CN101155033B - Method for confirming client identity - Google Patents

Method for confirming client identity

Info

Publication number: CN101155033B
Authority: CN (China)
Prior art keywords: client, server, cipher, identity, text information
Legal status: Expired - Fee Related
Application number: CN200610152343A
Other languages: Chinese (zh)
Other versions: CN101155033A (en)
Inventor: 夏正勋
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Priority date: 2006-09-26
Filing date: 2006-09-26
Publication date: 2008-04-02 (CN101155033A); granted 2010-05-19 (CN101155033B)
Events: application filed by ZTE Corp; priority to CN200610152343A; publication of CN101155033A; application granted; publication of CN101155033B; expired (fee related), current status

Classification

  • Computer And Data Communications (AREA)

Abstract

The present invention discloses a method for confirming the identity of a client, comprising the steps of: the client transmits its identity mark to the server; the server looks up the client's identity information according to the mark and computes over that identity information according to an algorithm; the client computes over its own identity information according to the same algorithm; and the client and the server each compare the computed results obtained to confirm the client's identity. When the method of the invention is applied, a hostile attacker on the network cannot obtain the client's identity information, thereby increasing the security of the identity authentication process.

Description

A method of confirming client identity
Technical field
The present invention relates to the field of network security, and in particular to a method of confirming client identity that verifies the identity of a client by using ciphertext.
Background art
In a typical application system, the server normally checks the legitimacy of a client by means of the identity information submitted by the client, for example a bank card number and password; if the client is legitimate, the server provides service to it. This method of confirming client identity is fairly simple to use, but it has the following security risks: by intercepting the client's authentication message to the server, a malicious attacker can learn identity information such as the client's bank card number and password; and the client does not know whether the server it requests is a legitimate server, so an illegitimate server may obtain the client's identity authentication information by deception, for example a fake bank server obtaining the user's card number and password. This simple method of confirming client identity therefore needs further improvement.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method of confirming client identity that verifies the identity of a client by using ciphertext, so that a malicious attacker on the network cannot learn the client's actual identity information, thereby improving the security of the authentication process.
To solve the above technical problem, the invention provides a method of confirming client identity, comprising:
(1) the client sends its own identity mark to the server;
(2) the server receives the client's identity mark, looks up the identity information of the corresponding client according to this mark, and computes over this client's identity information according to a first algorithm group and a second algorithm group respectively, obtaining first cipher-text information and second cipher-text information at the server side;
(3) the client computes over its own identity information according to the first algorithm group and the second algorithm group respectively, obtaining first cipher-text information and second cipher-text information at the client side;
(4) the server sends the first cipher-text information generated at the server side to the client; the client compares the received server-side first cipher-text information with its own client-side first cipher-text information, and if the two are identical, the server is legitimate and the client authentication continues;
(5) the client sends the second cipher-text information generated at the client side to the server; the server compares the received client-side second cipher-text information with the server-side second cipher-text information, and if the two are identical, the server considers this client a legitimate client; if the two differ, it considers this client an illegitimate client.
Step (4) further comprises: if the two differ, the server is illegitimate and the client authentication is terminated.
The method further comprises: adding a random number to the input parameters when computing according to the algorithm group, and transmitting this random number together with the cipher-text information. The random number is generated by the server or by the client.
The client and the server have the same algorithm group.
The client identity information over which the computation is performed at the server side is consistent with the client identity information over which the computation is performed at the client side.
The server is divided into a service server and an authentication server, wherein the authentication server stores the client identity information, and the service server compares the second cipher-text information generated at the authentication server with the second cipher-text information generated at the client.
The method and system of confirming client identity of the present invention verify the identity of a client by using ciphertext. This ciphertext is usually produced with a hashing algorithm, for example the MD5 algorithm, which normally cannot be inverted and has very little chance of being cracked, so even if such identity information is intercepted by a malicious attacker on the network, the attacker cannot obtain the client's actual identity information, thereby improving the security of the authentication process.
Description of drawings
Fig. 1 is a schematic diagram of the system configuration for confirming client identity according to an embodiment of the invention;
Fig. 2 is a schematic diagram of the optimized system configuration for confirming client identity according to an embodiment of the invention;
Fig. 3 is a schematic flow diagram of the optimized method of confirming client identity according to an embodiment of the invention.
Embodiments
The present invention is described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, the schematic diagram of the system configuration for confirming client identity according to an embodiment of the invention: the client stores its own identity information, and the server stores the identity information of all clients. The client and the server have the same algorithm group F0, F1, ..., Fn, and the identity information held by the server and by the client is consistent; during authentication the client and the server judge whether the information is consistent by comparing the outputs of the same algorithm group.
The specific authentication process is as follows:
Step 110: the client sends its own identity mark (ID) to the server.
Step 120: the server receives the client's identity mark, looks up the corresponding client identity information (ID INFO) according to this mark, and computes over the client identity information according to algorithm group F0 and algorithm group F1 respectively, obtaining F0(ID INFO) and F1(ID INFO). In this embodiment the client identity information used is all or part of its content.
Step 130: the client computes over its own identity information according to F0 and F1 respectively, obtaining F0'(ID INFO) and F1'(ID INFO). The portion of the identity information that takes part in the computation (fixed by rule, or determined by negotiation) must be consistent with the server's.
Step 140: the server sends F0(ID INFO) to the client; the client compares the received F0(ID INFO) with F0'(ID INFO). If the two are identical, the server is legitimate and the client authentication continues; if the two differ, the server is illegitimate and the client authentication is terminated.
Step 150: the client sends F1'(ID INFO) to the server; the server compares the received F1'(ID INFO) with F1(ID INFO). If the two are identical, the server considers this client a legitimate client; if the two differ, it considers this client an illegitimate client.
In addition, to improve the applicability of the system, the invention also makes the following optimizations. First, a random number RAND is added to the input parameters of algorithm groups F0, F1, ..., Fn; this random number may be generated by the server or by the client and, to preserve the freshness of each ciphertext result, it may be transmitted together with the ciphertext result. Second, to improve server performance, the server may be divided into a service server and an authentication server. The authentication server stores the client identity information; when a client authenticates to the service server, the service server obtains from the authentication server the ciphertext results relevant to the client, namely the results computed by algorithm groups F0, F1, ..., Fn, and then compares them with the client's ciphertext results.
Accordingly, the optimized system configuration is shown in Fig. 2; the system consists of three parts: the client, the service server and the authentication server. The client and the authentication server have the same algorithm group F0, F1, ..., Fn, and the authentication server also stores the identity information of all clients. The client authentication process is shown in Fig. 3, the schematic flow diagram of the optimized method of confirming client identity according to an embodiment of the invention. The specific implementation steps are as follows:
Step 310: the client sends its own identity mark (User ID) to the service server to request authentication. In a mobile network, if the client is a mobile phone, the identity mark may be a TMSI (Temporary Mobile Subscriber Identity).
Step 320: after the service server receives the client's User ID, it requests the relevant cipher-text information from the authentication server. After the authentication server receives the service server's request, it finds the corresponding client identity information ID Info according to the User ID (for convenience of implementation, this embodiment simply fixes ID Info to be the User ID) and, together with a random number RAND that it generates itself, generates the cipher-text information F0(UserID), F1(UserID), ..., Fn(UserID) according to the algorithm group. It then sends RAND and the cipher-text information together to the service server.
Step 330: the service server sends RAND and F0(UserID) to the client.
Step 340: the client performs the F0 computation with its own identity information and RAND, and compares the result F0'(UserID) with F0(UserID). If they are identical, the service server is legitimate and authentication continues; otherwise the authentication flow fails.
Step 350: the client performs the F1 computation with its own identity information and RAND, and sends the result F1'(UserID) to the service server.
Step 360: the service server compares F1'(UserID) with F1(UserID). If they are identical, it confirms that the client really is the user identified by UserID; if they differ, the client is illegitimate.
Step 370: the service server returns the identity authentication result to the client.
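The basic flow (steps 110 to 150) and the optimized three-party flow (steps 310 to 370) as one added example; this is not the patent's own code. It assumes the algorithm group F_i is a hash over (index, RAND, ID Info) using SHA-256 in place of the MD5 the patent names, that ID Info equals User ID as in the embodiment, and that the service server keeps each F1(UserID) for a single response only so an intercepted F1' cannot be reused.

```python
import hashlib
import hmac
import os

# Assumption: algorithm group member F_i is a SHA-256 hash over a
# domain-separating index, RAND and ID Info. The patent names MD5; SHA-256 is
# substituted here (MD5 is no longer recommended), the structure is unchanged.
def F(i: int, rand: bytes, id_info: bytes) -> bytes:
    return hashlib.sha256(b"F%d|" % i + rand + b"|" + id_info).digest()

class AuthServer:
    """Stores ID Info for every client and runs the algorithm group (step 320)."""
    def __init__(self, db: dict):
        self.db = db  # constructed: User ID -> ID Info (embodiment: ID Info == User ID)

    def ciphertexts(self, user_id: bytes):
        id_info = self.db.get(user_id)
        if id_info is None:
            return None
        rand = os.urandom(16)  # RAND keeps each ciphertext result fresh
        return rand, F(0, rand, id_info), F(1, rand, id_info)

class ServiceServer:
    """Obtains ciphertexts from the auth server and checks F1' (steps 320-370)."""
    def __init__(self, auth: AuthServer):
        self.auth = auth
        self.pending = {}  # User ID -> expected F1(UserID) for the open challenge

    def challenge(self, user_id: bytes):
        res = self.auth.ciphertexts(user_id)
        if res is None:
            return None
        rand, f0, f1 = res
        self.pending[user_id] = f1
        return rand, f0  # step 330: RAND and F0(UserID) go to the client

    def verify(self, user_id: bytes, f1_prime: bytes) -> bool:
        f1 = self.pending.pop(user_id, None)  # one-shot: a replayed F1' fails
        return f1 is not None and hmac.compare_digest(f1, f1_prime)  # step 360

class Client:
    def __init__(self, user_id: bytes, id_info: bytes):
        self.user_id, self.id_info = user_id, id_info

    def check_server(self, rand: bytes, f0: bytes) -> bool:
        return hmac.compare_digest(F(0, rand, self.id_info), f0)  # step 340

    def respond(self, rand: bytes) -> bytes:
        return F(1, rand, self.id_info)  # step 350: F1'(UserID)

def authenticate(client: Client, svc: ServiceServer) -> str:
    """Runs steps 310-370 and returns the outcome reported to the client."""
    ch = svc.challenge(client.user_id)  # step 310: User ID to the service server
    if ch is None:
        return "unknown client"
    rand, f0 = ch
    if not client.check_server(rand, f0):
        return "server rejected"  # a server without the real ID Info fails F0
    ok = svc.verify(client.user_id, client.respond(rand))
    return "client ok" if ok else "client rejected"
```

Only hashes and RAND cross the wire; the identity information itself never does, which is the property the patent claims.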

Claims (7)

1. A method of confirming client identity, which verifies the identity of a client by using ciphertext, characterized in that the method comprises:
(1) the client sends its own identity mark to the server;
(2) the server receives the client's identity mark, looks up the identity information of the corresponding client according to this mark, and computes over this client's identity information according to a first algorithm group and a second algorithm group respectively, obtaining first cipher-text information and second cipher-text information at the server side;
(3) the client computes over its own identity information according to the first algorithm group and the second algorithm group respectively, obtaining first cipher-text information and second cipher-text information at the client side;
(4) the server sends the first cipher-text information generated at the server side to the client; the client compares the received server-side first cipher-text information with its own client-side first cipher-text information, and if the two are identical, the server is legitimate and the client authentication continues;
(5) the client sends the second cipher-text information generated at the client side to the server; the server compares the received client-side second cipher-text information with the server-side second cipher-text information, and if the two are identical, the server considers this client a legitimate client; if the two differ, it considers this client an illegitimate client.
2. The method of claim 1, characterized in that step (4) further comprises: if the two differ, the server is illegitimate and the client authentication is terminated.
3. The method of claim 1, characterized in that it further comprises: adding a random number to the input parameters when computing according to the algorithm group, and transmitting this random number together with the cipher-text information.
4. The method of claim 3, characterized in that the random number is generated by the server or by the client.
5. The method of claim 1, characterized in that the client and the server have the same algorithm group.
6. The method of claim 1, characterized in that the client identity information over which the computation is performed at the server side is consistent with the client identity information over which the computation is performed at the client side.
7. The method of claim 1, characterized in that the server is divided into a service server and an authentication server, wherein the authentication server stores the client identity information, and the service server compares the second cipher-text information generated at the authentication server with the second cipher-text information generated at the client.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200610152343A CN101155033B (en) 2006-09-26 2006-09-26 Method for confirming client identity

Publications (2)

Publication Number Publication Date
CN101155033A CN101155033A (en) 2008-04-02
CN101155033B true CN101155033B (en) 2010-05-19

Family

ID=39256494

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200610152343A Expired - Fee Related CN101155033B (en) 2006-09-26 2006-09-26 Method for confirming client identity

Country Status (1)

Country Link
CN (1) CN101155033B (en)

Also Published As

Publication number Publication date
CN101155033A (en) 2008-04-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100519

Termination date: 20150926

EXPY Termination of patent right or utility model