CN101552672A - A method to realize a global network real name system based on ID authentication - Google Patents

A method to realize a global network real name system based on ID authentication Download PDF

Info

Publication number
CN101552672A
CN101552672A CNA2009100818743A CN200910081874A CN101552672A CN 101552672 A CN101552672 A CN 101552672A CN A2009100818743 A CNA2009100818743 A CN A2009100818743A CN 200910081874 A CN200910081874 A CN 200910081874A CN 101552672 A CN101552672 A CN 101552672A
Authority
CN
China
Prior art keywords
authentication
state
network user
real
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2009100818743A
Other languages
Chinese (zh)
Inventor
胡祥义
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to CNA2009100818743A priority Critical patent/CN101552672A/en
Publication of CN101552672A publication Critical patent/CN101552672A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Computer And Data Communications (AREA)

Abstract

A method to realize a global network real name system based on ID authentication is to classify network user identity authentication at each network into two types, establish one-to-one domestic authentication center at each website to provide authentication service for domestic network users when they logon domestic websites, establish 10-30 international authentication centers in the country to provide third-party centralized authentication service for foreign network users (from other countries or regions) when they access and logon domestic websites, adopt ID authentication means to solve the 'bottleneck' of mass authentication of authentication centers, update and maintain the network user authentication parameters of domestic authentication centers through the encrypted transmission established between the network real name system association (or society) of each country and domestic website technicians, and meanwhile update and maintain the network user authentication parameters of international authentication center of each country through encrypted transmission established between the network real name system associations (or societies) of different countries, thus realizing a global network real time system.

