
Administrative staff import the IMEI information of legitimate mobile phone terminals into the terminal control cloud host deployed in the information network, establishing an IMEI whitelist (legitimacy list);
Administrative staff construct a one-to-one legitimacy mapping table of user, mobile phone terminal and user digital certificate and import it into the network control server in advance;
The mobile phone terminal network control APP prompts the user of the mobile phone terminal to perform a face recognition operation and, after obtaining the user's portrait information, signs it with the SM2 national cryptographic algorithm;
The mobile phone terminal network control APP establishes an HTTPS secure access connection with the network control server and sends the signed portrait information to the network control server over the wireless transmission link;
The network control server verifies the signature on the portrait information and, by querying the portrait information whitelist of the portrait data cloud host, verifies whether the user is a genuine user of the mobile phone terminal; if so, it proceeds to the next step; if not, it stops the network access of the mobile phone terminal;
The mobile phone terminal network control APP reads the IMEI information of the terminal and signs it with the SM2 national cryptographic algorithm;
The mobile phone terminal network control APP sends the signed IMEI information to the network control server over the wireless transmission link;
The network control server verifies the signature on the IMEI information and, by querying the legitimate IMEI whitelist of the terminal control cloud host, verifies whether the access by the mobile phone terminal is legitimate; if legitimate, it proceeds to the next step; if not, it stops the network access of the mobile phone terminal;
The mobile phone terminal network control APP identifies that the crypto module type of the device is a TF card;
The mobile phone terminal network control APP reads the user digital certificate through the crypto module TF card;
The mobile phone terminal network control APP signs the user digital certificate with the SM2 national cryptographic algorithm and sends the signed user digital certificate to the network control server over the wireless transmission link;
The network control server verifies the signature on the signed user digital certificate;
The network control server queries the validity of the user digital certificate in real time through the certificate directory cloud host; if the user digital certificate is valid, the next verification step is performed; otherwise network access is stopped.
The network control server compares the user, mobile phone terminal and user digital certificate of the current access link with the pre-imported legitimacy mapping table; if consistent, the mobile phone terminal is allowed to access the information network; if inconsistent, the network access of the mobile phone terminal is stopped.
In Embodiment 2 provided by the present invention, while the mobile phone terminal is accessing the information network, the IMEI and user digital certificate of the mobile phone terminal that requested access are verified periodically, and when the user digital certificate becomes invalid or the IMEI is deregistered, the network connection is stopped promptly to guarantee security.
The method and device for secure access of a mobile phone terminal to an information network provided by the present invention have been described in detail above. For those of ordinary skill in the art, any obvious change made without departing from the true spirit of the invention constitutes an infringement of this invention patent and will incur the corresponding legal liability.
Claims (10)
1. A method for secure access of a mobile phone terminal to an information network, characterized by including the following steps:
importing the user information and mobile phone terminal information that are allowed access into an information authentication system, generating an information verification whitelist;
constructing a one-to-one legitimacy mapping table of user, mobile phone terminal and user digital certificate, and importing it into a network controller in advance;
the network controller acquiring the user information and mobile phone terminal information of the access request, and comparing the user information and mobile phone terminal information of the access request with the information in the generated information verification whitelist;
when the user information and mobile phone terminal information of the access request exist in the information verification whitelist, comparing the requesting user, mobile phone terminal and user digital certificate with the pre-imported legitimacy mapping table; if consistent, allowing the mobile phone terminal to access the information network; otherwise, denying access.
2. The method for secure access of a mobile phone terminal to an information network as described in claim 1, characterized in that importing the user information and mobile phone terminal information that are allowed access into the information authentication system and generating the information verification whitelist includes the following steps:
importing in advance the portrait information of legitimate users allowed access into a portrait data system deployed in the information network, establishing a portrait information whitelist;
importing in advance the IMEI information of legitimate mobile phone terminals allowed access into a terminal control system deployed in the information network, establishing an IMEI whitelist.
3. the method for mobile phone terminal secure accessing information network as described in claim 1, it is characterised in that:
Mobile phone terminal client obtains the user information and information of mobile phone terminal of application access, and the user that this application is accessed
Information in information and information of mobile phone terminal and the Information Authentication white list of generation compares, and the mobile phone including will acquire is whole
End is sent to network controller using the figure information of user and the international mobile equipment identity number information of mobile phone terminal, and network controller will acquire
Mobile phone terminal using the figure information of user, mobile phone terminal international mobile equipment identity number information respectively with figure information white list and IMEI
Information in number white list compares.
4. the method for mobile phone terminal secure accessing information network as claimed in claim 3, it is characterised in that the mobile phone that will acquire
Terminal is sent to network controller using the figure information of user, and the mobile phone terminal that network controller will acquire uses the people of user
As information and the information in figure information white list compare, include the following steps:
The figure information that mobile phone terminal uses user is obtained, is signed to the figure information;
Figure information after signature is sent to network controller;
Network controller to figure information carry out sign test, by inquire figure information white list, verifying application access whether be
True mobile phone terminal uses user;When there are when the figure information for figure information white list;Then the application access is
True mobile phone terminal uses user;Otherwise, stop the network access of mobile phone terminal.
