CN101714921A - Hardware token based method and system for confirming identity of website visitor - Google Patents

Hardware token based method and system for confirming identity of website visitor

Info

Publication number
CN101714921A
Authority
CN
China
Prior art keywords
website
hardware token
data
identity
hypervisor
Prior art date
Legal status
Pending
Application number
CN200810216364A
Other languages
Chinese (zh)
Inventor
许先才
Current Assignee
Individual
Original Assignee
Individual
Priority date
2008-10-06
Filing date
2008-10-06
Publication date
2010-05-26
Application filed by Individual
Priority to CN200810216364A
Publication of CN101714921A
Legal status: Pending


Abstract

The invention relates to a hardware token based method and system for confirming the identity of a website visitor, so that a website can confirm a visitor's identity through a hardware token merely by developing its web pages according to a specified web page design standard, without developing a dedicated page control. The hardware token stores authentication data that corresponds one-to-one to the website visitor, together with a supervisory program file that can run on a computer. After the hardware token is connected to a computer terminal, the supervisory program is started, the website is opened, the program intervenes in the web page developed according to the design standard, reads the data in the hardware token, generates authentication result data and submits it to the server through the web page, and the website server confirms the visitor's identity from the authentication result data.

Description

Hardware token based method and system for confirming the identity of a website visitor
Technical field
The present invention relates to identity authentication systems, and in particular to identity authentication systems for website visitors.
Background art
A website that provides information services or interactive operations to the public needs to confirm the identity of the end user accessing it. On the one hand this prevents unauthorized users from using the website's services; on the other hand it allows the website to offer differentiated services to legitimate users according to their identity. The most typical case is a website providing paid information services: only paying users are allowed to use the special services, and paying users may be offered different levels of service according to the fee paid.
An account number and password can be used to confirm the identity of a website user: each paying customer obtains a unique account and presents it when accessing the website to prove their identity. The greatest problem with the account-and-password model, however, is that an account can be shared among several users. Even if the website restricts an account to a single concurrent login, it cannot stop friends from sharing such a paid service by taking turns. For the website operator, every account that can be shared means one potential source of income lost.
A hardware token can uniquely identify a user, and issuing one hardware token to each legitimate user solves the illegal sharing problem. In many situations, however, existing hardware token solutions still have shortcomings. First, the hardware is specific: a token can only be used to authenticate to the one website, which makes users feel its practical value is low. In addition, a driver and an application program must be installed, which is inconvenient for the user and adds after-sales support work for the website operator that is unrelated to running the website. Most importantly, because the page on the terminal needs to access the hardware token connected to that terminal, the security restrictions imposed on pages must be overcome, and websites generally use a control embedded in the page to access local hardware on the terminal. For the control to run on the terminal, it often has to be code-signed, or the terminal's security settings have to be adjusted. All of this increases the cost and difficulty of deployment. In particular, several of the terminal's security settings can each prevent the control from running normally, so the situation on user terminals can be very complicated, which increases the post-deployment technical support workload.
It can be seen that, for confirming the identity of a website visitor using a hardware token, the prior art does not provide a complete solution and still has defects.
Summary of the invention
The technical problem to be solved by the present invention is to avoid the above deficiencies of the prior art and to propose a method by which a website can access a hardware token from its pages, and thereby confirm the identity of the terminal user, without developing a web page control.
The technical solution adopted by the present invention includes manufacturing a hardware token that represents the identity of a website visitor. A supervisory program file used to confirm the visitor's identity is installed on it, and it can store personal information representing the visitor's identity as well as other authentication data used to confirm that identity. The hardware token has a data communication interface through which it connects to a computer system; the supported communication interfaces include USB, IEEE 1394, Wi-Fi and Bluetooth. The hardware token has a data storage device that stores authentication data corresponding one-to-one to the website visitor, and a set of supervisory program files that can run on the computer. After the hardware token is connected to the computer through the data communication interface, it is mapped as a storage device on the computer system that holds the above supervisory program. The hardware token has unique number data; after the visitor's personal information is written, the website issues it to the legitimate visitor, and the unique number data together with the visitor's personal information are written to the website server's customer database as one data record.
The technical solution also includes formulating a web page design standard that specifies one group of page elements used by the page to pass the various authentication data required by the visitor identity confirmation flow to the supervisory program, and another group of page elements used by the supervisory program to pass the various authentication data required by that flow, the authentication state and the authentication result data to the page.
The technical solution also includes a method for confirming the identity of a website visitor based on a hardware token, in which the steps of confirming the identity of a website visitor comprise:
A. The supervisory program stored on the hardware token, which must run on the computer, runs on the computer after the hardware token is connected to the computer system, starts the web browser program and opens the default user authentication page of the website;
B. The supervisory program reads the page content of the above website through the development interface provided by the web browser program, parses and interprets the page code according to the web page design standard, and obtains the authentication data used to confirm the terminal visitor's identity;
C. The supervisory program obtains the unique number data stored in the hardware token and the other authentication data that can be used to confirm the terminal visitor's identity, uses a one-way hash algorithm to generate authentication result data, and submits the number data and the authentication result data to the server;
D. The website server retrieves the user information record stored in the server database according to the unique number data, generates authentication result data from this record and the other authentication data, compares it with the authentication result data submitted by the supervisory program, and confirms the identity of the terminal visitor represented by the hardware token.
Compared with the prior art, with the hardware token based method and system of the present invention the website does not need to develop a dedicated page control; it only needs to develop its web pages according to the specified web page design standard to confirm the identity of website visitors through a hardware token.
Brief description of the drawings
Fig. 1 is the basic block diagram of the hardware token of the present invention.
Fig. 2 shows the storage device that the hardware token of the present invention is mapped to on the website access terminal.
Fig. 3 is an example customer database record of the method embodiment of the present invention.
Fig. 4 is part of the web page standard of the method embodiment of the present invention.
Fig. 5 is a partial code example of the user authentication page of the method embodiment of the present invention.
Fig. 6 is the one-way authentication algorithm flow of the method embodiment of the present invention.
Fig. 7 is the user authentication flow of the method embodiment of the present invention.
Fig. 8 is the operating flow of the supervisory program of the method embodiment of the present invention.
Embodiments
The preferred embodiment shown in the drawings is described in further detail below.
Fig. 1 shows the basic logical structure of hardware token A. Hardware token A mainly comprises an interface control unit A1 and a data storage unit A2. Interface control unit A1 implements the connection to the website access terminal; the connection modes include mature information system interfaces such as USB, UWB, IEEE 1394, Bluetooth and infrared. Data storage unit A2 stores the application program A5 and application data and, at the present state of technology, is implemented with memory technologies such as EEPROM or FLASH. Interface control unit A1 also implements the data exchange with the website access terminal: it accepts command requests from the terminal and responds to them, for example by reporting status or transmitting the data the terminal requires. To authenticate the token holder, the hardware token also needs to hold two items of data: the unique number A3 and the user authentication data A4. The website access terminal means any hardware terminal capable of running a web browser, including computers, PCs, smartphones and other handheld devices.
After hardware token A is connected to the website access terminal, it becomes a storage device on that terminal. This storage device is capable of starting the supervisory program A5 automatically, and also allows the user to start program file A5, pre-stored in data storage unit A2, from the device's function menu. If, for cost reasons, the hardware token uses a low-capacity storage unit, the main supervisory program is installed on the website access terminal in advance by running an installer, and the pre-stored supervisory program A5 is only a program launcher responsible for starting the main supervisory program located on the terminal. Fig. 2 shows an example of the content of the storage device that hardware token A becomes on the website access terminal after it is connected.
Before a hardware token is issued to a specified visitor, the token is initialized: user authentication data A4 is written to it, and a one-to-one relationship between the hardware token and the specified visitor is established. Fig. 3 shows an example customer database record: the hardware token numbered 2008010100010001 has been issued to the website visitor named Zhang San. For the website server, if the hardware token connected to some access terminal is numbered 2008010100010001, and the comparison made through one-way algorithm flow C confirms that the data stored in the hardware token is consistent with the data kept in the server-side database, the server can regard the requester of the accessed page as the visitor named Zhang San and provide service according to the preset permissions.
The website must develop the page on which visitors are authenticated according to the specified web page standard. Part of this standard is shown in Fig. 4; it requires the page to have certain page elements. Fig. 5 shows an example of the page code for authenticating a visitor, developed according to the page standard, which implements the whole process of reading the token hardware number and comparing through one-way algorithm flow C.
Fig. 6 shows one-way algorithm flow C. The server generates a random number C1 and passes it to the terminal through the web page. The supervisory program A5 running on the terminal reads the token hardware number A3 and the user authentication data A4 pre-stored in the hardware token, and completes the calculation according to the one-way algorithm:
C2 = F(C1, A3, A4)
The result C2 is sent to the server. The server finds the corresponding user record in the database by the token number A3 and uses the user authentication data A4' kept in the database for the one-way algorithm calculation:
C2' = F(C1, A3, A4')
If C2 equals C2', the A3 and A4 kept in the terminal's token are consistent with the A3 and A4' kept in the server database, which shows that the hardware token connected to the terminal was issued by this website to the visitor Zhang San and that the user currently accessing the website is Zhang San; authentication of the website visitor is thereby achieved. If they are inconsistent, the holder of the hardware does not have the visitor's permissions. The one-way algorithm F can use general-purpose algorithms such as MD5 or HMAC.
Because the authentication process uses the random number C1 in the one-way calculation, the authentication result data differs on every authentication, which effectively prevents an unauthorized user on the terminal from forging the authentication result data to pass authentication.
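One-way algorithm flow C worked through end to end, as an added example that is not part of the patent: F is instantiated as HMAC-SHA256 (HMAC is one of the two algorithm families the description names; the SHA-256 choice is ours, and MD5 would not be a recommended choice today), the database record for token 2008010100010001 / Zhang San follows Fig. 3, and every secret value is constructed. Beyond what the description states, the server accepts each C1 only once, so a C2 that was already submitted cannot be accepted again.

```python
"""Hardware-token challenge/response (one-way algorithm flow C).

Terminal side computes   C2  = F(C1, A3, A4)
Server side computes     C2' = F(C1, A3, A4')
and the visitor is authenticated when C2 == C2'.  All data below is
constructed for illustration; the record for token 2008010100010001 /
Zhang San mirrors the database example in Fig. 3 of the description.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def one_way_f(c1: str, a3: str, a4: bytes) -> str:
    """F(C1, A3, A4): HMAC-SHA256 keyed with the token's A4 over C1 and A3.
    HMAC is named in the description; SHA-256 is this example's choice."""
    return hmac.new(a4, f"{c1}|{a3}".encode(), hashlib.sha256).hexdigest()


@dataclass
class HardwareToken:
    """Data held in the token: unique number A3 and user authentication data A4."""
    a3: str
    a4: bytes

    def respond(self, c1: str) -> tuple[str, str]:
        """Supervisory-program step C: return (A3, C2) for submission via the page."""
        return self.a3, one_way_f(c1, self.a3, self.a4)


@dataclass
class WebsiteServer:
    """Customer database: A3 -> (visitor name, A4') as in the Fig. 3 record."""
    customers: dict[str, tuple[str, bytes]]
    pending: set[str] = field(default_factory=set)  # challenges not yet consumed

    def issue_challenge(self) -> str:
        """Generate the random number C1 that the page hands to the supervisory program."""
        c1 = secrets.token_hex(16)
        self.pending.add(c1)
        return c1

    def verify(self, c1: str, a3: str, c2: str) -> str | None:
        """Step D: recompute C2' from the stored record and compare with C2.

        Returns the visitor's name on success, None on failure.  Each C1 is
        accepted once (added hardening, not stated in the description).
        """
        if c1 not in self.pending:
            return None
        self.pending.discard(c1)
        record = self.customers.get(a3)
        if record is None:
            return None
        name, a4_prime = record
        c2_prime = one_way_f(c1, a3, a4_prime)
        # Constant-time comparison so the check does not leak C2' via timing.
        return name if hmac.compare_digest(c2, c2_prime) else None


def authenticate(server: WebsiteServer, token: HardwareToken) -> str | None:
    """Run one complete flow C: challenge, token response, server verification."""
    c1 = server.issue_challenge()
    a3, c2 = token.respond(c1)
    return server.verify(c1, a3, c2)


def demo() -> dict[str, str | None]:
    """Constructed scenario: Zhang San's token, a token with the right number
    but different A4, a number absent from the database, and a repeated C2."""
    a4_zhang = b"constructed-secret-for-token-0001"  # A4 written at initialisation
    server = WebsiteServer({"2008010100010001": ("Zhang San", a4_zhang)})
    genuine = HardwareToken("2008010100010001", a4_zhang)
    mismatched = HardwareToken("2008010100010001", b"constructed-other-a4")
    unknown = HardwareToken("2008019999999999", a4_zhang)

    results = {
        "genuine": authenticate(server, genuine),
        "mismatched_a4": authenticate(server, mismatched),
        "unknown_a3": authenticate(server, unknown),
    }
    # Submitting an already-accepted (C1, A3, C2) triple a second time is rejected.
    c1 = server.issue_challenge()
    a3, c2 = genuine.respond(c1)
    server.verify(c1, a3, c2)
    results["repeat"] = server.verify(c1, a3, c2)
    return results


if __name__ == "__main__":
    for case, who in demo().items():
        print(f"{case:14s} -> {who!r}")
```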
Hardware token A can also be protected by setting an access password, to prevent misuse of a lost token by an unrelated person. After hardware token A is connected to the access terminal and the supervisory program starts, it can pop up an access password input window requiring the holder to enter the access password; if the entered access password does not match the preset one, the supervisory program does not proceed to the next step of the flow.
After website development according to web page standard B is complete, the website issues hardware token A to visitors who have permission to access the website. As shown in Fig. 7, after a visitor inserts the hardware token into the terminal, the steps by which the present invention confirms the identity of the website visitor comprise:
A. The supervisory program stored on the hardware token, which must run on the computer, runs on the computer after the hardware token is connected to the computer system, starts the web browser program and opens the default user authentication page of the website;
B. The supervisory program reads the page content of the above website through the development interface provided by the web browser program, parses and interprets the page code according to the web page design standard, and obtains the authentication data used to confirm the terminal visitor's identity;
C. The supervisory program obtains the unique number data stored in the hardware token and the other authentication data that can be used to confirm the terminal visitor's identity, uses a one-way hash algorithm to generate authentication result data, and submits the number data and the authentication result data to the server;
D. The website server retrieves the user information record stored in the server database according to the unique number data, generates authentication result data from this record and the other authentication data, compares it with the authentication result data submitted by the supervisory program, and confirms the identity of the terminal user represented by the hardware token.
Fig. 8 shows the operating flow of the supervisory program A5 running on the access terminal. After starting on the website access terminal, supervisory program A5 first starts the web browser program, such as Microsoft Internet Explorer or Mozilla Firefox, and connects to the default website and web page. Once the browser program is running, A5 intervenes in (injects into) the browser program using HOOK (hooking) technology and then waits for the page to download. After the page has finished downloading, A5 judges whether the page is an authentication page by searching for the page elements defined by page standard B, then reads the authentication data stored in the hardware token, completes the authentication result calculation, fills the calculation result and the other authentication data such as A3 into the corresponding output page elements, and so completes the authentication process.
Supervisory program A5 intervenes in all running web browser program instances at the same time, including browser instances the user opened on their own, and monitors web page content, so that the user can use the hardware token they hold to log in to other websites.
The basic idea of the present invention is: design web pages according to a set of web page design standards, then use the supervisory program running on the access terminal to confirm the identity of the website visitor with the hardware token by intervening in the web browser program, thereby avoiding the access permission restrictions that a page on the terminal encounters when accessing the hardware token. Implementation of the present invention is not limited to the embodiment disclosed above. Any replacement or improvement made to the above embodiment on the basis of the above basic idea without creative work falls within the implementation of the present invention.

Claims (6)

1. A system for confirming the identity of a website visitor based on a hardware token (hereinafter referred to as the identity confirmation system for brevity), having: a hardware token and a web page design standard; wherein,
the hardware token stores authentication data corresponding one-to-one to the website visitor;
the web page design standard is the technical specification that the website must follow for the web pages related to visitor identity confirmation.
2. The identity confirmation system of claim 1, wherein,
the hardware token has a data communication interface through which it connects to a computer system;
the hardware token has a data storage device that stores authentication data corresponding one-to-one to the website visitor and a set of supervisory program files (hereinafter referred to as the supervisory program) that can run on the computer;
after the hardware token is connected to the computer through the data communication interface, it is mapped as a storage device on the computer system that holds the above supervisory program;
the hardware token has unique number data; after the visitor's personal information is written, the website issues it to the legitimate visitor, and the unique number data together with the visitor's personal information are written to the website server's customer database as one data record.
3. The identity confirmation system of claim 1, wherein,
the web page design standard specifies one group of page elements used by the page to pass the various authentication data required by the terminal visitor identity confirmation flow to the supervisory program;
the web page design standard specifies another group of page elements used by the supervisory program to pass the various authentication data required by the terminal visitor identity confirmation flow, the authentication state and the authentication result data to the page.
4. The identity confirmation system of claim 2, wherein,
the supervisory program is a group of program files stored in the hardware token that can run on the computer system;
the hardware token can start the supervisory program automatically after it is connected to the computer through the data communication interface, and the user can also start the supervisory program manually;
after the supervisory program starts, it opens the web browser program and opens the default website;
the supervisory program reads the page content of the above website through the development interface provided by the web browser program, generates authentication result data and submits it to the website server, and the server confirms the identity of the terminal's website visitor.
5. The identity confirmation system of claim 4, wherein,
the supervisory program parses and interprets the page content according to the web page design standard of claim 3, obtains the authentication data that the website server passes to the supervisory program through the specific web page elements, reads the authentication data stored in the hardware token, generates authentication result data from the authentication parameters and the authentication data according to the one-way hash algorithm, and hands these data to the specific web page elements through which the authentication process passes to the page the authentication data, the authentication state and the authentication result data generated this time;
the website server retrieves the user's personal information record stored in the server database according to the unique number data transmitted by the supervisory program, generates authentication result data from this record and the other authentication data, compares it with the authentication result data submitted by the supervisory program, and confirms the identity of the terminal user represented by the hardware token.
6. A method for confirming the identity of a website visitor based on a hardware token, which confirms the identity of a website visitor using a system for confirming the identity of a website visitor based on a hardware token, the system having: a hardware token and a web page design standard; wherein the steps of the method comprise:
A. The supervisory program stored on the hardware token, which must run on the computer, runs on the computer after the hardware token is connected to the computer system, starts the web browser program and opens the default user authentication page of the website;
B. The supervisory program reads the page content of the above website through the development interface provided by the web browser program, parses and interprets the page code according to the web page design standard, and obtains the authentication data used to confirm the terminal visitor's identity;
C. The supervisory program obtains the unique number data stored in the hardware token and the other authentication data that can be used to confirm the terminal visitor's identity, uses a one-way hash algorithm to generate authentication result data, and submits the number data and the authentication result data to the server;
D. The website server retrieves the user information record stored in the server database according to the unique number data, generates authentication result data from this record and the other authentication data, compares it with the authentication result data submitted by the supervisory program, and confirms the identity of the terminal user represented by the hardware token.
Application CN200810216364A, priority date 2008-10-06, filing date 2008-10-06: Hardware token based method and system for confirming identity of website visitor. Status: Pending. Publication CN101714921A (en).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810216364A CN101714921A (en) 2008-10-06 2008-10-06 Hardware token based method and system for confirming identity of website visitor

Publications (1)

Publication Number Publication Date
CN101714921A true CN101714921A (en) 2010-05-26

Family

ID=42418214

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810216364A Pending CN101714921A (en) 2008-10-06 2008-10-06 Hardware token based method and system for confirming identity of website visitor

Country Status (1)

Country Link
CN (1) CN101714921A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109417574A (en) * 2016-09-23 2019-03-01 苹果公司 Manage the authority of multiple users on electronic equipment
CN109417574B (en) * 2016-09-23 2021-10-29 苹果公司 Managing credentials of multiple users on an electronic device
US11277394B2 (en) 2016-09-23 2022-03-15 Apple Inc. Managing credentials of multiple users on an electronic device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
DD01 Delivery of document by public notice

Addressee: Xu Xiancai

Document name: Notification that Application Deemed to be Withdrawn

C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20100526