Description

A kind of global network system of real name implementation method based on ID authentication
Technical field:
The present invention relates to information security field, is utilization computer network, password and chip technology, sets up authentication and digital signature protocol, and the present invention is applicable in whole world various countries or area and sets up the global network system of real name.
Background technology:
At present; the network ID authentication technology that use countries in the world has two classes; one class is based on authentication protocol that non-cryptographic algorithm technology sets up as RADIUS; password protection (dynamic password) etc.; second class is based on the authentication protocol that the cryptographic algorithm technology is set up; as: KERBEROS; PPP; PKI and IBE; first kind authentication protocol is because the algorithm that do not access to your password; security performance is lower; the uncomfortable incompatible international network system of real name of setting up; the second class authentication protocol algorithm that accesses to your password; security performance is than higher; the authentication protocol that KERBEROS is based on " ticket " and adopts symmetric cryptographic algorithm to set up; has higher safety performance; but; " ticket " daily registration management is loaded down with trivial details among the KERBEROS; the key updating maintenance cost is higher; PPP is based on the authentication protocol of MD5; there are security breaches in authentication protocol; PKI; the IBE security performance is higher; especially PKI has become the mainstream technology of national governments and army's Real-name Registration; relatively universal; but; authentication center's construction cost is higher, and the scale of leading subscriber is not enough, especially the user is reached more than the hundreds of thousands; need to set up a lot of authentication center's cross-certification; influence authentication efficient, authentication center authenticates the slow concurrent user of speed and measures for a short time, can not support the Real-name Registration of super large userbase.IBE is similar to PKI, and it is slower that authentication center authenticates speed, and authentication center's construction cost is higher, can not support the authentication of super large userbase, and therefore, above technology all can not satisfy the technical need of global network system of real name.
Summary of the invention:
A kind of global network system of real name implementation method based on ID authentication is to adopt symmetric cryptographic algorithm and chip technology, sets up classification authentication center, and the network user provides authentication service for home and overseas, and implementation step is as follows:
At first; for all-network user in the world sets up unique user ID; with the country area code of telephone number and the identification card number combination of user the country one belongs to; sign as the network user; and a respective user name and cover " key seed " table KK; all to set up internal and international two class authentication centers in each state; the national network user carries out authentication at this state authentication home center; the external network user carries out authentication in the international authentication center of this state; all set up man-to-man authentication home center on every website of various countries; all simultaneously corresponding 10~30 the international authentication centers in all websites of various countries; the authentication protocol of each website is according to the area code of telephone number in user's the sign; authentication tasks is given to corresponding home or overseas authentication center to be finished; network user's staff one of various countries is the network authentication hardware device; visit and login the website of global All Countries; domestic or international authentication center in various countries; client computer and various countries' Real-name Registration association all set up encryption system; and adopt symmetric cryptographic algorithm to set up authentication agreement and digital signature protocol; utilization combination key technology encrypts one group of timestamp and random number generation authenticate password carries out authentication; or encrypt one group " summary " and carry out digital signature; realize authenticate key and one time one change of signature key; adopt the ID authentication mode to solve " bottleneck " of authentication center's scale authentication; Real-name Registration association by various countries; come production home network user's parameters for authentication; and set up the security update maintaining method of various countries network user parameters for authentication; thereby; realize the global network system of real name; all processes realizes that with the software and hardware combination concrete grammar is as follows:
1, Real-name Registration is that the network user enters and the access destination website by authentication, and the main task of last net operation (or main process) non-repudiation, for the network user, the international network system of real name is that the network user with each website of global all-access is divided into, domestic network user and the external network user's two classes, the system of real name of each website all needs this two classes network user is carried out authentication, for this reason, set up the system of real name framework of system of real name framework that the domestic network user logins national website and external network user login this country website.
2, set up the system of real name framework that the domestic network user logins national website, the whole world has the country to be approximately 210, on the website of each Gi state (i=1~210), set up an authentication home center, that is: set up and man-to-man authentication home center, website, leave the parameters for authentication of domestic all network user SS (SS≤300,000,000) in the authentication home center, for Gi state all network user login Gi state website provides authentication service.
3, the authentication home center technical staff of various countries is responsible for the maintenance work to the network user of this authentication center parameters for authentication, Gi state overall network user's parameters for authentication is all deposited at each authentication home center in Gi state, comprising: user ID, user name and " key seed ".
4, the network user's sign is made up of the international telephone number area code and the identification card number in various countries or area, that is: add the international telephone number area code of country in the identification card number front, as: 0028XXXXXXXXXXXXXXXXXX, expression: the network user of China.
5, the network user's user ID is made up of 22~36 numerals or letter, bits per inch word or letter account for 4 or 8 bits, account for 11~36 bytes altogether, and each network user's user ID is all different, and having uniqueness, the network user's user name is made up of 10~30 letters of Chinese phonetic.
6, the overseas call area code guide of the country in the network user identifier is all passed through in each website of Gi state (i=1~210), network user identity identification mission with the whole world, the authentication home center or the international authentication center of giving each website correspondence of Gi state finish, the legal network user can visit and login Gi state website and carry out the system of real name operation, and the illegal network user can not visit and login Gi state website and carry out the system of real name operation.
7, " key seed " in the parameters for authentication is made up of binary number, produce " 0 " with randomizer, " 1 " mess code, and has randomness, each network user has cover " key seed " KK, that is: each user ID corresponding is overlapped " key seed ", each network user's " key seed " is all different, each network user's " key seed " accounts for 1.31KB~2.62B byte, and form M * N " key seed " KK and show, each element of KK table is 0.5 or 1 byte
