CN101388777B - Third party authentication method and system for cross-system access in communication system - Google Patents


Info

Publication number: CN101388777B
Application number: CN200810216759.8A
Authority: CN (China)
Prior art keywords: application server, authentication, server, user terminal, attribution
Legal status: Expired - Fee Related
Other languages: Chinese (zh)
Other versions: CN101388777A (en)
Inventors: 崔振峰, 唐琦
Current assignee: ZTE Corp
Original assignee: ZTE Corp

Application filed by ZTE Corp
Priority to CN200810216759.8A
Publication of CN101388777A
Priority to PCT/CN2009/073270 (WO2010043134A1)
Application granted
Publication of CN101388777B
Current legal status: Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords

Abstract

The invention provides a third-party authentication method and system for cross-system access in a communication system. The method comprises the following steps: before the user terminal logs in to the network, it sends an authentication request through the application server to the home server; the application server processes the authentication result it obtains, and the user terminal receives a temporary password; the user terminal then initiates a login request with the temporary password and logs in to the application server without a further third-party authentication at the home server; when the user terminal logs out, the application server clears the temporary password. With the method, the performance and real-time behaviour of the application server are improved, the development of the application server with respect to third-party authentication is simplified, and the stability and generality of the application server are increased.

Description

Third-party authentication method and system for cross-system access in a communication system
Technical field
The present invention relates to authentication service methods and systems for cross-system access in a communication system, and in particular provides a simple, general and efficient third-party authentication method and system for cross-system access.
Background art
In the prior art, Internet applications keep expanding, 3G is entering large-scale commercial deployment, and fixed-network and mobile services are converging, so the services and functions a user can access keep increasing.
However, the user name and password exist only on the user's home server HSS (Home Subscriber Server), which stores the user's personal information; therefore, whenever the user uses a service (for example, logs in to an application server), the user must be authenticated at the home server HSS.
For non-session services a single authentication may suffice, but services that involve frequent non-session interaction, or that combine session and non-session interaction, would have to perform cross-system authentication frequently. This not only affects the performance and real-time behaviour of the application server but also degrades the user experience.
The prior art therefore leaves room for improvement.
Summary of the invention
The object of the invention is to provide, in view of the above defects of the prior art, a third-party authentication method and system for cross-system access in a communication system, so that third-party authentication has less impact on the performance of the application server system and the method is simple, general and efficient.
The technical scheme of the invention is as follows:
A third-party authentication method for cross-system access in a communication system comprises the following steps:
A. The user terminal sends an authentication request through the application server to the home server; the application server processes the authentication result it obtains, generates a temporary password and sends it to the user terminal;
B. The user terminal initiates a login request with the temporary password and logs in to the application server.
The method further comprises, after step B: C. after the user terminal's login ends and the user terminal logs out, the application server clears the temporary password used for that login.
In the method, step A specifically comprises:
A1. Before the user terminal logs in to the network, it sends the first request of the authentication request to the application server; the application server obtains the home server information of the user and returns it to the user terminal;
A2. The user terminal generates authentication information from the returned home server information and sends the second request of the authentication request to the application server; the application server forwards the authentication information to the home server, and the home server authenticates it.
In the method, step B further comprises:
B1. After authentication and authorization, the authentication result is returned to the application server, and the application server notifies the user terminal of the authentication result and the generated temporary password;
B2. The user terminal initiates a login request to the application server with the temporary password and logs in.
In the method, the home server information comprises the category of the home server, a private key and a random code.
In the method, the home server information further comprises information on the cryptographic algorithm used to encrypt the password.
In the method, the second request carries a response code and an authentication code, both calculated from the home server information. The response code is the encrypted password; the authentication code is a digest calculated over the user account number, the response code and the identifier (request ID) information, and is used to detect modification or corruption of that information during network transmission.
In the method, step A2 further comprises:
A21. The application server transparently forwards the authentication information to the interface machine (IMP);
A22. The interface machine sends the authentication information to the corresponding home server according to the type of the home server the user belongs to;
A23. The home server authenticates the authentication information;
A24. The interface machine receives the authentication result returned by the home server, translates it into a unified result, and sends the unified result to the application server.
A third-party authentication system for cross-system access in a communication system comprises at least one home server connected to a network, the home server storing user information and providing authentication services for the user, and is characterised in that it further comprises a user terminal and an application server, wherein
the user terminal is connected to the application server through the network and is used to initiate an authentication request to the application server and, according to the authentication result information and the temporary password provided by the application server, to initiate a login request;
the application server is connected to the user terminal and to the home server through the network and is used to authenticate the user terminal through the home server and to return the authentication result and the generated temporary password to the user terminal.
The system further comprises an interface machine (IMP) located between the application server and the home server, used to receive the authentication information from the application server, forward it to the home server, and return the authentication result to the application server.
The beneficial effect of the invention is as follows: because the user terminal sends the authentication request through the application server to the home server before logging in, the application server generates a temporary password once authentication passes, and the user terminal then logs in with the temporary password without a further third-party authentication at the home server, the impact on the performance and real-time behaviour of the application server is small, and the stability and generality of the application server are enhanced.
Description of drawings
Fig. 1 is the networking diagram of the cross-system authentication of the invention;
Fig. 2 is the signaling flow chart of the cross-system authentication of the invention.
Embodiment
The invention provides a third-party authentication method for cross-system access in a communication system. To make the purpose, technical scheme and advantages of the invention clearer, the invention is described in more detail below with reference to the accompanying drawings and embodiments.
To solve the problems that third-party authentication for cross-system access affects application server performance and real-time behaviour and degrades the user experience, the invention provides a simple, general and efficient third-party authentication method for cross-system access in a communication system. Its core idea is as follows: using the networking structure of a general third-party authentication system, the user terminal sends an authentication request through the application server to the home server before logging in; the home server authenticates and authorizes the user and returns the authentication result to the application server; if authentication passes, the application server generates a temporary password and notifies the user terminal of the authentication result and the temporary password; the user terminal initiates a login request with the temporary password, and the application server authenticates it by the temporary password alone, without a further third-party authentication at the home server; when the user terminal logs out, the application server clears the temporary password. The method enhances the performance and real-time behaviour of the application server and simplifies the development of the application server with respect to third-party authentication.
In accordance with the above method, the invention adopts the networking structure of a general third-party authentication system shown in Fig. 1. The system comprises a user terminal (UE) 10, which is the client, an application server AS (Application Server) 30, an interface machine IMP (Interface Machine) 40 and a user home server HSS 50, all interconnected through a network 20; the user terminal 10, application server 30, interface machine 40 and home server 50 each communicate over the network 20. The user terminal uses the services provided by the application server; it initiates the authentication request to the application server and, according to the authentication result information and the temporary password provided by the application server, initiates the login request. The application server authenticates the user terminal through the home server and returns the authentication result and the generated temporary password to the user terminal. The home server stores the user's details, including the user account and password, and provides authentication services to the user terminal. The interface machine sits between the application server and the home server and shields the application server from the details of the signaling exchange with the home server: it receives the authentication information from the application server, forms the home server authentication message body according to the authentication type and node, forwards the authentication information to the corresponding home server, and returns the authentication result to the application server. The interface between the application server 30 and the interface machine 40 may be an internal interface, which guarantees the generality and stability of the application server.
Using this system, the invention adopts the third-party authentication method shown in Fig. 2, which mainly comprises: first, before formally logging in, the client (user terminal UE) sends a third-party authentication request to the application server, and the server replies, informing the client of the home server where its password information resides; second, the client generates authentication information according to its own home attribution and sends it to the application server, which forwards the authentication information to the home server where the user's password resides; third, the home server authenticates and authorizes the user and notifies the application server of the authentication result, and if authentication succeeds the application server generates a temporary password, notifies the other authentication nodes in the application system, and then notifies the client of the authentication result and the temporary password; fourth, the client logs in or uses the services provided by the application server, and the application server authenticates it with the temporary password, without third-party authentication; fifth, when the client logs out, the application server clears the temporary password.
The concrete steps of the method are described in detail below according to the signaling flow chart of the invention. The flow covers the signaling between the user terminal UE and the application server AS, between the application server AS and the interface machine, and between the interface machine and the user's home server. For ease of description, the third-party authentication flow is illustrated with information between the user terminal UE and the application server AS carried over the XCAP protocol (XML Configuration Access Protocol) and information between the interface machine and the home server HSS carried over SOAP (Simple Object Access Protocol), but the flow is not limited to these, wherein:
Step 201: the user terminal UE, wishing to use a service or function provided by the application server AS, first sends a third-party authentication request to the application server; the AUID (Application Unique ID) of the XCAP request is the identifier remote-auth;
Step 202: the application server AS obtains the category of the home server the user belongs to, that is, the authentication type and node of the user terminal UE;
Step 203: according to the information obtained, the AS notifies the UE through an extended HTTP 401 message; the information comprises the category of the home server, the private key, the Random code, and which cryptographic algorithm is to be used to encrypt the password;
Step 204: the UE calculates a response code (Response Code) and an authentication code (Authenticator) from the home server category, private key, random code and other information returned by the AS. The response code is the authentication information calculated from the user's password, account number, random code and other information; the home server HSS uses the same algorithm to calculate the authentication information from the user password, account number and random code it holds (the random code is included in the AS request message), and if the two values are identical the user passes authentication. The response code is thus the encrypted password.
The authentication code: the authentication message sent by the AS to the HSS comprises the account number, the response code, the request ID (identifier) and other information; to detect malicious modification or corruption of this information during network transmission, a digest of the information is calculated and used as the authentication code.
Calculating the response code and the authentication code from the home server category, private key, random code and other information is a technique well known to those skilled in the art and is not described further here.
To reduce the burden on the application server, the authentication code may be generated by the client.
Step 205: the UE sends the third-party authentication request to the AS again, this time carrying the response code and the authentication code;
Step 206: the AS transparently forwards the authentication information and the home server information of the UE to the interface machine; if the UE is a user of the local system, the AS replies 200 OK directly and the UE logs in with the user name and password entered by the user;
Step 207: the interface machine forms the corresponding third-party authentication SOAP (Simple Object Access Protocol) message according to the user's home server category and the authentication interface standard, that is, it forms the home server authentication message body;
Step 208: the authentication message is sent to the corresponding home server;
Step 209: the home server receives the authentication information and performs authentication and authorization of the user;
Step 210: the home server notifies the sender, that is, the interface machine, of the authentication result;
Step 211: the interface machine receives the user's authentication result returned by the home server, translates it (the result codes of different home servers differ, so the interface machine translates them into a unified result) and notifies the application server of the result. Because the application server AS may face many home servers HSS, and different HSS represent authentication results differently, the interface machine translates results such as authentication passed, wrong password, user does not exist and wrong authentication code into unified results, for example: 0: authentication passed; -3: wrong password; -5: account does not exist; -100: other error;
Step 212: the application server receives the client's authentication result and, if authentication passed, generates a temporary password;
Step 213: the application server returns the authentication result, the temporary password, a temporary account number (needed if the account number formats of the application server and the home server differ) and other information to the UE; for security the temporary password may be encrypted, using an algorithm such as Base64, DES or 3DES according to the required security level; if the application server AS system comprises several authentication nodes, all authentication nodes in the system are notified of this user's account number and password;
Step 214: the UE logs in to the application server with the temporary account number and temporary password and begins using the functions of the application server;
Step 215: the user terminal logs out;
Step 216: the application server and the other authentication nodes in the system clear the temporary password.
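The signaling flow above (steps 201 to 216), as an added example that is not part of the patent: a Python simulation of the UE, the application server, the interface machine and two home servers that report results in different vocabularies, which the interface machine maps onto the unified codes 0, -3, -5 and -100. The patent leaves the response-code and authenticator algorithms unspecified, so HMAC-SHA256 and SHA-256 are assumed here, as are a per-HSS key shared between AS and HSS, the HSS-specific result codes and all account names and passwords.

```python
"""Offline simulation of the CN101388777B flow (steps 201-216): UE, application server (AS),
interface machine (IMP) and two home servers (HSS) with different result-code vocabularies.
Added example, not the patent's code; algorithms, shared per-HSS key and sample data are assumed."""
import hashlib
import hmac
import secrets

AUTH_OK, WRONG_PASSWORD, NO_ACCOUNT, OTHER_ERROR = 0, -3, -5, -100  # unified codes, step 211


def response_code(key, account, password, random_code):
    """Step 204 'encrypted password': assumed HMAC-SHA256 over account, password and random code."""
    msg = f"{account}:{password}:{random_code}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authenticator(account, response, request_id):
    """Step 204 authentication code: digest over the fields that travel AS -> IMP -> HSS."""
    return hashlib.sha256(f"{account}|{response}|{request_id}".encode()).hexdigest()


class HomeServer:
    """Constructed HSS (step 209); `codes` maps ok / bad_pw / no_user / tamper to its own vocabulary."""
    def __init__(self, category, key, users, codes):
        self.category, self.key, self.users, self.codes = category, key, users, codes

    def authenticate(self, msg):
        # Verify the digest first, then recompute the response code with the stored password.
        expected_auth = authenticator(msg["account"], msg["response"], msg["request_id"])
        if not hmac.compare_digest(expected_auth, msg["authenticator"]):
            return self.codes["tamper"]
        if msg["account"] not in self.users:
            return self.codes["no_user"]
        expected = response_code(self.key, msg["account"], self.users[msg["account"]], msg["random_code"])
        return self.codes["ok"] if hmac.compare_digest(expected, msg["response"]) else self.codes["bad_pw"]


class InterfaceMachine:
    """Steps 207-211: route to the HSS of the user's category and unify its result code."""
    def __init__(self, servers):
        self.servers = {s.category: s for s in servers}

    def forward(self, category, msg):
        if category not in self.servers:
            return OTHER_ERROR
        hss = self.servers[category]
        unified = {hss.codes["ok"]: AUTH_OK, hss.codes["bad_pw"]: WRONG_PASSWORD,
                   hss.codes["no_user"]: NO_ACCOUNT}
        return unified.get(hss.authenticate(msg), OTHER_ERROR)  # anything unmapped becomes -100


class ApplicationServer:
    def __init__(self, imp, directory, keys):
        self.imp, self.directory, self.keys = imp, directory, keys  # domain->category, category->key
        self.challenges, self.sessions = {}, {}  # request_id -> challenge; temp_account -> temp_password

    def first_request(self, account):
        """Steps 201-203: answer the remote-auth request with the user's HSS information."""
        category = self.directory[account.split("@", 1)[1]]
        request_id, random_code = secrets.token_hex(8), secrets.token_hex(16)
        self.challenges[request_id] = (account, category, random_code)
        return {"request_id": request_id, "category": category, "random_code": random_code,
                "private_key": self.keys[category], "algorithm": "hmac-sha256"}

    def second_request(self, request_id, response, auth):
        """Steps 205-213: forward through the IMP; on success mint a temporary account/password."""
        account, category, random_code = self.challenges.pop(request_id)
        msg = {"account": account, "response": response, "request_id": request_id,
               "random_code": random_code, "authenticator": auth}
        result = self.imp.forward(category, msg)
        if result != AUTH_OK:
            return result, None, None
        temp_account, temp_password = "tmp-" + secrets.token_hex(4), secrets.token_urlsafe(24)
        self.sessions[temp_account] = temp_password
        return result, temp_account, temp_password

    def login(self, temp_account, temp_password):  # step 214: local check, no HSS round trip
        stored = self.sessions.get(temp_account)
        return stored is not None and hmac.compare_digest(stored, temp_password)

    def logout(self, temp_account):  # steps 215-216: the temporary credential is discarded
        self.sessions.pop(temp_account, None)


def ue_authenticate(as_, account, password, tamper=False):  # steps 201-205 from the UE side
    info = as_.first_request(account)
    response = response_code(info["private_key"], account, password, info["random_code"])
    auth = "00" * 32 if tamper else authenticator(account, response, info["request_id"])
    return as_.second_request(info["request_id"], response, auth)


def run_demo():  # two HSS with different code vocabularies (constructed data), exercised end to end
    hss_a = HomeServer("hss-a", b"key-a", {"alice@a.example": "pw-alice"},
                       {"ok": "OK", "bad_pw": "BAD_PASSWORD", "no_user": "NO_SUCH_USER", "tamper": "DIGEST"})
    hss_b = HomeServer("hss-b", b"key-b", {"bob@b.example": "pw-bob"},
                       {"ok": 200, "bad_pw": 401, "no_user": 404, "tamper": 400})
    as_ = ApplicationServer(InterfaceMachine([hss_a, hss_b]),
                            {"a.example": "hss-a", "b.example": "hss-b"},
                            {"hss-a": b"key-a", "hss-b": b"key-b"})
    out = {}
    out["alice"], temp_account, temp_password = ue_authenticate(as_, "alice@a.example", "pw-alice")
    out["alice_login"] = as_.login(temp_account, temp_password)
    as_.logout(temp_account)
    out["alice_after_logout"] = as_.login(temp_account, temp_password)
    out["bob_wrong_pw"] = ue_authenticate(as_, "bob@b.example", "guess")[0]
    out["ghost"] = ue_authenticate(as_, "ghost@b.example", "x")[0]
    out["tampered"] = ue_authenticate(as_, "alice@a.example", "pw-alice", tamper=True)[0]
    return out
```

The login after logout fails because the application server holds no record of the temporary password any more, which is the step 216 behaviour the text relies on.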
With the invention, the user terminal need not know at development time which home server HSS the account number, password and other information belong to when the user logs in; it only needs to know all possible home servers and authentication algorithms, which improves the consistency of client releases. The standardized third-party authentication interface between the application server AS and the user terminal UE also simplifies the development of the application server with respect to third-party authentication. At the same time the system adds an interface machine, which shields the application server from the various authentication interfaces of the home servers and enhances the stability and generality of the application server.
It should be noted that the above embodiments are only intended to illustrate the technical scheme of the invention and not to limit it. Although the invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical scheme may be modified or equivalently replaced without departing from its spirit and scope, and all such modifications fall within the scope of the claims of the invention.

Claims (10)

1. A third-party authentication method for cross-system access in a communication system, characterised in that it comprises the following steps:
A. The user terminal obtains, through the application server, the home server information of the user terminal, specifically: before the user terminal logs in to the network, it sends the first request of the authentication request to the application server, and the application server obtains the home server information of the user and returns it to the user terminal;
the user terminal initiates the authentication request through the application server to the home server; the application server processes the authentication result of the authentication request returned by the home server, generates a temporary password when the authentication result indicates that authentication passed, transmits the authentication result and the temporary password to the user terminal, and at the same time stores the temporary password;
B. The user terminal initiates a login request with the temporary password and logs in to the application server.
2. The method according to claim 1, characterised in that it further comprises, after step B: C. after the user terminal's login ends and the user terminal logs out, the application server clears the temporary password used for that login.
3. The method according to claim 1, characterised in that, in step A, the user terminal's authentication request to the home server specifically comprises:
A1. Before the user terminal logs in to the network, it sends the first request of the authentication request to the application server; the application server obtains the home server information of the user and returns it to the user terminal;
A2. The user terminal generates authentication information from the returned home server information and sends the second request of the authentication request to the application server; the application server forwards the authentication information to the home server, and the home server authenticates it.
4. The method according to claim 3, characterised in that:
in step A, the application server processing the authentication result, generating a temporary password and sending it to the user terminal is: A3. after authentication and authorization, the authentication result is returned to the application server, and the application server notifies the user terminal of the authentication result and the generated temporary password;
step B is: the user terminal initiates a login request to the application server with the temporary password and logs in.
5. The method according to claim 4, characterised in that the home server information comprises the category of the home server, a private key and a random code.
6. The method according to claim 5, characterised in that the home server information further comprises information on the cryptographic algorithm used to encrypt the password.
7. The method according to claim 3, characterised in that the second request carries a response code and an authentication code, both calculated from the home server information; the response code is the encrypted password, and the authentication code is a digest of the user account number, the response code and the identifier information, calculated from the information stored in the home server, and is used to detect modification or corruption of the user account number, response code and identifier information during network transmission.
8. The method according to claim 3, characterised in that step A2 further comprises:
A21. The application server transparently forwards the authentication information to the interface machine (IMP);
A22. The interface machine sends the authentication information to the corresponding home server according to the type of the home server the user belongs to;
A23. The home server authenticates the authentication information;
A24. The interface machine receives the authentication result returned by the home server, translates it into a unified result, and sends the unified result to the application server.
9. A third-party authentication system for cross-system access in a communication system, comprising at least one home server connected to a network, the home server storing user information and providing authentication services for the user, characterised in that it further comprises a user terminal and an application server, wherein
the user terminal is connected to the application server through the network and is used to obtain, through the application server, the home server information of the user, specifically: before the user terminal logs in to the network, it sends the first request of the authentication request to the application server, and the application server obtains the home server information of the user and returns it to the user terminal; the user terminal is also used to initiate the authentication request through the application server to the home server, and to initiate a login request to the application server according to the temporary password provided by the application server;
the application server is connected to the user terminal and to the home server through the network and is used to authenticate the user terminal through the home server, to process the authentication result of the authentication request returned by the home server, to generate a temporary password when the authentication result indicates that authentication passed, and to return the authentication result and the temporary password to the user terminal.
10. The system according to claim 9, characterised in that it further comprises an interface machine (IMP) located between the application server and the home server, used to receive the authentication information from the application server, forward it to the home server, and return the authentication result to the application server.

Priority Applications (2)

Application Number / Priority Date / Filing Date / Title
CN200810216759.8A (CN101388777B) / 2008-10-16 / 2008-10-16 / Third party authentication method and system for cross-system access in communication system
PCT/CN2009/073270 (WO2010043134A1) / 2008-10-16 / 2009-08-14 / Method and system for realizing third party authentication of trans-system access in a communication system

Publications (2)

Publication Number / Publication Date
CN101388777A / 2009-03-18
CN101388777B / 2013-01-16

Family

ID=40477973

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810216759.8A Expired - Fee Related CN101388777B (en) 2008-10-16 2008-10-16 Third party authentication method and system for cross-system access in communication system

Country Status (2)

Country Link
CN (1) CN101388777B (en)
WO (1) WO2010043134A1 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101388777B (en) * 2008-10-16 2013-01-16 中兴通讯股份有限公司 Third party authentication method and system for cross-system access in communication system
CN102055754B (en) * 2009-10-30 2013-11-06 中国移动通信集团公司 Method, system and device for initializing card-free hard terminal
JP5521736B2 (en) * 2010-04-23 2014-06-18 富士ゼロックス株式会社 COMMUNICATION CONTROL DEVICE, COMMUNICATION CONTROL PROGRAM, AND COMMUNICATION CONTROL SYSTEM
US9202016B2 (en) * 2012-08-15 2015-12-01 Verizon Patent And Licensing Inc. Management of private information
CN103780584A (en) * 2012-10-22 2014-05-07 上海俊悦智能科技有限公司 Cloud computing-based identity authentication fusion method
CN104518876B (en) * 2013-09-29 2019-01-04 腾讯科技(深圳)有限公司 Service login method and device
CN105099683A (en) * 2014-05-08 2015-11-25 中兴通讯股份有限公司 Account distribution method and device
CN105227320B (en) * 2015-10-28 2020-01-10 腾讯科技(深圳)有限公司 Authorization method, server, terminal and system
CN112751800B (en) * 2019-10-29 2023-11-24 杭州海康威视系统技术有限公司 Authentication method and device

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1588850A (en) * 2004-06-30 2005-03-02 大唐微电子技术有限公司 Network identifying method and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100576797C (en) * 2007-10-25 2009-12-30 王松 Network identity validation method based on fingerprint
CN101388777B (en) * 2008-10-16 2013-01-16 中兴通讯股份有限公司 Third party authentication method and system for cross-system access in communication system

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1588850A (en) * 2004-06-30 2005-03-02 大唐微电子技术有限公司 Network identifying method and system

Also Published As

Publication number Publication date
WO2010043134A1 (en) 2010-04-22
CN101388777A (en) 2009-03-18

Similar Documents

Publication Publication Date Title
CN101388777B (en) Third party authentication method and system for cross-system access in communication system
Zhang et al. Efficient and flexible password authenticated key agreement for voice over internet protocol session initiation protocol using smart card
CN111050314B (en) Client registration method, device and system
US8639929B2 (en) Method, device and system for authenticating gateway, node and server
CN103188207B (en) A kind of cross-domain single sign-on realization method and system
CN105530253B (en) Wireless sensor network access authentication method under Restful framework based on CA certificate
US20140298037A1 (en) Method, apparatus, and system for securely transmitting data
CN104756458B (en) For protecting the method and apparatus of the connection in communication network
CN105307108A (en) Internet of things information interactive communication method and system
US10158608B2 (en) Key establishment for constrained resource devices
CN101317359A (en) Method and device for generating local interface cryptographic key
CN101651666A (en) Method and device for identity authentication and single sign-on based on virtual private network
CN103428221A (en) Safety logging method, system and device of mobile application
EP2365679A1 (en) Secret interest groups in online social networks
CN101217512B (en) A client-end state maintenance method, system, client-end and application server
CN105577612A (en) Identity authentication method, third party server, merchant server, and user terminal
CN101039181B (en) Method for preventing service function entity of general authentication framework from attack
CN103906052A (en) Mobile terminal authentication method, service access method and equipment
CN108667601A (en) A kind of method, apparatus and equipment of transmission data
Huang et al. A token-based user authentication mechanism for data exchange in RESTful API
CN104753937A (en) SIP (System In Package)-based security certificate registering method
Nikooghadam et al. Secure communication in CloudIoT through design of a lightweight authentication and session key agreement scheme
CN104468618A (en) Sensor network based XMPP security access method
He et al. Strong roaming authentication technique for wireless and mobile networks
KR20130039745A (en) System and method for authentication interworking

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130116

Termination date: 20161016

CF01 Termination of patent right due to non-payment of annual fee