CN101783795B - Security level authentication method and system - Google Patents
Security level authentication method and system Download PDFInfo
- Publication number
- CN101783795B CN101783795B CN 200910243948 CN200910243948A CN101783795B CN 101783795 B CN101783795 B CN 101783795B CN 200910243948 CN200910243948 CN 200910243948 CN 200910243948 A CN200910243948 A CN 200910243948A CN 101783795 B CN101783795 B CN 101783795B
- Authority
- CN
- China
- Prior art keywords
- service
- application
- application system
- user
- operation system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Landscapes
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a security level authentication method and system. The method comprises the following steps: a third-party system is divided into a business system and an application system, BOSS is used to define the business system information, formulate billing strategy and update the information to SASE, SASE completes the registration of the business system; SASE defines the application system information, and defines and manages the security level strategy of each system; SASE classifies the systems according to business models and distributes corresponding security level strategies for different kinds of systems; and a user accesses the third-party system through a portal system, a single sign-on system distinguishes the system accessed by the user and performs corresponding safety verification flows according to the security level strategies corresponding to different kinds of systems and the corresponding security level strategies of the systems. By adopting the technical scheme of the invention, the extensible security level strategies can be provided and the security strategies can be classified so that the systems can flexibly integrated to the current architecture and the safety of each system can be ensured.
Description
Technical field
The present invention relates to the digital television techniques field, relate in particular to a kind of method and system of security level authentication.
Background technology
In digital TV field, exist huge architectural framework and numerous physical systems, these systems support different operation systems by various forms, finally show the user in digital television gateway.In this architectural framework, fail safe becomes one of important composition.Because numerous systems of compositional system framework may be developed by many companies, and do not have unified safety standard in architectural framework, so that diverse security architecture is arranged in the system of each.Simultaneously, because each technical merit and business model is different, to the requirement of safety the understanding of different brackets can appear, so that security context need to be processed the verifying work of different level of securitys when integrated each side operation system, and convenient follow-up workflow work.
The general technology that adopts mostly is the mode of single-sign-on now.
Single Sign-On Technology Used be so that the user after at the beginning by authentication, need not show login during other system of subsequent access again, but replaces the user to do proof of identity work by single-node login system.Simultaneously, the fail safe in order to guarantee to access third party's operation system all can be adopted further oppositely proof of identity mode.
When processing the integrated work of multi-service, no matter be B/S pattern or C/S model, all be to adopt the mode of single-sign-on to carry out undoubtedly, so really can reach the mode of a plurality of operation systems of sign-on access.Main flow process is as follows:
1, the user logins by identify label (forms such as user name, password or certificate).
2, single-node login system provides multiple authentication mode authenticated user identity.
In case behind the 3 success identity user identity, single-node login system can be recorded user's identify label, and return a with it secure ID of correspondence.
4, at this moment the user just can access direct login system (for example: the portal gate system) operate.
If system and other system integration of 5 users access, the user does not need again to show login when accessing other third party's operation system by gate system, the substitute is, and single-node login system is finished the reverse verifying work of identity automatically.
6, after this user can access third party's operation system normally.
Although the business integration mode of carrying out in the mode of single-sign-on has become security model very general on the market, employed technology and implementation strategy also can be integrated into various systems (heterogeneous system, system of foreign lands) within the security system, but along with the increase of third party's operation system, the business model that the third party realizes different (decision security strategy) has become more and more distinct issues to the management of third party's operation system and the safety check of different brackets.Be mainly manifested in following some:
1, there is not unified definition for operation system, can not all third party systems of unified management.
2, third party's operation system mostly is ripe product, and employed safe mode is different, can not unify to utilize a kind of mode to carry out safety check; And existing single-node login system has just been done checking and has not been verified two kinds of safe modes for fail safe, does not consider the territory security problems under the business strategy, and Validation Mode is relatively single.
3, single Validation Mode also can reduce the performance (at every turn all needing through safety certification such as all systems) of system to a certain extent greatly.
4, integrated under the large-scale integrated system architecture of security system, the problem that embodies is more simply after the safety certification, it is so simple to enter the third party system, the substitute is the integration of safe procedures, charging flow and workflow, this does not have unified flow process control function after will appearing at different security level authentications.
Summary of the invention
The object of the invention is to propose a kind of method and system of security level authentication, open-ended safe class strategy and classification security strategy can be provided, so that system easily is integrated in the existing architectural framework, guarantee simultaneously each Security of the system.