Figure A20091008187400091
Wherein: the element of KK table is: V I j, i=0~M-1, with regard to j=0~N-1, M=66~164, N=16 or 32.
8, set up the system of real name framework of network user login Gi state website, global various countries (not containing Gi state), if: G1 state, Gj state, (j ≠ i) is external 209 countries (being different from Gi state) in G210 state, set up 10~30 international authentication centers in Gi state, the network user's parameters for authentication with these 209 countries (not containing Gi state), the whole world, leave in respectively in 10~30 international authentication centers of Gi state foundation, that is: what deposit in 10~30 international authentication centers of Gi state is the parameters for authentication of all network user S (3,000,000,000≤S≤6,000,000,000) of other 209 countries (not containing Gi state), the whole world, for the network user login Gi state website of other 209 countries (not containing Gi state), the whole world provides authentication service.
9, by the Real-name Registration association of Gi state (i=1~210) category of language and number of network users according to other 209 countries (not containing Gi state), the whole world, network user's parameters for authentication of other 209 countries (not containing Gi state), the whole world is left in respectively in 10~30 international authentication centers of Gi state, that is: network user S1 (1.5 hundred million≤S1≤300,000,000) parameters for authentication of a country may be deposited by an international authentication center, also may deposit network user S2 (1.5 hundred million≤S2≤300,000,000) parameters for authentication of a plurality of countries, as: the parameters for authentication of the U.S. network user with about more than 200,000,000 leaves an international authentication center in, makes network user's parameters for authentication of all African countries in English leave an international authentication center in about 2~300,000,000.
10, international authentication center in the foundation of Gi state, for the network user of other 209 countries (not containing Gi state), the whole world visits Gi state website the service of third party's Collective qualification is provided, that is: will login the external Gj (network user's the authentication task of j ≠ i) of all websites of Gi state, by G1 state, Gj state, these 209 country network users' of G210 state (not containing Gi state) sign is guided, (the international authentication center of i ≠ j) finishes to give the international authentication center of 10~30 of Gi state corresponding Gj states, the technical staff of Gi state Real-name Registration association is responsible for the updating maintenance work of 10~30 the international network user of authentication center parameters for authentication of this country.
11, the foundation of client-side encryption system, on client computer, adopt a brace that the cipher key (being smart card) of standard USB interface is arranged, or on user's identity, embed an intelligent chip, authentication and digital signature hardware device as the client-side network user, with symmetric cryptographic algorithm, a symmetric key generating algorithm and cover " key seed " table KK, leave in advance in the chip of smart card, wherein: each network user's cover " key seed " table KK is different, in authentication and digital signature protocol, symmetric key, authenticate password and digital signature all generate in chip, thereby, improve the safe class of authentication and digital signature protocol, transmission over networks be can disclosed identification authentication data, comprising: through the user ID of coding, timestamp, random number, the IP address number of authenticate password (or digital signature) and client.
12; the foundation of authentication center's encryption system; at home or the certificate server end of international each authentication center use the pci interface of standard; combine with one or more encrypted card; authentication hardware device as the certificate server end of each authentication center; in the encrypted card chip; deposit a cover symmetric cryptographic algorithm; symmetric key generating algorithm and one group of specific symmetric keys K; wherein: each symmetric key K domestic or each international authentication center has nothing in common with each other; at home or in international each authentication center's certificate server; deposit the home or overseas network user's parameters for authentication: user ID; user name and " key seed " table KK; wherein: with " key seed " table KK of all-network user; be encrypted to ciphertext in advance respectively with the specific symmetric keys K in each authentication center's encrypted card chip; with the corresponding home or overseas network user's sign and user name together; leave the lane database of authentication center's certificate server in; each network user's " key seed " accounts for 1.31KB~2.62KB byte; 300,000,000 network users' parameters for authentication is greater than being: 400~800GB byte; every energy supervising the network user SS (SS≤300,000,000) of authentication center, the mode of this employing ID authentication has solved " bottleneck " of authentication center's scale authentication.
13, in the encrypted card at each authentication home center of same country, also deposit identical " key seed " table KKi (i=1~210) of a cover, to show KKi identical for a cover " key seed " in the encryption system of this cover " key seed " table KKi and domestic network IPCA (or association), various countries (that is: G1 state, G210 state) Real-name Registration association uses cover " key seed " table KKi (i=1~210), encrypt the domestic network authentification of user parameter that domestic network system of real name association makes, carry out the data security transmission between the network authentication association (or association) in each authentication home center and this state or area, realize the updating maintenance of the domestic network authentification of user parameter that deposit at each authentication home center of same country.
14, Real-name Registration association encryption system is set up:
(1) in the encryption system hardware device of various countries' Real-name Registration association, deposit a cover symmetric encipherment algorithm in advance, one cover symmetric key generating algorithm, one cover " key seed " table KKi (i=1~210) and 210 cover " key seed " table (KEY1, KEY2, KEY210), because 210 countries are arranged in the world, so 210 cover " key seed " tables need be set, the two sets up one-to-one relationship to this 210 cover " key seed " table with 210 countries, all corresponding cover " key seed " the table KEY i (i=1~210) of various countries Real-name Registration association, that is: Gi state correspondence " key seed " is shown KEYi, and all there is identical " key seed " table (KEY1 of 210 covers in Real-name Registration association in various countries', KEY2, KEY210);
(2) Gi state (i=1~210) Real-name Registration association uses cover " key seed " table KKi (i=1~210), encrypt the domestic network authentification of user parameter that domestic network system of real name association makes, safeguard for the authentication home center provides the security update of domestic network authentification of user parameter;
(3) whole world has 210 countries to be made as: G1 state, ..., Gi state, ..., Gj state, ..., G210 (Gi ≠ Gj), Gj state (j=1~210) Real-name Registration association uses cover " key seed " table KEY j (j=1~210) of corresponding this country, encrypt the network user's of home network system of real name association making parameters for authentication, generate a kind of ciphertext of Gj state network user parameters for authentication, leave in the website of Gj state Real-name Registration association, for other 209 countries, the whole world (that is: G1 state, Gi state, G210 state, i ≠ j) Real-name Registration association downloads, thereby, realize the secure exchange of network user's parameters for authentication between the global various countries Real-name Registration association.
