CN209882108U - Device for mobile phone terminal to safely access information network - Google Patents


Info

Publication number
CN209882108U
Authority
CN
China
Prior art keywords
mobile phone
phone terminal
information
network
terminal
Legal status
Active
Application number
CN201920324769.7U
Other languages
Chinese (zh)
Inventor
欧阳甸
刘衍斐
赵荣辉
周昕
李勇
徐乐
张春慧
Current Assignee
First Research Institute of Ministry of Public Security
Original Assignee
First Research Institute of Ministry of Public Security
Events
  • Application filed by First Research Institute of Ministry of Public Security
  • Priority to CN201920324769.7U
  • Application granted
  • Publication of CN209882108U

Landscapes

  • Telephonic Communication Services (AREA)
  • Telephone Function (AREA)

Abstract

The utility model discloses a device for securely connecting a mobile phone terminal to an information network. The device comprises a mobile phone terminal cryptographic module, a mobile phone terminal client, a mobile phone terminal, a network controller and an information verification system. The cryptographic module generates digital signatures and the information needed to verify them according to the type of cryptographic module the user has selected, and provides the user's digital certificate. The client collects mobile phone terminal verification information from the terminal and from the cryptographic module, and sends the signed verification information to the network controller. The network controller verifies the signature on the verification information sent by the client and then checks the verified information against the data stored in the information verification system. The device enables secure, efficient and flexible access of the mobile phone terminal to the information network.

Description

Device for mobile phone terminal to safely access information network
Technical Field
The utility model relates to a device for securely connecting a mobile phone terminal to an information network, and belongs to the technical field of network security.
Background
Information networks typically require a user's identity to be authenticated before a service is provided, and may also require cryptographic protection of the subsequent communication, so that only legitimate users can use the relevant resources, services or functions. Digital certificates are a common security mechanism for this problem: a digital certificate bound to the user, combined with a PKI system, VPN technology and the like, simplifies use for the user and strengthens identity authentication.
Mobile phone terminals obtain many kinds of data resources and services through the information network; the number of accesses and the volume of data exchanged are both large. Information networks therefore have an urgent need for mobile phone terminal access that is secure, reliable and convenient.
The identity verification method mainly used for terminal security at present collects terminal characteristic information (USBKEY serial number, digital certificate serial number, mobile terminal serial number and user fingerprint features) and uploads it to a secure access gateway over an encrypted channel; the gateway verifies the integrity and validity of the terminal characteristic information and decides from the result whether the terminal may access the protected server.
As shown in Fig. 1, the conventional procedure for a mobile terminal to access an information network consists of the following steps: first, an encrypted channel is established: the client invokes the USBKEY and the digital certificate stored in it, and completes certificate-based mutual authentication and negotiation of an encrypted channel based on the SM1 algorithm according to the SSL VPN protocol; second, the client collects the user's fingerprint features; third, the client collects terminal characteristic information, including the USBKEY serial number, digital certificate serial number and mobile terminal serial number; finally, the client uploads the fingerprint features and the terminal characteristic information to the secure access gateway, which looks up one item of the terminal characteristic information in its database and judges whether it is legitimate. If it is not, the terminal is blocked from accessing the network server; if it is, the terminal may access the network server.
However, the existing technology for connecting a terminal to a server on the information network has the following disadvantages:
1) the USBKEY cryptographic module is only suitable for terminals with a USB interface, such as dedicated mobile terminals or notebook computers, and not for mobile phone terminals, which cannot use USBKEY-type cryptographic modules;
2) when terminal characteristic information is collected and sent, only the serial number of the digital certificate is sent, and it is sent without a digital signature, which is a security risk;
3) the validity of the digital certificate is not queried in real time, so a terminal certificate that has expired or been revoked can still be used to enter the information network;
4) a fingerprint is used for user identity authentication, and fingerprints are easy to forge: a user's fingerprint can be captured with a mold of the finger and then replayed, creating a security risk.
Disclosure of Invention
The technical problem to be solved by the utility model is to provide a device that implements a method for a mobile phone terminal to securely access an information network.
To achieve this, the utility model adopts the following technical solution:
a device for a mobile phone terminal to securely access an information network comprises a mobile phone terminal cryptographic module, a mobile phone terminal client, a mobile phone terminal, a network controller and an information verification system;
the mobile phone terminal cryptographic module generates digital signatures and the information required for signature verification according to the type of cryptographic module selected by the user, and provides the user's digital certificate;
the mobile phone terminal client obtains mobile phone terminal verification information from the mobile phone terminal and from the cryptographic module respectively, and sends the signed verification information to the network controller;
the network controller verifies the signature on the verification information sent by the client, and then checks the verified information against the information stored in the information verification system.
Preferably, the mobile phone terminal cryptographic module is one or more of an external TF card, an inSE, a TEE and a film card (a thin-film smart card attached to the SIM).
Preferably, the cryptographic module and the client are arranged either independently or inside the mobile phone terminal.
Preferably, when the cryptographic module and the client are arranged inside the mobile phone terminal, the mobile phone terminal is a device equipped with a camera for capturing face images that runs both the cryptographic module and the client.
Preferably, the information verification system comprises a portrait data system, a terminal management and control system and a certificate directory service;
the portrait data system imports the portrait information of legitimate users to provide a portrait information white list;
the terminal management and control system establishes secure communication with the network controller and imports the IMEI numbers of legitimate mobile phone terminals to provide an IMEI number white list;
the certificate directory service synchronises the digital certificate data of the PKI system and provides a real-time query interface for the validity of user digital certificates.
Preferably, the network controller checks the signature-verified mobile phone terminal verification information against the information verification system as follows: the portrait information of the user of the mobile phone terminal and the IMEI number of the terminal are sent to the network controller, which compares them with the portrait information white list and the IMEI number white list respectively.
Preferably, sending the portrait information of the user of the mobile phone terminal to the network controller and comparing it with the portrait information white list comprises the following steps:
capturing the portrait information of the user using the mobile phone terminal and signing it;
sending the signed portrait information to the network controller;
the network controller verifies the signature on the portrait information and, by querying the portrait information white list, checks whether the party requesting access is a genuine user of the mobile phone terminal; if the portrait information is in the white list, the request comes from a genuine user of the mobile phone terminal; otherwise the terminal's network access is stopped.
Preferably, sending the IMEI number of the mobile phone terminal to the network controller and comparing it with the IMEI number white list comprises the following steps:
the mobile phone terminal client reads the terminal's IMEI number and signs it;
the client sends the signed IMEI number to the network controller over a wireless transmission link;
the network controller verifies the signature on the IMEI number and checks whether the terminal's access is legitimate by querying the IMEI number white list of the terminal management and control system. If it is legitimate, the next step follows; if not, the terminal's network access is stopped.
Preferably, checking the signature-verified mobile phone terminal verification information against the information verification system further comprises sending the obtained user digital certificate to the network controller and querying the validity of the certificate through the certificate directory service.
Preferably, the network controller additionally imports a one-to-one legitimacy mapping table built from the user, the mobile phone terminal and the user digital certificate, and uses it to verify the correspondence between the user requesting access, the mobile phone terminal and the user digital certificate.
The device provided by the utility model confirms the user's real identity by portrait recognition and face comparison; prevents the mobile phone terminal from being impersonated or forged by confirming its IMEI number; allows different cryptographic modules (TF card, inSE, TEE and film card) to be used according to the phone model and the user, locating the cryptographic module automatically, reading the user digital certificate from whichever module is present and querying its validity in real time, so that terminal authentication is more secure, more reliable and current; and finally, by establishing a one-to-one binding of man/machine/certificate, prevents the user, terminal, security module or application service from being impersonated or forged and avoids cases where a certificate has been issued to an illegitimate user or is not effectively associated with its user. This raises the assurance that a valid, real user is using a legitimate mobile phone to enter the information network, reduces risks such as fraudulent use of a mobile phone terminal, and enables secure, efficient and flexible access of the mobile phone terminal to the information network.
Drawings
Fig. 1 is a flowchart of a prior-art terminal securely accessing an information network server;
Fig. 2 is a schematic structural diagram of the device for a mobile phone terminal to securely access an information network provided by the utility model;
Fig. 3 is a flowchart of the method for a mobile phone terminal to securely access an information network provided by the utility model;
Fig. 4 is a flowchart of the method for a mobile phone terminal to securely access an information network in Embodiment 1 provided by the utility model;
Fig. 5 is a flowchart of the method for a mobile phone terminal to securely access an information network in Embodiment 2 provided by the utility model.
Detailed Description
The technical content of the present invention will be described in detail with reference to the accompanying drawings and specific embodiments.
In order to solve the defects of the method and the device for accessing the existing terminal into the information network, the utility model provides a method and a device for safely accessing the mobile phone terminal into the information network, which comprehensively utilize personnel verification-portrait identification and face comparison verification, terminal authentication-IMEI number validity, certificate authentication-to obtain the user digital certificates of the cryptographic modules of different user terminals and inquire validity in real time, and further to correspondingly bind the people/machine/certificates. The method specifically comprises the following advantages:
firstly, the real identity of a user can be confirmed by portrait recognition and face comparison verification; secondly, the IMEI (International Mobile Equipment Identity) number is the unique identifier of the Mobile phone terminal, is the "Identity card" of the Mobile phone terminal, and cannot be falsified; thirdly, according to different models and different users, the mobile phone can use different cryptographic modules, including TF card, inSE (internal Security Element), TEE (trusted Environment) and film-attached card, and needs to automatically search the cryptographic modules, read the user digital certificates of various cryptographic modules and inquire validity in real time, so that the mobile phone terminal authentication is safer and more reliable and has real-time performance; fourthly, a one-to-one corresponding binding relationship of the man/machine/certificate is established, so that the phenomena that the user, the terminal, the security module or the application service is falsified and falsified, the certificate is issued to an illegal user or the certificate is not effectively associated with the user and the like can be avoided, the security that the valid and real user uses a valid mobile phone to enter an information network is ensured, and the possibility of potential safety hazards such as the imposition of the mobile phone terminal and the like is reduced. Therefore, the utility model provides a method and device for mobile phone terminal safety access information network can realize mobile phone terminal safety, high efficiency, nimble access information network.
As shown in FIG. 2, the utility model provides a device for mobile phone terminal safety access information network, including mobile phone terminal password module, mobile phone terminal customer end, mobile phone terminal, network controller and information verification system. The mobile phone terminal password module is used for generating a digital signature and information required by signature verification according to the terminal password module type selected by the user and providing a user digital certificate. Specifically, the mobile phone terminal cryptographic module provides secure storage of information such as key generation, certificate request assembly, digital signature, signature verification, encryption and decryption, keys and user digital certificates. In the embodiment provided by the utility model, mobile phone terminal password module includes: the security module of external TF card, inSE, TEE, pad pasting card, etc. and the cipher module realized by integrating the above various modes; namely, the mobile phone terminal cryptographic module can be one of an external TF card, inSE, TEE and a film sticking card, or a combination of multiple kinds of external TF cards, inSE, TEE and film sticking cards. The inSE and the terminal SoC main chip are integrated, so that physical connecting lines among external chips are reduced, physical isolation is performed from the bottom layer of the chip, and meanwhile, sufficient performance and storage space are guaranteed. Can be used as a hardware password module in a moving scene; the TEE is a trusted execution environment that can guarantee computations that are not disturbed by conventional operating systems and can be used as a software cryptographic module in mobile police.
The mobile phone terminal client is used for respectively obtaining mobile phone terminal verification information from the mobile phone terminal and the mobile phone terminal password module and sending the signed mobile phone terminal verification information to the network controller. The utility model provides an in the embodiment, mobile phone terminal customer end can decide whether to sign to the data of acquireing according to the safety transmission needs, when need not signing to data, mobile phone terminal customer end can be the terminal equipment who realizes data acquisition and send wantonly, like pc machine, cell-phone etc.. The mobile phone terminal verification information comprises portrait information (user face image information), mobile phone terminal IMEI number information and a user digital certificate of a mobile phone terminal password module. Specifically, the mobile phone terminal client calls the mobile phone terminal password module, obtains information required by signature from the mobile phone terminal password module according to the type of the terminal password module, signs the verification information of the mobile phone terminal, establishes safe communication connection with the network controller, and sends the signed portrait information, IMEI number information and user digital certificate to the network controller through a wireless transmission link.
The mobile phone terminal password module and the mobile phone terminal client can be independently arranged or can be arranged in the mobile phone terminal, and when the mobile phone terminal password module and the mobile phone terminal client are arranged at the mobile phone terminal, as shown in fig. 3, the mobile phone terminal is a terminal device which is provided with a camera for collecting face information, and operates the mobile phone terminal password module and the mobile phone terminal client. The mobile phone terminal communicates with the information network through a wireless special transmission link. The utility model provides an in the embodiment, all explain at the cell-phone terminal as the example with cell-phone terminal password module and the setting of cell-phone terminal customer end.
The network controller is used for checking the mobile phone terminal verification information sent by the mobile phone terminal client, verifying the checked mobile phone terminal verification information according to the information stored in the information verification system, and allowing the mobile phone terminal to access the information network when the verification is passed; otherwise, the access is refused. The information verification system comprises a portrait data system, a terminal management and control system and a certificate directory service. The portrait data system establishes secure communication with the network controller, and is used for importing the portrait information of a legal user to provide a legal portrait information white list and provide a portrait information validity query structure. The terminal management and control system establishes safe communication with the network controller, and is used for importing a legal IMEI number of the mobile phone terminal to provide a legal IMEI number white list and providing an IMEI number legality query structure. The certificate directory service establishes secure communication with the network controller for synchronizing the digital certificate data of the PKI system, and provides a digital certificate validity real-time query interface, so that not only the correctness of the digital certificate is verified, but also the validity of the data certificate is verified. The utility model provides an in the embodiment, still lead in user, cell-phone terminal, user digital certificate among the network controller and establish the legitimacy mapping table of one-to-one for the corresponding relation to the user, cell-phone terminal and the user digital certificate of requesting the access verifies.
Specifically, the network controller is in secure communication with the mobile phone terminal client, performs signature verification on mobile phone terminal verification information sent by the mobile phone terminal client, communicates with the portrait data system to verify the real identity of a user, communicates with the terminal management and control system to verify the validity of the IMEI (international mobile equipment identity) of the mobile phone terminal, communicates with the certificate directory service to inquire the validity of a digital certificate in real time, and imports the corresponding binding relationship of a man/machine/certificate in advance and verifies the information. When the verification is passed, allowing the mobile phone terminal to access the information network; otherwise, the access is refused.
In the embodiment provided by the utility model, software does not constitute the contribution to prior art, and what only adopted is conventional data processing method, the utility model discloses aim at protecting the relation of connection of hardware to and the collaborative work process between client, server, cell-phone terminal and the encryption chip.
Fig. 2 is a flowchart of a method for a mobile phone terminal to securely access an information network, which is implemented based on the above system, and specifically includes the following steps:
and S1, importing the user information allowed to access and the mobile phone terminal information into an information verification system, and generating an information verification white list. The information verification system can be any server which has an information storage and can provide an information inquiry structure.
Specifically, the method for generating the information verification white list by importing the user information allowed to access and the mobile phone terminal information into the information verification system comprises the following steps:
s11, pre-importing the portrait information of the legal user allowed to access into a portrait data system deployed in an information network, and establishing a portrait information white list;
s12, pre-importing the IMEI number information of the authorized valid mobile phone terminal to a terminal management and control system deployed in an information network, and establishing an IMEI number white list (validity list).
Wherein, in the embodiment provided by the utility model, the leading-in portrait information in advance, IMEI number information do not have precedence.
S2, constructing a one-to-one corresponding legality mapping table by the user, the mobile phone terminal and the user digital certificate, and pre-importing the legality mapping table into the network controller. The network controller can be any network control server with signature checking, storing and comparing functions, is deployed at an information network entrance and can establish HTTPS connection with a mobile phone terminal.
S3, the mobile phone terminal client obtains the user information and the mobile phone terminal information applying for access, compares the user information and the mobile phone terminal information applying for access with the information in the generated information verification white list, and turns to the step S4 when the user information and the mobile phone terminal information applying for access exist in the information verification white list; otherwise, access is denied.
Specifically, the mobile phone terminal client acquires user information and mobile phone terminal information which are applied for access, and compares the user information and the mobile phone terminal information which are applied for access with information in the generated information verification white list, the method comprises the steps of sending the acquired portrait information of the mobile phone terminal user and the IMEI number information of the mobile phone terminal to a network controller, and the network controller compares the acquired portrait information of the mobile phone terminal user and the IMEI number information of the mobile phone terminal with information in the information verification white list respectively.
The method specifically comprises the following steps that the obtained portrait information of the mobile phone terminal user is sent to a network controller, and the network controller compares the obtained portrait information of the mobile phone terminal user with information in an information verification white list:
the method comprises the steps that a mobile phone terminal client acquires portrait information of a user using a mobile phone terminal, and the portrait information is signed in order to prevent the information from being illegally acquired and tampered;
the mobile phone terminal client establishes a secure communication connection with the network controller, and sends the signed portrait information to the network controller through a wireless transmission link in order to prevent the information from being illegally acquired and tampered;
and the network controller checks the label of the portrait information and verifies whether the user is a real user using the mobile phone terminal by inquiring a portrait information white list of the portrait data system. If yes, continuing the next step; if not, stopping the network access of the mobile phone terminal.
Sending the obtained IMEI number information of the mobile phone terminal to a network controller, and comparing the obtained IMEI number information of the mobile phone terminal with information in an information verification white list by the network controller, wherein the method specifically comprises the following steps:
a mobile phone terminal client reads the IMEI number information of the terminal and signs the information;
the mobile phone terminal client sends the signed IMEI number information to the network controller through a wireless transmission link;
and the network controller checks the IMEI number information and verifies whether the access of the mobile phone terminal is legal or not by inquiring an IMEI number white list of a terminal management and control system. If the result is legal, continuing the next step; and if the mobile phone terminal is illegal, stopping the network access of the mobile phone terminal.
In the embodiment provided by the utility model, when the information verification white list has the user information and the mobile phone terminal information which are applied for access, before the user, the mobile phone terminal and the user digital certificate which are applied for access are compared with the pre-imported legality mapping table; also comprises the following steps:
the acquired user digital certificate is sent to a network controller, and the network controller inquires the validity of the user digital certificate through a certificate directory service; the method specifically comprises the following steps: the mobile phone terminal client identifies the type of a password module of the mobile phone terminal client;
the mobile phone terminal client reads the user digital certificate through the password module;
the mobile phone terminal client signs the user digital certificate; the mobile phone terminal client sends the signed user digital certificate to a network controller through a wireless transmission link;
the network controller checks the signed user digital certificate;
the network controller queries the validity of the user's digital certificate in real time through the certificate directory service. If the user digital certificate is valid, the next step of verification is carried out, otherwise, the network access is stopped. The real-time inquiry of the validity of the user digital certificate through the certificate directory service is to obtain an interface for inquiring a valid digital certificate through a certificate directory server synchronization PKI (Public key infrastructure) system data certificate data deployed in an information network.
S4, comparing the user, the mobile phone terminal and the user digital certificate of the access request with the pre-imported legality mapping table; if they are consistent, the mobile phone terminal is allowed to access the information network; if not, access is denied.
Specifically, the network controller compares the user, the mobile phone terminal and the user digital certificate of the current access link with the pre-imported legality mapping table. If they are consistent, the mobile phone terminal is allowed to access the information network; otherwise, the network access of the mobile phone terminal is stopped.
In the embodiment provided by the present invention, the method further comprises the following step:
S5, after the mobile phone terminal has accessed the information network, the IMEI number and the user digital certificate of the accessing terminal are verified cyclically; when the user digital certificate becomes invalid or the IMEI number is removed from the white list, the network connection is stopped promptly to ensure security.
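The controller-side decision that S1 to S5 describe (and that both embodiments below repeat, differing only in whether the password module is an inSE or a TF card) is a fixed sequence of checks, every one of which must pass. The following is an added example written for this page, not code from the utility model or its applicant. It departs from the page in three labelled ways: the client signs one submission carrying all three items (portrait result, IMEI, certificate serial) instead of signing and sending each item separately; a controller-issued nonce is included, which the page does not describe, so that a captured submission cannot be replayed; and ECDSA P-256 from the Go standard library stands in for SM2. The certificate directory is reduced to a map from serial number to the public key of a currently valid certificate, and the portrait white list to a user identifier that the face-recognition step is assumed to resolve; the user ID, IMEI, serial number and nonces are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Submission is what the mobile phone terminal client sends over the HTTPS
// link: the three verification items and one signature covering all of them.
// The nonce is an addition of this example (the page describes none).
type Submission struct {
	UserID string `json:"user_id"` // user resolved by the face-recognition step (assumed encoding)
	IMEI   string `json:"imei"`
	CertSN string `json:"cert_sn"` // serial number of the user digital certificate
	Nonce  string `json:"nonce"`
	Sig    []byte `json:"sig"`
}

// Controller is the network controller together with what it can look up:
// the portrait white list, the IMEI white list, the certificate directory
// (serial -> public key of a currently valid certificate, nil when invalid)
// and the legality mapping table user -> (IMEI, certificate serial).
type Controller struct {
	UserWhitelist map[string]bool
	IMEIWhitelist map[string]bool
	ValidCerts    map[string]*ecdsa.PublicKey
	Mapping       map[string][2]string
	Nonces        map[string]bool // issued by the controller and not yet consumed
}

// digest hashes every field except the signature itself.
func digest(s Submission) []byte {
	s.Sig = nil
	b, _ := json.Marshal(s) // cannot fail for this plain struct
	h := sha256.Sum256(b)
	return h[:]
}

// Sign is the client side: the page signs with SM2 inside the password
// module; ECDSA P-256 stands in here.
func Sign(s *Submission, key *ecdsa.PrivateKey) (err error) {
	s.Sig, err = ecdsa.SignASN1(rand.Reader, key, digest(*s))
	return err
}

// Admit runs the controller's checks and returns nil only when all pass.
// The certificate lookup comes first because its public key is needed to
// verify the signature over the other items.
func (c *Controller) Admit(s Submission) error {
	if !c.Nonces[s.Nonce] {
		return errors.New("unknown or already used nonce")
	}
	delete(c.Nonces, s.Nonce) // single use, even if a later check fails
	pub := c.ValidCerts[s.CertSN]
	if pub == nil {
		return errors.New("certificate directory: certificate not valid")
	}
	if !ecdsa.VerifyASN1(pub, digest(s), s.Sig) {
		return errors.New("signature verification failed")
	}
	if !c.UserWhitelist[s.UserID] {
		return errors.New("user not in portrait white list")
	}
	if !c.IMEIWhitelist[s.IMEI] {
		return errors.New("IMEI not in white list")
	}
	if want, ok := c.Mapping[s.UserID]; !ok || want != [2]string{s.IMEI, s.CertSN} {
		return errors.New("user/terminal/certificate triple not in legality mapping table")
	}
	return nil
}

// Recheck is S5 for an admitted session: the certificate must still be valid
// and the IMEI still listed; false means the connection has to be dropped.
func (c *Controller) Recheck(s Submission) bool {
	return c.ValidCerts[s.CertSN] != nil && c.IMEIWhitelist[s.IMEI]
}

// NewDemoController builds a controller whose lists hold exactly one
// legitimate user/terminal/certificate triple (all values constructed).
func NewDemoController() (*Controller, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Controller{
		UserWhitelist: map[string]bool{"user-0001": true},
		IMEIWhitelist: map[string]bool{"490154203237518": true},
		ValidCerts:    map[string]*ecdsa.PublicKey{"1001": &key.PublicKey},
		Mapping:       map[string][2]string{"user-0001": {"490154203237518", "1001"}},
		Nonces:        map[string]bool{"n1": true, "n2": true},
	}, key
}

func main() {
	c, key := NewDemoController()
	s := Submission{UserID: "user-0001", IMEI: "490154203237518", CertSN: "1001", Nonce: "n1"}
	if err := Sign(&s, key); err != nil {
		panic(err)
	}
	fmt.Println("first attempt:", c.Admit(s))
	fmt.Println("replay of same submission:", c.Admit(s))
	c.ValidCerts["1001"] = nil // certificate revoked in the PKI after admission
	fmt.Println("session still allowed:", c.Recheck(s))
}
```

Two points worth keeping in mind when reading the page's procedure against this code. The signature proves that the private key held in the password module was used; it does not make the IMEI or the portrait result any more trustworthy than the client that read them, so the mapping-table comparison in S4 is the step that actually binds user, device and key together. And because a certificate can be revoked after admission, `Recheck` consults the same sources as `Admit` rather than any state cached at admission time.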
The method for a mobile phone terminal to securely access an information network is described in detail below through two specific embodiments.
Example 1
In embodiment 1 provided by the present invention, the password module (cryptographic module) of the mobile phone terminal is an inSE, a security chip built into the terminal. The device and environment configuration of embodiment 1 is as follows:
1) a complete information network environment;
2) a mobile phone terminal with the password module inSE built into the terminal; the user digital certificate has been obtained and written into the inSE; the mobile phone terminal network control APP is installed; the terminal has mobile wireless network data communication capability and is equipped with a front camera;
3) a network control server deployed at the entrance of the information network, able to establish HTTPS connections with the mobile phone terminal and having signing and signature verification capability;
4) a portrait data server deployed in the information network, into which the portrait information of legal users is imported in advance, providing an interface for querying the portrait information of legal users;
5) a terminal management and control server deployed in the information network, into which the IMEI numbers of legal mobile phone terminals are imported in advance, providing an interface for querying legal IMEI numbers;
6) a certificate directory server deployed in the information network, which synchronizes the digital certificate data of the PKI system and provides an interface for querying valid digital certificates.
As shown in fig. 4, in embodiment 1, the method for a mobile phone terminal to safely access an information network provided by the present invention specifically includes the following steps:
the administrator imports the portrait information of legal users (i.e., users allowed to access the information network) into the portrait data server deployed in the information network in advance, establishing a portrait information white list;
the administrator imports the IMEI number information of legal mobile phone terminals (i.e., the IMEI numbers of mobile phone terminals allowed to access the information network) into the terminal management and control server deployed in the information network in advance, establishing an IMEI number white list (legal list);
the administrator constructs a one-to-one legality mapping table between user, mobile phone terminal and user digital certificate, and imports it into the network control server in advance;
the mobile phone terminal network control APP prompts the user of the mobile phone terminal to perform face recognition; after the user's face information is obtained, it is signed with the SM2 national cryptographic algorithm;
the mobile phone terminal network control APP establishes an HTTPS secure access connection with the network control server and sends the signed portrait information to the network control server through the wireless transmission link;
the network control server verifies the signature on the portrait information and checks whether the user is a genuine mobile phone terminal user by querying the portrait information white list of the portrait data server; if so, the next step continues; if not, the network access of the mobile phone terminal is stopped;
the mobile phone terminal network control APP reads the IMEI number information of the terminal and signs it with the SM2 national cryptographic algorithm;
the mobile phone terminal network control APP sends the signed IMEI number information to the network control server through the wireless transmission link;
the network control server verifies the signature on the IMEI number information and checks whether the mobile phone terminal is permitted to access by querying the white list of legal IMEI numbers of the terminal management and control server; if so, the next step continues; if not, the network access of the mobile phone terminal is stopped;
the mobile phone terminal network control APP identifies the type of its password module as inSE;
the mobile phone terminal network control APP reads the user digital certificate through the password module inSE;
the mobile phone terminal network control APP signs the user digital certificate with the SM2 national cryptographic algorithm and sends the signed user digital certificate to the network control server through the wireless transmission link;
the network control server verifies the signature on the user digital certificate;
the network control server queries the validity of the user digital certificate in real time through the certificate directory server; if the user digital certificate is valid, verification proceeds to the next step; otherwise, network access is stopped;
the network control server compares the user, the mobile phone terminal and the user digital certificate of the current access link with the pre-imported legality mapping table; if they are consistent, the mobile phone terminal is allowed to access the information network; otherwise, the network access of the mobile phone terminal is stopped.
In embodiment 1 provided by the utility model, after the mobile phone terminal has accessed the information network, the IMEI number and the user digital certificate of the accessing terminal are verified cyclically; when the user digital certificate becomes invalid or the IMEI number is removed from the white list, the network connection is stopped promptly to ensure security.
Example 2
In embodiment 2 provided by the present invention, the password module of the mobile phone terminal is a TF card. The device and environment configuration of embodiment 2 is as follows:
1) a complete information network environment;
2) a mobile phone terminal with a TF card slot into which a password module TF card is inserted; the user digital certificate has been obtained and written into the TF card; the mobile phone terminal network control APP is installed; the terminal has mobile wireless network data communication capability and is equipped with a front camera;
3) a network control server deployed at the entrance of the information network, able to establish HTTPS connections with the mobile phone terminal and having signing and signature verification capability;
4) in the private cloud of the information network, three virtual cloud hosts are created to deploy the portrait data server, the terminal management and control server and the certificate directory server in the cloud; they are denoted the portrait data cloud host, the terminal management and control cloud host and the certificate directory cloud host, and run the portrait data system module, the terminal management and control system module and the certificate directory service module respectively. The portrait data cloud host has the portrait information of legal users imported in advance and provides an interface for querying it; the terminal management and control cloud host has the IMEI numbers of legal mobile phone terminals imported in advance and provides an interface for querying legal IMEI numbers; the certificate directory cloud host synchronizes the digital certificate data of the PKI system and provides an interface for querying valid digital certificates. The three cloud hosts are provided with a network communication environment.
As shown in fig. 5, in embodiment 2, the method for a mobile phone terminal to safely access an information network provided by the present invention specifically includes the following steps:
the administrator imports the portrait information of legal users into the portrait data cloud host deployed in the information network in advance, establishing a portrait information white list;
the administrator imports the IMEI number information of legal mobile phone terminals into the terminal management and control cloud host deployed in the information network in advance, establishing an IMEI number white list (legal list);
the administrator constructs a one-to-one legality mapping table between user, mobile phone terminal and user digital certificate, and imports it into the network control server in advance;
the mobile phone terminal network control APP prompts the user of the mobile phone terminal to perform face recognition; after the user's face information is obtained, it is signed with the SM2 national cryptographic algorithm;
the mobile phone terminal network control APP establishes an HTTPS secure access connection with the network control server and sends the signed portrait information to the network control server through the wireless transmission link;
the network control server verifies the signature on the portrait information and checks whether the user is a genuine mobile phone terminal user by querying the portrait information white list of the portrait data cloud host; if so, the next step continues; if not, the network access of the mobile phone terminal is stopped;
the mobile phone terminal network control APP reads the IMEI number information of the terminal and signs it with the SM2 national cryptographic algorithm;
the mobile phone terminal network control APP sends the signed IMEI number information to the network control server through the wireless transmission link;
the network control server verifies the signature on the IMEI number information and checks whether the mobile phone terminal is permitted to access by querying the white list of legal IMEI numbers of the terminal management and control cloud host; if so, the next step continues; if not, the network access of the mobile phone terminal is stopped;
the mobile phone terminal network control APP identifies the type of its password module as a TF card;
the mobile phone terminal network control APP reads the user digital certificate through the TF card;
the mobile phone terminal network control APP signs the user digital certificate with the SM2 national cryptographic algorithm and sends the signed user digital certificate to the network control server through the wireless transmission link;
the network control server verifies the signature on the user digital certificate;
the network control server queries the validity of the user digital certificate in real time through the certificate directory cloud host; if the user digital certificate is valid, verification proceeds to the next step; otherwise, network access is stopped;
the network control server compares the user, the mobile phone terminal and the user digital certificate of the current access link with the pre-imported legality mapping table; if they are consistent, the mobile phone terminal is allowed to access the information network; otherwise, the network access of the mobile phone terminal is stopped.
In embodiment 2 provided by the utility model, after the mobile phone terminal has accessed the information network, the IMEI number and the user digital certificate of the accessing terminal are verified cyclically; when the user digital certificate becomes invalid or the IMEI number is removed from the white list, the network connection is stopped promptly to ensure security.
The device for a mobile phone terminal to securely access an information network provided by the present invention has been described in detail above. Any obvious modification of the above made by a person of ordinary skill in the art without departing from the spirit of the present invention constitutes an infringement of the patent rights of the present invention and bears the corresponding legal responsibility.

Claims (6)

1. A device for a mobile phone terminal to safely access an information network, characterized by comprising a mobile phone terminal password module, a mobile phone terminal client, a mobile phone terminal, a network controller and an information verification system;
the mobile phone terminal password module is used for generating the digital signature and the information required for signature verification according to the type of terminal password module selected by the user, and for providing the user digital certificate;
the mobile phone terminal client is used for acquiring mobile phone terminal verification information from the mobile phone terminal and from the mobile phone terminal password module respectively, and for sending the signed mobile phone terminal verification information to the network controller;
the network controller is used for verifying the signature on the mobile phone terminal verification information sent by the mobile phone terminal client, and for verifying the signature-checked mobile phone terminal verification information against the information stored in the information verification system.
2. The device for a mobile phone terminal to safely access an information network according to claim 1, characterized in that:
the mobile phone terminal password module is one or more of an external TF card, a built-in security chip, a trusted execution environment and a film card.
3. The device for a mobile phone terminal to safely access an information network according to claim 2, characterized in that:
the built-in security chip is packaged together with the terminal's SoC main chip, is physically isolated at the chip level, and is used as the hardware cryptographic module for mobile police service.
4. The device for a mobile phone terminal to safely access an information network according to claim 1, characterized in that:
the mobile phone terminal password module and the mobile phone terminal client are arranged either independently of the mobile phone terminal or within it.
5. The device for a mobile phone terminal to safely access an information network according to claim 4, characterized in that:
when the mobile phone terminal password module and the mobile phone terminal client are arranged within the mobile phone terminal, the mobile phone terminal is a terminal device that is equipped with a camera for collecting face information and runs the mobile phone terminal password module and the mobile phone terminal client.
6. The device for a mobile phone terminal to safely access an information network according to claim 1, characterized in that:
the mobile phone terminal communicates with the information network through a dedicated wireless transmission link.
CN201920324769.7U 2019-03-14 2019-03-14 Device for mobile phone terminal to safely access information network Active CN209882108U (en)

Publications (1)

Publication Number Publication Date
CN209882108U true CN209882108U (en) 2019-12-31

Family

ID=68955543

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109874141A * 2019-03-14 2019-06-11 公安部第一研究所 A kind of method and device of mobile phone terminal secure accessing information network
CN112105020A * 2020-08-31 2020-12-18 上海方付通商务服务有限公司 Cloud SDK system of film sticking card and operation method thereof
CN112105020B * 2020-08-31 2024-02-20 上海方付通科技服务股份有限公司 Cloud SDK system of film sticking card and operation method thereof


Legal Events

Date Code Title Description
GR01 Patent grant