CN1564507A - Distinguishing method and system combined information security software, hardware with user's status of enterprise - Google Patents


Info

Publication number: CN1564507A
Authority: CN (China)
Prior art keywords: user, hardware, equipment, network, space
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN 200410017823
Other languages: Chinese (zh)
Inventors: 李超, 李惠民
Current Assignee: SANYING COMMUNICATION TECH Co Ltd SHANGHAI (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: SANYING COMMUNICATION TECH Co Ltd SHANGHAI
Priority date: 2004-04-22 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2004-04-22
Publication date: 2005-01-12

Events
  • Application filed by SANYING COMMUNICATION TECH Co Ltd SHANGHAI
  • Priority to CN 200410017823
  • Publication of CN1564507A
  • Legal status: Pending (current)

Landscapes

  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

An IC card serving as a physical identification code is used as the digital signature that identifies the user's identity. The system comprises the following parts: a front-end control circuit that reads the IC card in order to identify the user's identity and physical space; upper-layer computer management software that, through the central computer, recognizes the permissions and access level of a user requesting access; and a display device used to send the authorized user a random password that permits entry to the current site. This password is sent only once, to designated devices such as telephones of a specified number in a specified area.

Description

An enterprise-oriented user identity authentication method and system combining information security software and hardware
Technical field
The invention belongs to the technical field of user identity authentication and information access control, and specifically relates to an enterprise-oriented user identity authentication method and system for information systems.
Technical background
The specialized information networks of large enterprises generally use large-scale network connections. Because of the information security requirements of such networks, identifying the personnel who access them is of crucial importance. At present, illegal entry into information systems with a B/S or C/S structure always comes through the network's communication layer. An illegal intruder always first attempts to log in by impersonating a user name managed by the system; therefore, the first problem of information security access control is authenticating the user's identity. Three authentication methods are in use. First, using the user's physical features (voice, fingerprint, appearance, signature). This is theoretically the most reliable, but because physical features may change over time and the recording techniques are still immature, this method has not seen widespread use. Second, using something the user knows that can prove identity (such as a password). This is currently the most commonly used method, but it has the unavoidable shortcoming that the secret can be stolen. Third, using a credential unique to the user, such as an identity card or a machine-readable card; its limitation is that the application scenario is restricted by the card. To prevent password theft, cryptographic services such as encryption and digital signatures, together with the necessary key and certificate management systems, have also been developed for user identity authentication. This approach suffers from complex cryptographic algorithms, high cost, and the unavoidable appearance of security vulnerabilities.
Therefore, introducing hardware identification technology into enterprise network applications based on the C/S and B/S structures, combined with software encryption means, breaks through the limitation of earlier user access control that relied solely on software encryption algorithms. With hardware identification added to the software, the location and the validity of the accessing user can be identified reliably and intelligently.
Summary of the invention
The object of the present invention is to provide a method and system for authenticating user identity in a specialized network by combining software and hardware, so as to overcome the limitations of software encryption methods and achieve strict control over access to important information.
In the method of authenticating user identity in a specialized network proposed by the present invention, a set of on-site user hardware identification numbers and site space identification numbers is first introduced to verify the validity of the user's identity; the system then randomly generates a current software password and sends it to the corresponding site space. The effect is that only a user who holds a valid hardware seal and works in an identified space managed by the system can obtain the system's approval of validity, which guards against both misuse of the hardware seal and theft of the software password. If the user returns the password correctly, the system decides, according to the user's permissions, which resources to open for access. After the user logs out of the login system, the issued password automatically expires. After the user leaves the site space, the address of that site space expires and the event is recorded in the database. The hardware seal is used to prevent theft of the software password and to provide identification and management of the user's workspace; displaying the random password within the site space serves mainly to prevent misuse of the hardware seal.
Corresponding to the above method of authenticating user identity in a specialized network, the present invention designs a matching identification system, whose configuration is shown in Figure 1. It comprises three parts: the controlled site, the control centre and the network centre. The controlled site comprises a hardware seal 1 that records the user identification, a reading device 2 that reads the user ID from the seal, an on-site display device 3 that shows the pseudorandom password, and an on-site user access terminal 4. The control centre comprises a device 5 that forwards the read identification to the computer network, a computer device 6 that generates the pseudorandom password, and a gateway device 7 that connects this system to the computer network. The network centre comprises the computer network 9 and the resource database 10. The reading device 2 is connected to the forwarding device 5 of the control centre; the password-generating computer device 6 of the control centre is connected to the gateway device 7 and to the on-site display device 3 that shows the pseudorandom password; the user access terminal 4 is connected to the gateway device 7 of the control centre; and the network centre is connected to each module of the control centre.
In the present invention, the user's hardware identification number may be a physical identification code such as an IC card, ID card or M1 card, also called the hardware seal. The front end of the system is a front-end control circuit, contained in the reading device 2 at the site space, that reads and recognizes the user identification and the physical-space identification; the upper layer of the control centre is a computer management software system that identifies the permissions and access level of the user requesting access.
When the user enters the site space, he presents the hardware seal 1 that records his user ID; the reading device 2 reads and identifies the seal and sends the identification through the control centre to the upper-level computer network. The upper-level computer device 6 generates a pseudorandom password and sends it to the on-site display device 3. After the on-site user obtains this password, he enters it at the access terminal 4; once the gateway has verified it, he gains access to the upper-level computer network.
The system operates as follows. For a legitimate authorized user, the physical identification number of the issued IC or M1 card is in theory unique. After the system has recorded the authorization against that card's information, the user can enter each space region managed by the system once registered there; the system automatically records the space region where the current user is located and assigns that address space a unique internal identification number.
When a valid user appears at the work site, the system automatically records the user's identity identification number and the current space identification number. If this user then enters his job number and sends a login request, the system automatically judges from the above registration information whether the user's identity is legitimate and what his permission level is. If it is legitimate, the system uses a pseudorandom algorithm to generate a random password, which is sent to and displayed only on the display unit of the space region where the user is currently located, or on a designated display area, to serve as the verification entry password. Clearly, only a user who has a legitimate identity and actually appears in a valid working space can obtain this randomly assigned password. In this way no user needs to remember any password in the system; each login requires only obtaining the random password assigned by the system. An attempted visitor from outside the system, even if allowed onto the upper-level computer network and even if able to analyse the various cryptographic structures, still cannot get in.
The IC card and card reader are the physical basis for authenticating the user identity and the working space. The on-site control manager, connected to the central computer by asynchronous communication means, displays the pseudorandom password issued by the central computer. Asynchronous communication is used to reduce the cost of the system.
The system workflow is shown in Figure 2. After the user registers with the system through the network administrator and obtains a hardware seal such as an IC card, he is qualified to enter the space regions designated by the system. After the seal is presented to the sensing device of the designated space, the system obtains the address of the user's current working region. To prevent an illegal intruder outside the system from misusing the card number, the system accepts that a user who has entered in this way possesses suitable reliability in this space region at the current time. Therefore it sends a randomly generated password, displayed in this region, and requires the user to return it; if the user returns it correctly, the system decides, according to the user's permissions, which resources to open for access.
After the user logs out of the system, the issued password automatically expires.
After the user leaves the machine room, the address of this space region expires and the event is recorded in the database.
With the software-and-hardware-combined encryption system for specific information security of the present invention, the user does not need to be assigned, or to memorize, a password. Whether each user may log in is determined first by whether the system's hardware seal shows that the user appears in a valid working space; if so, the randomly generated password is sent and displayed in the corresponding workspace, reducing the probability of password theft outside the system to a minimum.
Description of drawings
Figure 1 is the overall structure diagram of the system.
Figure 2 is the workflow schematic of the system.
Reference numbers in the figures: 1 is the hardware seal; 2 is the reading device; 3 is the pseudorandom password display device; 4 is the access terminal equipment; 5 is the device that forwards the read identification to the computer network; 6 is the computer device that generates the pseudorandom password; 7 is the gateway device.
Embodiment
The present invention is further described below by way of two embodiments.
Embodiment 1
Ten controlled rooms are distributed within a certain space region; each room has an access terminal that can connect to the database of the computer centre. The system allows two valid users with different permission levels to enter any room and request access to the database through the relevant terminal. The aim is that these two users are not restricted to a particular terminal, that password theft is effectively avoided, and that other users are prevented from accessing the database.
The system provides each of these two users with an IC card recording a personal identification number, installs an IC card reader at the entrance of each room, and configures each user's login permissions. When user No. 1 enters room No. 1, the system's identification device in room No. 1 determines that user No. 1 currently appears in this region, and the upper-level computer prompts a randomly generated access code on the display device in room No. 1. After user No. 1 sends this random password back to the upper-level computer, the system opens the resources corresponding to the user's accessible permission. When user No. 1 finishes access and logs out of the system, this random password expires immediately; when a new login is needed, the system issues a new random password. When user No. 1 leaves the room, the space identification code stored by the system expires immediately. The system database keeps a corresponding record of all operations.
When user No. 1 enters room No. 2, the system's identification device in room No. 2 determines that the user currently appears in this region, and the upper-level computer prompts a randomly generated access code in room No. 2. After the user sends this random password back to the upper-level computer, the system opens the corresponding accessible resources.
Likewise for user No. 2: no matter which terminal he appears at, he obtains his own access rights as long as he passes the above system authentication.
Embodiment 2
One hundred controlled remote sites are distributed within the enterprise's area of jurisdiction; each site has an access path that can connect to the network of the computer centre, and ten maintenance staff are responsible for the operation and equipment maintenance of these 100 sites. Each maintainer can access the central database through a portable computer. The system allows these ten valid maintainers with different permission levels to enter any site and access the database through the portable computer terminal. The aim is that these ten maintainers are not restricted to a particular working terminal, that theft of one another's passwords is effectively avoided, and that other users are prevented from accessing the database.
The system provides each of these ten maintainers with an IC card recording a personal identification number, installs an IC card reader at the entrance of each remote site, and configures each person's login permissions. When maintainer No. 1 enters remote site No. 1, the system's identification device at site No. 1 determines that maintainer No. 1 currently appears in this region, and the upper-level computer prompts a randomly generated access code on the display device at remote site No. 1. After maintainer No. 1 sends this random password back to the upper-level computer, the system opens the resources corresponding to the maintainer's accessible permission. When maintainer No. 1 finishes access and logs out of the system, this random password expires immediately; when a new login is needed, the system issues a new random password. When maintainer No. 1 leaves the remote site, the space identification code stored by the system expires immediately. The system database keeps a corresponding record of all operations.
When maintainer No. 1 enters remote site No. 2, the system's identification device at site No. 2 determines that the maintainer currently appears in this region, and the upper-level computer prompts a randomly generated access code at site No. 2. After the maintainer sends this random password back to the upper-level computer, the system opens the corresponding accessible resources.
Likewise for the other maintainers: no matter which site he appears at, he obtains the system resources corresponding to his own access rights as long as he passes the above system authentication.
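The login flow described in the summary above and walked through in Embodiment 1 (a user presents the hardware seal at a room, the system shows a one-time random password only on that room's display, the gateway checks the returned password, and the password dies on logout or on leaving the room) can be made concrete as a small simulation. The Python below is an added example written for this page; it is not code from the patent or from its assignee. The class and function names (AuthCentre, Presence, embodiment_1_walkthrough), the card numbers, job numbers and room names, and the six-digit code length are all assumptions constructed for illustration. Two choices are the example's own, since the page only says "pseudorandom algorithm": the password comes from a CSPRNG (the secrets module), and a code is voided after a single attempt whether it was right or wrong.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

CODE_LENGTH = 6  # digits shown on the on-site display device (3); assumed length

@dataclass
class User:
    card_id: str     # physical identification number of the IC/M1 card (hardware seal 1)
    job_number: str  # job number the user types at the access terminal (4)
    level: int       # permission level configured by the network administrator

@dataclass
class Presence:  # record made when a registered card is read at a space (hypothetical)
    space_id: str
    code: Optional[str] = None  # one-time code currently shown on display 3, if any

class AuthCentre:
    """Hypothetical control centre: password generator (6), gateway (7) and audit records."""

    def __init__(self, users, spaces):
        self.by_card = {u.card_id: u for u in users}
        self.by_job = {u.job_number: u for u in users}
        self.spaces = set(spaces)
        self.presence = {}                         # card_id -> Presence
        self.displays = {s: None for s in spaces}  # contents of display 3 per space
        self.audit = []                            # (event, subject, space) rows

    def _log(self, event, subject, space):
        self.audit.append((event, subject, space))

    def _presence_for(self, job_number):
        user = self.by_job.get(job_number)
        return user, (self.presence.get(user.card_id) if user else None)

    def card_read(self, card_id, space_id):
        """Reading device 2 reports a card at the entrance of space_id."""
        if card_id not in self.by_card or space_id not in self.spaces:
            self._log("reject_card", card_id, space_id)
            return False
        self.presence[card_id] = Presence(space_id)
        self._log("enter", card_id, space_id)
        return True

    def login_request(self, job_number, space_id):
        """Login request typed at the terminal 4 standing in space_id."""
        user, pres = self._presence_for(job_number)
        if pres is None or pres.space_id != space_id:
            self._log("deny_login", job_number, space_id)  # no valid seal seen here
            return False
        # CSPRNG digits; the page only says "pseudorandom algorithm"
        pres.code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self.displays[space_id] = pres.code  # shown only in the user's current space
        self._log("issue_code", job_number, space_id)
        return True

    def verify(self, job_number, space_id, code):
        """Gateway 7 checks the returned code; returns the permission level or None."""
        user, pres = self._presence_for(job_number)
        if pres is None or pres.space_id != space_id or pres.code is None:
            self._log("deny_verify", job_number, space_id)
            return None
        expected, pres.code = pres.code, None  # single use, whether right or wrong
        self.displays[space_id] = None
        if not secrets.compare_digest(expected, code):
            self._log("bad_code", job_number, space_id)
            return None
        self._log("login", job_number, space_id)
        return user.level

    def logout(self, job_number):
        """User logs out: the issued password is void."""
        user, pres = self._presence_for(job_number)
        if pres is None:
            return False
        pres.code = None
        self._log("logout", job_number, pres.space_id)
        return True

    def leave_space(self, card_id):
        """User leaves the space: the space binding expires and is recorded."""
        pres = self.presence.pop(card_id, None)
        if pres is None:
            return False
        self.displays[pres.space_id] = None
        self._log("leave", card_id, pres.space_id)
        return True

def embodiment_1_walkthrough():
    """Constructed scenario after Embodiment 1: ten rooms, two users."""
    rooms = [f"room-{i}" for i in range(1, 11)]
    centre = AuthCentre([User("CARD-0001", "job-1", 2), User("CARD-0002", "job-2", 1)], rooms)
    centre.card_read("CARD-0001", "room-1")           # user 1 shows the seal at room 1
    centre.login_request("job-1", "room-1")           # code appears on room 1's display
    code = centre.displays["room-1"]                  # what user 1 reads off display 3
    level = centre.verify("job-1", "room-1", code)
    stolen = centre.login_request("job-1", "room-2")  # job number alone, from room 2
    centre.logout("job-1")
    replay = centre.verify("job-1", "room-1", code)   # old code is void
    centre.leave_space("CARD-0001")
    after_leaving = centre.login_request("job-1", "room-1")
    return {"level": level, "stolen": stolen, "replay": replay,
            "after_leaving": after_leaving,
            "display_cleared": centre.displays["room-1"] is None,
            "events": [row[0] for row in centre.audit]}
```

The audit list plays the role of the database record of all operations that the embodiments mention. One point the simulation makes explicit is that the space a login request is attributed to (space_id) must come from the gateway's own knowledge of which terminal is asking, never from anything the user types; if a client could name its own space, the presence check would no longer bind the password to the room in which the seal was read.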

Claims (2)

1, the method for the discriminating user identity of soft in a kind of specialized network, combination of hardware, it is characterized in that introducing that onsite user's hardware indicates number and site space indicates number, user identity validity is differentiated, and generate the current password of a software at random by system, send to site space, to user's hardware seal, and the validity of the user identity of working in the space of identification that this system manages is discerned; It is correct that the user returns password, and then system is according to open its accessed resources content that allows of user's authority decision;
After the user withdrawed from from system login, the password of this granting ceased to be in force automatically;
After the user withdrawed from from the scene, space, the destination address at this scene, space lost efficacy, and was recorded into database.
2, the system of the discriminating user identity of soft in a kind of specialized network, combination of hardware, it is characterized in that it comprises three parts: controlled scene, control centre and network center, wherein, controlled scene comprises that record shows display device (3), onsite user's access terminal equipment (4) of pseudorandom cipher with the hardware seal (1) of sign, the fetch equipment (2) that reads the seal user ID, scene; Control centre comprises that the sign that will read is sent to the computer equipment (6) of the equipment of computer network (5), generation pseudorandom cipher, the gateway device (7) that native system links to each other with computer network; Network center comprises computer network (9) and resource database (10); Fetch equipment (2) is connected with the transfer equipment (5) of control centre, and the computer equipment (6) of the generation pseudorandom cipher of control centre is connected with gateway device (7) and the on-the-spot display device (3) of pseudorandom cipher that shows; Onsite user's access terminal equipment (4) is connected with the gateway device (7) of control centre; Network center is connected with each module of control centre.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200410017823 CN1564507A (en) 2004-04-22 2004-04-22 Distinguishing method and system combined information security software, hardware with user's status of enterprise

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200410017823 CN1564507A (en) 2004-04-22 2004-04-22 Distinguishing method and system combined information security software, hardware with user's status of enterprise

Publications (1)

Publication Number Publication Date
CN1564507A true CN1564507A (en) 2005-01-12

Family

ID=34479175

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200410017823 Pending CN1564507A (en) 2004-04-22 2004-04-22 Distinguishing method and system combined information security software, hardware with user's status of enterprise

Country Status (1)

Country Link
CN (1) CN1564507A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101635730B (en) * 2009-08-28 2012-05-02 深圳市永达电子股份有限公司 Method and system for safe management of internal network information of small and medium-sized enterprises
CN102238688A (en) * 2010-04-26 2011-11-09 大唐移动通信设备有限公司 Method based on user identity information access control and apparatus thereof
CN105913533A (en) * 2016-06-25 2016-08-31 浙江中烟工业有限责任公司 Intelligent door safety control method and intelligent door safety control system
CN105913533B (en) * 2016-06-25 2018-06-05 浙江中烟工业有限责任公司 Intelligent door method of controlling security and system


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication