Embodiment
As public key infrastructure (PKI) technology has matured, public key certificates have come into use for identity authentication in many applications. A public key certificate is signed and issued by an authoritative and impartial third-party institution, the certificate authority (CA) center (server); with the public key certificate as the core of the encryption technology, the authenticity of an entity's identity is verified, and security is thereby guaranteed.
The embodiment of the invention uses the wireless network to perform identity authentication and obtains the public key certificate of the wireless terminal by accessing the CA server through the wireless network, thereby authenticating the wireless terminal; only after both the identity authentication and the certificate authentication have passed can the network terminal be logged in to and operated. This improves the security level of network terminal access control and makes the user's access operations on the network terminal safer and more reliable.
Embodiment one
In the embodiment of the invention, the networking pattern of a system implementing the method of the embodiment is shown in Figure 1. The system comprises: a wireless terminal (for example a wireless USB modem), a network terminal (for example a PC or a portable terminal) and a certificate verification (CA) server.
The wireless terminal and the network terminal are interconnected. The wireless terminal is used to accept authentication of itself by the wireless network side; after the authentication of the wireless terminal has passed, the wireless terminal uses the private key it holds and the corresponding public key certificate on the CA server to perform CA authentication; and after the CA authentication has passed, access to the network terminal is authorized.
The wireless terminal comprises a SIM/UIM card or a flash memory (Flash), and the SIM/UIM card or flash memory can be used to hold the private key.
The wireless terminal comprises a dedicated application programming interface (API), used to control access to the private key held in the wireless terminal.
At moments such as booting and logging in to the network terminal, locking the network terminal screen, and the network terminal entering the screen saver, the computer obtains the connection status between the wireless terminal and the PC by interrupt or by polling, and uses this opportunity to perform identity authentication through the wireless network.
With reference to Fig. 2, a method of controlling access to a network terminal provided by the embodiment of the invention uses the wireless terminal to authenticate PC login or access.
S201, the wireless network authenticates the wireless terminal;
Specifically, the wireless terminal sends a request to access the wireless network and accepts authentication of its subscriber identity (SIM) card by the wireless network side; when the SIM card authentication passes, the wireless terminal accesses the wireless network.
S202, after the authentication of the wireless terminal has passed, the wireless terminal uses the private key it holds and the public key certificate of the wireless terminal stored on the CA server to perform CA authentication;
To obtain the public key certificate of the wireless terminal, a public key certificate must first be applied for. Specifically, in the certificate application process the wireless terminal generates a key pair (public key and private key) with a cryptographic algorithm (for example RSA); the private key is kept in the secure storage area of the wireless terminal, and the public key together with some personal identity information is sent to the authentication center (CA server). After examining the identity, the authentication center takes the necessary steps to make sure that the request was really sent by the user, and then issues a public key certificate to the user; the certificate contains the user's personal information and public key information, together with the signature of the authentication center. The user can then use his own public key certificate for the relevant encryption and authentication operations.
The wireless terminal obtains its public key certificate from the CA server as follows:
After the wireless terminal is activated, it applies to the CA server for a public key certificate;
After receiving the public key certificate sent by the CA server, the wireless terminal keeps the received certificate in the wireless terminal for use in subsequent authentication.
Specifically, the public key certificate, encrypted with the private key of the wireless terminal and delivered over the air, is stored in the SIM/UIM card or the flash memory.
For safety and reliability, a dedicated API can be provided; this API is used to control access to the private key and public key certificate held in the wireless terminal.
During CA authentication, the network terminal authenticates the private key in the wireless terminal: it accesses the CA server through the wireless network and uses the public key certificate on the CA server and the private key of the wireless terminal to authenticate the wireless terminal. If the public key in the public key certificate matches the private key of the wireless terminal, the authentication passes. This mode is also called online authentication.
Although the private key and the public key certificate are kept in the wireless terminal, and the PC could access them directly through an interface such as USB, it is still necessary to confirm online whether the public key certificate has expired, whether it is still valid, and so on; therefore every authentication goes to the CA server through the wireless network to determine identity and authority. Only in this way can safety and reliability be guaranteed.
S203, after the CA authentication has passed, access to the network terminal is authorized.
In the technical scheme provided by the embodiment of the invention, when the user of the wireless terminal activates the terminal device, the terminal connects to the CA server through the wireless network and applies to the CA server for a public key certificate. After the user receives the public key certificate, it is saved through the terminal's dedicated interface in the SIM card/UIM card (or in a designated area of the terminal's flash memory; how the certificate is stored depends on the form of the wireless terminal, and the dedicated interface ensures that the private key associated with the certificate cannot be stolen). The wireless terminal device is connected to the PC host; after powering on it reports its USB port to the PC host and automatically connects to the wireless network with default parameters to interact with the CA server. Connecting to the wireless network requires SIM card authentication; if the authentication passes, the wireless network connection succeeds. The PC then uses the public key certificate information provided by the CA server in the wireless network to authenticate this user, and if the verification passes, it authorizes login to the PC host.
It can be seen that the embodiment of the invention uses wireless network authentication and obtains the public key certificate of the wireless terminal from the CA server through the wireless network, performing double authentication of the wireless terminal; this improves the reliability of authentication and realizes secure operation management of the network terminal.
Embodiment two
As shown in Figure 3, a method of controlling access to a network terminal provided by the embodiment of the invention is used to authenticate the boot login of a PC or another network terminal, and comprises the following steps:
Step S301, the wireless terminal is connected to the PC, and network access is performed through the wireless terminal;
The wireless terminal device starts, accesses the wireless network with default parameters, and reports its USB port to the PC;
Step S302, the wireless network authenticates the wireless terminal;
The wireless terminal is connected to the PC host. Connecting to the wireless network requires subscriber identity module (SIM) card authentication; if the authentication passes, the wireless network connection succeeds, the CA server is accessed through the wireless network, and the terminal interacts with the CA server.
The wireless terminal is usually connected to the PC with the most common USB cable. Of course a PCMCIA or Express interface can also be used, and the interaction protocol can still be the USB protocol.
If the authentication passes, subsequent step S303 is performed; otherwise an authentication failure is prompted and the flow goes to step S306;
Step S303, the public key certificate for performing CA authentication of the wireless terminal is obtained;
Specifically, when the wireless terminal is activated, it applies to the CA server for a public key certificate according to the procedure, and this public key certificate is built into the wireless terminal; it may be stored in the SIM/UIM card or in the Flash, but for storage safety a dedicated API is required to access it;
Alternatively, the PC host connects to the CA server through the wireless network to obtain the public key certificate;
Specifically, the PC host also automatically connects to the wireless network with default parameters and interacts with the CA server, and can thus obtain the public key certificate used to perform CA authentication of the wireless terminal.
During operations such as booting and logging in to the network terminal, locking the network terminal screen, and unlocking the network terminal screen, the PC authentication is implemented by modifying the interface in the Logon.dll module of the Windows system; for a Linux system (Mac OS is similar), this module takes a form such as logon.lib or logon.so and is invoked by the startup script in /etc/rc.d/rc x.d/ to perform boot login authentication.
Step S304, the PC uses the public key certificate information provided by the CA server in the wireless network to authenticate the user of this wireless terminal;
If the authentication of this wireless terminal passes, subsequent step S105 is performed; otherwise a CA authentication failure is prompted and the flow goes to step S106;
Step S305, the authorized mode is entered, and the PC can be logged in to or accessed and operated;
Step S306, the unauthorized mode of operation is entered and login to this PC is forbidden, for example by locking the screen.
It can be seen that the embodiment of the invention uses wireless network authentication and performs double authentication of the wireless terminal, improving the reliability of authentication; effective authentication is performed during boot login to the network terminal, realizing secure operation management of the network terminal.
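As an added illustration (not code from the patent or any product it describes), the following Python simulation walks the S301 to S306 decision flow of Embodiment two together with the online validity check of Embodiment one and the PIN-gated key access of Embodiment three: the private key never leaves the WirelessTerminal object, the PC fetches the certificate from a CAServer on every login and refuses expired or revoked ones, and key possession is proven by signing a fresh challenge. The class and method names, the PIN, the day counter used for expiry and the small RSA primes are all constructed assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
# Constructed RSA parameters: two known Mersenne primes give a 150-bit modulus,
# far too small for real use but enough to show the key/certificate match.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent kept inside the terminal

def digest(data: bytes, n: int) -> int:
    """Hash a challenge into the RSA message space (demo-only, no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class Certificate:
    subject: str                 # identity the CA bound to the key (Embodiment one)
    public_key: Tuple[int, int]  # (n, e) of the terminal's key pair
    expires_day: int             # end of validity, as a simple day counter
    revoked: bool = False        # CA-side status, re-checked on every login

class CAServer:
    """Online certificate directory consulted on every authentication."""
    def __init__(self, today: int):
        self.today = today
        self._certs: Dict[str, Certificate] = {}

    def issue(self, subject: str, public_key: Tuple[int, int], valid_days: int = 365):
        self._certs[subject] = Certificate(subject, public_key, self.today + valid_days)

    def revoke(self, subject: str) -> None:
        self._certs[subject].revoked = True

    def lookup(self, subject: str) -> Optional[Certificate]:
        """Return the certificate only if it is neither expired nor revoked."""
        cert = self._certs.get(subject)
        if cert is None or cert.revoked or cert.expires_day < self.today:
            return None
        return cert

class WirelessTerminal:
    """Holds the private key; the PC can only ask it to sign, never read it."""
    def __init__(self, subject: str, sim_ok: bool,
                 private_key: Tuple[int, int] = (N, D), pin: str = "1234"):
        self.subject, self.sim_ok = subject, sim_ok
        self.__private_key = private_key  # used only through sign_challenge
        self.__pin = pin

    def network_auth(self) -> bool:  # S201 / S302: SIM authentication result
        return self.sim_ok

    def sign_challenge(self, challenge: bytes, pin: str) -> Optional[int]:
        """Dedicated API: PIN-gated use of the private key (Embodiment three)."""
        if pin != self.__pin:
            return None
        n, d = self.__private_key
        return pow(digest(challenge, n), d, n)

class NetworkTerminal:
    """PC side: walks S301-S306 and ends in 'authorized' or 'locked'."""
    def __init__(self, ca: CAServer):
        self.ca = ca

    def login(self, terminal: Optional[WirelessTerminal], pin: str) -> str:
        if terminal is None or not terminal.network_auth():  # unplugged or S302 failed
            return "locked"
        cert = self.ca.lookup(terminal.subject)  # S303: fetched online, validity checked
        if cert is None:
            return "locked"
        challenge = secrets.token_bytes(32)  # S304: terminal must prove key possession
        sig = terminal.sign_challenge(challenge, pin)
        n, e = cert.public_key
        if sig is None or pow(sig, e, n) != digest(challenge, n):
            return "locked"  # S306: CA authentication failed
        return "authorized"  # S305
```

A terminal whose SIM authentication fails, whose PIN is wrong, whose key does not match the certificate, or whose certificate the CA reports as expired or revoked all end in the locked state, as does a login attempt with no terminal attached.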
Embodiment three
In addition, a method of controlling access to a network terminal provided by the embodiment of the invention further comprises, after the wireless terminal is disconnected, a step of forbidding login to the network terminal, specifically as follows:
When the user disconnects the physical connection between the wireless terminal and the PC, the PC authentication in the Logon.dll module of the Windows system detects that the wireless terminal is no longer present, and the PC host locks the screen directly.
As shown in Figure 4, a method of controlling access to a network terminal provided by the embodiment of the invention further comprises a step of the flow for releasing screen protection when the PC host is in the screen-locked state, specifically as follows:
Step S401, the wireless terminal device starts, and the wireless terminal reports its USB port to the PC and goes online with default parameters;
Step S402, the wireless network authenticates the wireless terminal;
The wireless terminal device is connected to the PC host; after powering on it reports its USB port to the PC host and automatically connects to the wireless network with default parameters to interact with the CA server. Connecting to the wireless network requires SIM card authentication; if the authentication passes, the wireless network connection succeeds.
The wireless terminal can be connected to the PC with the most common USB cable. Of course a PCMCIA or Express interface can also be used, and the interaction protocol can still be the USB protocol.
If the authentication passes, subsequent step S403 is performed; otherwise an authentication failure is prompted and the flow goes to step S406;
Step S403, the public key certificate for performing CA authentication of the wireless terminal is obtained;
Specifically, when the wireless terminal is activated, it applies to the CA server for a public key certificate according to the procedure, and the public key certificate is built into the wireless terminal; it may be stored in the SIM/UIM card or in the Flash, but for storage safety a dedicated application programming interface (API) is required to access it;
Alternatively, the PC host connects to the CA server through the wireless network to obtain the public key certificate;
Specifically, the PC host also automatically connects to the wireless network with default parameters and interacts with the CA server, and can thus obtain the public key certificate used to perform CA authentication of the wireless terminal.
Step S404, the PC uses the public key certificate information provided by the CA server in the wireless network to authenticate the user of this wireless terminal;
If the authentication of this wireless terminal passes, subsequent step S405 is performed; otherwise a CA authentication failure is prompted and the flow goes to step S406;
Step S405, the authorized mode is entered, and the PC can be logged in to and operated;
Step S406, the unauthorized mode of operation is entered; for example, the PC stays in the screen-locked state.
To prevent someone from illegally using a wireless terminal to log in to the PC host, a dedicated application DLL (dynamic link library) API can be developed for the wireless terminal to control access to the public key certificate, so that every access to the public key certificate built into the wireless terminal requires entering a personal identification number (PIN).
It can be seen that the present invention uses wireless network authentication and authenticates the wireless terminal, improving the reliability of authentication; it exercises effective control during the process of operating the network terminal and realizes secure operation management of the network terminal.
Embodiment four
The embodiment of the invention also provides a system for controlling access to a network terminal. With reference to Fig. 1, the system comprises: a wireless terminal, a network terminal (for example a PC host or another network terminal device) and a digital authentication (CA) server.
The digital authentication CA server is used to provide the public key certificate with which the wireless terminal is authenticated;
The wireless terminal and the network terminal are interconnected. The wireless terminal is used to provide the PC host with the communication link for accessing the network; to accept authentication of itself by the wireless network side; after the authentication of the wireless terminal has passed, to use the private key it holds and the public key certificate of the wireless terminal stored on the CA server to perform CA authentication; and after the CA authentication has passed, to authorize access to the network terminal.
The wireless terminal comprises a SIM/UIM card or a flash memory (Flash), and the SIM/UIM card or flash memory is used to hold the public key certificate and the private key.
The wireless terminal comprises a dedicated application programming interface (API), used to control access to the private key and public key certificate held in the wireless terminal.
The wireless terminal connects to the CA server through the wireless network and applies to the CA server for a public key certificate. After the wireless terminal receives the public key certificate, it is saved through the wireless terminal's dedicated interface in the SIM card/UIM card of the wireless terminal (or in a designated area of the terminal's flash memory; how the certificate is stored depends on the form of the wireless terminal, and the key point is that the dedicated interface ensures the private key associated with the certificate cannot be stolen).
The wireless terminal device is connected to the PC host in a wired manner. After powering on, the wireless terminal reports its USB port to the PC host and automatically connects to the wireless network with default parameters to interact with the CA server; connecting to the wireless network requires SIM card authentication, and if the authentication passes, the wireless network connection succeeds. Afterwards, the PC uses the public key certificate information provided by the CA server in the wireless network to authenticate this user, and if the verification passes, it authorizes login to the PC host.
A SIM/UIM card or flash memory (Flash) is provided in the wireless terminal, and the public key certificate is kept in the SIM/UIM card or the flash memory.
A dedicated application programming interface (API) is provided in the wireless terminal and is used to control access to the public key certificate held in the wireless terminal.
In the system provided by the embodiment of the invention, wireless network authentication is used and double authentication of the wireless terminal is performed, improving the reliability of authentication; effective control can be exercised during boot login to or operation of the network terminal, realizing secure operation management of the network terminal.
Embodiment five
With reference to Fig. 5, a wireless terminal 500 provided by the embodiment of the invention comprises:
an authentication module 510, used to accept authentication of the wireless terminal by the wireless network side;
Specifically, the wireless terminal sends a request to access the wireless network, and this authentication module accepts authentication of the subscriber identity (SIM) card of the wireless terminal by the wireless network side;
a judgment module 520, used to judge whether the authentication of the wireless terminal has passed;
When this SIM card authentication passes, the wireless terminal accesses the wireless network.
an acquisition module 530, used to obtain the public key certificate of the wireless terminal from the CA server;
a verification module 540, used, when the judgment module 520 judges that the authentication of the wireless terminal has passed, to perform CA authentication using the private key held by the wireless terminal and the public key certificate of the wireless terminal stored on the CA server;
the judgment module 520 is further used to judge whether the CA authentication has passed;
During each CA authentication, the network terminal authenticates the private key in the wireless terminal: it accesses the CA server through the wireless network and uses the public key certificate on the CA server and the private key of the wireless terminal to authenticate the wireless terminal. If the public key in the public key certificate matches the private key of the wireless terminal, the judgment module 520 determines that the CA authentication has passed.
an authorization module 550, used to authorize access to the network terminal when the judgment module judges that the CA authentication has passed.
The acquisition module 530 comprises an application module 531, a receiving module 532 and a storage module 533.
The application module 531 is used, when the wireless terminal is activated, to apply to the CA server for a public key certificate;
Specifically, the application module 531 sends the public key and the wireless terminal identity information to the CA authentication server to apply for the public key certificate.
The receiving module 532 is used to receive the public key certificate sent by the CA server;
The storage module 533 is used, after the public key certificate sent by the CA server is received, to keep the received public key certificate in the wireless terminal.
For safety and reliability, a dedicated application programming interface (API) is provided in the wireless terminal; this API is used to control access to the public key certificate held in the wireless terminal.
Preferably, the storage module 533 stores the encrypted public key certificate received over the air in the SIM/UIM card or the flash memory.
Before CA authentication is performed, the acquisition module 530 obtains the public key certificate corresponding to the wireless terminal from the CA server through the wireless network.
The wireless terminal further comprises:
a key generation module 560, used to generate a public/private key pair with a cryptographic algorithm;
the storage module 533 keeps the generated private key in the wireless terminal;
For safety, the private key can be obtained only by accessing the wireless terminal through the dedicated API.
In summary, the embodiment of the invention connects the wireless terminal to the network terminal, authenticates the wireless terminal and uses the wireless network to access the CA server to perform CA authentication; only after both the identity authentication and the CA authentication have passed can the network terminal be logged in to and operated. This improves the authentication reliability of network terminal access control and makes the user's access operations on the network terminal safer. Compared with USB key authentication login in the prior art, the security level of logging in to the network terminal is improved and the user's operation is more flexible. The embodiment of the invention overcomes the shortcoming that a USB Key cannot be used for mobile authentication when a CA server is used to authenticate the public key certificate. According to the embodiment of the invention, a PC that cannot access a wired network, or a portable terminal in mobile use, can be operated more safely and conveniently.
Obviously, those skilled in the art will appreciate that each module or step of the above embodiment of the invention can be realized with a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network formed by a plurality of computing devices; alternatively, they can be realized with program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; or they can be made into individual integrated circuit modules, or a plurality of the modules or steps can be made into a single integrated circuit module. Thus the embodiment of the invention is not restricted to any specific combination of hardware and software.
The above are only embodiments of the invention and are not intended to limit the protection scope of the present invention. Any modifications, equivalent replacements, improvements and the like made within the spirit and principles of the present invention are all included in the protection scope of the present invention.