CN101132281A - Network security authentication system for preventing key from stealing - Google Patents


Info

Publication number
CN101132281A
Authority
CN
China
Prior art keywords
key
token
service end
user
security mechanism
Legal status
Pending
Application number
CNA2007100303061A
Other languages
Chinese (zh)
Inventor
刘亚梅
Current Assignee
Individual
Original Assignee
Individual

Landscapes

  • Storage Device Security (AREA)

Abstract

This invention provides a network security authentication system for preventing the theft of cryptographic keys. It comprises a server side and a user terminal; the server side authenticates the user's cryptographic key held by the terminal. The terminal is provided with a token that stores the key, and the token is provided with a security mechanism ensuring that the key is not stolen during storage or transmission. By storing the user's key in a token and applying a security method during key initialization, key storage, and the data transmission of the identity authentication process, the system stops the long-standing problem of account password theft in Internet services and guarantees the security of the network identity authentication system.

Description

A network security authentication system that prevents key theft
Technical field
The invention belongs to the field of network identity authentication security, and in particular relates to an authentication system that prevents keys from being stolen.
Technical background
At present, theft of users' account passwords on the Internet is very common, which leaves user authentication with serious hidden dangers.
Various methods have been tried to reduce this hazard, but the results are still not very satisfactory.
In the process of authenticating a network user's identity, the user's key must be kept in a safe place that is difficult for anyone but the user to access. The primary problem is that the user's computer is quite likely to be infected by a virus, so storing the key directly on the user's computer is not feasible. Even under strong encryption, a virus can monitor the user's decryption process while the key is in storage and easily obtain the original key.
Solutions now exist that keep the key on a special component, the "token". Tokens have many implementations, and every scheme has to balance a number of practical factors. Apart from security, the most important are cost and convenience of use. A scheme that considers security in isolation from reality ends up looking good but being of no practical use. The various schemes fall roughly into two classes:
Dedicated hardware. The key is stored on special hardware that does as much as possible to avoid leaking the key: for example, the software part is fixed in the hardware, communication with the outside world is restricted, and a virus cannot infect it. The advantage of a hardware implementation is that it can be made very safe, but the cost increases a lot. Because token hardware has to be manufactured, even a token that performs only the most basic protective function costs the user a fair amount; adding the transportation and logistics costs involved, the user's total cost is hard to reduce.
Software assistance on ordinary hardware. With the growth of mobile devices, end users have all kinds of handheld devices on hand, including mobile phones, PDAs and even MP3 players, and the great majority of handheld devices can load new software. Of course, being able to load new software also means being able to be infected by a virus. But in the current real environment, the spread of viruses on handheld devices is still very slight, and in particular it is hard for a virus to infect such a device's system without the user being aware of it at all.
Besides the security of key storage, hidden dangers also exist in the authentication process itself. In theory, the common username plus static password is also "symmetric key" authentication: the key is the user's password, and the greatest weakness of a static password is that the act of authenticating exposes the key; in other words, the authentication process compromises the confidentiality of the key. For example, if the password is transmitted in plaintext, a hacker who can monitor the user's network data obtains the user's password. Sending the static password through a secure encrypted channel such as SSL raises the security level considerably. But the user's computer should be understood as part of the communication channel: since the user's computer terminal is unsafe because of viruses, the channel is unsafe. An SSL encrypted connection cannot solve the virus problem. So even though online banking all uses SSL, extra security measures (such as a USB key) are still very necessary.
In addition, existing authentication systems usually ignore the security of key initialization; token systems on the market pay little attention to this aspect, namely how to securely initialize the shared key when the user activates the service so that the key is not stolen by a third party in the process. This is often neglected, and it is exactly one of the main manifestations of the hidden security danger.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art by providing a safe and practical network security authentication system that prevents key theft.
To achieve the above object, the technical scheme adopted is as follows:
A network security authentication system that prevents key theft comprises a server side and a client side; the server side authenticates the user key of the client side; the client side is provided with a token that holds the key; and the token is provided with a security mechanism that ensures the user key is not stolen during storage and during transmission in the authentication process.
In the above scheme, the security mechanism comes mainly in two kinds. One is the symmetric-key security mechanism, which specifically comprises a security mechanism for key initialization, a security mechanism for key storage in the token, and a security mechanism for the key in the authentication process.
The security mechanism for key initialization comprises sending the key to the client side over a secure transmission channel.
The security mechanism for key initialization also comprises providing the server side with a public/private key pair, generating the key at the client side, encrypting the key generated by the client side with the server's public key, and sending it to the server side.
The security mechanism for key initialization also comprises the server side generating a random number S and the client generating a random number C, sending S and C to the client and the server side respectively, the client computing a key k1 from the S it receives and the server side computing a key k2 from the C it receives, with the design of the algorithm making k1 always equal to k2.
(Note: because the phrase "by the design of the algorithm" is added here, it cannot appear in the claims; in fact it is enough to state that k1 = k2, since the particular algorithm design is only one example of achieving k1 = k2. So "by the design of the algorithm" may appear in the specification even though it cannot appear in the claims; preferably a description of the algorithm is also provided.)
The security mechanism for key storage in the token comprises using a dedicated secure hardware device as the token.
The security mechanism for key storage in the token also comprises using a general-purpose hardware device as the token and encrypting the key on the token with a secure cryptographic algorithm set up in software.
The security mechanism for the key in the authentication process is that, during authentication, the client side transmits the key to the server side as dynamic data; that is, in every authentication some variable influences the transmitted data by one or more of the following means:
(1) the token and the server side each have a counter, both counters start from a common state, and each authentication computation increments them by one;
(2) the token and the server side each have a clock that records the current time;
(3) in each authentication, the server side first provides randomly generated data as an input parameter of the authentication computation.
The other kind of security mechanism is the asymmetric-key security mechanism: specifically, a smart card token stores the key, and a piece of software is provided that generates a dynamic password depending on the specific object of this smart card token. The software generates the dynamic password in one or more of the following ways:
(1) the client side and the server side each generate their own public/private key pair with a key derivation algorithm, each side sends its own public key to the other, and then both sides separately perform the following "derived key" computation:
First a public/private key pair for the Diffie-Hellman key exchange algorithm is generated at the client side; the public key is uploaded to the server side, and the private key is stored in the smart card token and cannot be read out of the token. At authentication time the server side generates its own public/private key pair, and the client software performs the "derived key" computation:
The client computes:
DK1 = D(client private key, server public key);
where D is an algorithm that generates the derived key, and this computation is carried out inside the token;
On the other side, the server performs the corresponding computation:
DK2 = D(server private key, client public key);
so that DK1 = DK2;
(2) the client side uploads the public key held in its smart card token to the server side; when authentication begins, the client software sends a request to the server side, the server side encrypts a temporary key with the recorded public key of the client's smart card token and sends it to the client side, so that the client side and the server side share a key from which to generate the dynamic password.
The invention provides Internet users with an authentication method that is safer than the ordinary username and password, with the following beneficial features:
1. The end user can use tokens of various forms; a token can be implemented in software or with dedicated hardware;
2. Different tokens differ in cost and security algorithm, and the user can choose a suitable token according to cost, usage habits, the required level of security and other factors, while the invention offers a basically consistent user experience;
3. The interface provided by the invention can be called by Internet service providers to perform secure authentication, and in this process the service provider does not need to know the details of the token the user uses, such as whether it is software or hardware;
4. The specific cryptographic algorithms adopted by the invention and their implementations are all sufficient to resist attacks such as hackers intercepting network packets, and at the same time have good extensibility: as encryption and decryption research progresses, new results can continually be absorbed and incorporated into the existing system, keeping pace with the times.
By storing the user key in a token and applying effective security mechanisms in the key initialization process, the key storage process, and the data transmission involving the key in the authentication process, the invention effectively stops the long-standing and rampant problem of account password theft in Internet services, ensures the security of the network identity authentication system, and has great practical significance for the ever more widespread Internet.
Description of drawings
Fig. 1 is a schematic diagram of the system architecture of the invention.
Embodiment
The invention is further described below with reference to the accompanying drawing.
As shown in Figure 1, the overall system framework of the invention is divided into two large parts, the server side and the client side.
The most critical parts of the server side are:
The identity authentication information center, which records the user's key, the cryptographic algorithm and its parameters, and similar information;
One or more interface servers, which are responsible for performing the encryption and decryption computations on the input information and determining the user's identity;
The single sign-on server cluster, comprising a number of single sign-on servers, each of which provides a single sign-on service. The user logs in to the server side from the client side through the "single sign-on service" interface to obtain an electronic credential; the Internet service provider then accesses the server side through the calling interface provided by this authentication system to check the user's electronic credential, and if the credential checks out, the user can smoothly obtain the service provider's various service applications. The cluster also comprises a number of customer service servers, each serving one Internet service provider's application: the user logs in at the service provider, the service provider accesses the server side through the calling interface to check the user's electronic credential, and if the credential checks out the user can smoothly obtain the service;
The other parts of the server side play supporting and auxiliary roles, such as the authentication access log and control database, which provide the end user with functions such as querying service status, querying authentication history, and reporting a lost token.
The client side mainly comprises the token the user has on hand. Whether the token is hardware or software, it must perform the computation and verification the system requires in the authentication process: in a given network application it connects through an interface server to the server side's identity authentication information center and performs authentication. In other words, the token is designed according to the requirements of the authentication process.
The overall process of authentication is described first.
Authentication comes in two modes:
One, the user logs in to this system's "single sign-on service" directly with a browser and obtains an electronic credential, and the service provider checks the user's electronic credential through this system's interface.
The characteristic of this mode is that a user of multiple services logs in once here and can then use the related services without hindrance. The user experience is relatively good.
Two, the user logs in at the Internet service provider, and the service provider's back end invokes the interface of the authentication system; that is, the user logs in with a browser on the interface the service provider provides, and the service provider confirms the user's identity with this authentication system from the back end.
The characteristics of this mode are that it is relatively safer and more widely applicable. The service provider can use its own private client and even further control some parameters of the authentication process to improve resistance to viruses.
The authentication process may also combine the two modes above: for example, the user begins by logging in through the single sign-on service and reconfirms identity only for individual important operations. How this is implemented depends on the needs of the specific service.
The authentication detailed process is as follows:
1. Authentication based on a symmetric key
"Symmetric key" means that the token in the user's hand and the server side of this authentication system share a secret, and this secret is the "key"; because the client and the server hold the same value, it is called a "symmetric key". The whole authentication process is that the client computes a result and sends it to the server, and the server checks that the result is consistent with its own computation; if so, authentication is considered to have passed.
The core of this type of authentication is to protect the user's key from being obtained by a third party. For this, the following key measures are taken:
1.1 Local protection of the key
In this authentication system, the possibility of the token device being infected by a virus is low enough. If all the software parts of the token itself are fixed and the internal program cannot be modified without special hardware, the token cannot be infected. Even if the token loads programs relatively easily, it can still be considered immune if the system inside the token has adequate protective measures. Taking a mobile phone as an example, many phones restrict execution to one application at a time, and an application cannot steal the information of other programs, such as the user's input, so a virus cannot steal the key. Optional devices for this mechanism include: dedicated devices, mobile phones, PHS handsets, and PDAs.
The key is stored with sufficient encryption. The key can be protected by hardware-type encryption, such as isolating it on the hardware so the outside world cannot access it directly; then even a hacker who takes the token is powerless. It can also be encrypted in software: a hacker could obtain the encrypted data, but because cracking it needs enough strength and leaves the user enough time to report the loss, this is also acceptable in practice.
The encryption uses well-studied public algorithms that have been proven in practice, including 3DES, AES, etc. The encryption key can be generated from an identification code the user enters. That is, the stored key K is:
K = E(k, p), where E is a cryptographic algorithm, k is the original key data, and p is the user's identification code.
1.2 The key must not be exposed or compromised in the authentication process
The contradiction the authentication process has to resolve is this: it should let the server determine that the client really holds the user's key (and hence that the user's identity is correct), while the transmitted data must not expose or compromise the key. This requires that the data transmitted each time varies in some way. If the data transmitted in each authentication were static, then no matter what the data is (it need not be the key itself), a hacker only has to record it and replay it next time to achieve their purpose. So in each authentication process some variable influences the transmitted data, mainly the following:
1.2.1 A counter that increments with each computation.
The token and the server side each have a counter, both counters start from a common state, and each authentication computation increments them by one.
1.2.2 The current time.
The token and the server side each have a clock recording the current time, and the two sides' clocks need to achieve a certain accuracy.
1.2.3 Each authentication goes through a challenge-response.
In each authentication, the server side first provides randomly generated data as an input parameter of the authentication computation. The token and the server then perform the same computation, and the server checks whether the result it receives matches the expected one. The formula is:
A = H(key, v1, v2, ...), where H is a reliable one-way hash function, key is the user's key, and v1, v2, etc. are the interference parameters described above.
In network applications, particularly in the online game industry, the main password-protection products add a time parameter as the interference. This authentication system can support adding all of the above interference parameters. However, according to real surveys of user habits and usage environments, adding time works better than adding a count. For example, with only the count as interference, a hacker can still intercept the data and stop the server from receiving this authentication response, and then, before the user next successfully authenticates, use the withheld data to impersonate the user. The same attack also applies when only the time factor is used, but the period during which withheld data remains valid is limited by the maximum permitted time error. So the safer approach is the authentication mode in which the server generates random data as the interference. The only situation in which this mode can be attacked is that the hacker impersonates the user to start authentication and obtains a random challenge, then finds a way to impersonate the authentication system and trick the user into computing the result with the same interference data using the token in the user's hand, and finally sends the user's result to the authentication server. This attack can be further limited by adding the time interference factor as well.
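The dynamic-password scheme of section 1.2, as an added Python example that is not part of the patent: A = H(key, v1, v2, ...) is instantiated with HMAC-SHA256 (an assumption; the patent only requires a one-way hash), with the counter, the time and a server-issued random challenge as interference parameters. The two scenario functions reproduce the argument above: a counter-only response that never reached the server stays valid later, while a challenge-response value is single-use.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed sample secret, as it would be provisioned into the token and the server.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
STEP = 30  # granularity of the time parameter, in seconds (assumed)


def dynamic_password(key: bytes, *params: bytes, digits: int = 8) -> str:
    """A = H(key, v1, v2, ...): HMAC-SHA256 over the interference parameters,
    truncated to a fixed number of decimal digits so it can be typed like an OTP.
    Each parameter is length-prefixed so (b"1", b"23") and (b"12", b"3") differ."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class Token:
    """Client-side token: counter only, or counter plus time plus server challenge."""

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def respond(self, now: int, challenge: Optional[bytes] = None) -> str:
        self.counter += 1
        params: List[bytes] = [str(self.counter).encode()]
        if challenge is not None:
            params += [str(now // STEP).encode(), challenge]
        return dynamic_password(self.key, *params)


class Server:
    """Server side: same key and counter state; issues single-use random challenges."""

    def __init__(self, key: bytes):
        self.key, self.counter, self.outstanding = key, 0, None

    def challenge(self) -> bytes:
        self.outstanding = secrets.token_bytes(16)
        return self.outstanding

    def verify(self, response: str, now: int, use_challenge: bool,
               lookahead: int = 3, drift: int = 1) -> bool:
        chal = None
        if use_challenge:
            if self.outstanding is None:
                return False           # no live challenge: nothing can be accepted
            chal, self.outstanding = self.outstanding, None   # consume the challenge
        # Tolerate a few skipped counter values (token used without the server seeing it).
        for c in range(self.counter + 1, self.counter + 1 + lookahead):
            if chal is None:
                candidates = [dynamic_password(self.key, str(c).encode())]
            else:   # tolerate clock drift of +/- `drift` steps between token and server
                candidates = [dynamic_password(self.key, str(c).encode(),
                                               str(now // STEP + d).encode(), chal)
                              for d in range(-drift, drift + 1)]
            for expected in candidates:
                if hmac.compare_digest(expected, response):
                    self.counter = c   # resynchronise the counter
                    return True
        return False


def counter_only_scenario() -> Tuple[bool, bool]:
    """Counter as the only variable: a response the server never received is still
    accepted much later (the 'withheld data' attack described in the text)."""
    token, server = Token(SHARED_KEY), Server(SHARED_KEY)
    withheld = token.respond(now=1_000)                               # never reached the server
    later_ok = server.verify(withheld, now=5_000, use_challenge=False)   # True: still valid
    replay_ok = server.verify(withheld, now=5_000, use_challenge=False)  # False: counter moved on
    return later_ok, replay_ok


def challenge_scenario() -> Tuple[bool, bool, bool]:
    """Random challenge plus time: the response is bound to one challenge and one window."""
    token, server = Token(SHARED_KEY), Server(SHARED_KEY)
    chal = server.challenge()
    resp = token.respond(now=1_000, challenge=chal)
    ok = server.verify(resp, now=1_010, use_challenge=True)       # True: legitimate login
    replay = server.verify(resp, now=1_010, use_challenge=True)   # False: challenge consumed
    server.challenge()                                             # a fresh challenge is issued
    stale = server.verify(resp, now=1_010, use_challenge=True)    # False: bound to the old one
    return ok, replay, stale


if __name__ == "__main__":
    print("counter only  (accepted later, replayed):", counter_only_scenario())
    print("challenge     (ok, replay, stale):       ", challenge_scenario())
```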
1.3 Security of key initialization
This authentication system supports the following two classes of initialization method:
1.3.1 Unencrypted initialization relying on the security of the channel
The most common approach is that the server side generates a key for each token in advance and installs it into the corresponding token in some secure way. If the token is dedicated hardware, the key is usually burned in once when the device is produced and shipped. This intermediate process involves a considerable number of procedures and variable factors, especially many human factors. The key is generated inside the authentication service provider, while production takes place at a dedicated factory. At least two organizations with clear boundaries are involved, and the key must pass through several people's hands. The confidentiality of the key therefore relies heavily on strict control by both organizations, careful and safe working practices, and the professional integrity of the personnel involved. Hardware tokens additionally involve processes such as logistics, and if the hardware design does not protect the device adequately, the key may be stolen after it leaves the factory.
If the token is software, or dedicated hardware that supports key initialization, then one side, either the token or the server, can be chosen to generate the key and send it to the other over a secure channel. For example, the channel used for mobile phone Internet access is currently considered fairly safe and reliable, so a token on a mobile phone can obtain the key generated by the server by connecting to the network. A similar method using SMS can also be temporarily accepted as safe.
1.3.2 Initialization with an encrypted process
This authentication system supports initialization with an encrypted process. Specifically there are two approaches:
1.3.2.1 Encrypted key upload based on the server's asymmetric key
The main points of this method are that the key is generated in the token and sent reliably to the server.
The transfer method uses a reliable asymmetric encryption algorithm. The server has a public/private key pair. After the token generates the key, it encrypts it with the server's public key and then sends it to the server. A hacker does not know the server's private key and so cannot recover the transmitted key.
Another key point is generating the key reliably. Key generation is usually the process of producing a segment of random data, and the security of the random numbers directly affects the security of the key. Because of resource limits, the random number generators provided by the system on mobile devices are all "pseudorandom number" generators. A "pseudorandom number generator" is one whose output is in fact determined once its input (called the "seed") is determined. To simulate "randomness", the "seed" must itself be "random". Many programs take the system time directly as the "seed"; this gives the key a rather high "predictability" and directly endangers its secrecy.
Therefore, unless the random number generator the system provides is secure enough, the token must implement a sufficiently secure random number generator itself. The concrete approach is to collect some random events to use as the seed. For example, the token can prompt the user to enter a string of random characters up to a certain length, and the token can also collect the time points at which the user enters these characters. Such events have enough true randomness; with them as the seed, the generated random numbers can be considered secure enough, and the secrecy of the user's key is sufficiently protected.
1.3.2.2 Key exchange based on the Diffie-Hellman algorithm
The overall effect of this algorithm is as follows: the server side produces a number S and the client token produces a number C; the client computes a key k1 after obtaining S, and the server computes k2 after obtaining C; and the algorithm makes k1 = k2 exactly. A hacker who steals S and C cannot directly compute k1 or k2.
With a reliable key initialization procedure, users of this authentication system can change their keys promptly and continually, ensuring the safety of user information.
2. Authentication based on an asymmetric key
An asymmetric key is one made up of two parts, one called the "private key" and the other the "public key". The basic algorithmic process of authentication is: the client performs a digital signature computation on certain data with its own private key, and the server, having recorded the client's public key, can check whether the signature is correct; if it is, identity verification is considered passed. In this authentication mode, what is protected is the client's private key; the public key can be disclosed.
A characteristic of this authentication system is that it integrates the various tokens common on the market, such as the various USB keys. Many Internet users currently use online banking, and many of them use the USB key provided by the bank to protect their banking operations. The USB key provided by the bank already contains a public/private key pair, possibly more than one, and can also generate new key pairs. If users are willing, they can use their existing devices to protect other network services entirely. The precondition for this is that current USB key and smart card products all provide some standard interfaces, such as the PKCS#11 standard and, on the Windows platform, the Cryptographic Service Provider interface. With standard interfaces it is convenient for a general program to access the cryptographic computation functions of these hardware tokens.
There are two concrete ways to realize this:
2.1 Direct use of asymmetric encryption and signature algorithms
Besides authentication, this approach can also perform digital signatures and be extended to many services, the so-called PKI services. There are many technically mature and reliable products and services on the market; the approach adopted by the major online banks is of this kind.
This authentication system also supports the various PKI services.
2.2 Converting a smart card token into a dynamic password token
This authentication system includes a software program that works with the smart card token in the user's hand (a USB key is in fact also a kind of smart card) to generate a dynamic password. Because generating this dynamic password depends on the user's hardware token, a hacker without the hardware token cannot forge the user's dynamic password. In other words, an ordinary program plus a smart card token representing the user's identity generates a dynamic password representing the user. The dynamic password can conveniently be used to log in to various services, including common email and online games.
The software computes the dynamic password in one of two ways.
The first is as follows (the public/private key pair here refers to the public value and the secret value of the Diffie-Hellman key derivation algorithm):
Before the user enables the service of this system, a DH key pair is first generated in the smart card; the public key is uploaded to the server and recorded, and the private key is protected by the smart card and cannot be read outside the token. At authentication time the system side produces its own public/private key pair, and the client software performs the "derived key" computation: DK1 = D(client private key, server public key), where D is an algorithm that generates the derived key. This computation is carried out inside the token, so it can proceed even though the outside world does not know the private key produced earlier. The server's public key can be obtained in real time over network communication, or a fixed value can be used when the server does not often generate a new key pair.
On the other side, the server performs the corresponding computation: DK2 = D(server private key, client public key).
Because of the DH algorithm, the two sides' results DK1 and DK2 are exactly the same, and their value can be used as a symmetric key. A dynamic password can then be computed in the dynamic password generation manner described above.
The principle of the other way is more direct: when the user activates the service, the public key in the smart card is uploaded to the server. When authentication begins, the software of this authentication system installed on the user's client sends a request to the server, and the server encrypts a temporary key with the recorded public key of the user's token; this temporary key can only be decrypted back to plaintext with the private key in the token. Because the private key is protected by the smart card and cannot be stolen by a hacker, only the user holding the token can obtain this temporary key. At this point the client and the server share a key, and the dynamic password can subsequently be generated.
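The derived-key computation of 2.2 (and the S/C exchange of 1.3.2.2, where S and C are read as the two Diffie-Hellman public values), as an added Python example that is not the patent's own code. D is modelled as a DH exponentiation followed by SHA-256 (an assumption; the patent does not specify D), the private value never leaves the token object, and the derived key feeds the same HMAC-style dynamic password as section 1.2. The modulus is a 1024-bit MODP value typed from memory and should be checked against RFC 2409 before any real use; the DK1 = DK2 property holds regardless.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# 1024-bit MODP group with generator 2 (intended to be RFC 2409 group 2; verify
# the constant before real use). DK1 == DK2 below holds for any modulus.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def kdf(shared_secret: int) -> bytes:
    """Final step of D: hash the DH shared secret into a fixed-length key."""
    return hashlib.sha256(shared_secret.to_bytes(P_BYTES, "big")).digest()


def check_public_value(pub: int) -> None:
    """Reject degenerate public values (0, 1, p-1) that force a trivial secret."""
    if not 1 < pub < P - 1:
        raise ValueError("invalid Diffie-Hellman public value")


class SmartCardToken:
    """Holds the client's DH private value; only the public value and derived
    keys ever leave it (modelling 'cannot be read outside the token')."""

    def __init__(self) -> None:
        self._priv = secrets.randbelow(P - 2) + 1   # generated at enrolment, kept inside
        self.pub = pow(G, self._priv, P)            # uploaded to the server at enrolment

    def derive(self, server_pub: int) -> bytes:
        # DK1 = D(client private key, server public key), computed inside the token
        check_public_value(server_pub)
        return kdf(pow(server_pub, self._priv, P))


class Server:
    def __init__(self) -> None:
        self.enrolled: Dict[str, int] = {}     # user -> client public value on record

    def enrol(self, user: str, client_pub: int) -> None:
        check_public_value(client_pub)
        self.enrolled[user] = client_pub

    def session_keypair(self) -> Tuple[int, int]:
        """Fresh per-authentication pair (the text also allows a fixed one)."""
        priv = secrets.randbelow(P - 2) + 1
        return priv, pow(G, priv, P)

    def derive(self, server_priv: int, user: str) -> bytes:
        # DK2 = D(server private key, client public key)
        return kdf(pow(self.enrolled[user], server_priv, P))


def otp_from_derived_key(dk: bytes, counter: int, digits: int = 6) -> str:
    """Dynamic password from the derived (now symmetric) key, as in section 1.2."""
    mac = hmac.new(dk, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


def run_authentication(user: str = "alice", counter: int = 1) -> dict:
    token, server = SmartCardToken(), Server()
    server.enrol(user, token.pub)                 # enrolment: client public value uploaded
    s_priv, s_pub = server.session_keypair()      # server's pair for this authentication
    dk1 = token.derive(s_pub)                     # client side, inside the token
    dk2 = server.derive(s_priv, user)             # server side
    return {
        "equal": dk1 == dk2,
        "dk": dk1,
        "otp_client": otp_from_derived_key(dk1, counter),
        "otp_server": otp_from_derived_key(dk2, counter),
    }


if __name__ == "__main__":
    result = run_authentication()
    print("DK1 == DK2:", result["equal"])
    print("client OTP:", result["otp_client"], " server OTP:", result["otp_server"])
```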

Claims (10)

1. A network security authentication system for preventing key theft, comprising a server side and a user side, the server side authenticating the user key of the user side, characterized in that the user side is provided with a token that stores the key, and the token is provided with a security mechanism ensuring that the user key is not stolen during storage and during transmission in the authentication process.
2. The authentication system according to claim 1, characterized in that said security mechanism is a symmetric-key security mechanism, specifically comprising a security mechanism for initializing the key, a security mechanism for storing the key in the token, and a security mechanism for the key during the authentication process.
3. The authentication system according to claim 2, characterized in that said security mechanism for initializing the key consists in sending the key to the user side over a secure transmission channel.
4. The authentication system according to claim 2, characterized in that said security mechanism for initializing the key consists in providing a pair of public and private keys at the server side, generating the key at the user side, and then encrypting the key generated at the user side with the server's public key and sending it to the server side.
5. The authentication system according to claim 2, characterized in that said security mechanism for initializing the key consists in generating a random number S at the server side and a random number C at the client side, sending S and C to the client and the server side respectively, the client computing a key k1 from the received S and the server side computing a key k2 from the received C, such that k1 always equals k2.
6. The authentication system according to claim 2, characterized in that said security mechanism for storing the key in the token uses a dedicated secure hardware device as the token.
7. The authentication system according to claim 2, characterized in that said security mechanism for storing the key in the token uses a general-purpose hardware device as the token, and the key is encrypted on the token by a secure cryptographic algorithm implemented in software.
8. The authentication system according to claim 2, characterized in that said security mechanism for the key during the authentication process is that, during authentication, the user side transmits the key to the server side as dynamic data, i.e. in every authentication process some variables influence the transmitted data, by one or more of the following modes:
(1) the token and the server side are each provided with a counter; both counters start from a common state and are incremented by one for each authentication calculation;
(2) the token and the server side are each provided with a clock that records the current time;
(3) in each authentication process the server side first supplies randomly generated data as an input parameter of the authentication calculation.
9. The authentication system according to claim 1, characterized in that said security mechanism is an asymmetric-key security mechanism, specifically using a smart card token to store the key, and providing software that depends on a specific object of this smart card token to generate a dynamic password, the software generating the dynamic password by one or more of the following modes:
(1) the user side and the server side each generate their own public/private key pair according to a key derivation algorithm, each side sends its public key to the other, and then both sides separately perform the following "derived key" calculation:
The client computes:
DK1 = D(client private key, server public key);
where D is an algorithm that generates the derived key, and this calculation is performed inside the token;
The server side performs the corresponding calculation:
DK2 = D(server private key, client public key);
the key derivation ensures that DK1 always equals DK2, and that even knowing both public keys (client public key, server public key) exposed during communication, neither DK1 nor DK2 can be computed.
(2) the user side uploads the public key inside its smart card token to the server side; when authentication begins, the software on the user side sends a request to the server side, and the server side encrypts a temporary key with the recorded public key of the user side's smart card token and sends it to the user side, so that the user side and the server side share a key with which to generate the dynamic password.
10. The authentication system according to claim 1, characterized in that the authentication process of the authentication system comprises one or more of the following modes:
(1) the user logs in to the server side through a "single sign-on service" interface at the user side to obtain an electronic credential; the network service provider then accesses the server side through the calling interface provided by this authentication system to check the user's electronic credential, and if the electronic credential passes the check, the user can access the network service provider's multiple service applications;
(2) for each service application of the network service provider, the user logs in at the network service provider, which accesses the server side through the calling interface to check the user's electronic credential, and if the electronic credential passes the check, the user can access this service.
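The three variability modes of claim 8 (counter, clock, server-supplied random data) applied to a key that token and server share, as an added example that is not from the patent: the token computes the dynamic password, and the server verifies it while handling the failure modes a deployment meets (a token counter that has run ahead, bounded clock skew, a challenge that must not be reusable). The HMAC-SHA256 construction, the 6-digit truncation, the resynchronisation window, the skew tolerance and the SHARED_KEY sample value are this example's own assumptions; in a deployment the key is the derived key DK or the temporary key from the claim 9 modes.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed sample value; a real deployment uses the DK / temporary key agreed with the token.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
STEP = 30  # clock quantisation in seconds for mode (2)


def dynamic_password(key: bytes, *, counter=None, timestamp=None, challenge=None, digits=6) -> str:
    """Token side: truncated HMAC over the variable inputs of claim 8, any combination of
    (1) a counter, (2) the clock quantised to STEP seconds, (3) a server challenge.
    The key itself is only used inside the HMAC and never transmitted."""
    if counter is None and timestamp is None and challenge is None:
        raise ValueError("at least one variable input is required")
    msg = b""
    if counter is not None:
        msg += b"C" + struct.pack(">Q", counter)
    if timestamp is not None:
        msg += b"T" + struct.pack(">Q", timestamp // STEP)
    if challenge is not None:
        msg += b"R" + struct.pack(">H", len(challenge)) + challenge
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                                   # HOTP-style dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class ServerVerifier:
    """Server side: counter with a resynchronisation window, clock with bounded skew,
    and a single-use challenge. Comparisons are constant-time."""

    def __init__(self, key: bytes, counter: int = 0, window: int = 5, skew: int = 1) -> None:
        self.key = key
        self.counter = counter   # next counter value the server expects
        self.window = window     # how far ahead the token's counter may have drifted
        self.skew = skew         # clock steps tolerated either side of "now"
        self.pending = None      # outstanding challenge, if any

    def verify_counter(self, password: str) -> bool:
        for candidate in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(dynamic_password(self.key, counter=candidate), password):
                self.counter = candidate + 1   # advance past it so a replay is rejected
                return True
        return False

    def verify_clock(self, password: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        for delta in range(-self.skew, self.skew + 1):
            t = now + delta * STEP
            if t < 0:
                continue
            if hmac.compare_digest(dynamic_password(self.key, timestamp=t), password):
                return True
        return False

    def issue_challenge(self) -> bytes:
        """Mode (3): fresh random input supplied by the server before each authentication."""
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify_challenge(self, password: str) -> bool:
        if self.pending is None:
            return False
        challenge, self.pending = self.pending, None   # consume it: one challenge, one answer
        return hmac.compare_digest(dynamic_password(self.key, challenge=challenge), password)


if __name__ == "__main__":
    server = ServerVerifier(SHARED_KEY)
    print("counter mode:", server.verify_counter(dynamic_password(SHARED_KEY, counter=0)))
    print("clock mode:", server.verify_clock(dynamic_password(SHARED_KEY, timestamp=int(time.time()))))
    c = server.issue_challenge()
    print("challenge mode:", server.verify_challenge(dynamic_password(SHARED_KEY, challenge=c)))
```

The counter window and the clock skew are deliberately small: every extra candidate the server accepts is one more guess an attacker gets for free per attempt, so both should be paired with rate limiting on failed verifications.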
CNA2007100303061A 2007-09-18 2007-09-18 Network security authentication system for preventing key from stealing Pending CN101132281A (en)

Publications (1)

Publication Number Publication Date
CN101132281A true CN101132281A (en) 2008-02-27

Family

ID=39129414

Country Status (1)

Country Link
CN (1) CN101132281A (en)

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102783081A (en) * 2010-03-11 2012-11-14 西门子公司 Method for the secure unidirectional transmission of signals
US9628278B2 (en) 2010-03-11 2017-04-18 Siemens Aktiengesellschaft Method for the secure unindirectional transmission of signals
CN102783081B (en) * 2010-03-11 2015-10-07 西门子公司 For the method for one-way transmission signal safely
US9747653B2 (en) 2012-02-02 2017-08-29 Siemens Aktiengesellschaft Authentication system for mobile devices for exchanging medical data
CN104094308A (en) * 2012-02-02 2014-10-08 西门子公司 Authentication system for mobile devices for exchanging medical data
CN102710611A (en) * 2012-05-11 2012-10-03 福建联迪商用设备有限公司 Network security authentication method and system
CN102724205A (en) * 2012-06-27 2012-10-10 浙江中控软件技术有限公司 Method for encrypting communication process in industrial field and data collection device
CN102724205B (en) * 2012-06-27 2015-10-28 浙江中控软件技术有限公司 A kind of method to the encryption of industrial circle communication process and data acquisition equipment
CN103198263B (en) * 2012-10-26 2016-07-06 高榕科技(深圳)有限公司 By the method that the peripheral hardware key of personal computer sets up enciphering/deciphering memory space
CN103198263A (en) * 2012-10-26 2013-07-10 马国强 Method for establishing encrypted/decrypted storage space by virtue of personnel computer external secrete key
CN104468099A (en) * 2013-09-12 2015-03-25 全联斯泰克科技有限公司 Dynamic password generating method and device based on CPK (Combined Public Key) and dynamic password authentication method and device based on CPK (Combined Public Key)
CN103491084B (en) * 2013-09-17 2016-06-15 天脉聚源(北京)传媒科技有限公司 The authentication method of a kind of client and device
CN103491084A (en) * 2013-09-17 2014-01-01 天脉聚源(北京)传媒科技有限公司 Authentication processing method and device of client side
CN105141568A (en) * 2014-05-28 2015-12-09 腾讯科技(深圳)有限公司 Safe communication channel establishment method and system, client and server
CN105141568B (en) * 2014-05-28 2019-02-12 腾讯科技(深圳)有限公司 Secured communication channel method for building up and system, client and server
CN104090853A (en) * 2014-07-03 2014-10-08 武汉迅存科技有限公司 Solid-state disc encryption method and system
CN107210911A (en) * 2014-10-09 2017-09-26 凯里赛克公司 The improvement of terminal is installed in security system
CN105391549B (en) * 2015-12-10 2018-10-12 四川长虹电器股份有限公司 Communication dynamics key implementation method between client and server
CN105391549A (en) * 2015-12-10 2016-03-09 四川长虹电器股份有限公司 Method for realizing communication dynamic keys between client and server
CN106921647A (en) * 2015-12-28 2017-07-04 现代自动车株式会社 Automobile management system and method
CN110249330A (en) * 2017-02-07 2019-09-17 德国邮政股份公司 The method of the unauthorized copy of security token for identification
CN107261502A (en) * 2017-05-10 2017-10-20 珠海金山网络游戏科技有限公司 A kind of anti-external store system of game on line based on procotol and method
CN107862209A (en) * 2017-09-22 2018-03-30 捷开通讯(深圳)有限公司 A kind of file encryption-decryption method, mobile terminal and the device with store function
CN107862209B (en) * 2017-09-22 2021-08-31 捷开通讯(深圳)有限公司 File encryption and decryption method, mobile terminal and device with storage function
CN108600264A (en) * 2018-05-09 2018-09-28 聚龙股份有限公司 A kind of encrypting and decrypting method and credit Verification System applied to credit certification
CN108600264B (en) * 2018-05-09 2020-10-02 聚龙股份有限公司 Encryption and decryption method applied to credit authorization and credit authorization system
CN111327629A (en) * 2020-03-04 2020-06-23 广州柏视医疗科技有限公司 Identity verification method, client and server
CN111327629B (en) * 2020-03-04 2021-07-27 广州柏视医疗科技有限公司 Identity verification method, client and server
CN112187832A (en) * 2020-11-03 2021-01-05 北京指掌易科技有限公司 Data transmission method and electronic equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20080227