CN101291220A - System, device and method for identity security authentication - Google Patents

Info

Publication number: CN101291220A
Authority: CN (China)
Prior art keywords: user, service, authentication, authenticating, user identification
Legal status: Granted; now expired (fee related)
Application number: CNA2007101004921A
Other languages: Chinese (zh)
Other versions: CN101291220B
Inventors: 刘宏伟, 丁小燕, 庄小君
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Events

  • Application filed by Huawei Technologies Co Ltd
  • Priority to CN2007101004921A
  • Publication of CN101291220A
  • Application granted
  • Publication of CN101291220B
  • Current legal status: Expired - Fee Related
  • Anticipated expiration
Landscapes

  • Storage Device Security (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses a system, a device and a method for secure identity authentication. The system comprises an identity authentication center, a user identity authentication center and a service processing unit. The identity authentication center allocates an identifier to the user identity authentication center and an identifier to the service processing unit. The user identity authentication center registers the user, allocates a user virtual identifier that uniquely identifies the user, and sends that identifier together with its own identifier to the user. The service processing unit receives a service request, authenticates the user according to the user virtual identifier and the user identity authentication center identifier carried in the request, and processes the request. The system, device and method not only improve the security of user identity authentication but also effectively protect the privacy of the user's identity information.

Description

System, device and method for secure identity authentication
Technical field
The present invention relates to identity authentication in networks, and in particular to a system, a device and a method for secure identity authentication.
Background
As communication networks and the Internet have spread, more and more users obtain services over a network. Receiving a service over a network requires identity authentication, and most service networks today identify a user by user name and password, so the user has to enter a user name and password again and again. This mode has two drawbacks. First, as a user takes services from more and more different networks, a different password must be entered for each network's authentication, which burdens the user with tedious procedures and with passwords to remember. Second, entering the user name and password into the network repeatedly increases the probability that the password is cracked, that is, the probability that the user's private information leaks.
To overcome these defects, management of user identities in the network has been proposed. Identity management means managing identities, the authentication processing of the entities that provide services to users, and the security of the authentication-related information of those entities within a defined scope. An entity that provides services to a user can be anything in the network that is uniquely identifiable: a person, an animal, a device, an object, a group, an organization, an information object and so on. A service-providing entity may hold several identities in different application domains. The scope of an authentication process may be a single organization set up in the network or may span several such organizations.
Because identity-related information changes over time during network authentication, it has to be managed. Some information about service-providing entities is informal and changes often; some is formal and specific, such as a user's organizational role or financial account, which are normally stable. Identity attributes are usually stored securely in the network in tokens, directories, access devices or database management systems.
The task of identity management is to consolidate, manage and exchange, within the security and information domains, the information about the entities that provide services to users. Setting up an identity management architecture in the network lets service providers (SP, Service Provider) deliver reliable, trustworthy and secure services by means of authorization, authentication, access control and policy management.
The user identity authentication management framework currently set up in networks is shown in Fig. 1 and comprises an OpenID Server, a URL (Uniform Resource Locator) website, a User Agent and a Consumer authentication management module. The User Agent sits on the user side of the network; the OpenID Server, the URL website and the Consumer authentication management module sit on the network side. The OpenID Server stores the URL corresponding to the user, possibly in encrypted form. The whole authentication process amounts to confirming that a user owns a URL. The specific flow is:
Step 1: the User Agent identifies itself to the URL website with its Identity URL, that is, the User Agent adds the address of the OpenID Server to the web page set up on the URL website.
Step 2: the User Agent submits its claimed identity (Claimed Identity) to the Consumer authentication management module, carrying the Identity URL and the claimed Identity server. The identity is called "claimed" before authentication because the User Agent may be asserting a false identity.
Step 3: to verify the identity the User Agent submitted, the Consumer authentication management module fetches the User Agent's Identity URL from the claimed Identity server carried in the claim, that is, from the URL website.
Step 4: after comparing the fetched Identity URL with the Identity URL carried in the claim and finding them identical, the Consumer authentication management module establishes contact with the OpenID Server and obtains a shared key (establishing this contact is optional), and exchanges the user's Identity URL and the user's URL. Because the user's URL may be stored encrypted in the OpenID Server, the key may be needed to decrypt it.
Step 5: the Consumer authentication management module confirms the identity to the User Agent, carrying the OpenID Server to which the User Agent is to be redirected and the user's URL.
Step 6: the User Agent logs in to the OpenID Server through a cookie or another authentication mechanism, entering the user's URL at login.
Step 7: after authenticating the User Agent, the OpenID Server sends a response to the User Agent carrying the information needed to redirect back to the Consumer authentication management module.
When authenticating the User Agent, the OpenID Server compares the user's URL it stores (decrypting it first if it is stored encrypted) with the URL the User Agent entered at login; if they are identical, authentication passes.
Step 8: the User Agent forwards the response to the Consumer authentication management module.
This completes the authentication of the User Agent, which can then request the related services in the network, and the network side can process the services the user requests. In the framework of Fig. 1 the OpenID Server and the URL website may be on the same server or completely separate.
The framework of Fig. 1 authenticates the user's identity with a URL, so it applies only to the Internet and not to mobile networks. It also offers a single means of user authentication: a URL and nothing else.
The framework of Fig. 1 cannot satisfy the demand for privacy of the user's identity while authenticating it. The network side protects stored user identity information by encrypting it, but this brings low efficiency and complex key management, and the protection it gives is not strong. In addition, authentication still uses the user's real URL, which lowers the security of user authentication.
Summary of the invention
Embodiments of the invention provide a system for secure identity authentication that not only improves the security of user authentication but also effectively protects the privacy of user identity information.
Embodiments of the invention also provide a device for secure identity authentication that not only improves the security of user authentication but also effectively protects the privacy of user identity information.
Embodiments of the invention further provide a method for secure identity authentication that not only improves the security of authentication but also effectively protects the privacy of user identity information.
To these ends, the technical solution of the embodiments is as follows.
A system for secure identity authentication comprises an identity authentication center, a user identity authentication center and a service processing unit, wherein:
the identity authentication center allocates a user identity authentication center identifier to the user identity authentication center and allocates an identifier to the service processing unit;
the user identity authentication center registers the user, allocates a user virtual identifier that uniquely identifies the user, and sends this user virtual identifier and the user identity authentication center identifier to the user;
the service processing unit receives a service processing request, authenticates the user according to the user virtual identifier and the user identity authentication center identifier carried in the request, and processes the request.
A method for secure identity authentication comprises:
registering the user at the user identity authentication center and allocating to the user a user virtual identifier that uniquely identifies the user;
receiving a service request sent by the user and processing it according to the user identity authentication center identifier and the user virtual identifier carried in the request.
A device for controlling user identity authentication comprises a user identity authentication center unit, a service processing control unit and an identity authentication management unit, wherein:
the user identity authentication center unit allocates an identifier to the user identity authentication center, manages and authenticates the user identity authentication center, and sets the interaction policy of the user identity authentication center;
the service processing control unit allocates an identifier to the entity that provides service processing, manages and authenticates that entity, and sets its interaction policy;
the identity authentication management unit controls the interaction between the user identity authentication center unit and the service processing control unit.
As this scheme shows, the embodiments set up in the network user identity authentication centers that authenticate a user's identity separately for different service types, and an identity authentication center that controls and manages those centers and the service processing units handling the different service types, so that a service request of a given type is authenticated with the corresponding user identity information. Because user identity information is stored separately by service type, its privacy is effectively protected. In addition, after the user registers, the user identity authentication center allocates a user virtual identity (UVID, User Virtual Identity) that uniquely identifies the user; the user sends service requests directly to the service processing unit carrying this UVID, and the service processing unit authenticates by the UVID before processing the request. Because requests for different service types carry the UVID, the security of user authentication improves, and the user is spared tedious procedures and the burden of remembering credentials.
Description of drawings
Fig. 1 is a schematic diagram of the user identity authentication management framework set up in a network in the prior art;
Fig. 2 is a schematic diagram of the user identity authentication management framework set up in a network according to an embodiment of the invention;
Fig. 3 is a flowchart of the method of user identity authentication in a network according to an embodiment of the invention;
Fig. 4 is a flowchart of the method by which an SP processes a service request according to an embodiment of the invention;
Fig. 5 is a schematic diagram of the device for controlling user identity authentication according to an embodiment of the invention.
Embodiments
To make the purpose, technical solution and advantages of the invention clearer, embodiments are described in further detail below with reference to the drawings.
Embodiments of the invention set up a user identity authentication management framework in the network. The framework manages a user's different items of identity information separately by service type, which effectively protects the privacy of user identity information, and it authenticates with the allocated user virtual identity UVID before service processing, which improves the efficiency and security of user identity authentication.
Fig. 2 shows the user identity authentication management framework set up in a network according to an embodiment. It comprises a user identity authentication center (UIAC, User Identity Authentication Center), an identity authentication center (IDAC, Identity Authentication Center) and a service processing unit, wherein:
the UIAC registers the user, allocates a UVID that uniquely identifies the user, and sends the UVID and the UIAC identifier to the user;
the service processing unit receives a service processing request, authenticates the user according to the UVID and UIAC identifier carried in the request, and processes the request;
the IDAC manages the UIACs and allocates UIAC identifiers, and manages the service processing units and allocates service processing unit identifiers.
In embodiments the framework also includes the user, who registers with the UIAC, receives the UVID and UIAC identifier the UIAC sends, and sends service requests carrying the UVID and UIAC identifier to the service processing unit.
In this embodiment there may be several UIACs, each storing the user's identity information for a different service type and authenticating the user against the identity information of that service type.
The UIACs interact with one another directly. Once the UIAC at which the user first registers has allocated a UVID, a UIAC at which the user later registers identity information for another service type does not allocate another UVID; through the interaction it learns that a UVID has already been allocated and associates that UVID with the identity information it stores for its own service type.
In this embodiment the service processing unit is an SP; it may of course also include networks and/or devices in the network.
In this embodiment the identity information and permission level of a service processing unit may be stored in the IDAC, either to authenticate the service processing unit directly or to be provided to the corresponding UIAC.
The IDAC specifically comprises: a user identity authentication center unit (UIACU, User Identity Authentication Center Unit), which controls and manages at least one UIAC; a network identity management unit (NIDU, Network Identity Unit), which controls and manages network identity information; a device identity management unit (DIDU, Device Identity Unit), which manages and controls the identity information of devices in the network; a service provider identity management unit (SPIDU, Service Provider Identity Unit), which manages and controls service provider identity information; and an identity authentication management unit (IDAMU, Identity Authentication Management Unit), which controls and realizes the information interaction between each of the UIACU, NIDU, DIDU and SPIDU and the IDAMU.
In this embodiment there may be several UIACUs, each controlling and managing a different UIAC. Likewise there may be several NIDUs; several DIDUs, each managing and controlling a device that stores different device identity information; and several SPIDUs, each managing and controlling an SP that stores different SP identity information.
In this embodiment the IDAC may also include only the SPIDU.
In this embodiment the NIDU, DIDU and SPIDU may collectively be called the service processing control unit; when the IDAC includes only the SPIDU, the service processing control unit may include only the SPIDU.
Each functional module of Fig. 2 is described in detail below.
The IDAC is the highest authentication management unit in the network. It directly manages and controls every service processing unit and every UIAC, and the user can interact with the IDAC through a UIAC.
The IDAC provides the following functions. It can authenticate SP identities, network identities, device identities and UIAC identities. It can store and manage SP, network, device and UIAC identity information, either centrally or distributed over the corresponding units, in the form of identity information lists or directly in the corresponding units. It can realize the exchange of the different kinds of identity information, for example sending the SP list to the UIAC for management, and realize the information interaction between the service processing units and the UIACs.
UIACs are generally divided by service type, so that a user's identity information is stored in different UIACs according to service type, and the UVID that uniquely identifies the user may also be stored in the different UIACs. That is, each UIAC stores only part of the user's identity information, which protects the privacy of user identity information well. Each UIAC has an identifier; the UIACU in the IDAC authenticates the UIAC and allocates the identifier. A UIAC stores a list of the service processing units that can provide its service type, for example an SP list, which it obtains from the IDAC or directly from the SPs by interacting with them. At registration the UIAC authenticates the user with a configured authentication method such as AKA or PKI, or with a method chosen according to the security level required by the user's service type. Once authentication passes, the UIAC allocates the user a unique UVID with a validity period and associates it with the stored SP list. The validity period is generally set according to the security level of the service type: the higher the security level, the shorter the validity period of the UVID. A UIAC that serves the user for another service type can obtain the UVID from the UIAC that has already authenticated the user, so when the user later registers at another UIAC, that UIAC stores the user's identity information for its own service type after successful registration and does not allocate a UVID again. When the UVID expires or the user's identity information changes, the user can apply to the current UIAC to renew the UVID or update the identity information. After registration, when the user needs to apply for a service, the user sends a service request carrying the UVID and UIAC identifier to the service processing unit handling that service type, which processes the request.
In this embodiment the UIAC may comprise a module for obtaining user identity information and a module for sending user identity information; the former obtains user identity information and the latter sends it to the corresponding service processing unit.
An SP is identified by an SP identifier (SPID) allocated by the SPIDU in the IDAC. The SP may store SP identity information and an SP list, associated with the SP identity and, according to the service types the SP can provide, with UVIDs and UIAC identifiers; the SP list is sent to the corresponding UIAC. An SP that receives a service request authenticates the UVID and UIAC identifier carried in the request and queries for the user identity information needed for the requested service. If the SP has a local database and the permission level to download user identity information (permission levels are allocated by the SPIDU in the IDAC according to the rank of the SP), it may obtain user identity information directly from the UIAC, store it encrypted, and update its local copy at regular intervals. The UIAC may also associate directly with the corresponding SP to ensure that the user identity information held by the SP is the user's latest.
The UIACU handles the business related to UIACs, such as authenticating UIACs and allocating UIAC identifiers and sending the service processing unit list to UIACs; it is located in the IDAC and is the logical module through which the IDAC manages and controls UIACs.
The NIDU handles the business related to networks, such as authenticating network identities and storing and managing network identity information; it is the logical module through which the IDAC manages and controls networks.
The DIDU handles the business related to devices in the network, such as authenticating device identities and storing and managing device identity information; it is the logical module through which the IDAC manages and controls devices in the network.
The SPIDU handles the business related to service provider units, such as authenticating SP identities and storing and managing SP identity information; it is the logical module through which the IDAC manages and controls service provider units.
The IDAMU controls the information interaction among the UIACU, NIDU, DIDU and SPIDU; it is the logical module through which the IDAC manages them uniformly.
Embodiments also provide a method of user identity authentication in a network, shown in Fig. 3, whose specific steps are:
Step 300: the UIAC receives the user's registration and authenticates the user.
The authentication method may be existing AKA or PKI; alternatively the UIAC obtains the service type for which the user is registering and authenticates with the method configured for the security level of that service type.
In this step, when the user initiates registration for a service, the user authenticates to the UIAC that handles that service type, so this UIAC stores only the user identity information belonging to that service type rather than the user's complete identity information, which helps protect the privacy of user identity information.
Step 301: after the user passes authentication, the UIAC determines whether this user has already been allocated a UVID; if so, step 302 is executed; if not, step 303 is executed.
In this embodiment there are several ways to determine whether the user has already been allocated a UVID.
First way: the UIAC visits the UIACs that have allocated UVIDs to users and determines whether this user's identity information is associated with a UVID; if it is, the user has already been allocated a UVID.
Second way: when a user is allocated a UVID, the IDAC identifies the UIACs that manage this user's other partial identity information, and the UIAC that allocated the UVID sends it directly to those UIACs, which associate the received UVID with the partial identity information of the user that they store; a UIAC can thereby determine whether the user has already been allocated a UVID.
Step 302: the UIAC returns a registration-success message to the user carrying the UVID already allocated to the user and the UIAC identifier, and proceeds to step 304.
Step 303: the UIAC allocates a UVID to the user, returns a registration-success message to the user carrying the UVID and the UIAC identifier, and proceeds to step 304.
After allocating the UVID to the user, the UIAC may send the UVID directly to the UIACs that manage the user's other partial identity information.
Step 304: after receiving the registration-success message, the user sends a service request carrying the UIAC identifier and the UVID to the service processing unit, which processes the request on receipt.
In this embodiment the UVID allocated to the user may also have a validity period. In step 301 the UIAC may further check whether the validity period of the UVID allocated to the user has expired; if it has, step 303 is executed directly, otherwise step 302.
The processing performed by a service processing unit on receiving a service request is described in detail below, taking an SP as the service processing unit.
Fig. 4 is the flowchart of the method by which an SP processes a service request according to an embodiment; its specific steps are:
Step 401: the SP receives a service request sent by the user, containing the user's UVID and UIAC identifier.
Step 402: the SP authenticates the service request; once authentication passes, step 403 is executed.
Authentication can be done in two ways:
First way: the SP has a local database and the permission level to download user identity information. It then stores the identity information (obtained from the UIAC) of the users it serves, corresponding to their UVIDs and UIAC identifiers, and authenticates directly; the authentication method may be an existing one.
Second way: the SP does not store the user identity information corresponding to the UVID and UIAC identifier. It then sends a user identity information query carrying its SP identifier and the UVID to the UIAC identified by the UIAC identifier in the service request. The UIAC checks whether an SP with that identifier is in its stored service processing unit list and whether that SP is authorized to obtain the user's identity information. If so, it sends the user's identity information to the SP (cryptographic means may be used to protect the transfer), and the SP authenticates with the information obtained; otherwise it returns an authentication-failure message to the SP and this authentication fails.
The two ways apply in different situations. After receiving the user's service request, the SP checks whether it stores the user identity information corresponding to this UVID and UIAC; if so, it uses the first way. If not, there are three possibilities: the SP is processing a service request from this user for the first time; the SP has no local database but does have permission to download user identity information; or the SP lacks the permission level to download user identity information. In each of these cases the second way is used.
Step 403: the SP sends a user-authentication-success message to the user and executes the service request.
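The registration flow of Fig. 3 (steps 300 to 304) and the SP processing flow of Fig. 4 (steps 401 to 403) fit together as one protocol, modelled below as an added example; it is not code from the patent or from Huawei. It assumes Python, a "secret-of-<user>" credential check as a stand-in for the AKA or PKI authentication step, the hypothetical security levels and UVID lifetimes in VALIDITY_BY_LEVEL, the hypothetical threshold CAN_DOWNLOAD for the permission level that lets an SP keep a local copy of identity data, class names IDAC, UIAC and SP chosen here, and SP lists assigned to each UIAC by hand where the description says the IDAC supplies them. The constructed scenario (user "alice", a high-security and a low-security UIAC, one SP with download permission and one without) shows a second UIAC reusing the UVID issued by the first, an SP that is not on a UIAC's list being refused, a forged UVID failing, and the UVID expiring and being reissued.

```python
"""Toy model of the UIAC / IDAC / SP flow of Figs. 3 and 4 (added example, not Huawei's code)."""
import secrets

# Assumed validity periods (seconds) per security level of the service type: the higher
# the level, the shorter the UVID lifetime, as the description requires.
VALIDITY_BY_LEVEL = {1: 30 * 86400, 2: 86400, 3: 600}
CAN_DOWNLOAD = 2  # assumed minimum permission level for an SP to keep a local copy


class IDAC:
    """UIACU/SPIDU roles: allocates UIAC and SP identifiers and records SP permission levels."""
    def __init__(self):
        self.uiacs, self.sp_levels = {}, {}

    def add_uiac(self, uiac):
        uiac_id = f"UIAC{len(self.uiacs) + 1}"
        self.uiacs[uiac_id] = uiac
        return uiac_id

    def add_sp(self, level):
        spid = f"SP{len(self.sp_levels) + 1}"
        self.sp_levels[spid] = level
        return spid


class UIAC:
    """Holds one service type's share of a user's identity data; issues or reuses UVIDs."""
    def __init__(self, idac, security_level, clock):
        self.idac, self.level, self.clock = idac, security_level, clock
        self.uiac_id = idac.add_uiac(self)
        self.users = {}       # username -> (uvid, expiry, partial identity data)
        self.by_uvid = {}     # uvid -> username
        self.sp_list = set()  # SPIDs allowed to serve this service type (from the IDAC)

    def register(self, username, credential, identity_data):
        """Steps 300-303: reuse a UVID another UIAC issued unless it expired; else allocate one."""
        if credential != f"secret-of-{username}":  # stand-in for the AKA/PKI step
            raise PermissionError("user authentication failed")
        # First mode of step 301: ask the other UIACs whether they already hold a UVID.
        held = [p.users[username][:2] for p in self.idac.uiacs.values() if username in p.users]
        uvid, expiry = held[0] if held else (None, None)
        if uvid is None or expiry <= self.clock():
            uvid = secrets.token_hex(16)
            expiry = self.clock() + VALIDITY_BY_LEVEL[self.level]
        self.users[username] = (uvid, expiry, identity_data)
        self.by_uvid[uvid] = username
        return uvid, self.uiac_id

    def query_identity(self, spid, uvid):
        """UIAC side of step 402: release data only to a listed SP while the UVID is valid."""
        if spid not in self.sp_list or uvid not in self.by_uvid:
            return None
        _, expiry, data = self.users[self.by_uvid[uvid]]
        return None if expiry <= self.clock() else data


class SP:
    """Service processing unit: authenticates a request by its UVID and UIAC identifier."""
    def __init__(self, idac, level):
        self.idac, self.level, self.spid = idac, level, idac.add_sp(level)
        self.cache = {}  # (uiac_id, uvid) -> identity data, only if allowed to download

    def handle(self, uvid, uiac_id):
        """Steps 401-403: identity data used to serve the request, or None on failure."""
        data = self.cache.get((uiac_id, uvid))  # first mode: local database
        if data is None:
            uiac = self.idac.uiacs.get(uiac_id)
            data = uiac.query_identity(self.spid, uvid) if uiac else None  # second mode
            if data is not None and self.level >= CAN_DOWNLOAD:
                self.cache[(uiac_id, uvid)] = data  # the page says such copies need regular refresh
        return data


def run_scenario():
    """Constructed scenario (two UIACs, two SPs, one user); returns the observable outcomes."""
    state = {"now": 1_700_000_000.0}
    idac = IDAC()
    bank = UIAC(idac, 3, lambda: state["now"])  # assumed high-security service type
    mail = UIAC(idac, 1, lambda: state["now"])  # assumed low-security service type
    sp_full, sp_lite = SP(idac, 2), SP(idac, 1)
    bank.sp_list, mail.sp_list = {sp_full.spid, sp_lite.spid}, {sp_full.spid}
    uvid, bank_id = bank.register("alice", "secret-of-alice", {"account": "0001"})
    uvid2, mail_id = mail.register("alice", "secret-of-alice", {"mailbox": "alice"})
    out = {
        "same_uvid": uvid == uvid2,
        "bank_via_lite": sp_lite.handle(uvid, bank_id),
        "mail_via_lite": sp_lite.handle(uvid, mail_id),  # sp_lite is not on mail's list
        "mail_via_full": sp_full.handle(uvid, mail_id),
        "forged": sp_full.handle("00" * 16, bank_id),
        "full_cached": (mail_id, uvid) in sp_full.cache,
        "lite_cached": bool(sp_lite.cache),
    }
    state["now"] += VALIDITY_BY_LEVEL[3] + 1  # the lifetime was fixed by the level-3 UIAC
    out["expired"] = sp_lite.handle(uvid, bank_id)
    out["reissued"] = bank.register("alice", "secret-of-alice", {"account": "0001"})[0] != uvid
    return out
```

Calling run_scenario() exercises every branch the description names: the UVID is reused across UIACs, an unlisted SP and a forged UVID both fail, only the SP with download permission caches, and after the validity period a query fails and re-registration issues a new UVID. Note that sp_full's cached copy would still answer for the old UVID after it expires, which is the reason the description requires SPs holding local copies to refresh them periodically.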
In embodiments of the present invention, the user can also upgrade the subscriber identity information that is stored among the UIAC, i.e. transmission is carried the user and is upgraded the renewal identity information request of back identity information to UIAC, the subscriber identity information of UIAC updated stored, and the identity information that upgrades is sent to IDAC corresponding to user UVID, so that corresponding UIACU management among the IDAC, or directly offer Service Processing Unit and when managing business request, authenticate.
The embodiment of the invention also provides a device for controlling user identity authentication. As shown in Figure 5, this device comprises a UIACU, a service processing control unit and an IDAMU, wherein:
the UIACU is used to allocate identifiers to UIACs, to manage and authenticate UIACs, and to set the interaction strategy of the UIACs;
the service processing control unit is used to allocate identifiers to the entities that provide service processing, to manage and authenticate those entities, and to set their interaction strategy;
the IDAMU is used to control the interaction between the user identity authentication center unit and the service processing control unit.
In the present embodiment, the entity providing service processing may be an SP, or may be a network or a device that provides business services; preferably it is an SP.
In the present embodiment, the service processing control unit may include only an SPIDU, or may include an SPIDU together with an NIDU and/or a DIDU, wherein:
the NIDU controls and manages network identity information, allocates identifiers to networks, and sets the information interaction strategy for networks;
the DIDU (Device Identity Unit) manages and controls the identity information of devices in the network, allocates identifiers to devices, and sets the information interaction strategy for devices;
the SPIDU (Service Provider Identity Unit) manages and controls SP identity information, allocates identifiers to SPs, and sets the information interaction strategy for SPs;
the IDAMU (Identity Authentication Center Unit) controls and realizes the information interaction between each of the UIACU, NIDU, DIDU and SPIDU and the IDAMU itself.
In the present embodiment, the NIDU, DIDU and SPIDU may collectively be called the service processing control unit, each handling a different kind of service processing unit. Of course, when the service processing unit comprises only an SP, the service processing control unit likewise comprises the SPIDU.
In the present embodiment, the network that provides business services may be, for example, an Internet network or a next-generation network, or a local area network (LAN), etc.
From the above scheme it can be seen that the system, method and device provided by the embodiment of the invention bring the following technical effects:
the UIAC and the method of authenticating users can be negotiated, so the system shown in Figure 2 is applicable to various network environments, i.e. user identity information can be securely managed and protected under various network environments;
the UIAC allocates to the user a UVID that uniquely identifies the user, so the user no longer needs to remember passwords for accessing multiple different service processing units, sparing the user unnecessarily cumbersome procedures and memorization;
the user's identity information is stored in different UIACs according to service type, i.e. the user's identity information is stored in a distributed manner, which more effectively guarantees the privacy of user identity information;
the user can conveniently manage his or her own identity information, for example by updating the information or setting access rights for it.
The above is a description of specific embodiments of the invention; in a concrete implementation, appropriate improvements may be made to the method of the invention to suit the specific needs of the specific situation. It should therefore be understood that the specific embodiments described are only exemplary and are not intended to limit the scope of protection of the invention.

Claims (16)

1. A system for identity security authentication, characterized in that it comprises an identity authentication center, a user identity authentication center and a service processing unit, wherein:
the identity authentication center is used to allocate a user identity authentication center identifier to the user identity authentication center and to allocate an identifier to the service processing unit;
the user identity authentication center is used to register the user, to allocate a user virtual identity that uniquely identifies the user, and to send this user virtual identity and the user identity authentication center identifier to the user;
the service processing unit is used to receive a service processing request, to authenticate the user according to the user virtual identity and the user identity authentication center identifier carried by the request, and to process the service request.
2. The system as claimed in claim 1, characterized in that it comprises at least one user identity authentication center, and the user identity authentication center is used to register the user's different kinds of services separately.
3. The system as claimed in claim 1, characterized in that the user identity authentication center comprises a user identity information obtaining module and a user identity information sending module, wherein:
the user identity information obtaining module is used to obtain user identity information;
the user identity information sending module is used to send the user identity information to the corresponding service processing unit.
4. The system as claimed in claim 1, characterized in that the identity authentication center comprises a user identity authentication center unit, a service processing control unit and an authentication management unit, wherein:
the user identity authentication center unit is used to allocate an identifier to the user identity authentication center, to manage and authenticate the user identity authentication center, and to set the interaction strategy of the user identity authentication center;
the service processing control unit is used to allocate an identifier to the service processing unit, to manage and authenticate the service processing unit, and to set the interaction strategy of the service processing unit;
the authentication management unit is used to control the interaction between the user identity authentication center unit and the service processing control unit.
5. The system as claimed in claim 1 or 4, characterized in that the service processing unit comprises a service provider.
6. The system as claimed in claim 5, characterized in that the service processing control unit comprises a service provider management unit, which is used to authenticate and manage the service provider, to allocate a service provider identifier to the service provider, and to set the interaction strategy of the service provider.
7. The system as claimed in claim 1 or 4, characterized in that the service processing unit comprises a network and/or a device.
8. The system as claimed in claim 7, characterized in that the service processing control unit further comprises a network identity management unit and/or a device identity management unit, wherein:
the network identity management unit is used to authenticate and manage network identities, to allocate a network identity identifier to the network, and to set the interaction strategy of the network identity;
the device identity management unit is used to authenticate and manage device identities, to allocate a device identity identifier to the device, and to set the interaction strategy of the device.
9. A method of identity security authentication, characterized in that the method comprises:
registering the user at a user identity authentication center and allocating to the user a user virtual identity that uniquely identifies the user;
receiving a service request sent by the user, and processing the service request according to the user identity authentication center identifier and the user virtual identity carried by the request.
10. The method as claimed in claim 9, characterized in that the user identity authentication center registers the user's different kinds of services separately according to a classification of service types.
11. The method as claimed in claim 10, characterized in that the user identity authentication center sets the manner in which the user's different kinds of services are registered according to the security levels corresponding to the different service types.
12. The method as claimed in claim 9, characterized in that, before allocating to the user the user virtual identity that uniquely identifies the user, the method further comprises:
judging whether the user has already been allocated a user virtual identity; if not, allocating a user virtual identity to the user; if so, not allocating a user virtual identity to the user.
13. The method as claimed in claim 12, characterized in that, before the step of not allocating a user virtual identity to the user, the method further comprises:
judging whether the user's user virtual identity is within the set validity period; if so, continuing to execute the step of not allocating a user virtual identity to the user; if not, reallocating a user virtual identity to the user.
14. The method as claimed in claim 9, characterized in that processing the service request according to the user identity authentication center identifier and the user virtual identity carried by the request comprises:
judging whether this user virtual identity and the corresponding user identity information are stored; if so, authenticating the user according to this information and executing the service request;
if not, sending a query request to the user identity authentication center having this user identity authentication center identifier; the user identity authentication center determines that it stores the user identity information corresponding to this user virtual identity and sends the user identity information; the user is authenticated according to the received information and the service request is executed.
15. A device for controlling user identity authentication, characterized in that it comprises a user identity authentication center unit, a service processing control unit and an authentication management unit, wherein:
the user identity authentication center unit is used to allocate an identifier to the user identity authentication center, to manage and authenticate the user identity authentication center, and to set the interaction strategy of the user identity authentication center;
the service processing control unit is used to allocate identifiers to the entities that provide service processing, to manage and authenticate the entities that provide service processing, and to set the interaction strategy of the entities that provide service processing;
the authentication management unit is used to control the interaction between the user identity authentication center unit and the service processing control unit.
16. The device as claimed in claim 15, characterized in that the service processing control unit comprises a service provider management unit.
CN2007101004921A 2007-04-16 2007-04-16 System, device and method for identity security authentication Expired - Fee Related CN101291220B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007101004921A CN101291220B (en) 2007-04-16 2007-04-16 System, device and method for identity security authentication

Publications (2)

Publication Number Publication Date
CN101291220A true CN101291220A (en) 2008-10-22
CN101291220B CN101291220B (en) 2010-08-18

Family

ID=40035321

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007101004921A Expired - Fee Related CN101291220B (en) 2007-04-16 2007-04-16 System, device and method for identity security authentication

Country Status (1)

Country Link
CN (1) CN101291220B (en)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE60314871T2 (en) * 2002-05-24 2008-03-13 Telefonaktiebolaget Lm Ericsson (Publ) METHOD FOR AUTHENTICATING A USER IN ACCESS TO A SERVICE PROVIDER'S SERVICE
CN100527887C (en) * 2006-08-29 2009-08-12 中国移动通信集团公司 Method for processing information of user's ID

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013044569A1 (en) * 2011-09-30 2013-04-04 北京亿赞普网络技术有限公司 Network user identification method and application server thereof
CN103281680A (en) * 2013-05-07 2013-09-04 杭州东信北邮信息技术有限公司 Uniform communication system and method for on-demand accurate sales and protection of user privacy
CN103281680B (en) * 2013-05-07 2015-11-18 杭州东信北邮信息技术有限公司 Realize accurate marketing as required and protect unified communications and the method for privacy of user
CN104980428A (en) * 2015-04-28 2015-10-14 腾讯科技(深圳)有限公司 Network communication method, device and system
CN104980428B (en) * 2015-04-28 2018-09-04 腾讯科技(深圳)有限公司 A kind of network communication method, device and system
CN110166246A (en) * 2016-03-30 2019-08-23 阿里巴巴集团控股有限公司 The method and apparatus of identity registration, certification based on biological characteristic
CN110166246B (en) * 2016-03-30 2022-07-08 创新先进技术有限公司 Identity registration and authentication method and device based on biological characteristics
CN108604990A (en) * 2016-12-02 2018-09-28 华为技术有限公司 The application method and device of local authorized certificate in terminal
CN112491836A (en) * 2020-11-16 2021-03-12 新华三技术有限公司合肥分公司 Communication system, method, device and electronic equipment
CN112491836B (en) * 2020-11-16 2022-04-22 新华三技术有限公司合肥分公司 Communication system, method, device and electronic equipment
CN112100682A (en) * 2020-11-23 2020-12-18 北京软通智慧城市科技有限公司 Identity information protection system and method
CN112100682B (en) * 2020-11-23 2021-02-19 北京软通智慧城市科技有限公司 Identity information protection system and method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100818