15, symmetric key generating algorithm, it is the symmetric key generating algorithm of forming by with timestamp and random number, " key seed " table is chosen, that is: come " OK " of " key seed " KK table controlled with timestamp and choose, come " row " of " key seed " KK table controlled with random number and choose, from " key seed " KK table, choose N " key seed " table element and merge into one group of symmetric key, symmetric key is generated automatically by algorithm, it is non-maintaining to realize that symmetric key upgrades, thereby, reduced the operation cost of authentication center.
16, timestamp in the symmetric key generating algorithm can effectively be cut apart the row of " key seed " table, the element of showing as KK is 0.5 bit, timestamp is got year, month, day, the time and branch, when random number is got 32 16 systems, corresponding 10 row elements of " year " row of the timestamp in the KK table, corresponding 12 row elements of " moon " row, corresponding 31 row elements of " day " row, " time " corresponding 24 row elements of row, corresponding 60 row elements of " branch " row, totally 137 row elements, timestamp gets " year "~" branch " totally 5 parts, and 32 (position)-5 (part)=27 (OK), 137 (OK)+27 (OK)=164 (OK), M * N=164 * 32, in 1 minute " key seed " to get the probability of repetition very little: 1/2 80, guarantee one time one change of combination key, do not reuse, thereby, guarantee authenticate password, authenticate key and all one time one changes of signature key, realize key updating Administrative Security, efficient.
17, one group of specific symmetric keys K in each encrypted card is different in twos, different with the ciphertext that K refined net user identical " key seed " generates, realize the safe storage of different authentication center identical network user " key seed ", simultaneously, the parameters for authentication of effectively cutting apart the network user at different authentication center.
18, key is produced and management, each network user identifier of various countries is unique, " key seed " table KK also is unique, set up relation one to one between the two, home network user's parameters for authentication: user ID, user name and " key seed " table KK, association is responsible for providing by the home network system of real name, and generate manufacturer by the commercial cipher of national appointment and be responsible for unified the making, authentication home center for national website correspondence, home network user's parameters for authentication is provided, also comprise the updating maintenance of parameters for authentication, the whole world various countries network user's parameters for authentication, commercial cipher by various countries' appointment generates manufacturer according to the responsible making of unified standard respectively, is responsible for regularly providing mutually by various countries' Real-name Registration association again.
19, the process that Real-name Registration is implemented, be that the network user visits and login the targeted website by the authentication agreement, and enter application system and browse for information about, if the network user also needs remit money (or stating one's views), must carry out digital signature to the money order (or speech of delivering) that this user fills in, and in the chip of client-side, leave timestamp in the digital signature data in, random number, the IP address number of digital signature and client computer, in addition, in authentication center's server, deposit digital signature data, that is: user's sign, timestamp, random number, digital signature, the IP address number of client computer and money order (or stating one's views), by storage part in the server of the chip of client-side and authentication center or whole digital signature data, realize user's operating process non-repudiation.
Description of drawings:
Fig. 1: the procedure chart of authentication agreement
Fig. 2: the procedure chart of digital signature protocol
Fig. 3: the topological diagram of the authentication home central site network user's of various countries parameters for authentication updating maintenance process
Fig. 4: the topological diagram of the international network user's of authentication center of various countries parameters for authentication updating maintenance process
Embodiment:
Performing step below in conjunction with description of drawings international network system of real name:
Fig. 1: the implementation process that authentication agreement in the Real-name Registration technology is described is as follows:
(1) sends authentication request by client-side;
(2), calculate authentication life cycle T simultaneously by WEB server generation time stamp and random number and send to client-side;
(3) be transferred in the chip of client-side hardware device after client computer time of receipt (T of R) stamp and the random number, symmetric key generating algorithm according to timestamp, random number composition, element to " key seed " table KK is chosen, select one group of symmetric key 1, encrypt timestamp and random number generation authenticate password 1 with this symmetric key 1, with verify data such as user ID, authenticate password 1, random number, timestamp and client computer IP number, and send to the WEB server;
(4) whether the WEB server at first calculates T and finishes, if T finishes, WEB server notification client-side authentification failure then, if T does not finish, then the WEB server is transferred to domestic or international authentication center according to user's sign with verify data, this authentication center finds cover " key seed " table KK who leaves this user's correspondence in the authentication service hard disk in according to user's sign again, should overlap " key seed " table KK again passes in the encrypted card chip, should overlap " key seed " table in chip is decrypted into expressly, according to selecting one group of symmetric key 2 this cover " key seed " table KK of symmetric key generating algorithm after deciphering, encrypt timestamp and random number and generate authenticate password 2, contrast again that authenticate password 1 and authenticate password 2 be whether identical determines whether user's identity is legal;
(5) if the authenticating user identification success, notify the success of WEB server authentication with authentication result, the WEB server is sent the user into application server, application server enters the application corresponding system according to this user of user right mandate, if authentication failure, then refuse this user capture application system, and with authentication result process WEB server notification client-side authentification failure.
Fig. 2: the implementation process that digital signature protocol in the Real-name Registration technology is described is as follows:
(1) client-side sends digital signature request (that is: the network user clicks remittance or states one's views and really appoints button);
(2) WEB server generation time stamp and random number and send to client-side;
(3) be transferred in the chip of client-side hardware device after client computer time of receipt (T of R) stamp and the random number, and the content of Net silver user's money order (or stating one's views) taken out and combine in this chip of input, in chip, digital signature system uses the HASH function that the content that money order (or stating one's views) combines is made a summary, obtain its " digital finger-print 1 ", symmetric key generating algorithm according to timestamp and random number composition, " key seed " table KK element is chosen, select one group of symmetric key 1, encrypt " digital finger-print 1 " with this symmetric key 1, the ciphertext that obtains " digital finger-print 1 " is promptly: digital signature, again promptly: user's sign with digital signature data, timestamp, random number, digital signature, the IP address number of client computer and money order (or stating one's views), send to the WEB server in the lump, simultaneously, in the chip of client-side, leave the timestamp in the digital signature data in, random number, the IP address number of digital signature and client computer, wherein: preserve preceding 30 times digital signature data in this chip, new digital signature data comes in old digital signature data is removed;