For reaching this purpose, the present invention by the following technical solutions:
A kind of method of security level authentication may further comprise the steps:
A, third party's system divides is become operation system and application system;
B, service operation and support system define operation system information, and charging policy is formulated in the service of operation system definition;
C, service operation and support system arrive multi-service automotive engine system, the registration of multi-service automotive engine system finishing service system with the operation system information synchronization;
D, multi-service automotive engine system definition application system information;
E, the definition of multi-service automotive engine system are also managed the safe class strategy of each described operation system and each described application system;
F, multi-service automotive engine system are classified according to business model to operation system and application system, according to classification results, are different classes of operation system and safe class strategy corresponding to application system distribution;
G, user through safety certification after, portal entry system, and by operation system or application system in the gate system access third party system;
Operation system or the application system of H, single-node login system identification user access, according to safe class strategy corresponding to described different classes of operation system and application system and the safe class strategy of described operation system or application system self correspondence, carry out corresponding safety verification flow process.
The safe class strategy of described operation system or application system self correspondence comprises following grade:
Do not need the application system of safety verification, the user directly accesses;
For the business model of safety in the default domain environment, operation system can be by the transmission of the user name charging flow of being correlated with, and application system can utilize user name to login;
For unsafe business model in the default domain environment, operation system and application system all need to finish further safety verification flow process by single-sign-on front end processor and single-node login system, obtain corresponding User Identity, carry out again follow-up charging or browsing process.
Described different classes of operation system and safe class strategy corresponding to application system comprise following grade:
After independent operation system or application system obtained identify label, the user can access service wherein;
After other operation system of middle grade or application system obtained identify label, the user can unify to enter the classification entrance, and does not need again safety verification just can access other operation systems or the application system of this classification;
After the operation system of high-grade or application system obtained identify label, the user can unify to enter the classification entrance, and the user accesses other operation systems or the application system of this classification, need to again carry out safety verification.
Do not need the application system of safety verification to comprise search system, weather system or announcement systems; Business model for safety in the default domain environment needs the application system of user identity to comprise collection system or bookmarking system, needs the operation system of user identity to comprise integrating system or video on-demand system; For unsafe business model in the default domain environment, comprise figure bell system or stock system.
The management that the management that the multi-service automotive engine system is enabled operation system or stopped using, multi-service automotive engine system are added, delete, enabled the application system or stop using.
A kind of system of security level authentication comprises user terminal, service operation and support system, multi-service automotive engine system, single-node login system, single-sign-on front end processor, gate system, operation system and application system,
Wherein user terminal is used for by gate system access service system or application system;
Service operation and support system are used for defining operation system information, charging policy is formulated in the service of operation system definition, and the operation system information synchronization is arrived the multi-service automotive engine system;
The multi-service automotive engine system is used for registration and the definition application system information of finishing service system, definition is also managed the safe class strategy of each operation system and application system self, and operation system and application system classified according to business model, according to classification results, be different classes of operation system and safe class strategy corresponding to application system distribution;
Single-node login system is used for operation system or the application system of identification user access, according to described operation system or safe class strategy corresponding to application system, carries out corresponding safety verification flow process;
The single-sign-on front end processor is used for the safety verification flow process of finishing service system and application system;
Operation system and application system are used for providing service.
Operation system comprises integrating system or video on-demand system, and application system comprises search system, weather system, announcement systems, collection system or bookmarking system.
Adopted technical scheme of the present invention, by definition and the classification to operation system and application system, can be so that environmental system be unified to system management, efficient so that operator with more various, mode is organized door pattern and workflow flexibly; For operator provides open-ended safe class strategy and classification security strategy, can so that system easily is integrated in the existing architectural framework, guarantee simultaneously each Security of the system; By various authentication policy, can also greatly improve the performance of total system; And the single-sign-on front end processor of employing chain type technique construction, not only can guarantee flexible expansion and the configuration of security strategy and workflow, can also greatly reduce the workload of secondary development, guarantee the stable of system configuration.
Description of drawings
Fig. 1 is the system construction drawing of security level authentication in the specific embodiment of the invention.
Fig. 2 is the flow chart of security level authentication in the specific embodiment of the invention.
Embodiment
Further specify technical scheme of the present invention below in conjunction with accompanying drawing and by embodiment.
Fig. 1 is the system construction drawing of security level authentication in the specific embodiment of the invention.As shown in Figure 1, this security level authentication system comprises user terminal 101, service operation and support system 102, multi-service automotive engine system 103, single-node login system 104, single-sign-on front end processor 105, gate system 106, operation system 107 and application system 108.