5. the method for mobile phone terminal secure accessing information network as claimed in claim 3, it is characterised in that the mobile phone that will acquire
The international mobile equipment identity number information of terminal is sent to network controller, the international mobile equipment identity number information for the mobile phone terminal that network controller will acquire with
Information in international mobile equipment identity number white list compares, and includes the following steps:
Mobile phone terminal client reads this terminal international mobile equipment identity number information and signs to the information;
International mobile equipment identity number information after signature is sent to network controller by wireless transmission link by mobile phone terminal client;
Network controller is to international mobile equipment identity number information sign test, and by inquiring the international mobile equipment identity number white list of terminal managing and control system, verifying should
Whether mobile phone terminal access is legal.If legal, continue next step;If illegal, stop the net of the mobile phone terminal
Network access.
6. the method for mobile phone terminal secure accessing information network as described in claim 1, it is characterised in that when Information Authentication is white
User, mobile phone terminal, user when there is the user information and information of mobile phone terminal of application access in list, to application access
Before digital certificate is compared with the legitimacy mapping table imported in advance;Further include following steps:
The customer digital certificate that will acquire is sent to network controller, passes through customer digital certificate described in certificate directory services query
Validity.
7. the method for mobile phone terminal secure accessing information network as claimed in claim 6, it is characterised in that the user that will acquire
Digital certificate is sent to network controller, passes through the validity of customer digital certificate described in certificate directory services query;Including such as
Lower step:
Customer digital certificate is read, and the customer digital certificate after signature is sent to network controller;
Network controller carries out sign test to the customer digital certificate signed;
Network controller passes through the validity of the certificate directory service real-time query customer digital certificate.
8. the method for mobile phone terminal secure accessing information network as described in claim 1, it is characterised in that further include walking as follows
It is rapid:
When mobile phone terminal access information network, the international mobile equipment identity number and customer digital certificate to the mobile phone terminal requested access to are recycled
It is verified, when customer digital certificate fails or international mobile equipment identity number is removed name from the rolls, then stops network connection in time.
9. A device for secure access of a mobile phone terminal to an information network, for implementing the method for secure access of a mobile phone terminal to an information network according to any one of claims 1 to 8, characterized by including a mobile phone terminal crypto module, a mobile phone terminal client, a mobile phone terminal, a network controller and an information authentication system;
wherein the mobile phone terminal crypto module is used to generate the information needed for digital signing and signature verification according to the terminal crypto module type selected by the user, and to provide the user digital certificate;
the mobile phone terminal client is used to acquire mobile phone terminal verification information from the mobile phone terminal and from the mobile phone terminal crypto module respectively, and to send the signed mobile phone terminal verification information to the network controller;
the network controller is used to verify the signature on the mobile phone terminal verification information sent by the mobile phone terminal client, and to verify the signature-checked mobile phone terminal verification information against the information stored in the information authentication system.
10. The device for secure access of a mobile phone terminal to an information network as claimed in claim 9, characterized in that:
the information authentication system includes a portrait data system, a terminal control system and a certificate directory service;
the portrait data system is used to import the portrait information of legitimate users so as to provide a portrait information whitelist;
the terminal control system establishes secure communication with the network controller and is used to import the IMEIs of legitimate mobile phone terminals so as to provide an IMEI whitelist;
the certificate directory service is used to synchronize the digital certificate data of the PKI system and to provide a real-time query interface for digital certificate validity.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910194167.9A CN109874141A (en) | 2019-03-14 | 2019-03-14 | A kind of method and device of mobile phone terminal secure accessing information network |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109874141A true CN109874141A (en) | 2019-06-11 |
Family
ID=66920355
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910194167.9A Pending CN109874141A (en) | 2019-03-14 | 2019-03-14 | A kind of method and device of mobile phone terminal secure accessing information network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109874141A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113473463A (en) * | 2021-06-30 | 2021-10-01 | 广东纬德信息科技股份有限公司 | Mobile office communication method and system |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105429760A (en) * | 2015-12-01 | 2016-03-23 | 神州融安科技(北京)有限公司 | Method and system for identity verification of digital certificate based on TEE (Trusted Execution Environment) |
CN106488452A (en) * | 2016-11-18 | 2017-03-08 | 国网江苏省电力公司南京供电公司 | A kind of mobile terminal safety access authentication method of combination fingerprint |
CN106487511A (en) * | 2015-08-27 | 2017-03-08 | 阿里巴巴集团控股有限公司 | Identity identifying method and device |
CN107800725A (en) * | 2017-12-11 | 2018-03-13 | 公安部第研究所 | A kind of digital certificate remote online managing device and method |
CN207939549U (en) * | 2017-12-11 | 2018-10-02 | 公安部第一研究所 | A kind of digital certificate remote online managing device |
CN209882108U (en) * | 2019-03-14 | 2019-12-31 | 公安部第一研究所 | Device for mobile phone terminal to safely access information network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||