(4) the WEB server receives that digital signature data promptly: the IP address number of network user identifier, timestamp, random number, digital signature, client computer and money order (or stating one's views) are afterwards, according to the network user's sign, digital signature data is sent to corresponding home or overseas authentication center;
(5) in this authentication center, at first, the signature verification system location is left " key seed " table KK of this network user's correspondence in the authentication service hard disk in, import again in the encrypted card chip, symmetric key generating algorithm according to timestamp and random number composition, KK chooses to " key seed " table, select one group of symmetric key 2, obtain the plaintext of " digital finger-print 1 " with these symmetric key 2 decrypted digital signatures, use the HASH function that money order (or stating one's views) content is made a summary and obtain " digital finger-print 2 ", whether identical through contrast " digital finger-print 1 " with " digital finger-print 2 ", determine whether to be legitimate signature, if legitimate signature, then the signature verification system of this authentication center is directly exported to remittance (or stating one's views) system with the money order (or stating one's views) of legitimate signature, carry out money order (or stating one's views), and money order (or stating one's views) left in money order (or stating one's views) database as a record, and deposit digital signature data in authentication center, simultaneously, return client-side through the WEB server: " remittance (or the speech of delivering online) success ", if false signature, then the signature verification system of this authentication center passes through this client-side of WEB server feedback: " false signature, remittance (or the speech of delivering online) failure ".
Fig. 3: the authentication home central site network user's of various countries parameters for authentication updating maintenance process is described in the international network system of real name:
The technical staff of Gi state Real-name Registration association, at first start the encryption system of this Real-name Registration association, produce one group of timestamp and random number by this encryption system, produce one group of timestamp and random number by this encryption system, one cover " key seed " table KKi (i=1~210) of each site certificate centre punch one correspondence of control Gi state, combination generates one group of symmetric key, encrypt Gi state parameters for authentication all or the subnetwork user and generate ciphertext, and be stored in the website of Gi state Real-name Registration association with this group timestamp and random number, the technical staff of each domestic authentication center of Gi state, regularly login the website of Gi state Real-name Registration association through authentication, download the ciphertext of Gi state network user parameters for authentication, the encryption system at Gi state authentication home center, according to this group timestamp and random number of receiving, " key seed " table KKi (i=1~210) is made up and chooses, generate one group of symmetric key, the parameters for authentication ciphertext of deciphering the Gi state network user of this authentication home center acquisition obtains expressly, use the specific symmetric keys K in this authentication home center dies again, " key seed " table KK in all or subnetwork authentification of user parameter expressly encrypts the generation ciphertext to Gi state respectively, and leave this authentication center's lane database together in corresponding user ID and user name, thereby, realize in the authentication home of website in the country's correspondence of Gi state the updating maintenance of domestic network authentification of user parameter at heart.
Fig. 4: the international network user's of authentication center of various countries parameters for authentication updating maintenance process is described in the international network system of real name:
The technical staff of G1 state Real-name Registration association, at first start the encryption system of home network system of real name association, produce one group of timestamp 1 and random number 1 by this encryption system, one cover " key seed " table KEY, 1 combination of control G1 state correspondence generates one group of symmetric key, encrypt network user's parameters for authentication generation ciphertext that G1 state Real-name Registration association makes, leave in the lump on the website of G1 state Real-name Registration association with this group timestamp 1 and random number 1 again, Gi state (i=1~210, the technical staff of Real-name Registration association of i ≠ j), the website of login G1 state Real-name Registration association, download the network user's of G1 state parameters for authentication ciphertext, again with cover " key seed " table KEY 1 of corresponding G1 state and should group timestamp 1 and random number 1, combination generates one group of symmetric key, the parameters for authentication ciphertext of deciphering the G1 state network user generates expressly, afterwards, the technical staff of Real-name Registration association of Gi state, with one group of specific symmetric keys K in the international authentication center of corresponding G1 state in the Gi state (in totally 10~30 of the corresponding G1 state) encrypted card, encrypt " key seed " table KK in the G1 state all-network authentification of user parameter respectively, generate ciphertext promptly: " key seed " table KK ciphertext, and with corresponding G1 state's user ID and user name together, leave the lane database of the international authentication center of corresponding G1 state in the Gi state in, so far, having finished the security update of G1 state network user parameters for authentication in the international authentication center of Gi state safeguards, ..., the technical staff of Gj state Real-name Registration association, start the encryption system of home network system of real name association, produce one group of timestamp j and random number j by this encryption system, and " key seed " table KEY j combination of control Gj state correspondence generates one group of symmetric key, the home network user's that oneself is made parameters for authentication is encrypted to ciphertext, leave in the lump on the website of Gj state Real-name Registration association with this group timestamp j and random number j again, obtain with identical method for the technical staff of Gi state Real-name Registration association, finishing the security update of Gj state network user parameters for authentication in the international authentication center of Gi state safeguards, ..., the technical staff of G210 state Real-name Registration association, the home network user's who oneself is made of same procedure parameters for authentication is encrypted to ciphertext, leave on the website of G210 state Real-name Registration association, obtain with identical method for the technical staff of Gi state Real-name Registration association, finishing the security update of G210 state network user parameters for authentication in the international authentication center of Gi state safeguards, work as i=1,2,210, during i ≠ j, the technical staff of Gi state Real-name Registration association realizes the updating maintenance of external network authentification of user parameter in the international authentication center in various countries in order to last method.