Wherein user terminal is by gate system access service system or application system, service operation and support system definition operation system information, charging policy is formulated in service to the operation system definition, and with the operation system information synchronization to the multi-service automotive engine system, the registration of multi-service automotive engine system finishing service system and definition application system information, definition is also managed the safe class strategy of each operation system and application system self, and operation system and application system classified according to business model, according to classification results, be different classes of operation system and safe class strategy corresponding to application system distribution, operation system or the application system of single-node login system identification user access, according to described operation system or safe class strategy corresponding to application system, carry out corresponding safety verification flow process, the safety verification flow process of single-sign-on front end processor finishing service system and application system, operation system and application system are used for providing service.
Operation system mainly comprises integrating system or video on-demand system etc., and application system mainly comprises search system, weather system, announcement systems, collection system or bookmarking system etc.
Fig. 2 is the flow chart of security level authentication in the specific embodiment of the invention.As shown in Figure 2, the method for this security level authentication may further comprise the steps:
The management that the management that the multi-service automotive engine system is enabled operation system or stopped using, multi-service automotive engine system are added, delete, enabled the application system or stop using.
The safe class strategy of operation system or application system self correspondence comprises following grade:
Do not need the application system of safety verification, the user directly accesses;
For the business model of safety in the default domain environment, operation system can be by the transmission of the user name charging flow of being correlated with, and application system can utilize user name to login;
For unsafe business model in the default domain environment, operation system and application system all need to finish further safety verification flow process by single-sign-on front end processor and single-node login system, obtain corresponding User Identity, carry out again follow-up charging or browsing process.
Wherein, do not need the application system of safety verification to comprise search system, weather system or announcement systems, do not need can directly accessing of user identity.
Business model for safety in the default domain environment, need the application system of user identity to comprise collection system or bookmarking system, can directly transmit identify label, corresponding service (the many and same manufacturer of portal service, other system of low level security that also has the third party system to provide) is provided.
Need the operation system of user identity to comprise integrating system or video on-demand system, can directly transmit identify label, finish follow-up charging, watch etc. served (the many and same manufacturer of gate system, other system of low level security that also has the third party system to provide, there is not the capability development security system, then the default domain Environmental security).
For unsafe business model in the default domain environment, comprise figure bell system or stock system, need could to obtain identify label (mostly be the third party system, the system with the same manufacturer of gate system is also arranged partly, but the higher level of security of needs) by further safety certification.
Safe class strategy corresponding to different classes of operation system and application system comprises following grade:
After independent operation system or application system obtained identify label, the user can access service wherein;
After other operation system of middle grade or application system obtained identify label, the user can unify to enter the classification entrance, and does not need again safety verification just can access other operation systems or the application system of this classification;
After the operation system of high-grade or application system obtained identify label, the user can unify to enter the classification entrance, and the user accesses other operation systems or the application system of this classification, need to again carry out safety verification.
Operation system or the application system of step 208, single-node login system identification user access, at first according to different classes of operation system and safe class strategy corresponding to application system, carry out corresponding safety verification flow process, after entering classification, according to the safe class strategy of operation system or application system self correspondence, carry out corresponding safety verification flow process again.
By to the classification of operation system and application system (operation system and application system can hybrid classification), can be so that flow process jumps to corresponding entrance.As:
A) VOD film, TV play etc. all belong to the service of video entertainment class, and same video entry address then is provided;
B) services such as stock, fund, online transaction all belong to the service of high level of security, and the port address that is classified into of this class then is provided behind identity verification;
C) with respect to the safety verification of middle grade, such as third-party answer and integrating system, then behind identity verification, provide the port address that is classified into of this class, do not need corresponding safety certification when after this user visits again in this classification other system in a period of time;
D) do not have the system of grouping, then directly provide when registration corresponding entry address.
The above; only for the better embodiment of the present invention, but protection scope of the present invention is not limited to this, anyly is familiar with the people of this technology in the disclosed technical scope of the present invention; the variation that can expect easily or replacement all should be encompassed within protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection range of claim.
Claims (7)
1. the method for a security level authentication is characterized in that, may further comprise the steps:
A, third party's system divides is become operation system and application system;
B, service operation and support system define operation system information, and charging policy is formulated in the service of operation system definition;
C, service operation and support system arrive multi-service automotive engine system, the registration of multi-service automotive engine system finishing service system with the operation system information synchronization;
D, multi-service automotive engine system definition application system information;
E, the definition of multi-service automotive engine system are also managed the safe class strategy of each described operation system and each described application system;
F, multi-service automotive engine system are classified according to business model to operation system and application system, according to classification results, are different classes of operation system and safe class strategy corresponding to application system distribution;
G, user through safety certification after, portal entry system, and by operation system or application system in the gate system access third party system;
Operation system or the application system of H, single-node login system identification user access, according to safe class strategy corresponding to described different classes of operation system and application system and the safe class strategy of described operation system or application system self correspondence, carry out corresponding safety verification flow process.
