Summary of the invention
In view of this, a main purpose of the present invention is to provide a device for realizing identity authentication that improves the security of identity authentication and safeguards the interests of legitimate users.
Another main purpose of the present invention is to provide a system for realizing identity authentication that improves the security of identity authentication and safeguards the interests of legitimate users.
Another main purpose of the present invention is to provide a method for realizing identity authentication that improves the security of identity authentication and safeguards the interests of legitimate users.
To achieve the above objects, the invention provides a user device metric engine for realizing identity authentication. The user device metric engine comprises a metric middleware module, a metric collection module and a metric verification module, wherein:
The metric middleware module is configured to receive metric authentication request information and notify the metric collection module to collect the metrics of the user device; to receive the metrics of the user device returned by the metric collection module, obtain from the metric registration information module the registered user device metric value stored in advance for this user device, and send the metrics of the user device together with the registered user device metric value of this user device to the metric verification module; and to forward the information returned by the metric verification module.
The metric collection module is configured to receive from the metric middleware module the notification to collect the metrics of the user device and, according to a metric policy stored in advance, collect the metric authentication information of the user device.
The metric verification module is configured to perform metric processing on the received metric authentication information of the user device, compare the metric value formed by that processing with the received registered user device metric value of the user device, and, if the comparison matches, notify through the metric middleware module that the user device has passed authentication.
The metric collection module is further configured to collect the metric authentication registration information of the user device according to the metric policy stored in advance and a notification from the metric middleware module to collect the metric registration information of the user device; the user device metric engine further comprises a metric registration information module configured to perform metric processing on the metric authentication registration information of the user device sent by the metric middleware module and to form the resulting metric value as the registered user device metric value of the user device.
The user device metric engine further comprises a behaviour analysis and judgement module configured to collect and record the behavioural characteristics of the user and to judge and analyse the user's behavioural characteristics according to a predefined behaviour analysis algorithm.
The metric policy comprises any one or any combination of: the network interface card information, operating system information, browser information, geographical location information of the IP address and user device name information corresponding to each user device, and user behaviour information.
An out-of-band authentication server for realizing identity authentication comprises an information receiving module, an information processing module, an out-of-band authentication credential storage module, an out-of-band authentication credential comparison module and an information sending module, wherein:
The information receiving module is configured to pass the received out-of-band identity authentication request information from the authentication authorization enforcer, and the out-of-band authentication credential information returned by the user device, to the information processing module.
The information processing module is configured to generate out-of-band authentication credential information according to the received out-of-band identity authentication request information and send it to the out-of-band authentication credential storage module and the information sending module; and to send the out-of-band authentication credential information returned by the user device, as passed on by the information receiving module, to the out-of-band authentication credential comparison module.
The out-of-band authentication credential storage module is configured to store the out-of-band authentication credential information generated by the information processing module.
The out-of-band authentication credential comparison module is configured to receive the out-of-band authentication credential information from the information processing module, verify whether it is consistent with the out-of-band authentication credential information stored in the out-of-band authentication credential storage module and, if consistent, send through the information sending module an out-of-band identity authentication request response message containing out-of-band authentication success information.
The information sending module is configured to send the received out-of-band identity authentication request response message and out-of-band authentication credential information.
A system for realizing identity authentication comprises an authentication authorization enforcer, a user device metric engine and an authentication policy module, wherein:
The authentication authorization enforcer is configured, once it has determined that the user device has passed ordinary authentication and has learned that the user device needs to undergo metric authentication, to send metric authentication request information to the user device metric engine so that metric authentication is performed; and, if it determines that metric authentication succeeded, to notify the user device that it may enter the business system.
The user device metric engine is configured to obtain the metric authentication information of the user device through interaction with the user device according to the metric authentication request information sent by the authentication authorization enforcer; to perform metric processing on the obtained metric authentication information to form a metric value; to compare it with the registered user device metric value stored in advance; and, if the comparison matches, to notify the user device through the authentication authorization enforcer that it may enter the business system.
The authentication policy module is configured to interact with the authentication authorization enforcer, determine that the authentication policy it stores in advance contains the metric authentication registration information of the user device, and notify the authentication authorization enforcer to perform metric authentication on the user device.
The system further comprises an out-of-band authentication server, and correspondingly:
The authentication authorization enforcer is configured, once it has determined that the user device has passed metric authentication and has learned from the authentication policy module that the user device needs to undergo out-of-band authentication, to send out-of-band identity authentication request information to the out-of-band authentication server; and, if it determines that the out-of-band identity authentication request response message returned by the out-of-band authentication server contains out-of-band authentication success information, to notify the user device that it may enter the business system.
The out-of-band authentication server is configured to receive the out-of-band identity authentication request information, generate out-of-band authentication credential information and send it to the user device; to verify whether the out-of-band authentication credential information returned by the user device is consistent with the out-of-band authentication credential information it sent to the user device; and, if consistent, to return to the authentication authorization enforcer an out-of-band identity authentication request response message containing out-of-band authentication success information.
The user device metric engine comprises a metric middleware module, a metric collection module and a metric verification module, wherein:
The metric middleware module is configured to receive metric authentication request information and notify the metric collection module to collect the metrics of the user device; to receive the metrics of the user device returned by the metric collection module, obtain from the metric registration information module the registered user device metric value stored in advance for this user device, and send the metrics of the user device together with the registered user device metric value of this user device to the metric verification module; and to forward the information returned by the metric verification module.
The metric collection module is configured to receive from the metric middleware module the notification to collect the metrics of the user device and, according to the metric policy stored in advance, collect the metric authentication information of the user device.
The metric verification module is configured to perform metric processing on the received metric authentication information of the user device, compare the metric value formed by that processing with the received registered user device metric value of the user device, and, if the comparison matches, notify through the metric middleware module that the user device has passed authentication.
The metric policy comprises any one or any combination of: the network interface card information, operating system information, browser information, geographical location information of the IP address and user device name information corresponding to each user device, and user behaviour information.
The metric collection module is further configured to collect the metric authentication registration information of the user device according to the metric policy stored in advance and a notification from the metric middleware module to collect the metric registration information of the user device; the user device metric engine further comprises a metric registration information module configured to perform metric processing on the metric authentication registration information of the user device sent by the metric middleware module and to form the resulting metric value as the registered user device metric value of the user device.
The user device metric engine further comprises a behaviour analysis and judgement module configured to collect and record the behavioural characteristics of the user and to judge and analyse the user's behavioural characteristics according to a predefined behaviour analysis algorithm.
The out-of-band authentication server comprises an information receiving module, an information processing module, an out-of-band authentication credential storage module, an out-of-band authentication credential comparison module and an information sending module, wherein:
The information receiving module is configured to pass the received out-of-band identity authentication request information, and the out-of-band authentication credential information returned by the user device, to the information processing module.
The information processing module is configured to receive the out-of-band identity authentication request information, generate out-of-band authentication credential information and send it to the out-of-band authentication credential storage module and the information sending module; and to send the out-of-band authentication credential information returned by the user device, as passed on by the information receiving module, to the out-of-band authentication credential comparison module.
The out-of-band authentication credential storage module is configured to store the out-of-band authentication credential information generated by the information processing module.
The out-of-band authentication credential comparison module is configured to verify whether the out-of-band authentication credential information from the information processing module is consistent with the out-of-band authentication credential information stored in the out-of-band authentication credential storage module and, if consistent, to send through the information sending module an out-of-band identity authentication request response message containing out-of-band authentication success information.
The information sending module is configured to send the received out-of-band authentication credential information to the user device and the received out-of-band identity authentication request response message to the authentication authorization enforcer.
The system further comprises an ordinary authentication server configured to interact with the user device and the authentication authorization enforcer and perform ordinary authentication of the user device.
The authentication authorization enforcer is further configured to receive the access request sent by the user device and send an ordinary identity authentication request to the ordinary authentication server; and to receive ordinary authentication requirement information, carry the authenticating identity information it generates itself together with the ordinary authentication requirement information in an access request response message, and send it to the user device.
The user device receives the access request response message, determines that authentication of the authentication authorization enforcer has passed, and sends an ordinary authentication requirement response message to the ordinary authentication server.
The ordinary authentication server is configured to receive the ordinary identity authentication request and return ordinary authentication requirement information to the authentication authorization enforcer; and to perform identity authentication according to the received ordinary authentication requirement response message, determine that the user device has passed ordinary authentication, and return to the authentication authorization enforcer a user device authenticating identity response message carrying information that the user device has passed ordinary authentication.
A system for realizing identity authentication comprises an authentication authorization enforcer, an out-of-band authentication server and an authentication policy module, wherein:
The authentication authorization enforcer is configured, once it has determined that the user device has passed ordinary authentication and has learned that the user device needs to undergo out-of-band authentication, to send out-of-band identity authentication request information to the out-of-band authentication server so that out-of-band authentication is performed; and, if it determines that out-of-band authentication succeeded, to notify the user device that it may enter the business system.
The out-of-band authentication server is configured to receive the out-of-band identity authentication request information, generate out-of-band authentication credential information and send it to the user device; to verify whether the out-of-band authentication credential information returned by the user device is consistent with the out-of-band authentication credential information it sent to the user device; and, if consistent, to notify the user device through the authentication authorization enforcer that it may enter the business system.
The authentication policy module is configured to interact with the authentication authorization enforcer, determine that the authentication policy it stores in advance contains the out-of-band authentication registration information of the user device, and notify the authentication authorization enforcer to perform out-of-band authentication of the user device.
The system further comprises a user device metric engine configured to obtain the metric authentication information of the user device through interaction with the user device according to the metric authentication request information sent by the authentication authorization enforcer; to perform metric processing on the obtained metric authentication information to form a metric value; to compare it with the registered user device metric value stored in advance; and, if the comparison matches, to let the authentication authorization enforcer and the authentication policy module determine through their interaction whether the user device needs out-of-band authentication.
The out-of-band authentication server comprises an information receiving module, an information processing module, an out-of-band authentication credential storage module, an out-of-band authentication credential comparison module and an information sending module, wherein:
The information receiving module is configured to pass the received out-of-band identity authentication request information from the authentication authorization enforcer, and the out-of-band authentication credential information returned by the user device, to the information processing module.
The information processing module is configured to generate out-of-band authentication credential information according to the received out-of-band identity authentication request information and send it to the out-of-band authentication credential storage module and the information sending module; and to send the out-of-band authentication credential information returned by the user device, as passed on by the information receiving module, to the out-of-band authentication credential comparison module.
The out-of-band authentication credential storage module is configured to store the out-of-band authentication credential information generated by the information processing module.
The out-of-band authentication credential comparison module is configured to receive the out-of-band authentication credential information from the information processing module, verify whether it is consistent with the out-of-band authentication credential information stored in the out-of-band authentication credential storage module and, if consistent, send through the information sending module an out-of-band identity authentication request response message containing out-of-band authentication success information.
The information sending module is configured to send the received out-of-band authentication credential information to the user device and the received out-of-band identity authentication request response message to the authentication authorization enforcer.
The system further comprises an ordinary authentication server configured to interact with the user device and the authentication authorization enforcer and perform ordinary authentication of the user.
The user device metric engine comprises a metric collection module and a metric verification module, wherein:
The metric collection module is configured to collect the metric authentication information of the user device according to the metric policy stored in advance and the received metric authentication request information.
The metric verification module is configured to perform metric processing on the metric authentication information of the user device, compare the metric value formed by that processing with the registered user device metric value of the user device stored in advance, and, if the comparison matches, notify that the user device has passed authentication.
A method for realizing identity authentication comprises:
After it is determined that the user device has passed ordinary authentication, when the authentication authorization enforcer learns from the authentication policy module that the user device needs to undergo metric authentication, it sends metric authentication request information to the user device metric engine;
The user device metric engine receives the metric authentication request information, obtains the metric authentication information of the user device through interaction with the user device, performs metric processing on the obtained metric authentication information to form a metric value, compares it with the registered user device metric value stored in advance and, if the comparison matches, notifies the user device through the authentication authorization enforcer that it may enter the business system.
The authentication authorization enforcer learning that the user device needs to undergo metric authentication comprises:
The authentication authorization enforcer sends metric authentication query request information to the authentication policy module;
The authentication policy module receives the metric authentication query request information and queries the stored authentication policy; if the authentication policy of this user contains metric authentication registration information, it returns a metric authentication query request response message to the authentication authorization enforcer, notifying the authentication authorization enforcer to perform metric authentication.
The step in which the authentication policy module stores the authentication policy comprises:
After it is determined that the user device has passed ordinary authentication, the authentication authorization enforcer sends metric authentication registration information to the user device metric engine;
The user device metric engine receives the metric authentication registration information, obtains the metric authentication information of the user device through interaction with the user device, performs metric processing on the obtained metric authentication information to generate a registration metric value, and stores the registration metric value information;
The user device metric engine writes into the authentication policy module a metric authentication policy requiring that metric authentication be performed on the user device.
The metric processing comprises integrity processing, or data compression processing, or encryption processing.
Obtaining the metric authentication information of the user device through interaction with the user device specifically comprises:
The user device metric engine, according to the received metric authentication registration information and the metric policy stored in advance, generates obtain-metric-authentication-registration information and sends it to the user device;
The user device, according to the received obtain-metric-authentication-registration information, sends its own corresponding metric authentication information to the user device metric engine.
The metric authentication information comprises any one or any combination of: the network interface card information, operating system information, browser information, geographical location information of the IP address and user device name information corresponding to each user device, and user behaviour information.
The authentication authorization enforcer learning that the user device needs to undergo metric authentication further comprises: the authentication authorization enforcer and the authentication policy module interact and learn that the user device does not need to undergo metric authentication, and the user device is notified that it may enter the business system.
Where the comparison matches and the user device is notified through the authentication authorization enforcer that it may enter the business system, the method further comprises: if the comparison does not match, a metric authentication request response message carrying binding failure information or re-registration information is returned to the authentication authorization enforcer, the user device is notified of the binding failure or told to register again, and the user device is refused entry to the business system.
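The metric registration and verification procedure above, written out as an added example that is not part of the patent text: a metric policy selects which of the listed fields are collected, "integrity processing" is realised as a keyed SHA-256 digest over the canonical encoding (the engine key, the field names and the three outcome labels are assumptions), and verification distinguishes a matching comparison from a binding failure and from a device that must register again.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List

# The candidate metric fields the text lists; a metric policy selects any one or combination.
METRIC_FIELDS = ("nic", "os", "browser", "ip_geo", "device_name", "user_behavior")

BOUND = "BOUND"                    # comparison matched: user identity bound to this device
BINDING_FAILED = "BINDING_FAILED"  # comparison did not match (binding failure information)
REREGISTER = "REREGISTER"          # no registered metric value for this device (re-registration)


def collect_metrics(reported: Dict[str, str], policy: List[str]) -> Dict[str, str]:
    """Metric collection module: keep only the fields the stored metric policy asks for."""
    unknown = [f for f in policy if f not in METRIC_FIELDS]
    if unknown:
        raise ValueError(f"metric policy names unknown fields: {unknown}")
    missing = [f for f in policy if f not in reported]
    if missing:
        raise ValueError(f"device did not report required metric fields: {missing}")
    return {f: reported[f] for f in policy}


def measure(metrics: Dict[str, str], engine_key: bytes) -> str:
    """Integrity processing (one of the three processing options the text names):
    a keyed SHA-256 digest over the canonical encoding of the collected metrics.
    The key is an assumption: it belongs to the engine, so a device cannot compute
    a registered metric value on its own."""
    canonical = json.dumps(metrics, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(engine_key, canonical, hashlib.sha256).hexdigest()


@dataclass
class MetricEngine:
    """User device metric engine: registration metric values plus the policy per device."""
    engine_key: bytes
    policies: Dict[str, List[str]] = field(default_factory=dict)
    registered: Dict[str, str] = field(default_factory=dict)

    def register(self, device_id: str, reported: Dict[str, str], policy: List[str]) -> str:
        """Registration step: collect per policy, measure, store the registration metric value."""
        value = measure(collect_metrics(reported, policy), self.engine_key)
        self.policies[device_id] = policy
        self.registered[device_id] = value
        return value

    def authenticate(self, device_id: str, reported: Dict[str, str]) -> str:
        """Metric verification module: re-measure and compare with the registered value."""
        policy = self.policies.get(device_id)
        expected = self.registered.get(device_id)
        if policy is None or expected is None:
            return REREGISTER
        try:
            current = measure(collect_metrics(reported, policy), self.engine_key)
        except ValueError:
            return BINDING_FAILED  # device no longer reports a field the policy requires
        # Constant-time comparison of the two digests.
        return BOUND if hmac.compare_digest(current, expected) else BINDING_FAILED


def run_demo() -> Dict[str, str]:
    """Constructed walk-through: register one device, then replay the verification cases."""
    engine = MetricEngine(engine_key=b"constructed-engine-key")
    laptop = {"nic": "00:11:22:33:44:55", "os": "Linux 6.1", "browser": "Firefox 115",
              "ip_geo": "Shenzhen", "device_name": "alice-laptop", "user_behavior": "weekday-0900"}
    engine.register("alice", laptop, policy=["nic", "os", "browser", "device_name"])

    same_device = dict(laptop, ip_geo="Beijing")          # a field outside the policy changed
    other_device = dict(laptop, nic="66:77:88:99:aa:bb")   # a policy field changed
    partial = {k: v for k, v in laptop.items() if k != "browser"}
    return {
        "same_device": engine.authenticate("alice", same_device),
        "other_device": engine.authenticate("alice", other_device),
        "missing_field": engine.authenticate("alice", partial),
        "unregistered": engine.authenticate("bob", laptop),
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

Fields outside the policy (here the IP geolocation) may change freely; a change in any policy field, or a field the device stops reporting, yields a binding failure.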
The step of notifying the user device through the authentication authorization enforcer that it may enter the business system further comprises:
When the authentication authorization enforcer and the authentication policy module interact and learn that the user device needs to undergo out-of-band authentication, out-of-band identity authentication request information is sent;
The out-of-band authentication server receives the out-of-band identity authentication request information, generates out-of-band authentication credential information, sends it to the user device, and verifies whether the out-of-band authentication credential information returned by the user device is consistent with the out-of-band authentication credential information it generated; if consistent, it returns to the authentication authorization enforcer an out-of-band identity authentication request response message containing out-of-band authentication success information;
The authentication authorization enforcer, according to the received out-of-band identity authentication request response message, notifies the user device that it may enter the business system.
Interacting with the authentication policy module and learning that the user device needs to undergo out-of-band authentication specifically comprises:
The authentication authorization enforcer sends out-of-band authentication query request information to the authentication policy module;
The authentication policy module receives the out-of-band authentication query request information and queries the stored authentication policy; if it contains out-of-band authentication registration information, it returns an out-of-band authentication query request response message to the authentication authorization enforcer, notifying the authentication authorization enforcer to perform out-of-band authentication.
If the stored authentication policy does not contain out-of-band authentication registration information, an out-of-band authentication query request response message is returned to the authentication authorization enforcer and the user device is notified that it may enter the business system.
The out-of-band authentication credential information comprises a password, a telephone call, a short message or an email.
The out-of-band authentication credential information is sent to the user device by way of a short message system, telephone or email.
Where the credentials are consistent and an out-of-band identity authentication request response message containing out-of-band authentication success information is returned to the authentication authorization enforcer, the step further comprises:
If no feedback information from the user is received within a preset time window, or the out-of-band authentication credential information returned by the user is inconsistent with the out-of-band authentication credential information the server itself generated, an out-of-band identity authentication request response message carrying out-of-band authentication failure information or re-registration information is returned to the authentication authorization enforcer; correspondingly,
The authentication authorization enforcer, according to the received out-of-band identity authentication request response message, notifies the user device that out-of-band authentication failed or that it must register again, and refuses the user device entry to the business system.
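The out-of-band procedure above, as an added example that is not part of the patent text: the server generates a one-time credential, stores it, hands it to a sending module (a constructed outbox standing in for the short message, telephone or email system) and then compares the returned credential inside a preset time window. The six-digit password format, the injectable clock, the single-use rule and the outcome labels are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

OOB_SUCCESS = "OOB_AUTH_SUCCESS"   # response carries out-of-band authentication success
OOB_FAILED = "OOB_AUTH_FAILED"     # response carries out-of-band authentication failure
REREGISTER = "REREGISTER"          # no out-of-band channel registered for this user


@dataclass
class Credential:
    value: str
    issued_at: float  # seconds, read from the injectable clock below


@dataclass
class OutOfBandServer:
    """Out-of-band authentication server: generate, store, send and compare credentials."""
    window_seconds: float
    clock: Callable[[], float]
    # Assumed registration data: user -> (channel, address), channel in {"sms", "phone", "email"}.
    contacts: Dict[str, Tuple[str, str]]
    outbox: List[Tuple[str, str, str]] = field(default_factory=list)  # stands in for delivery
    store: Dict[str, Credential] = field(default_factory=dict)         # credential storage module

    def handle_request(self, user: str) -> str:
        """Information processing module: on an out-of-band authentication request, generate a
        one-time six-digit password, store it, and hand it to the sending module."""
        if user not in self.contacts:
            return REREGISTER
        value = f"{secrets.randbelow(10**6):06d}"
        self.store[user] = Credential(value, self.clock())
        channel, address = self.contacts[user]
        self.outbox.append((channel, address, value))  # information sending module
        return "SENT"

    def verify(self, user: str, returned: Optional[str]) -> str:
        """Comparison module: a credential is consumed on first use, must arrive inside the
        preset time window, and must match exactly (constant-time compare)."""
        cred = self.store.pop(user, None)
        if cred is None or returned is None:
            return OOB_FAILED  # nothing outstanding, or no user feedback at all
        if self.clock() - cred.issued_at > self.window_seconds:
            return OOB_FAILED  # feedback arrived after the preset time window
        return OOB_SUCCESS if hmac.compare_digest(cred.value, returned) else OOB_FAILED


class FakeClock:
    """Controllable clock so the time-window case is reproducible in the demo."""
    def __init__(self) -> None:
        self.now = 1_000.0

    def __call__(self) -> float:
        return self.now


def run_demo() -> Dict[str, str]:
    """Constructed walk-through of the success, replay, mismatch, late and silent cases."""
    clock = FakeClock()
    server = OutOfBandServer(window_seconds=120, clock=clock,
                             contacts={"alice": ("sms", "+00-000-CONSTRUCTED")})
    results: Dict[str, str] = {}

    server.handle_request("alice")
    sent = server.outbox[-1][2]
    results["correct"] = server.verify("alice", sent)
    results["replay"] = server.verify("alice", sent)            # already consumed

    server.handle_request("alice")
    sent = server.outbox[-1][2]
    wrong = "000000" if sent != "000000" else "000001"
    results["wrong"] = server.verify("alice", wrong)

    server.handle_request("alice")
    sent = server.outbox[-1][2]
    clock.now += 121                                             # window has expired
    results["late"] = server.verify("alice", sent)

    server.handle_request("alice")
    results["no_feedback"] = server.verify("alice", None)
    results["unregistered"] = server.handle_request("bob")
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

Only the "correct" case yields the success response the enforcer needs before admitting the device; every other path yields the failure or re-registration response the text describes.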
Determining that the user device has passed ordinary authentication comprises:
The user device sends an access request to the authentication authorization enforcer and requires that trusted identity authentication be performed on the authentication authorization enforcer;
The authentication authorization enforcer receives the access request and requests the ordinary authentication server to perform identity authentication on the user;
The ordinary authentication server receives the ordinary identity authentication request and returns ordinary authentication requirement information to the authentication authorization enforcer;
The authentication authorization enforcer receives the ordinary authentication requirement information, carries the authenticating identity information it generates itself together with the ordinary authentication requirement information in an access request response message, and sends it to the user device;
The user device receives the access request response message, determines that authentication of the authentication authorization enforcer has passed, and sends an ordinary authentication requirement response message to the ordinary authentication server;
The ordinary authentication server receives the user device authenticating identity information and performs identity authentication; if authentication passes, it carries authenticating identity success information in the user device authenticating identity response message it returns.
A method for realizing identity authentication comprises:
After it is determined that the user device has passed ordinary authentication, when the authentication authorization enforcer learns from the authentication policy module that the user device needs to undergo out-of-band authentication, it sends out-of-band identity authentication request information to the out-of-band authentication server;
The out-of-band authentication server receives the out-of-band identity authentication request information, generates out-of-band authentication credential information, sends it to the user device, and verifies whether the out-of-band authentication credential information returned by the user device is consistent with the out-of-band authentication credential information it generated; if consistent, the user device is notified through the authentication authorization enforcer that it may enter the business system.
The out-of-band authentication credential information is sent to the user device by way of a short message system, telephone or email.
As can be seen from the above technical solutions, the device, system and method for realizing identity authentication provided by the invention, on the basis of existing ordinary identity authentication technology, add metric authentication of the user device to bind the user identity to the user device the user uses, which blocks most attacks on identity authentication carried out over the network; or, on the basis of existing ordinary identity authentication technology, add out-of-band authentication to block attacks on the user identity over the network; or, on the basis of existing ordinary identity authentication technology, add both metric authentication of the user device and out-of-band authentication to block attacks on the user identity over the network. The security of identity authentication is thereby improved, the interests of legitimate users are safeguarded, and problems such as man-in-the-middle attacks and connection hijacking attacks are resolved. Moreover, the identity authentication system provided by the invention is compatible with various existing identity authentication systems, requires no excessive modification of the original authentication system during implementation, has low input cost and easy management and maintenance, and can greatly raise the security of the identity authentication system.
Embodiment
To make the purpose, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
The device, system and method for realizing identity authentication provided by the invention, on the basis of existing identity authentication technology, add metric authentication of the user device to bind the user identity to the user device the user uses, which can block most attacks on identity authentication carried out over the network or make the attacker's attack more difficult; further, adding out-of-band authentication blocks attacks on the user identity over the network, further improves the security of identity authentication, safeguards the interests of legitimate users, and fundamentally solves problems such as the attacker's man-in-the-middle attacks and connection hijacking attacks.
In practical application, because the user always performs identity authentication through a user device, the user and the user device are treated as bound in the description below.
Fig. 1a is a schematic diagram of the structure of a system for realizing identity authentication according to the present invention. Referring to Fig. 1a, the system comprises a user equipment, an authentication and authorization executor, an authentication policy module, a common authentication server and a user equipment measurement engine, wherein,
The common authentication server interacts with the user equipment and the authentication and authorization executor to perform the common identity authentication of the user equipment;
The authentication and authorization executor, after determining that the user equipment has passed common identity authentication and learning from the authentication policy module that the user equipment must also undergo measurement authentication, sends a measurement authentication request message to the user equipment measurement engine so that measurement authentication is performed; if it determines that measurement authentication succeeded, it notifies the user equipment that it may enter the business system;
In practice, the executor may regard measurement authentication as successful when the measurement authentication request response message returned by the user equipment measurement engine contains binding success information.
The authentication policy module interacts with the authentication and authorization executor; when it determines that the authentication policy it stores in advance contains measurement authentication registration information for the user equipment, it notifies the authentication and authorization executor to perform measurement authentication of the user equipment;
The user equipment measurement engine receives the measurement authentication request message and interacts with the user equipment to obtain the measurement authentication information of the user equipment; it applies processing such as an integrity computation to the obtained metrics to form a metric value and compares that value with the registered user equipment metric value stored in advance; if the comparison matches, it notifies the user equipment, through the authentication and authorization executor, that it may enter the business system;
In practice, if the comparison matches, the user equipment measurement engine regards measurement authentication as successful and returns to the authentication and authorization executor a measurement authentication request response message carrying binding success information;
The user equipment interacts with the user equipment measurement engine and sends its own measurement authentication information to the user equipment measurement engine.
The user equipment measurement engine is further used to receive measurement authentication registration information: according to the preset metric policy it generates a request to obtain measurement authentication registration information and sends it to the user equipment, applies integrity processing to the measurement authentication registration information the user equipment returns, and forms and stores the result as the registered user equipment metric value.
The measurement authentication registration information comprises, for each user equipment, its network interface card information, operating system information, browser information, the geographical location of its IP address, its device name information, user behaviour information, and the like;
The preset metric policy selects one or more items of the measurement authentication registration information.
Generating the request to obtain measurement authentication registration information means generating a request that corresponds to the preset metric policy. For example, if the preset metric policy comprises network interface card information and operating system information, the generated request asks the user equipment for its network interface card information and operating system information, and the user equipment carries its own network interface card information and operating system information in the measurement authentication registration information it returns.
In practice, the system may also comprise only the authentication and authorization executor, the user equipment measurement engine and the authentication policy module, in which case the user performs measurement authentication directly through this system without common identity authentication.
The common authentication server interacts with the user equipment and the authentication and authorization executor to perform the common identity authentication of the user. The identity authentication technology adopted by the common authentication server may be dynamic password authentication, digital certificate authentication, biometric authentication, trusted terminal authentication and the like, similar to existing identity authentication; it is briefly described below:
The authentication and authorization executor receives the access request sent by the user equipment and sends a common identity authentication request to the common authentication server; it receives the common authentication requirement information, carries its own authentication identity information together with the common authentication requirement information in an access request response message, and sends that message to the user equipment;
The user equipment receives the access request response message, verifies the authentication identity of the authentication and authorization executor and, if verification passes, returns a common authentication requirement response message, which reaches the common authentication server through the authentication and authorization executor;
The common authentication server receives the common identity authentication request and returns common authentication requirement information to the authentication and authorization executor; it performs identity authentication according to the received common authentication requirement response message, determines that the user equipment passes common identity authentication, and returns to the authentication and authorization executor a user equipment authentication identity response message carrying the information that the user equipment has passed common identity authentication.
The user equipment measurement engine comprises a measurement middleware module, a metric collection module, a metric verification module and a measurement registration information module, wherein,
The measurement middleware module receives the measurement authentication request message and notifies the metric collection module to collect the metrics of the user equipment; it receives the user equipment metrics returned by the metric collection module, obtains from the measurement registration information module the registered user equipment metric value of this user equipment stored in advance, sends the user equipment metrics and the registered metric value of this user equipment to the metric verification module, and forwards the information returned by the metric verification module;
The metric collection module receives from the measurement middleware module the notification to collect the metrics of the user equipment and collects the measurement authentication information of the user equipment according to the metric policy stored in advance;
The metric verification module applies measurement processing to the received measurement authentication information of the user equipment and compares the metric value formed after processing with the received registered user equipment metric value; if the comparison matches, it returns to the measurement middleware module the notification that the user equipment has passed identity authentication.
The measurement middleware module also receives measurement authentication registration information; correspondingly, the user equipment measurement engine further comprises the measurement registration information module,
The metric collection module is further used to collect the measurement authentication registration information of the user equipment according to the metric policy stored in advance and the notification from the measurement middleware module to collect the measurement registration information of the user equipment,
The measurement registration information module applies measurement processing to the measurement authentication registration information of the user equipment forwarded by the measurement middleware module and forms the resulting metric value as the registered user equipment metric value of the user equipment.
In practice, the user equipment measurement engine may also comprise a behaviour analysis and judgement module that collects and records the user's behavioural characteristics and judges and analyses them according to a predefined behaviour analysis algorithm.
The metric policy comprises one or any combination of the following, for each user equipment: network interface card information, operating system information, browser information, the geographical location of the IP address, device name information and user behaviour information.
In another embodiment of the present invention, the user equipment measurement engine comprises a metric collection module, a metric verification module, a measurement registration information module and a behaviour analysis and judgement module,
The metric collection module collects the metrics of the user equipment according to the metric policy stored in advance and the received message;
In practice, the metric collection module collects the policy-related metrics of the user equipment according to the received measurement authentication registration message or measurement authentication request message and the metric policy stored in advance. Specifically, the policy-related metrics collected in response to a measurement authentication registration request are sent to the measurement registration information module, and the policy-related measurement authentication information collected in response to a measurement authentication request is sent to the metric verification module;
The metrics of the user equipment comprise information such as network interface card information, operating system information, browser information, the geographical location of the IP address, device name information and user behaviour information. Collected in response to a measurement authentication registration message, these metrics constitute the measurement authentication registration information; collected in response to a measurement authentication request message, they constitute the measurement authentication information.
The metric policy stored in advance tells the metric collection module which metrics of the user equipment to collect, for example one or more of the user equipment's network interface card information, operating system information, browser information, the geographical location of its IP address, machine name information and visitor behaviour information.
One metric policy may apply to all user equipments, or different metric policies may be set for different user equipments.
Preferably, the metrics collected according to the received measurement authentication registration message and the metric policy are the same items as the measurement authentication information collected according to the received measurement authentication request message and the metric policy; that is, the measurement authentication registration information and the measurement authentication information have the same content and differ only in the point in time at which the metrics of the user equipment are collected.
The metric verification module applies measurement processing to the metrics of the user equipment collected by the metric collection module and compares the metric value formed after processing with the registered user equipment metric value of this user equipment held in the measurement registration information module; if the comparison matches, it generates a measurement authentication request response message carrying binding success information and sends it to the authentication and authorization executor; if the comparison does not match, it generates a measurement authentication request response message carrying binding failure information or a registration prompt and sends it to the authentication and authorization executor.
In practice, when the metric verification module determines that the comparison matches, this is equivalent to binding the user to the user equipment the user uses. The binding is not unique: it can be added to and changed flexibly as the usage environment changes, but common identity authentication must be passed before it is changed.
The measurement registration information module applies measurement processing to the metrics of the user equipment collected by the metric collection module and forms the resulting metric value as the registered user equipment metric value of this user equipment;
Measurement processing comprises applying integrity processing, or data compression, or encryption and the like to the selected metrics of the user equipment.
The behaviour analysis and judgement module collects and records the user's behavioural characteristics and judges and analyses them according to a predefined behaviour analysis algorithm.
In practice, the user equipment measurement engine may also omit the behaviour analysis and judgement module.
The behaviour analysis and judgement module strengthens the security authentication of the user by collecting and recording the user's behavioural characteristics and judging and analysing them. For example, it records user behavioural characteristics such as the time at which the metric collection module collects the metrics of the user equipment in response to a measurement authentication registration request; when the behaviour analysis and judgement module judges that the user's behavioural characteristics are abnormal, the user is required to perform further identity authentication to confirm that the user is legitimate.
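The following is an added example, not code from the patent, showing how the user equipment measurement engine described above can be realised: a metric policy selects which device metrics the metric collection module keeps, measurement processing reduces them to an integrity value, the measurement registration information module stores one registered value per user, and the metric verification module compares a fresh collection against it, answering with binding success, binding failure or a registration prompt. SHA-256 over a canonical encoding is an assumed choice of integrity processing (the text only says "integrity processing"), the behaviour check (a collection hour outside an assumed usual range that was never seen at registration) is an assumed stand-in for the "predefined behaviour analysis algorithm", and the device records and timestamps are constructed sample data. The example assumes the metrics reach the engine over a channel the attacker cannot tamper with, as the text argues.

```python
"""Added example, not code from the patent: a minimal user equipment measurement engine.

Metric policy -> metric collection -> measurement processing (SHA-256 integrity value,
an assumption) -> registration / verification, plus an assumed behaviour check.
Device records and timestamps below are constructed sample data.
"""
import hashlib
import hmac
import json
from datetime import datetime

# Assumed metric policy: which of the user equipment's metrics are measured.
DEFAULT_POLICY = ("nic", "os", "browser", "ip_geo", "device_name")

# Constructed device records, as the metric collection module would see them.
REGISTERED_DEVICE = {
    "nic": "00:1a:2b:3c:4d:5e",
    "os": "Windows 7 SP1",
    "browser": "Firefox/10.0",
    "ip_geo": "CN-Beijing",
    "device_name": "alice-laptop",
    "uptime": "12345",          # not selected by the policy, must not affect the value
}
SAME_DEVICE_LATER = dict(REGISTERED_DEVICE, uptime="99999")
OTHER_DEVICE = dict(REGISTERED_DEVICE, nic="00:1a:2b:3c:4d:5f")


def collect_metrics(device, policy=DEFAULT_POLICY):
    """Metric collection module: keep only the policy-selected metrics."""
    missing = [k for k in policy if k not in device]
    if missing:
        raise ValueError(f"user equipment does not report metrics {missing}")
    return {k: device[k] for k in policy}


def measurement_processing(metrics):
    """Measurement processing: canonical JSON, then the integrity value (SHA-256 hex)."""
    canonical = json.dumps(metrics, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class MeasurementEngine:
    def __init__(self, policy=DEFAULT_POLICY, usual_hours=range(7, 22)):
        self.policy = policy
        self.registered = {}                  # measurement registration information module
        self.hours_seen = {}                  # behaviour analysis: collection hours per user
        self.usual_hours = set(usual_hours)   # assumed behaviour analysis parameter

    def register(self, user, device, when):
        """Measurement authentication registration: store the registered metric value."""
        value = measurement_processing(collect_metrics(device, self.policy))
        self.registered[user] = value
        self.hours_seen.setdefault(user, set()).add(datetime.fromisoformat(when).hour)
        return value

    def authenticate(self, user, device, when):
        """Measurement authentication request: return the response message content."""
        if user not in self.registered:
            return {"result": "registration_prompt"}
        value = measurement_processing(collect_metrics(device, self.policy))
        # Compare the fresh and registered integrity values in constant time.
        if not hmac.compare_digest(value, self.registered[user]):
            return {"result": "binding_failed"}
        response = {"result": "binding_success"}
        hour = datetime.fromisoformat(when).hour
        if hour not in self.usual_hours and hour not in self.hours_seen[user]:
            # Behaviour judged abnormal: the user must perform further authentication.
            response["further_authentication_required"] = True
        return response


if __name__ == "__main__":
    engine = MeasurementEngine()
    engine.register("alice", REGISTERED_DEVICE, "2011-05-02T09:30:00")
    print(engine.authenticate("alice", SAME_DEVICE_LATER, "2011-05-03T10:00:00"))
    print(engine.authenticate("alice", OTHER_DEVICE, "2011-05-03T10:00:00"))
    print(engine.authenticate("alice", SAME_DEVICE_LATER, "2011-05-04T03:15:00"))
    print(engine.authenticate("bob", SAME_DEVICE_LATER, "2011-05-04T03:15:00"))
```

Only the policy-selected metrics enter the integrity value, so a volatile field such as uptime does not break the binding, while a changed network interface card does; an unknown user receives the registration prompt rather than a failure, matching the two non-matching responses the module is described as returning.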
In practice, the identity authentication system shown in Fig. 1a may further comprise an out-of-band authentication server,
The authentication and authorization executor, after determining that the user equipment has passed measurement authentication and learning from the authentication policy module that the user equipment must also undergo out-of-band authentication, sends an out-of-band identity authentication request message to the out-of-band authentication server; if it determines that the out-of-band identity authentication request response message returned by the out-of-band authentication server contains out-of-band authentication success information, it notifies the user equipment that it may enter the business system;
The authentication policy module interacts with the authentication and authorization executor; when it determines that the authentication policy it stores in advance contains out-of-band authentication registration information for the user equipment, it notifies the authentication and authorization executor to perform out-of-band authentication of the user equipment;
The out-of-band authentication server receives the out-of-band identity authentication request message, generates out-of-band authentication credential information and sends it to the user equipment; it verifies whether the out-of-band authentication credential information returned by the user equipment is consistent with the out-of-band authentication credential information it sent to the user equipment and, if consistent, returns to the authentication and authorization executor an out-of-band identity authentication request response message containing out-of-band authentication success information.
The out-of-band authentication server comprises an information receiving module, an information processing module, an out-of-band authentication credential storage module, an out-of-band authentication credential comparison module and an information sending module, wherein,
The information receiving module sends the received out-of-band identity authentication request message and the out-of-band authentication credential information returned by the user equipment to the information processing module;
The information processing module receives the out-of-band identity authentication request message, generates the out-of-band authentication credential information and sends it to the out-of-band authentication credential storage module and the information sending module; it also receives, from the information receiving module, the out-of-band authentication credential information returned by the user equipment and sends it to the out-of-band authentication credential comparison module;
The out-of-band authentication credential storage module stores the out-of-band authentication credential information generated by the information processing module;
The out-of-band authentication credential comparison module verifies whether the out-of-band authentication credential information received from the information processing module is consistent with the out-of-band authentication credential information stored in the out-of-band authentication credential storage module; if consistent, the information sending module sends an out-of-band identity authentication request response message containing out-of-band authentication success information;
The information sending module sends the received out-of-band authentication credential information to the user equipment and sends the received out-of-band identity authentication request response message to the authentication and authorization executor.
In the present embodiment, the authentication policy module is in practice a database server that stores the authentication policy of each user, one authentication policy per user. An authentication policy can be expressed as: user - common authentication - measurement authentication - out-of-band authentication; or as: user - common authentication - measurement authentication; or as: user - common authentication - out-of-band authentication. The metric value may be the integrity value obtained by applying an integrity operation to the metrics.
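The following is an added example, not code from the patent, of the out-of-band authentication server's credential lifecycle as the modules above describe it: the information processing module generates a credential that the storage module keeps and the sending module delivers to the user equipment, and the comparison module checks what the user equipment returns before the success response goes to the authentication and authorization executor. The text does not fix the credential format, its lifetime or whether it may be reused; the six-digit random credential, the validity window and the single-use rule are assumptions of this example, and the timestamps are constructed so the exchange replays offline.

```python
"""Added example, not code from the patent: out-of-band credential generation, storage
and comparison. Credential format, validity window and single use are assumptions."""
import hmac
import secrets

CREDENTIAL_TTL_SECONDS = 120  # assumed validity window for a delivered credential


class OutOfBandAuthServer:
    def __init__(self):
        # Out-of-band credential storage module: user -> (credential, expiry timestamp).
        self._store = {}

    def handle_auth_request(self, user, now):
        """Information processing module: generate and store a fresh credential.
        The return value is what the information sending module delivers out of band."""
        credential = f"{secrets.randbelow(10 ** 6):06d}"
        self._store[user] = (credential, now + CREDENTIAL_TTL_SECONDS)
        return credential

    def handle_credential_response(self, user, presented, now):
        """Credential comparison module: build the response message for the executor."""
        # Single use: the stored credential is consumed whether or not the comparison succeeds.
        entry = self._store.pop(user, None)
        if entry is None:
            return {"oob_result": "failure", "reason": "no_outstanding_credential"}
        credential, expires_at = entry
        if now > expires_at:
            return {"oob_result": "failure", "reason": "expired"}
        if not hmac.compare_digest(credential, presented):
            return {"oob_result": "failure", "reason": "mismatch"}
        return {"oob_result": "success"}


def demo_exchange(t0=1_300_000_000):
    """Both sides of the exchange over constructed timestamps; returns four outcomes."""
    server = OutOfBandAuthServer()

    cred = server.handle_auth_request("alice", t0)        # executor requests OOB auth
    ok = server.handle_credential_response("alice", cred, t0 + 30)

    replay = server.handle_credential_response("alice", cred, t0 + 31)  # same credential again

    cred = server.handle_auth_request("alice", t0)
    expired = server.handle_credential_response("alice", cred, t0 + CREDENTIAL_TTL_SECONDS + 1)

    cred = server.handle_auth_request("alice", t0)
    wrong_cred = f"{(int(cred) + 1) % 10 ** 6:06d}"       # deterministic wrong guess
    wrong = server.handle_credential_response("alice", wrong_cred, t0 + 5)

    return ok, replay, expired, wrong


if __name__ == "__main__":
    for outcome in demo_exchange():
        print(outcome)
```

Consuming the stored credential before comparing it means a credential captured on the out-of-band channel cannot be presented a second time, and a credential that arrives after the window is rejected even if it is the right one; the failure reasons are for the executor's log, the response the text describes only needs the success or failure indication.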
Fig. 1b is another schematic diagram of the structure of a system for realizing identity authentication according to the present invention. Referring to Fig. 1b, the system comprises a user equipment, an authentication and authorization executor, an authentication policy module, a common authentication server and an out-of-band authentication server, wherein,
The common authentication server interacts with the user equipment and the authentication and authorization executor to perform the common identity authentication of the user;
The authentication and authorization executor, after determining that the user equipment has passed common identity authentication and learning from the authentication policy module that the user equipment must also undergo out-of-band authentication, sends an out-of-band identity authentication request message to the out-of-band authentication server so that out-of-band authentication is performed; if it determines that out-of-band authentication succeeded, it notifies the user equipment that it may enter the business system;
In practice, if the out-of-band authentication server determines that out-of-band authentication succeeded, it returns to the authentication and authorization executor an out-of-band identity authentication request response message containing out-of-band authentication success information; the authentication and authorization executor receives that message and, according to the out-of-band authentication success information it contains, notifies the user equipment that it may enter the business system.
The authentication policy module interacts with the authentication and authorization executor; when it determines that the authentication policy it stores in advance contains out-of-band authentication registration information for the user equipment, it notifies the authentication and authorization executor to perform out-of-band authentication of the user equipment;
The out-of-band authentication server receives the out-of-band identity authentication request message, generates out-of-band authentication credential information and sends it to the user equipment; it verifies whether the out-of-band authentication credential information returned by the user equipment is consistent with the out-of-band authentication credential information it sent to the user equipment and, if consistent, notifies the user equipment, through the authentication and authorization executor, that it may enter the business system.
In practice, when the out-of-band authentication server determines that out-of-band authentication succeeded, it returns to the authentication and authorization executor an out-of-band identity authentication request response message containing out-of-band authentication success information. The structure of this out-of-band authentication server is similar to that of the out-of-band authentication server in Fig. 1a and is not repeated here.
In practice, the user equipment can complete out-of-band authentication registration through this system:
The common authentication server interacts with the user equipment and the authentication and authorization executor to perform the common identity authentication of the user;
The authentication and authorization executor, after determining that the user equipment has passed common identity authentication, asks the user equipment whether it wishes to register an out-of-band authentication policy; it receives the out-of-band authentication policy registration information sent by the user equipment and sends it to the authentication policy module;
The authentication policy module receives the out-of-band authentication policy registration information and performs the out-of-band authentication policy registration for this user equipment.
In the present embodiment, the user equipment measurement engine or the out-of-band authentication server may also be applied on its own to complete identity authentication.
Fig. 2 is a schematic flow diagram of a method for realizing identity authentication according to the present invention. Referring to Fig. 2, the flow comprises:
Step 201: the user equipment sends an access request to the authentication and authorization executor;
Step 202: the authentication and authorization executor receives the access request, sends a common identity authentication request to the common authentication server, receives the returned common authentication requirement information, and sends an access request response message carrying its own authentication identity information to the user equipment;
In this step, the authentication and authorization executor receives the access request and may determine the authentication policy for the user equipment according to the user equipment identifier contained in the access request. The authentication policy can be preset in the authentication and authorization executor by the user equipment; for example, common identity authentication is identified by 1, measurement authentication by 2 and out-of-band authentication by 3, and an authentication with a higher identifier also includes the authentications with lower identifiers. For instance, if the authentication policy preset by the user equipment is identified by 3, the user equipment must undergo common identity authentication, measurement authentication and out-of-band authentication in turn. Alternatively, the authentication policy can be set in the authentication policy module, with common identity authentication as the mandatory default flow; after common identity authentication is passed, the authentication and authorization executor queries the authentication policy in the authentication policy module to learn whether measurement authentication, out-of-band authentication, or both also need to be performed.
In the present embodiment, the user equipment must undergo common identity authentication, measurement authentication and out-of-band authentication in turn.
The authentication and authorization executor receives the access request and, after determining the authentication policy identifier of the user equipment, sends a common identity authentication request to the common authentication server, receives the common authentication requirement information returned by the common authentication server, and sends an access request response message carrying its own authentication identity information to the user equipment; that authentication identity information may be a digital signature generated by the authentication and authorization executor with its own private key.
In practice, depending on the application of the user equipment and the identity authentication technology the user equipment supports, the authentication and authorization executor may adopt dynamic password authentication, USB Key digital certificate authentication, biometric authentication or IC card authentication, and sends the corresponding authentication identity information to the user equipment.
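The following is an added example, not code from the patent, of how the authentication and authorization executor can derive the ordered list of authentications from the two policy forms described above (a numeric identifier where 1 is common authentication, 2 measurement authentication and 3 out-of-band authentication, a higher identifier including the lower ones; or a record in the authentication policy database of the form "user - common authentication - measurement authentication - out-of-band authentication") and then drive the stages from each server's response, refusing access at the first stage that does not pass. The record separator " - ", the response field names and the sample responses are assumptions of this example.

```python
"""Added example, not code from the patent: authentication policy interpretation and
stage sequencing in the authentication and authorization executor. Record separator,
response field names and sample responses are assumptions."""
IDENTIFIER_TO_STAGE = {1: "common", 2: "measurement", 3: "out_of_band"}
RECORD_TO_STAGE = {
    "common authentication": "common",
    "measurement authentication": "measurement",
    "out-of-band authentication": "out_of_band",
}
# What each server's response must carry for the stage to count as passed (assumed names).
SUCCESS_CONDITION = {
    "common": lambda r: r.get("identity_authentication") == "success",
    "measurement": lambda r: r.get("binding") == "success",
    "out_of_band": lambda r: r.get("oob_result") == "success",
}


def stages_from_identifier(policy_id):
    """Identifier preset in the executor: a higher identifier includes the lower ones."""
    if policy_id not in IDENTIFIER_TO_STAGE:
        raise ValueError(f"unknown authentication policy identifier {policy_id!r}")
    return [IDENTIFIER_TO_STAGE[i] for i in range(1, policy_id + 1)]


def stages_from_policy_record(record):
    """Record from the authentication policy database, e.g.
    'alice - common authentication - out-of-band authentication'.
    Common authentication is the mandatory default, so it must come first."""
    user, *names = [part.strip() for part in record.split(" - ")]
    stages = [RECORD_TO_STAGE[n] for n in names]
    if not stages or stages[0] != "common":
        raise ValueError(f"policy for {user!r} must start with common authentication")
    if len(set(stages)) != len(stages):
        raise ValueError(f"policy for {user!r} repeats a stage")
    return user, stages


class AuthorizationExecutor:
    """Drives the stages in order; the first stage that does not pass refuses access."""

    def __init__(self, stages):
        self.stages = list(stages)
        self.position = 0
        self.refused = False

    def next_action(self):
        if self.refused:
            return "refuse_access"
        if self.position < len(self.stages):
            return self.stages[self.position]       # stage whose response is awaited
        return "enter_business_system"

    def handle_response(self, response):
        """Feed the response of the awaited stage; returns the next action."""
        if self.refused or self.position >= len(self.stages):
            raise RuntimeError("no authentication stage is awaiting a response")
        if SUCCESS_CONDITION[self.stages[self.position]](response):
            self.position += 1
        else:
            self.refused = True
        return self.next_action()


def run_flow(stages, responses):
    """Replay constructed responses through the executor; returns the actions taken."""
    executor = AuthorizationExecutor(stages)
    actions = [executor.next_action()]
    for response in responses:
        actions.append(executor.handle_response(response))
        if actions[-1] in ("refuse_access", "enter_business_system"):
            break
    return actions


if __name__ == "__main__":
    passed = [{"identity_authentication": "success"}, {"binding": "success"},
              {"oob_result": "success"}]
    print(run_flow(stages_from_identifier(3), passed))
    print(run_flow(stages_from_policy_record("alice - common authentication - out-of-band authentication")[1],
                   [{"identity_authentication": "success"}, {"oob_result": "failure"}]))
```

The identifier form can only express a prefix of common, measurement and out-of-band authentication, whereas the database record can also express "common authentication then out-of-band authentication" without measurement authentication; both reduce to the same ordered stage list that the executor walks, and a binding failure or out-of-band failure leaves the executor in the refused state rather than letting the user equipment reach the business system.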
Step 203: the user equipment receives the access request response message and verifies the authentication identity information of the authentication and authorization executor; if verification passes, it returns a common authentication requirement response message to the authentication and authorization executor;
In this step, the user equipment receives the access request response message and verifies the authentication identity information sent by the authentication and authorization executor with the corresponding authentication mode. For example, if the authentication and authorization executor sent its authentication identity information using dynamic password authentication, the user equipment verifies it with the corresponding dynamic password authentication technique. The verification flow is similar to the existing flow and is not repeated here.
If the user equipment successfully verifies the authentication identity information of the authentication and authorization executor, it regards the executor as trustworthy, processes its own authentication identity information, such as a password, signature information or biometric characteristic, and carries the processed authentication identity information in the common authentication requirement response message; otherwise, it returns to the authentication and authorization executor a common authentication requirement response message carrying an authentication failure.
Step 204: the authentication and authorization executor receives the common authentication requirement response message and sends the user equipment authentication identity information it contains to the common authentication server;
Step 205: the common authentication server receives the user equipment authentication identity information, performs identity authentication and returns a user equipment authentication identity response message to the authentication and authorization executor;
In this step, the common authentication server receives the user equipment authentication identity information; the flow of performing identity authentication is similar to the existing identity authentication flow and is not repeated here.
If identity authentication passes, the returned user equipment authentication identity response message carries authentication success information; otherwise, it carries authentication failure information and the authentication request of the user equipment is refused.
Step 206: the authentication and authorization executor receives the user equipment authentication identity response message, determines that identity authentication has passed, and sends a measurement authentication request message;
In this step, if the authentication and authorization executor has already determined the authentication policy identifier of the user equipment (in the present embodiment, the user equipment must undergo measurement authentication and then out-of-band authentication), it sends the measurement authentication request message to the user equipment measurement engine.
If the user's authentication policy is instead stored in the authentication policy module, the executor sends a measurement authentication query request message to the authentication policy module and steps 206a to 206b (not shown) are performed.
Step 206a: the authentication policy module receives the measurement authentication query request message, queries the stored authentication policy and returns a measurement authentication query request response message to the authentication and authorization executor;
In this step, the authentication policy module receives the measurement authentication query request message and determines, according to the authentication policy it looks up, whether further identity authentication is needed. If not, it returns to the authentication and authorization executor a measurement authentication query request response message indicating that the user equipment may enter the business system; if so, it returns a measurement authentication query request response message instructing the authentication and authorization executor to perform the subsequent identity authentication.
In practice, if the authentication policy module finds that the user needs both measurement authentication and out-of-band authentication, it may carry the authentication policy identifier of the user equipment in the measurement authentication query request response message, so that when measurement authentication subsequently passes, the executor proceeds directly to out-of-band authentication without sending an out-of-band authentication query request message to the authentication policy module. Of course, the executor may equally send an out-of-band authentication query request message to the authentication policy module after measurement authentication passes, to learn whether the user still needs out-of-band authentication.
Step 206b: the authentication and authorization executor receives the measurement authentication query request response message, determines that measurement authentication is to be performed, and sends the measurement authentication request message;
In this step, if the received measurement authentication query request response message indicates that no further authentication is needed, the executor notifies the user equipment that it may enter the business system; otherwise, according to the indication information contained in the measurement authentication query request response message, such as the authentication policy identifier of the user equipment, it sends the measurement authentication request message to the user equipment measurement engine.
Step 207, the user equipment metric engine receives the metric authentication request, performs metric authentication of the user equipment, and returns a metric authentication response to the authentication and authorization executor;
In this step, the user equipment metric engine receives the metric authentication request, obtains the metric authentication information of the user equipment, and processes it into a metric value, for example by performing an integrity computation over the metric authentication information. The resulting metric value is compared with the user's registered metric value stored in advance. If they match, a metric authentication response carrying a binding success indication is returned to the authentication and authorization executor; if they do not match, a metric authentication response carrying a binding failure indication or a re-registration indication is returned to the authentication and authorization executor.
When the user equipment metric engine receives the metric authentication request and performs metric authentication of the user equipment, it may actively collect the metric authentication information of the user equipment at that moment; alternatively, the user equipment metric engine may monitor the user equipment and, after it powers on, actively collect and store its metric authentication information. Preferably, the metric authentication information of the user equipment is collected using a non-standard protocol, which makes it harder for an attacker to learn when the user equipment metric engine collects metrics.
The metric authentication information of the user equipment includes, but is not limited to, network interface card information, operating system information, browser information, the geographical location of the IP address, the user equipment name or user behaviour information, or any combination of these.
The match is made, for example, by performing an integrity computation over the collected network interface card information, operating system information, browser information and so on to obtain an integrity value, and comparing it with the integrity value registered in the database; if they are consistent, the user equipment identity and the user equipment are bound. Because it is the user equipment metric engine on the authentication service side that actively collects the user equipment metrics, an attacker can neither prevent nor forge the authentication service side's collection of the user equipment metrics, which strengthens the security of user equipment authentication and effectively blocks replay attacks, man-in-the-middle attacks and the like.
Specifically, after the user's common authentication completes, the user equipment metric engine on the authentication side actively initiates collection of the user equipment's metric authentication information according to the user equipment authentication policy, so an attacker finds it difficult to determine when the collection takes place (unless the attacker controls the server of the authentication service side); collecting the metric authentication information of the user equipment with a non-standard protocol further increases the difficulty for an attacker of learning when the user equipment metric engine collects the metric authentication information.
Step 208, the authentication and authorization executor receives the metric authentication response and, if it determines that out-of-band authentication is required, sends an out-of-band identity authentication request to the out-of-band authentication server;
In this step, if the metric authentication response carries a binding success indication, the authentication and authorization executor determines, according to the user equipment authentication policy identifier established earlier, or according to the user's out-of-band authentication policy obtained by querying the authentication policy server, whether the user equipment needs subsequent authentication. If it does not, the user equipment is notified that it may access the business system; if it does, an out-of-band identity authentication request is sent to the out-of-band authentication server.
If the metric authentication response carries a binding failure indication or a re-registration indication, the authentication and authorization executor notifies the user equipment of the binding failure or asks it to re-register, and denies the user equipment access to the business system.
Step 209, the out-of-band authentication server receives the out-of-band identity authentication request, generates out-of-band authentication credential information, and sends it to the user equipment;
In this step, the out-of-band authentication server receives the out-of-band identity authentication request, generates out-of-band authentication credential information, such as a password, a phone call, a short message or an e-mail, and delivers it to the user through a transmission system, for example a short-message system, telephone or e-mail.
Step 210, the user equipment receives the out-of-band authentication credential information and returns it to the out-of-band authentication server;
In this step, the user equipment receives the out-of-band authentication credential information and returns it to the out-of-band authentication server over the same transmission system by which it was received, for example a short-message system, telephone or e-mail.
Step 211, the out-of-band authentication server receives the out-of-band authentication credential information and returns an out-of-band identity authentication response to the authentication and authorization executor;
In this step, the out-of-band authentication server receives the out-of-band authentication credential information and verifies it against the out-of-band authentication credential information it itself sent to the user. If they are consistent, out-of-band authentication passes, and an out-of-band identity authentication response carrying an out-of-band authentication success indication is returned to the authentication and authorization executor. If no feedback from the user (the out-of-band authentication credential information) is received within the preset time window, or the out-of-band authentication credential information returned by the user is inconsistent with what the server itself sent to the user, an out-of-band identity authentication response carrying an out-of-band authentication failure indication or a re-registration indication is returned to the authentication and authorization executor.
Step 212, the authentication and authorization executor receives the out-of-band identity authentication response, determines that out-of-band authentication has passed, and notifies the user equipment that it may access the business system.
In this step, if the returned out-of-band identity authentication response carries an out-of-band authentication failure indication or a re-registration indication, the user equipment is notified that out-of-band authentication failed or that it must re-register, and is denied access to the business system.
This completes the flow.
Fig. 3 is a schematic flow chart of authentication policy registration according to the present invention. Referring to Fig. 3, the flow comprises:
Step 301, the user equipment (the visiting user) requests access from the authentication and authorization executor and requires the authentication and authorization executor to perform trusted identity authentication;
Step 302, the authentication and authorization executor requests the common authentication server to authenticate the visiting user; the common authentication server returns the corresponding authentication requirement to the visiting user via the user equipment, and at the same time the authentication and authorization executor generates its own identity trust information and returns it to the visiting user;
In this step, the authentication requirement may be dynamic password identity authentication information, USB Key digital certificate authentication information, biometric identity authentication information or IC card authentication information.
The identity trust information is a signature generated by the authentication and authorization executor with its own private key.
Step 303, the user equipment receives the information, determines that the authentication and authorization executor's authentication passes, and sends a common authentication requirement response to the common authentication server;
In this step, the user equipment receives the access request response and verifies the authentication and authorization executor's identity information contained in it, for example by verifying the received signature with the authentication and authorization executor's public key. If the verification succeeds, the authentication and authorization executor is shown to be trustworthy, and the user equipment sends a common authentication requirement response to the common authentication server via the authentication and authorization executor according to the received common authentication requirement; for example, if the common authentication requirement asks the user equipment to enter a password, the password entered at the user equipment is sent to the common authentication server as the common authentication requirement response.
If the verification fails, the flow ends.
Step 304, the common authentication server receives the common authentication requirement response, performs identity authentication, and returns a user equipment identity authentication response to the authentication and authorization executor;
This step is similar to step 205.
Step 305, the authentication and authorization executor sends a metric authentication registration message to the user equipment metric engine;
In this step, the authentication and authorization executor determines that the user's identity authentication has passed and sends a metric authentication registration message to the user equipment metric engine.
Step 306, the user equipment metric engine receives the metric authentication registration message and performs metric authentication registration for the user equipment;
In this step, the user equipment metric engine receives the metric authentication registration message, which triggers active collection of the user equipment's metric authentication registration information according to the metric policy stored in advance, such as network interface card information, operating system information, browser information, the geographical location of the IP address, the user equipment name, user behaviour information, or any combination of these; the engine collects the information corresponding to the stored metric policy. For example, if the metric policy stored in advance comprises network interface card information and operating system information, the user equipment metric engine actively collects the network interface card information and operating system information of the user equipment.
The user equipment metric engine performs integrity processing on the actively collected metric authentication registration information to generate a registered metric value, and stores the registered metric value result.
Step 307, the user equipment metric engine sends the metric authentication policy information of the user equipment to the authentication policy module;
In this step, the user equipment metric engine writes into the authentication policy module the metric authentication policy requiring that the user equipment undergo metric authentication, as the metric authentication policy the user equipment is required to satisfy.
Step 308, the authentication policy module receives and stores the metric authentication policy information, and sends a metric authentication registration response to the authentication and authorization executor;
Step 309, the user equipment metric engine sends a metric authentication registration response to the authentication and authorization executor;
In practice, steps 307 and 309 have no fixed order.
Step 310, the authentication and authorization executor receives the metric authentication registration responses sent by the user equipment metric engine and the authentication policy module, carries in the metric authentication registration response the information on whether an out-of-band authentication policy is to be registered, and sends it to the user equipment;
Step 311, the user equipment receives the metric authentication registration response, learns that metric authentication registration succeeded, confirms that an out-of-band authentication policy is to be registered or updated, and sends out-of-band authentication policy registration information to the authentication and authorization executor;
In this step, the user equipment needs to register the out-of-band authentication policy and handle it accordingly.
Step 312, the authentication and authorization executor forwards the received out-of-band authentication policy registration information to the authentication policy module;
Step 313, the authentication policy module receives the out-of-band authentication policy registration information, registers the out-of-band authentication policy for this user, and returns an out-of-band authentication policy registration response to the authentication and authorization executor;
Step 314, the authentication and authorization executor forwards the out-of-band authentication policy registration response to the user equipment.
This completes the authentication policy registration flow.
In practice, according to the needs of the user equipment, only a metric authentication policy may be registered in the authentication policy module, or only an out-of-band authentication policy, or both a metric authentication policy and an out-of-band authentication policy; metric authentication or out-of-band authentication may also be performed directly.
After registration is completed, the user equipment identity can subsequently be authenticated so that the user equipment may access the business system and perform business operations. It should be noted that if registration and authentication are carried out in a single session, common authentication still needs to be performed separately in the registration flow and in the authentication flow.
The authentication of the present invention is described in detail below, taking as an example the case in which the user equipment obtains the authentication it needs to perform by interacting with the authentication and authorization executor and the authentication policy module.
Fig. 4 is a schematic diagram of the specific flow of the authentication method of the present invention. Referring to Fig. 4, the flow comprises:
Step 401, the user equipment (the visiting user) requests access from the authentication and authorization executor and requires the authentication and authorization executor to perform trusted identity authentication;
Step 402, the authentication and authorization executor requests the common authentication server to authenticate the visiting user; the common authentication server returns the corresponding authentication requirement to the visiting user via the user equipment, and at the same time the authentication and authorization executor generates its own identity trust information and returns it to the visiting user;
In this step, the authentication requirement may be dynamic password identity authentication information, USB Key digital certificate authentication information, biometric identity authentication information or IC card authentication information.
The identity trust information is a signature generated by the authentication and authorization executor with its own private key.
Step 403, the user equipment receives the access request response, determines that the authentication and authorization executor's authentication passes, and sends a common authentication requirement response to the common authentication server;
In this step, the user equipment receives the access request response and verifies the authentication and authorization executor's identity information contained in it, for example by verifying the received signature with the authentication and authorization executor's public key. If the verification succeeds, the authentication and authorization executor is shown to be trustworthy, and a common authentication requirement response is sent to the common authentication server according to the received common authentication requirement; for example, if the common authentication requirement asks the user to enter a password, the password entered by the user is sent by the user equipment to the common authentication server as the common authentication requirement response.
If the verification fails, the flow ends.
Step 404, the common authentication server receives the common authentication requirement response, performs identity authentication, and returns a user equipment identity authentication response to the authentication and authorization executor;
This step is similar to step 205.
Step 405, the authentication and authorization executor sends a metric authentication challenge request to the authentication policy module;
In this step, the authentication and authorization executor determines that the ordinary user authentication has passed and sends a metric authentication challenge request to the authentication policy module.
Step 406, the authentication policy module receives the metric authentication challenge request, queries the stored authentication policy, and returns a metric authentication challenge response to the authentication and authorization executor;
In this step, the authentication policy module receives the metric authentication challenge request and queries the authentication policy it stores. If this user's authentication policy does not contain metric authentication registration information, it returns a metric authentication challenge response to the authentication and authorization executor indicating that the user equipment may access the business system; if it does, it returns a metric authentication challenge response instructing the authentication and authorization executor to perform metric authentication.
Step 407, the authentication and authorization executor receives the metric authentication challenge response, determines that metric authentication is required, and sends a metric authentication request to the user equipment metric engine;
Step 408, the user equipment metric engine receives the metric authentication request and sends a metric authentication information acquisition request to the user equipment;
In this step, the user equipment metric engine sends the corresponding metric authentication information acquisition request to the user equipment according to the information predefined in the policy.
Step 409, the user equipment receives the metric authentication information acquisition request and sends its corresponding metric authentication information to the user equipment metric engine;
Step 410, the user equipment metric engine receives the metric authentication information, performs metric authentication of the user equipment, and returns a metric authentication response to the authentication and authorization executor;
In this step, the user equipment metric engine performs integrity processing on the obtained metrics of the user equipment to form a metric value, and compares it with the user's registered metric value stored in advance. If they match, a metric authentication response carrying a binding success indication is returned to the authentication and authorization executor; if they do not match, a metric authentication response carrying a binding failure indication or a re-registration indication is returned to the authentication and authorization executor.
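The registration of step 306 and the metric authentication of steps 207 and 410, as an added illustration rather than code from the patent: the metric field names, the canonical JSON serialisation and the use of SHA-256 as the "integrity processing" are assumptions, since the text only says an integrity value is computed over the collected metrics and compared with the registered one.

```python
# Added illustration, not code from the patent: a minimal user equipment
# metric engine covering registration (step 306) and metric authentication
# (steps 207 / 410). Field names, canonical JSON and SHA-256 are assumptions.
import hashlib
import hmac
import json

# Assumed metric policy: the device attributes the engine collects and hashes.
POLICY = ("nic", "os", "browser", "ip_geo")

# Constructed sample of what the collection step (306 / 409) returns for a device.
REGISTRATION_SAMPLE = {
    "nic": "00:11:22:33:44:55",
    "os": "Windows 7 SP1",
    "browser": "Firefox/10.0",
    "ip_geo": "CN-Beijing",
    "device_name": "ALICE-PC",  # outside POLICY, so ignored by the integrity value
}


def integrity_value(metrics, policy=POLICY):
    """Integrity processing: restrict to the policy's fields (a missing field is
    recorded as None, so its absence changes the value), serialise canonically
    so key order cannot matter, then hash with SHA-256."""
    selected = {name: metrics.get(name) for name in policy}
    canonical = json.dumps(selected, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class MetricEngine:
    """Holds the registered metric value per user and answers metric
    authentication requests with the outcome the response carries."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self._registered = {}  # user -> registered metric value

    def register(self, user, collected):
        """Step 306: compute and store the registered metric value."""
        value = integrity_value(collected, self.policy)
        self._registered[user] = value
        return value

    def authenticate(self, user, collected):
        """Steps 207 / 410: compare the freshly collected metric value with the
        registered one. Returns BIND_SUCCESS, BIND_FAILED, or REREGISTER when
        no metric value was ever registered for this user."""
        registered = self._registered.get(user)
        if registered is None:
            return "REREGISTER"
        if hmac.compare_digest(integrity_value(collected, self.policy), registered):
            return "BIND_SUCCESS"
        return "BIND_FAILED"


def demo():
    """Register the constructed device, then replay three authentication attempts."""
    engine = MetricEngine()
    engine.register("alice", REGISTRATION_SAMPLE)
    same_device = dict(REGISTRATION_SAMPLE, device_name="renamed-pc")  # not in policy
    other_nic = dict(REGISTRATION_SAMPLE, nic="66:77:88:99:aa:bb")    # policy field changed
    return {
        "same_device": engine.authenticate("alice", same_device),
        "other_nic": engine.authenticate("alice", other_nic),
        "unregistered_user": engine.authenticate("bob", REGISTRATION_SAMPLE),
    }


if __name__ == "__main__":
    print(demo())
```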
Step 411, the authentication and authorization executor receives the metric authentication response and, if it determines that the response carries a binding success indication, sends an out-of-band authentication query request to the authentication policy module;
Step 412, the authentication policy module receives the out-of-band authentication query request, queries the stored authentication policy, and returns an out-of-band authentication query response to the authentication and authorization executor;
In this step, the authentication policy module receives the out-of-band authentication query request and queries the authentication policy it stores. If this user's authentication policy does not contain out-of-band authentication registration information, it returns an out-of-band authentication query response to the authentication and authorization executor indicating that the user equipment may access the business system; if it does, it returns an out-of-band authentication query response instructing the authentication and authorization executor to perform out-of-band authentication.
Step 413, the authentication and authorization executor receives the out-of-band authentication query response, determines that out-of-band authentication is required, and sends an out-of-band identity authentication request to the out-of-band authentication server;
Step 414, the out-of-band authentication server receives the out-of-band identity authentication request, generates out-of-band authentication credential information, and sends it to the user equipment;
In this step, the out-of-band authentication server receives the out-of-band identity authentication request, generates out-of-band authentication credential information, such as a password, a phone call, a short message or an e-mail, and delivers it to the user equipment through a transmission system, for example a short-message system, telephone or e-mail.
In practice, for the security of message transmission, the network of the transmission system that delivers the out-of-band authentication credential information is different from the network over which authentication takes place.
Step 415, the user equipment receives the out-of-band authentication credential information and returns it to the out-of-band authentication server;
In this step, the user equipment receives the out-of-band authentication credential information and sends it to the out-of-band authentication server over the same transmission system by which it was received.
Step 416, the out-of-band authentication server receives the out-of-band authentication credential information and returns an out-of-band identity authentication response to the authentication and authorization executor;
In this step, the out-of-band authentication server verifies the received out-of-band authentication credential information against the out-of-band authentication credential information it itself sent to the user. If they are consistent, out-of-band authentication passes, and an out-of-band identity authentication response carrying an out-of-band authentication success indication is returned to the authentication and authorization executor. If no feedback from the user is received within the preset time window, or the information returned by the user is inconsistent with what the server itself sent to the user, an out-of-band identity authentication response carrying an out-of-band authentication failure indication or a re-registration indication is returned to the authentication and authorization executor.
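The out-of-band authentication server's side of steps 209 to 211 (and 414 to 416), as an added illustration that is not the patent's own code: the six-digit credential format, the pluggable transmission-system callable, the injected clock, the contact directory and the 120-second window are assumptions, since the text specifies only that the returned credential must equal the one sent and must arrive within a preset time window.

```python
# Added illustration, not code from the patent: the out-of-band authentication
# server's credential lifecycle for steps 209-211 / 414-416. The credential
# format, the send/clock callables, the contact directory and the window
# length are assumptions.
import hmac
import secrets

WINDOW_SECONDS = 120  # assumed preset time window


class OutOfBandServer:
    def __init__(self, send, clock, contacts, window=WINDOW_SECONDS):
        self._send = send          # transmission system (SMS / phone / mail gateway)
        self._clock = clock        # returns seconds; injected so it can be faked
        self._contacts = contacts  # user -> out-of-band contact from registration
        self._window = window
        self._pending = {}         # user -> (credential, issued_at)

    def issue(self, user):
        """Step 209: generate a credential and deliver it over the separate channel.
        Returns REREGISTER when the user has no out-of-band contact registered."""
        contact = self._contacts.get(user)
        if contact is None:
            return "REREGISTER"
        credential = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = (credential, self._clock())
        self._send(contact, credential)
        return "SENT"

    def verify(self, user, returned):
        """Step 211: compare the returned credential with the one sent, within the
        time window. A pending credential is consumed by its first verification
        attempt, so a credential that already passed cannot be replayed."""
        entry = self._pending.pop(user, None)
        if entry is None:
            return "OOB_FAILED"    # nothing outstanding for this user
        credential, issued_at = entry
        if self._clock() - issued_at > self._window:
            return "OOB_FAILED"    # user feedback not received within the window
        if hmac.compare_digest(credential, returned):
            return "OOB_SUCCESS"
        return "OOB_FAILED"        # returned credential differs from the one sent


class FakeClock:
    """Constructed clock so the demo can step time forward deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Exercise the success, replay, wrong-code, timeout and unregistered cases."""
    delivered = {}                       # contact -> last credential sent (constructed gateway)

    def send(contact, credential):       # stands in for the SMS / phone / mail system
        delivered[contact] = credential

    clock = FakeClock()
    contact = "sample-contact"           # constructed contact for the registered user
    server = OutOfBandServer(send, clock, contacts={"alice": contact})
    results = {}

    server.issue("alice")
    good = delivered[contact]
    results["correct"] = server.verify("alice", good)
    results["replayed"] = server.verify("alice", good)

    server.issue("alice")
    current = delivered[contact]
    wrong = "000000" if current != "000000" else "111111"
    results["wrong_code"] = server.verify("alice", wrong)

    server.issue("alice")
    clock.now += WINDOW_SECONDS + 1      # user answers after the window has elapsed
    results["late"] = server.verify("alice", delivered[contact])

    results["unregistered"] = server.issue("bob")
    return results


if __name__ == "__main__":
    print(demo())
```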
Step 417, the authentication and authorization executor receives the out-of-band identity authentication response, determines that out-of-band authentication has passed, and notifies the user equipment that it may access the business system;
In this step, if the returned out-of-band identity authentication response carries an out-of-band authentication failure indication or a re-registration indication, the user equipment is notified that out-of-band authentication failed or that it must re-register, and is denied access to the business system.
Step 418, the user equipment accesses the business system and performs business operations, and the business system returns the corresponding business operation results to the user equipment.
This completes the flow.
As can be seen from the above embodiments, in the method and system for authentication provided by the present invention, on the basis of existing common identity authentication technology, the authentication and authorization executor sends a metric authentication request to the user equipment metric engine; the user equipment metric engine interacts with the user equipment to obtain the metric authentication information of the user equipment, performs integrity processing on the obtained metrics to form a metric value, and compares it with the registered user equipment metric value stored in advance; if they match, the authentication and authorization executor notifies the user equipment that it may access the business system. By adding metric authentication of the user equipment, the user identity is bound to the user equipment the user uses, which blocks most attacks carried out on the network against identity authentication and increases the difficulty for an attacker. Alternatively, on the basis of existing common identity authentication technology, the authentication and authorization executor sends an out-of-band identity authentication request to the out-of-band authentication server; the out-of-band authentication server generates out-of-band authentication credential information, sends it to the user equipment, and verifies whether the out-of-band authentication credential information returned by the user equipment is consistent with the out-of-band authentication credential information it itself sent to the user equipment; if so, the authentication and authorization executor notifies the user equipment that it may access the business system, thereby blocking attacks on the user identity on the network and solving problems such as man-in-the-middle attacks and connection hijacking.
Alternatively, on the basis of existing common identity authentication technology, metric authentication of the user equipment is added to bind the user identity to the user equipment the user uses and block most attacks carried out on the network against identity authentication, and out-of-band authentication is further added to block network attacks on the user identity, thus improving the security of identity authentication, protecting the interests of legitimate users, and fundamentally solving problems such as man-in-the-middle attacks and connection hijacking. Moreover, the method and system for authentication provided by the present invention can be implemented without major modification of the original authentication system, are compatible with various identity authentication systems, and can greatly improve the security of identity authentication systems. In addition, the system has low deployment cost, is easy to manage and maintain and easy for users to use, can raise the security level step by step according to actual security requirements, and can be applied to all kinds of scenarios requiring strong authentication of user identity, being particularly suitable for the strong identity authentication requirements of online banking, mobile banking and access to valuable resources.
The above preferred embodiments further describe the objectives, technical solutions and advantages of the present invention. It should be understood that they are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within its scope of protection.