Claims (10)

1; a kind of global network system of real name implementation method based on ID authentication; be to adopt symmetric cryptographic algorithm and chip technology; set up classification authentication center; the network user provides authentication service for home and overseas; at first; for all-network user in the world sets up unique user ID; with the country area code of telephone number and the identification card number combination of user the country one belongs to; sign as the network user; and a respective user name and cover " key seed " table KK; all to set up internal and international two class authentication centers in each state; the national network user carries out authentication at this state authentication home center; the external network user carries out authentication in the international authentication center of this state; all set up man-to-man authentication home center on every website of various countries; all simultaneously corresponding 10~30 the international authentication centers in all websites of various countries; the authentication protocol of each website is according to the area code of telephone number in user's the sign; authentication tasks is given to corresponding home or overseas authentication center to be finished; network user's staff one of various countries is the network authentication hardware device; visit and login the website of global All Countries; domestic or international authentication center in various countries; client computer and various countries' Real-name Registration association all set up encryption system; and adopt symmetric cryptographic algorithm to set up authentication agreement and digital signature protocol; utilization combination key technology encrypts one group of timestamp and random number generation authenticate password carries out authentication; or encrypt one group " summary " and carry out digital signature; realize authenticate key and one time one change of signature key; adopt the ID authentication mode to solve " bottleneck " of authentication center's scale authentication; Real-name Registration association by various countries; come production home network user's parameters for authentication; and set up the security update maintaining method of various countries network user parameters for authentication; thereby, realize the global network system of real name.
2, according to the method for claim 1, it is characterized in that:
The international network system of real name is that the network user with each website of global all-access is divided into, domestic network user and the external network user's two classes, the system of real name of each website all needs this two classes network user is carried out authentication, for this reason, set up the system of real name framework of system of real name framework that the domestic network user logins national website and external network user login this country website.
3, according to the method for claim 2, it is characterized in that:
(1) sets up the system of real name framework that the domestic network user logins national website, the whole world has the country to be approximately 210, on the website of each Gi state (i=1~210), set up an authentication home center, that is: set up and man-to-man authentication home center, website, leave the parameters for authentication of domestic all network user SS (SS≤300,000,000) in the authentication home center, for Gi state all network user login Gi state website provides authentication service;
(2) set up the system of real name framework of network user login Gi state website, global various countries (not containing Gi state), if: G1 state, Gj state, (j ≠ i) is external 209 countries (being different from Gi state) in G210 state, set up 10~30 international authentication centers in Gi state, the network user's parameters for authentication with these 209 countries (not containing Gi state), the whole world, leave in respectively in 10~30 international authentication centers of Gi state foundation, that is: what deposit in 10~30 international authentication centers of Gi state is the parameters for authentication of all network user S (3,000,000,000≤S≤6,000,000,000) of other 209 countries (not containing Gi state), the whole world, for the network user login Gi state website of other 209 countries (not containing Gi state), the whole world provides authentication service.
4, according to the method for claim 3, it is characterized in that:
Each website of Gi state (i=1~210) is all passed through the overseas call area code of the country in the network user identifier and is guided, network user identity identification mission with the whole world, the authentication home center or the international authentication center of giving each website correspondence of Gi state finish, the legal network user can visit and login Gi state website and carry out the system of real name operation, and the illegal network user can not visit and login Gi state website and carry out the system of real name operation.
5, according to the method for claim 3, it is characterized in that:
(1) by the Real-name Registration association of Gi state (i=1~210) category of language and number of network users according to other 209 countries (not containing Gi state), the whole world, network user's parameters for authentication of other 209 countries (not containing Gi state), the whole world is left in respectively in 10~30 international authentication centers of Gi state, that is: network user S1 (1.5 hundred million≤S1≤300,000,000) parameters for authentication of a country may be deposited by an international authentication center, also may deposit network user S2 (1.5 hundred million≤S2≤300,000,000) parameters for authentication of a plurality of countries;
(2) the international authentication center that sets up in Gi state, for the network user of other 209 countries (not containing Gi state), the whole world visits Gi state website the service of third party's Collective qualification is provided, that is: (network user's the authentication task of j ≠ i), (the international authentication center of i ≠ j) finishes to give 10~30 international authentication center corresponding Gj states of Gi state will to login the external Gj of all websites of Gi state.
6, according to the method for claim 1, it is characterized in that:
(1) foundation of client-side encryption system, on client computer, adopt a brace that the smart card of standard USB interface is arranged, or on user's identity, embed an intelligent chip, authentication and digital signature hardware device as the client-side network user, with symmetric cryptographic algorithm, a symmetric key generating algorithm and cover " key seed " table KK, leave in advance in the chip of smart card, wherein: each network user's cover " key seed " table KK is inequality, in authentication and digital signature protocol, symmetric key, authenticate password and digital signature all generate in chip, thereby, the safe class of raising authentication and digital signature protocol;
(2) foundation of authentication center's encryption system, at home or the certificate server end of international each authentication center insert one or more encrypted card combination, authentication hardware device as the certificate server end of each authentication center, in the encrypted card chip, deposit a cover symmetric cryptographic algorithm, symmetric key generating algorithm and one group of specific symmetric keys K, wherein: each symmetric key K domestic or each international authentication center has nothing in common with each other, at home or in international each authentication center's certificate server, deposit the home or overseas network user's parameters for authentication: user ID, user name and " key seed " table KK, wherein: with " key seed " table KK of all-network user, be encrypted to ciphertext in advance respectively with the specific symmetric keys K in each authentication center's encrypted card chip, with the corresponding home or overseas network user's sign and user name together, leave the lane database of authentication center's certificate server in, every energy supervising the network user SS (SS≤300,000,000) of authentication center, the mode of this employing ID authentication has solved " bottleneck " of authentication center's scale authentication;
(3) Real-name Registration association encryption system is set up, in the encryption system hardware device of various countries' Real-name Registration association, deposit a cover symmetric encipherment algorithm in advance, one cover symmetric key generating algorithm, one cover " key seed " table KKi (i=1~210) and 210 cover " key seed " table (KEY1, KEY2, KEY210), because 210 countries are arranged in the world, so 210 cover " key seed " tables need be set, the two sets up one-to-one relationship to this 210 cover " key seed " table with 210 countries, all corresponding cover " key seed " the table KEYi (i=1~210) of various countries Real-name Registration association, that is: Gi state correspondence " key seed " is shown KEYi, and all there is identical " key seed " table (KEY1 of 210 covers in Real-name Registration association in various countries', KEY2, KEY210).
7, according to the method for claim 6, it is characterized in that:
(1) in the encrypted card at each authentication home center of same country, also deposit identical " key seed " table KKi (i=1~210) of a cover, to show KKi also identical for a cover " key seed " in the encryption system of this cover " key seed " table KKi and domestic network IPCA (or association), various countries (that is: G1 state, G210 state) Real-name Registration association uses cover " key seed " table KKi (i=1~210), encrypt the domestic network authentification of user parameter that domestic network system of real name association makes, carry out the data security transmission between the network authentication association (or association) in each authentication home center and this state or area, realize the updating maintenance of the domestic network authentification of user parameter that deposit at each authentication home center of same country;