2. the method for a kind of security level authentication according to claim 1 is characterized in that, the safe class strategy of described operation system or application system self correspondence comprises following grade:
Do not need the application system of safety verification, the user directly accesses;
For the business model of safety in the default domain environment, operation system can be by the transmission of the user name charging flow of being correlated with, and application system can utilize user name to login;
For unsafe business model in the default domain environment, operation system and application system all need to finish further safety verification flow process by single-sign-on front end processor and single-node login system, obtain corresponding User Identity, carry out again follow-up charging or browsing process.
3. according to claim 1 or the method for 2 described a kind of security level authentications, it is characterized in that described different classes of operation system and safe class strategy corresponding to application system comprise following grade:
After independent operation system or application system obtained identify label, the user can access service wherein;
After other operation system of middle grade or application system obtained identify label, the user can unify to enter the classification entrance, and does not need again safety verification just can access other operation systems or the application system of this classification;
After the operation system of high-grade or application system obtained identify label, the user can unify to enter the classification entrance, and the user accesses other operation systems or the application system of this classification, need to again carry out safety verification.
4. the method for a kind of security level authentication according to claim 2 is characterized in that, does not need the application system of safety verification to comprise search system, weather system or announcement systems; Business model for safety in the default domain environment needs the application system of user identity to comprise collection system or bookmarking system, needs the operation system of user identity to comprise integrating system or video on-demand system; For unsafe business model in the default domain environment, comprise figure bell system or stock system.
5. the method for a kind of security level authentication according to claim 1, it is characterized in that, the management that the management that the multi-service automotive engine system is enabled operation system or stopped using, multi-service automotive engine system are added, delete, enabled the application system or stop using.
6. the system of a security level authentication, it is characterized in that, comprise user terminal, service operation and support system, multi-service automotive engine system, single-node login system, gate system, operation system and application system, described gate system comprises the single-sign-on front end processor;
Wherein user terminal is used for by gate system access service system or application system;
Service operation and support system are used for defining operation system information, charging policy is formulated in the service of operation system definition, and the operation system information synchronization is arrived the multi-service automotive engine system;
The multi-service automotive engine system is used for registration and the definition application system information of finishing service system, definition is also managed the safe class strategy of each operation system and application system self, and operation system and application system classified according to business model, according to classification results, be different classes of operation system and safe class strategy corresponding to application system distribution;
Single-node login system is used for operation system or the application system of identification user access, according to described operation system or safe class strategy corresponding to application system, carries out corresponding safety verification flow process;
The single-sign-on front end processor is used for the safety verification flow process of finishing service system and application system;
Operation system and application system are used for providing service.
7. the system of a kind of security level authentication according to claim 6 is characterized in that, operation system comprises integrating system or video on-demand system, and application system comprises search system, weather system, announcement systems, collection system or bookmarking system.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200910243948 CN101783795B (en) | 2009-12-25 | 2009-12-25 | Security level authentication method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200910243948 CN101783795B (en) | 2009-12-25 | 2009-12-25 | Security level authentication method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101783795A CN101783795A (en) | 2010-07-21 |
| CN101783795B true CN101783795B (en) | 2013-02-13 |
Family
ID=42523614
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 200910243948 Expired - Fee Related CN101783795B (en) | 2009-12-25 | 2009-12-25 | Security level authentication method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101783795B (en) |
Families Citing this family (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103116858A (en) * | 2011-11-17 | 2013-05-22 | 银视通信息科技有限公司 | Control method and system of automatic adjustment of transaction risk levels in set top boxes |