(2) whole world has 210 countries to be made as: G1 state, Gi state, Gj state, G210 (Gi ≠ Gj), Gj state (j=1~210) Real-name Registration association uses cover " key seed " table KEYj (j=1~210) of corresponding this country, encrypt the network user's of home network system of real name association making parameters for authentication, generate a kind of ciphertext of Gj state network user parameters for authentication, leave in the website of Gj state Real-name Registration association, for other 209 countries, the whole world (that is: G1 state, Gi state, G210 state, i ≠ j) Real-name Registration association downloads, thereby, realize the secure exchange of network user's parameters for authentication between the global various countries Real-name Registration association.
8, according to the method for claim 6, it is characterized in that:
(1) symmetric key generating algorithm, it is the symmetric key generating algorithm of forming by with timestamp and random number, " key seed " table is chosen, that is: come " OK " of " key seed " KK table controlled with timestamp and choose, come " row " of " key seed " KK table controlled with random number and choose, from " key seed " KK table, choose N " key seed " table element and merge into one group of symmetric key, symmetric key is generated automatically by algorithm, it is non-maintaining to realize that symmetric key upgrades, thereby, reduced the operation cost of authentication center;
(2) timestamp in the symmetric key generating algorithm can effectively be cut apart the row of " key seed " table, the element of showing as KK is 0.5 bit, timestamp is got year, month, day, the time and branch, when random number is got 32 16 systems, corresponding 10 row elements of " year " row of the timestamp in the KK table, corresponding 12 row elements of " moon " row, corresponding 31 row elements of " day " row, " time " corresponding 24 row elements of row, corresponding 60 row elements of " branch " row, totally 137 row elements, timestamp gets " year "~" branch " totally 5 parts, and 32 (position)-5 (part)=27 (OK), 137 (OK)+27 (OK)=164 (OK), M * N=164 * 32, in 1 minute " key seed " to get the probability of repetition very little: 1/2 80, guarantee one time one change of combination key, do not reuse, thereby, guarantee authenticate password, authenticate key and all one time one changes of signature key, realize key updating Administrative Security, efficient;
(3) one group of specific symmetric keys K in each encrypted card is different in twos, different with the ciphertext that K refined net user identical " key seed " generates, realize the safe storage of different authentication center identical network user's key seed, simultaneously, the parameters for authentication of effectively cutting apart the network user at different authentication center.
9, according to the method for claim 7, it is characterized in that:
(1) technical staff of Gi state Real-name Registration association, at first start the encryption system of this Real-name Registration association, produce one group of timestamp and random number by this encryption system, produce one group of timestamp and random number by this encryption system, one cover " key seed " table KKi (i=1~210) of each site certificate centre punch one correspondence of control Gi state, combination generates one group of symmetric key, encrypt Gi state parameters for authentication all or the subnetwork user and generate ciphertext, and be stored in the website of Gi state Real-name Registration association with this group timestamp and random number, the technical staff of each domestic authentication center of Gi state, regularly login the website of Gi state Real-name Registration association through authentication, download the ciphertext of Gi state network user parameters for authentication, the encryption system at Gi state authentication home center, according to this group timestamp and random number of receiving, " key seed " table KKi (i=1~210) is made up and chooses, generate one group of symmetric key, the parameters for authentication ciphertext of deciphering the Gi state network user of this authentication home center acquisition obtains expressly, use the specific symmetric keys K in this authentication home center dies again, " key seed " table KK in all or subnetwork authentification of user parameter expressly encrypts the generation ciphertext to Gi state respectively, and leave this authentication center's lane database together in corresponding user ID and user name, thereby, realize in the authentication home of website in the country's correspondence of Gi state the updating maintenance of domestic network authentification of user parameter at heart;
(2) technical staff of G1 state Real-name Registration association, at first start the encryption system of home network system of real name association, produce one group of timestamp 1 and random number 1 by this encryption system, one cover " key seed " table KEY1 combination of control G1 state correspondence generates one group of symmetric key, encrypt network user's parameters for authentication generation ciphertext that G1 state Real-name Registration association makes, leave in the lump on the website of G1 state Real-name Registration association with this group timestamp 1 and random number 1 again, Gi state (i=1~210, the technical staff of Real-name Registration association of i ≠ j), the website of login G1 state Real-name Registration association, download the network user's of G1 state parameters for authentication ciphertext, again with cover " key seed " table KEY1 of corresponding G1 state and should group timestamp 1 and random number 1, combination generates one group of symmetric key, the parameters for authentication ciphertext of deciphering the G1 state network user generates expressly, afterwards, the technical staff of Real-name Registration association of Gi state, with one group of specific symmetric keys K in the international authentication center of corresponding G1 state in the Gi state (in totally 10~30 of the corresponding G1 state) encrypted card, encrypt " key seed " table KK in the G1 state all-network authentification of user parameter respectively, generate ciphertext promptly: " key seed " table KK ciphertext, and with corresponding G1 state's user ID and user name together, leave the lane database of the international authentication center of corresponding G1 state in the Gi state in, so far, having finished the security update of G1 state network user parameters for authentication in the international authentication center of Gi state safeguards, the technical staff of Gj state Real-name Registration association, start the encryption system of home network system of real name association, produce one group of timestamp j and random number j by this encryption system, and " key seed " table KEYj combination of control Gj state correspondence generates one group of symmetric key, the home network user's that oneself is made parameters for authentication is encrypted to ciphertext, leave in the lump on the website of Gj state Real-name Registration association with this group timestamp j and random number j again, obtain with identical method for the technical staff of Gi state Real-name Registration association, finishing the security update of Gj state network user parameters for authentication in the international authentication center of Gi state safeguards, the technical staff of G210 state Real-name Registration association, the home network user's who oneself is made of same procedure parameters for authentication is encrypted to ciphertext, leave on the website of G210 state Real-name Registration association, obtain with identical method for the technical staff of Gi state Real-name Registration association, finishing the security update of G210 state network user parameters for authentication in the international authentication center of Gi state safeguards, work as i=1,2,210, during i ≠ j, the technical staff of Gi state Real-name Registration association realizes the updating maintenance of external network authentification of user parameter in the international authentication center in various countries in order to last method.
10, according to the method for claim 2, it is characterized in that:
The process that Real-name Registration is implemented, be that the network user visits and login the targeted website by the authentication agreement, and enter application system and browse for information about, if the network user also needs remit money (or stating one's views), must carry out digital signature to the money order (or speech of delivering) that this user fills in, and in the chip of client-side, leave timestamp in the digital signature data in, random number, the IP address number of digital signature and client computer, in addition, in authentication center's server, deposit digital signature data, that is: user's sign, timestamp, random number, digital signature, the IP address number of client computer and money order (or stating one's views), by storage part in the server of the chip of client-side and authentication center or whole digital signature data, realize user's operating process non-repudiation.
CNA2009100818743A 2009-04-15 2009-04-15 A method to realize a global network real name system based on ID authentication Pending CN101552672A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2009100818743A CN101552672A (en) 2009-04-15 2009-04-15 A method to realize a global network real name system based on ID authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2009100818743A CN101552672A (en) 2009-04-15 2009-04-15 A method to realize a global network real name system based on ID authentication

Publications (1)

Publication Number Publication Date
CN101552672A true CN101552672A (en) 2009-10-07

Family

ID=41156681

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2009100818743A Pending CN101552672A (en) 2009-04-15 2009-04-15 A method to realize a global network real name system based on ID authentication

Country Status (1)

Country Link
CN (1) CN101552672A (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103023641A (en) * 2012-10-25 2013-04-03 浪潮电子信息产业股份有限公司 Serial number generating/verifying method
CN103716158A (en) * 2012-09-28 2014-04-09 卓望数码技术(深圳)有限公司 Service processing method, service processing device and corresponding retail terminal
CN104221412A (en) * 2012-01-12 2014-12-17 波音公司 A system and method for secure communication
WO2015018292A1 (en) * 2013-08-08 2015-02-12 天地融科技股份有限公司 Method and system for information monitoring
CN104506503A (en) * 2014-12-08 2015-04-08 北京北邮国安技术股份有限公司 Security certification system based on broadcast television one-way transmission network
CN104601593A (en) * 2015-02-04 2015-05-06 公安部第三研究所 Anti-tracking method in network electronic identity authentication process based on challenge modes
CN106790238A (en) * 2017-01-19 2017-05-31 北京神州绿盟信息安全科技股份有限公司 It is a kind of to forge CSRF defence authentication method and device across station request
CN108270575A (en) * 2018-04-20 2018-07-10 北京数字认证股份有限公司 A kind of digital signature method and device
CN108429730A (en) * 2018-01-22 2018-08-21 北京智涵芯宇科技有限公司 Feedback-less safety certification and access control method
CN109040100A (en) * 2018-08-24 2018-12-18 下代互联网重大应用技术(北京)工程研究中心有限公司 A kind of resource access method and its electronic equipment, system, readable medium
CN109067702A (en) * 2018-06-25 2018-12-21 兴唐通信科技有限公司 A kind of method that system of real name network identity is generated and protected
CN111190689A (en) * 2019-12-24 2020-05-22 腾讯科技(深圳)有限公司 Digital twin system simulation method and device

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104221412A (en) * 2012-01-12 2014-12-17 波音公司 A system and method for secure communication
CN104221412B (en) * 2012-01-12 2018-05-29 波音公司 Safe communication system and method
CN103716158A (en) * 2012-09-28 2014-04-09 卓望数码技术(深圳)有限公司 Service processing method, service processing device and corresponding retail terminal
CN103023641A (en) * 2012-10-25 2013-04-03 浪潮电子信息产业股份有限公司 Serial number generating/verifying method
CN103023641B (en) * 2012-10-25 2017-03-15 郑州云海信息技术有限公司 A kind of serial number generates verification method
WO2015018292A1 (en) * 2013-08-08 2015-02-12 天地融科技股份有限公司 Method and system for information monitoring
CN104506503A (en) * 2014-12-08 2015-04-08 北京北邮国安技术股份有限公司 Security certification system based on broadcast television one-way transmission network
CN104506503B (en) * 2014-12-08 2019-11-05 北京北邮国安技术股份有限公司 A kind of security certification system based on broadcasting and TV one-way transport network
CN104601593B (en) * 2015-02-04 2017-12-01 公安部第三研究所 The method that anti-tracking in network electronic authentication procedures is realized based on challenge mode
CN104601593A (en) * 2015-02-04 2015-05-06 公安部第三研究所 Anti-tracking method in network electronic identity authentication process based on challenge modes
CN106790238A (en) * 2017-01-19 2017-05-31 北京神州绿盟信息安全科技股份有限公司 It is a kind of to forge CSRF defence authentication method and device across station request
CN106790238B (en) * 2017-01-19 2020-07-10 北京神州绿盟信息安全科技股份有限公司 Cross-site request forgery CSRF defense authentication method and device
CN108429730A (en) * 2018-01-22 2018-08-21 北京智涵芯宇科技有限公司 Feedback-less safety certification and access control method
CN108270575A (en) * 2018-04-20 2018-07-10 北京数字认证股份有限公司 A kind of digital signature method and device
CN109067702A (en) * 2018-06-25 2018-12-21 兴唐通信科技有限公司 A kind of method that system of real name network identity is generated and protected
CN109067702B (en) * 2018-06-25 2021-05-04 兴唐通信科技有限公司 Method for generating and protecting real-name system network identity
CN109040100A (en) * 2018-08-24 2018-12-18 下代互联网重大应用技术(北京)工程研究中心有限公司 A kind of resource access method and its electronic equipment, system, readable medium
CN109040100B (en) * 2018-08-24 2021-08-17 下一代互联网重大应用技术(北京)工程研究中心有限公司 Resource access method and electronic equipment, system and readable medium thereof
CN111190689A (en) * 2019-12-24 2020-05-22 腾讯科技(深圳)有限公司 Digital twin system simulation method and device

Similar Documents

Publication Publication Date Title
CN101552672A (en) A method to realize a global network real name system based on ID authentication
CN101282222B (en) Digital signature method based on CSK
CN108964905B (en) Safe and efficient block chain implementation method
CN108092776B (en) System based on identity authentication server and identity authentication token
CN101969438B (en) Method for realizing equipment authentication, data integrity and secrecy transmission for Internet of Things
CN110868301B (en) Identity authentication system and method based on state cryptographic algorithm
CN104270338B (en) Method and its system that a kind of electronic identity registration and certification are logged in
US20070130463A1 (en) Single one-time password token with single PIN for access to multiple providers
CN109145540B (en) Intelligent terminal identity authentication method and device based on block chain
CN109450877B (en) Block chain-based distributed IDaaS identity unified authentication system
US8788836B1 (en) Method and apparatus for providing identity claim validation
CN1885771A (en) Method and apparatus for establishing a secure communication session
CN101136750A (en) Network real-name system implementing method
CN102693455A (en) Fully automatic system and method of data preparation based on financial IC card
CN101405759A (en) Method and apparatus for user centric private data management
CN111049835B (en) Unified identity management system of distributed public certificate service network
CN104580246B (en) Dynamic and intelligent safe key is produced and managing and control system and method under WiFi environment
CN107846394A (en) For providing the system and method for accessing the different services of service provider
CN202455386U (en) Safety system for cloud storage
CN112822255A (en) Block chain-based mail processing method, mail sending end, receiving end and equipment
JP2011003100A (en) Authentication request conversion apparatus, authentication request conversion method, and authentication request conversion program
CN104125230A (en) Short message authentication service system and authentication method
WO2019178440A1 (en) System and method for securing private keys behind a biometric authentication gateway
Peng et al. A multilevel access control scheme for data security in transparent computing
CN109981677A (en) A kind of credit management method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20091007