| CN102510338B (en) * | 2011-12-31 | 2015-01-07 | 中国工商银行股份有限公司 | System, device and method for security certificate for multi-organization interconnection system |
| CN103841130A (en) * | 2012-11-21 | 2014-06-04 | 深圳市腾讯计算机系统有限公司 | Verification information pushing method and device, and identity authentication method and device |
| CN104980429A (en) * | 2015-05-06 | 2015-10-14 | 努比亚技术有限公司 | Method, device and system for unified account login based on virtual user identification card |
| CN106453205B (en) * | 2015-08-07 | 2019-12-10 | 阿里巴巴集团控股有限公司 | identity verification method and device |
| CN108241803B (en) * | 2016-12-23 | 2019-03-08 | 中科星图股份有限公司 | A kind of access control method of heterogeneous system |
| CN110874185B (en) * | 2018-09-04 | 2021-12-17 | 杭州海康威视系统技术有限公司 | Data storage method and storage device |
| CN111859362A (en) * | 2020-06-09 | 2020-10-30 | 中国科学院数据与通信保护研究教育中心 | Multi-stage identity authentication method in mobile environment and electronic device |
| CN112287326B (en) * | 2020-09-28 | 2024-05-24 | 珠海大横琴科技发展有限公司 | Security authentication method and device, electronic equipment and storage medium |
| CN115102717B (en) * | 2022-05-25 | 2023-10-27 | 杭州易和互联软件技术有限公司 | Interconnection and intercommunication data transmission method and system based on user system |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101094225A (en) * | 2006-11-24 | 2007-12-26 | 中兴通讯股份有限公司 | Network, system and method of differentiated security service |
| CN101193432A (en) * | 2006-11-21 | 2008-06-04 | 中兴通讯股份有限公司 | Method and system for realizing mobile value-added secure service |
| CN101431654A (en) * | 2008-12-12 | 2009-05-13 | 天柏宽带网络科技(北京)有限公司 | Method and system for implementing authentication |
-
2009
- 2009-12-25 CN CN 200910243948 patent/CN101783795B/en not_active Expired - Fee Related
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101193432A (en) * | 2006-11-21 | 2008-06-04 | 中兴通讯股份有限公司 | Method and system for realizing mobile value-added secure service |
| CN101094225A (en) * | 2006-11-24 | 2007-12-26 | 中兴通讯股份有限公司 | Network, system and method of differentiated security service |
| CN101431654A (en) * | 2008-12-12 | 2009-05-13 | 天柏宽带网络科技(北京)有限公司 | Method and system for implementing authentication |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101783795A (en) | 2010-07-21 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101783795B (en) | Security level authentication method and system | |
| CN102761551B (en) | System and method for multilevel cross-domain access control | |
| US20190273784A1 (en) | Internet of things system | |
| CN103136627B (en) | Area real estate intelligent management system | |
| CN106412896A (en) | Authorization management method and system of wireless router | |
| CN102970292A (en) | Single sign on system and method based on cloud management and key management | |
| CN109817347A (en) | Inline diagnosis platform, its right management method and Rights Management System | |
| CN106792692A (en) | A kind of physics dicing method based on SDN technologies | |
| CN103391274B (en) | A kind of integral network safety management method and device | |
| CN113114632A (en) | Can peg graft formula intelligence financial audit platform | |
| CN102137102B (en) | Realizing method of service supporting platform for supporting multiclass information publishing modes | |
| CN109891822A (en) | Electric signing system, electronic signature server and electric endorsement method | |
| CN102420808A (en) | Method for realizing single signon on telecom on-line business hall | |
| CN101471939A (en) | Multitime user authentication method for fusion business system with SOA architecture | |
| CN102299945A (en) | Gateway configuration page registration method, system thereof and portal certificate server | |
| CN102255904A (en) | Communication network and terminal authentication method thereof | |
| CN105100088B (en) | A kind of method and system for preventing illegally clone CM accesses DOCSIS networks | |
| CN106355706A (en) | Intelligent door lock system | |
| CN101364870A (en) | System and method realizing IPTV unified authentication by gateway mode | |
| CN109918430B (en) | 5G user data disassociation storage system and access method | |
| CN107181747A (en) | A kind of Handle resolution systems comprising top mode | |
| KR20150053070A (en) | Unusual action decision system | |
| CN110457897A (en) | A kind of database security detection method based on communication protocol and SQL syntax | |
| CN116155543A (en) | Industrial control system access control method based on rights and blockchain | |
| CN103795708A (en) | Terminal access method and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| ASS | Succession or assignment of patent right |
Owner name: DVN BEIJING CO., LTD. Free format text: FORMER OWNER: BEIJING HUSEN TECHNOLOGY CO., LTD. Effective date: 20121025 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20121025 Address after: 100086, room 2, peony building, No. 1302 peony, Haidian District, Beijing, Huayuan Road Applicant after: Beijing Huixin Bosi Technology Co., Ltd Address before: 100086, 19 floor, block A, digital building, No. 2 South Avenue, Beijing, Haidian District, Zhongguancun Applicant before: Beijing Husen Technology Co., Ltd. |
|
| EE01 | Entry into force of recordation of patent licensing contract |
Application publication date: 20100721 Assignee: Beijing Huixin Bosi Technology Co., Ltd Assignor: Beijing Husen Technology Co., Ltd. Contract record no.: 2012990000746 Denomination of invention: Security level authentication method and system License type: Exclusive License Record date: 20121010 |
|
| LICC | Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20130213 Termination date: 20181225 |