This application is a divisional application of application No. 200810224837.9, filed October 23, 2008, entitled "A device, system and method for realizing identity authentication".
Embodiment
To make the objects, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
The device, system and method for realizing identity authentication provided by the invention build on existing identity authentication technology. By adding a metric-based authentication of the user device, they bind the user identity to the user device the user actually uses, which blocks most attacks on authentication carried out over the network, or at least raises the attacker's cost. Further, adding out-of-band authentication blocks attacks on the user identity carried out over the network, further improves authentication security, protects the interests of legitimate users and fundamentally solves problems such as man-in-the-middle attacks and connection hijacking.
In practice the user always performs identity authentication through a user device, so in the description below the user and the user device are treated as bound to each other.
Fig. 1a is a schematic diagram of the structure of the identity authentication system of the invention. Referring to Fig. 1a, the system comprises a user device, an authentication and authorization executor, an authentication policy module, an ordinary authentication server and a user device metric engine, wherein:
the ordinary authentication server interacts with the user device and the authentication and authorization executor to perform ordinary authentication of the user device;
the authentication and authorization executor, after determining that the user device has passed ordinary authentication and learning from the authentication policy module that the user device must also undergo metric authentication, sends a metric authentication request to the user device metric engine to perform metric authentication; if it determines that metric authentication succeeded, it notifies the user device that it may enter the business system;
In practice, metric authentication is considered successful when the metric authentication response returned by the user device metric engine contains binding-success information.
the authentication policy module interacts with the authentication and authorization executor; when it determines that the authentication policy it stores in advance contains metric authentication registration information for the user device, it notifies the authentication and authorization executor to perform metric authentication of the user device;
the user device metric engine receives the metric authentication request and obtains the metric authentication information of the user device by interacting with it; it applies integrity processing and the like to the obtained measurement to form a metric value and compares that value with the registered user device metric value stored in advance; if the comparison matches, it notifies the user device, via the authentication and authorization executor, that it may enter the business system;
If the comparison matches, the user device metric engine treats metric authentication as successful and returns to the authentication and authorization executor a metric authentication response carrying binding-success information;
the user device interacts with the user device metric engine and sends its own metric authentication information to it.
The user device metric engine is further used to receive metric authentication registration information: according to the metric policy set in advance, it generates a request to obtain metric authentication registration information and sends it to the user device, then applies integrity processing to the metric authentication registration information the user device returns, forming the registered user device metric value, which it stores.
The metric authentication registration information comprises, for each user device, the corresponding network interface card (NIC) information, operating system information, browser information, geographic location information, IP address, user device name information, user behaviour information and the like;
the metric policy set in advance selects one or more of these items of metric authentication registration information.
Generating the request to obtain metric authentication registration information means generating a request that corresponds to the metric policy set in advance. For example, if the metric policy set in advance comprises NIC information and operating system information, the generated request asks the user device for its NIC information and operating system information, and the user device carries its own NIC information and operating system information in the metric authentication registration information it returns.
In practice, the system may also comprise only the authentication and authorization executor, the user device metric engine and the authentication policy module; the user then uses the system to perform metric authentication directly, without ordinary authentication.
The ordinary authentication server interacts with the user device and the authentication and authorization executor to perform ordinary authentication of the user. The identity authentication technology it adopts may be dynamic password authentication, digital certificate authentication, biometric authentication, trusted terminal authentication and the like; this resembles existing identity authentication and is described only briefly below:
the authentication and authorization executor receives the access request sent by the user device and sends an ordinary identity authentication request to the ordinary authentication server; it receives the ordinary authentication requirement information, carries its own authentication identity information together with that requirement information in an access request response, and sends the response to the user device;
the user device receives the access request response, confirms that the identity authentication of the authentication and authorization executor passes, and sends an ordinary authentication requirement response to the ordinary authentication server;
the ordinary authentication server receives the ordinary identity authentication request and returns ordinary authentication requirement information to the authentication and authorization executor; it performs identity authentication according to the ordinary authentication requirement response it receives, determines that the user device has passed ordinary authentication, and returns to the authentication and authorization executor a user device identity authentication response carrying information that the user device passed ordinary authentication.
The user device metric engine comprises a detection middleware module, a metric collection module, a metric verification module and a metric registration information module, wherein:
the detection middleware module receives the metric authentication request and notifies the metric collection module to collect the metric value of the user device; it receives the metric value the metric collection module returns, obtains from the metric registration information module the registered user device metric value stored in advance for this user device, and sends both the device's metric value and its registered metric value to the metric verification module; it then forwards the information the metric verification module returns;
the metric collection module receives from the detection middleware module the notification to collect the user device's metric value and, according to the metric policy stored in advance, collects the metric authentication information of the user device;
the metric verification module applies metric processing to the received metric authentication information of the user device and compares the metric value so formed with the received registered user device metric value; if the comparison matches, it returns to the detection middleware module information indicating that the user device has passed authentication.
The detection middleware module also receives metric authentication registration information; correspondingly, the user device metric engine further comprises the metric registration information module, wherein:
the metric collection module is further used, according to the metric policy stored in advance and the notification from the detection middleware module to collect the user device's metric registration information, to collect the metric authentication registration information of the user device;
the metric registration information module applies metric processing to the metric authentication registration information of the user device forwarded by the detection middleware module, forming a metric value that serves as the registered user device metric value of that user device.
The metric policy comprises any one or any combination of the following items for each user device: the corresponding NIC information, operating system information, browser information, geographic location information, IP address, user device name information and user behaviour information.
In another embodiment of the invention, the user device metric engine comprises a metric collection module, a metric verification module, a metric registration information module and a behaviour analysis and judgement module, wherein:
the metric collection module collects the metric value of the user device according to the metric policy stored in advance and the information it receives;
In practice, the metric collection module collects the policy-related metric value of the user device according to the metric authentication registration information or metric authentication request it receives and the metric policy stored in advance. Specifically, the policy-related metric authentication registration information of the user device collected on the basis of a metric authentication registration request is sent to the metric registration information module, and the policy-related metric authentication information collected on the basis of a metric authentication request is sent to the metric verification module;
The metric value of the user device comprises information such as NIC information, operating system information, browser information, geographic location information, IP address, user device name information and user behaviour information. For metric authentication registration information, the metric value of the user device is the metric authentication registration information; for a metric authentication request, the metric value of the user device is the metric authentication information.
The metric policy stored in advance tells the metric collection module which metric values of the user device to collect, for example one or more of the user device's NIC information, operating system information, browser information, geographic location information, IP address, machine name information and visitor behaviour information.
The metric policy may apply to all user devices, or different metric policies may be set for different user devices.
Preferably, the policy-related metric authentication registration information that the metric collection module collects on receiving metric authentication registration information is the same as the policy-related metric authentication information it collects on receiving a metric authentication request; that is, the metric authentication registration information and the metric authentication information cover the same content. They differ only in the point in time at which the user device's metric value is collected.
the metric verification module applies metric processing to the metric value of the user device collected by the metric collection module and compares the resulting metric value with the registered user device metric value of this user device held in the metric registration information module; if the comparison matches, it generates a metric authentication response carrying binding-success information and sends it to the authentication and authorization executor; if the comparison does not match, it generates a metric authentication response carrying binding-failure information or registration prompt information and sends it to the authentication and authorization executor.
In practice, when the metric verification module determines that the comparison matches, this amounts to binding the user to the user device the user uses. The binding is not unique: it can be added to and changed flexibly as the usage environment changes, but ordinary authentication must be passed before it is changed.
the metric registration information module applies metric processing to the metric value of the user device collected by the metric collection module, forming a metric value that serves as the registered user device metric value of this user device;
Metric processing comprises integrity processing, data compression, encryption and the like applied to the selected metric value of the user device.
the behaviour analysis and judgement module collects and records the user's behavioural characteristics and judges and analyses them according to a predefined behaviour analysis algorithm.
In practice, the user device metric engine may also omit the behaviour analysis and judgement module.
By collecting and recording the user's behavioural characteristics and judging and analysing them, the behaviour analysis and judgement module strengthens the security authentication of the user. For example, it records behavioural characteristics such as the time at which the metric collection module collected the user device's metric value in response to a metric authentication registration request; when the behaviour analysis and judgement module judges the behavioural characteristics to be abnormal, it requires the user to perform further identity authentication to confirm that the user is legitimate.
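The metric engine described above (policy-driven registration request, integrity processing into a metric value, comparison against the registered value, per-device policies and the behaviour log) as an added Python example; this is not code from the patent, and the JSON-and-SHA-256 canonicalisation, the response field names and the sample device reports are assumptions chosen for illustration:

```python
import hashlib
import hmac
import json

# Metric items the patent lists; a metric policy selects one or more of them.
METRIC_ITEMS = ("nic", "os", "browser", "geo", "ip", "device_name", "user_behaviour")


def build_registration_request(policy):
    """Generate the 'obtain metric registration information' request for a policy.

    Assumed wire format (not specified by the patent): a dict naming the items
    the user device must report back in its registration information.
    """
    unknown = set(policy) - set(METRIC_ITEMS)
    if unknown:
        raise ValueError("policy names unknown metric items: %s" % sorted(unknown))
    return {"type": "metric_registration_request", "items": list(policy)}


def metric_process(policy, reported):
    """Metric (integrity) processing: canonicalise the policy-selected items and hash them.

    Only the items the policy names enter the hash, so a change in an item the policy
    does not select (e.g. the browser) leaves the metric value unchanged.
    Raises KeyError if the device did not report a policy-selected item.
    """
    selected = {item: reported[item] for item in policy}
    canonical = json.dumps(selected, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class MetricEngine:
    """User device metric engine: registration store, verification and behaviour log."""

    def __init__(self, default_policy, per_device_policy=None):
        self.default_policy = tuple(default_policy)
        # Different devices may have different policies; otherwise the shared one applies.
        self.per_device_policy = {d: tuple(p) for d, p in (per_device_policy or {}).items()}
        self.registered = {}      # metric registration information module: device -> metric value
        self.behaviour_log = []   # behaviour analysis module: (event, device, time of collection)

    def policy_for(self, device_id):
        return self.per_device_policy.get(device_id, self.default_policy)

    def register(self, device_id, reported, at):
        """Handle metric registration information: store the registered metric value."""
        value = metric_process(self.policy_for(device_id), reported)
        self.registered[device_id] = value
        self.behaviour_log.append(("register", device_id, at))
        return value

    def authenticate(self, device_id, reported, at):
        """Handle a metric authentication request; returns the response payload."""
        self.behaviour_log.append(("authenticate", device_id, at))
        registered = self.registered.get(device_id)
        if registered is None:
            return {"result": "registration_required"}   # registration prompt information
        try:
            value = metric_process(self.policy_for(device_id), reported)
        except KeyError as missing:
            return {"result": "bind_failed", "reason": "missing item %s" % missing}
        if hmac.compare_digest(value, registered):     # constant-time comparison
            return {"result": "bind_success"}
        return {"result": "bind_failed", "reason": "metric mismatch"}


# Constructed sample device reports (not taken from the patent).
DEVICE_A = {"nic": "00:11:22:33:44:55", "os": "OS 1.0", "browser": "Browser 7",
            "geo": "Beijing", "ip": "10.0.0.7", "device_name": "PC-A",
            "user_behaviour": "login 09:00"}
DEVICE_A_NEW_BROWSER = dict(DEVICE_A, browser="Browser 8")
DEVICE_A_NEW_NIC = dict(DEVICE_A, nic="66:77:88:99:aa:bb")


def demo():
    engine = MetricEngine(default_policy=("nic", "os", "browser"),
                          per_device_policy={"dev-lenient": ("nic", "os")})
    request = build_registration_request(engine.policy_for("dev-strict"))
    engine.register("dev-strict", DEVICE_A, at=1000)
    engine.register("dev-lenient", DEVICE_A, at=1001)
    return {
        "request_items": request["items"],
        "same": engine.authenticate("dev-strict", DEVICE_A, at=2000)["result"],
        "strict_browser_change": engine.authenticate("dev-strict", DEVICE_A_NEW_BROWSER, at=2001)["result"],
        "lenient_browser_change": engine.authenticate("dev-lenient", DEVICE_A_NEW_BROWSER, at=2002)["result"],
        "nic_change": engine.authenticate("dev-lenient", DEVICE_A_NEW_NIC, at=2003)["result"],
        "unregistered": engine.authenticate("dev-unknown", DEVICE_A, at=2004)["result"],
        "log_events": len(engine.behaviour_log),
    }


if __name__ == "__main__":
    print(demo())
```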
In practice, the identity authentication system shown in Fig. 1 may further comprise an out-of-band authentication server, wherein:
the authentication and authorization executor, after determining that the user device has passed metric authentication and learning from the authentication policy module that the user device must also undergo out-of-band authentication, sends an out-of-band identity authentication request to the out-of-band authentication server; if it determines that the out-of-band identity authentication response returned by the out-of-band authentication server contains out-of-band authentication success information, it notifies the user device that it may enter the business system;
the authentication policy module interacts with the authentication and authorization executor; when it determines that the authentication policy it stores in advance contains out-of-band authentication registration information for the user device, it notifies the authentication and authorization executor to perform out-of-band authentication of the user device;
the out-of-band authentication server receives the out-of-band identity authentication request, generates out-of-band authentication credential information and sends it to the user device; it verifies whether the out-of-band authentication credential information the user device returns is consistent with the out-of-band authentication credential information it sent to the user device; if consistent, it returns to the authentication and authorization executor an out-of-band identity authentication response containing out-of-band authentication success information.
The out-of-band authentication server comprises an information receiving module, an information processing module, an out-of-band authentication credential storage module, an out-of-band authentication credential comparison module and an information sending module, wherein:
the information receiving module forwards the received out-of-band identity authentication request and the out-of-band authentication credential information returned by the user device to the information processing module;
the information processing module receives the out-of-band identity authentication request, generates out-of-band authentication credential information and sends it to the out-of-band authentication credential storage module and the information sending module; it forwards the out-of-band authentication credential information returned by the user device, as passed on by the information receiving module, to the out-of-band authentication credential comparison module;
the out-of-band authentication credential storage module stores the out-of-band authentication credential information generated by the information processing module;
the out-of-band authentication credential comparison module verifies whether the out-of-band authentication credential information from the information processing module is consistent with the out-of-band authentication credential information held in the out-of-band authentication credential storage module; if consistent, it sends through the information sending module an out-of-band identity authentication response containing out-of-band authentication success information;
the information sending module sends the out-of-band authentication credential information it receives to the user device, and sends the out-of-band identity authentication response it receives to the authentication and authorization executor.
In this embodiment the authentication policy module is in practice a database server holding each user's authentication policy, one policy per user. The authentication policy may be expressed as: user - ordinary authentication - metric authentication - out-of-band authentication; or as: user - ordinary authentication - metric authentication; or as: user - ordinary authentication - out-of-band authentication. The metric value may be the integrity value obtained by applying an integrity operation to the measurement.
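The out-of-band authentication server's credential generation, storage and comparison, as an added Python example that is not part of the patent. It assumes a numeric one-time credential delivered to the device, a request identifier that links the two messages, and adds an expiry and single-use rule that the patent does not specify; the fake clock exists only so the demo runs offline:

```python
import hmac
import secrets
import time


class OutOfBandAuthServer:
    """Out-of-band authentication server: issue a credential to the device over the
    out-of-band channel, store it, and compare what the device later returns."""

    def __init__(self, ttl_seconds=120, code_digits=6, clock=time.time):
        self.ttl = ttl_seconds
        self.code_digits = code_digits
        self.clock = clock
        self._store = {}   # credential storage module: request_id -> (code, issued_at)

    def handle_request(self, request_id, device_id):
        """Information processing module: generate a fresh credential for this request.
        The returned message is what the information sending module delivers to the device."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.code_digits))
        self._store[request_id] = (code, self.clock())
        return {"to": device_id, "request_id": request_id, "credential": code}

    def handle_returned_credential(self, request_id, returned):
        """Credential comparison module: build the response sent to the executor."""
        entry = self._store.pop(request_id, None)   # single use, whatever the outcome
        if entry is None:
            return {"request_id": request_id, "result": "oob_auth_failed",
                    "reason": "unknown or already used request"}
        code, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            return {"request_id": request_id, "result": "oob_auth_failed", "reason": "expired"}
        if hmac.compare_digest(code.encode(), str(returned).encode()):   # constant time
            return {"request_id": request_id, "result": "oob_auth_success"}
        return {"request_id": request_id, "result": "oob_auth_failed", "reason": "credential mismatch"}


class FakeClock:
    """Controllable clock for the demo (constructed, not a component of the patent)."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    server = OutOfBandAuthServer(ttl_seconds=120, clock=clock)
    # 1. the device returns the correct credential in time
    msg1 = server.handle_request("req-1", "dev-A")
    ok = server.handle_returned_credential("req-1", msg1["credential"])
    # 2. the same request id is presented a second time
    replay = server.handle_returned_credential("req-1", msg1["credential"])
    # 3. a wrong credential for a fresh request
    msg2 = server.handle_request("req-2", "dev-A")
    wrong_code = "000000" if msg2["credential"] != "000000" else "111111"
    wrong = server.handle_returned_credential("req-2", wrong_code)
    # 4. the correct credential, but after the time-to-live has elapsed
    msg3 = server.handle_request("req-3", "dev-A")
    clock.advance(121)
    expired = server.handle_returned_credential("req-3", msg3["credential"])
    return {"ok": ok, "replay": replay, "wrong": wrong, "expired": expired,
            "code_len": len(msg1["credential"])}


if __name__ == "__main__":
    print(demo())
```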
Fig. 1b is another schematic diagram of the structure of the identity authentication system of the invention. Referring to Fig. 1b, the system comprises a user device, an authentication and authorization executor, an authentication policy module, an ordinary authentication server and an out-of-band authentication server, wherein:
the ordinary authentication server interacts with the user device and the authentication and authorization executor to perform ordinary authentication of the user;
the authentication and authorization executor, after determining that the user device has passed ordinary authentication and learning from the authentication policy module that the user device must undergo out-of-band authentication, sends an out-of-band identity authentication request to the out-of-band authentication server to perform out-of-band authentication; if it determines that out-of-band authentication succeeded, it notifies the user device that it may enter the business system;
In practice, if the out-of-band authentication server determines that out-of-band authentication succeeded, the out-of-band identity authentication response it returns to the authentication and authorization executor contains out-of-band authentication success information; the authentication and authorization executor receives that response and, according to the success information it contains, notifies the user device that it may enter the business system.
the authentication policy module interacts with the authentication and authorization executor; when it determines that the authentication policy it stores in advance contains out-of-band authentication registration information for the user device, it notifies the authentication and authorization executor to perform out-of-band authentication of the user device;
the out-of-band authentication server receives the out-of-band identity authentication request, generates out-of-band authentication credential information and sends it to the user device; it verifies whether the out-of-band authentication credential information the user device returns is consistent with what it sent to the user device and, if consistent, notifies the user device via the authentication and authorization executor that it may enter the business system.
In practice, when the out-of-band authentication server determines that out-of-band authentication succeeded, it returns to the authentication and authorization executor an out-of-band identity authentication response containing out-of-band authentication success information. The structure of this out-of-band authentication server is similar to that of the out-of-band authentication server in Fig. 1a and is not repeated here.
In practice, the user device can also complete out-of-band authentication registration through this system:
the ordinary authentication server interacts with the user device and the authentication and authorization executor to perform ordinary authentication of the user;
the authentication and authorization executor, after determining that the user device has passed ordinary authentication, asks the user device whether it wants to register an out-of-band authentication policy; it receives the out-of-band authentication policy registration information the user device sends and forwards it to the authentication policy module;
the authentication policy module receives the out-of-band authentication policy registration information and registers the out-of-band authentication policy for this user device.
In this embodiment, the user device metric engine or the out-of-band authentication server may also each be used on its own to complete identity authentication.
Fig. 2 is a flow diagram of the identity authentication method of the invention. Referring to Fig. 2, the flow comprises:
Step 201: the user device sends an access request to the authentication and authorization executor;
Step 202: the authentication and authorization executor receives the access request, sends an ordinary identity authentication request to the ordinary authentication server, receives the returned ordinary authentication requirement information, and sends to the user device an access request response carrying its own authentication identity information;
In this step, the authentication and authorization executor receives the access request and may determine the authentication policy for this user device from the user device identifier contained in the access request. The authentication policy may be set for the user device in the authentication and authorization executor in advance; for example, the ordinary identity authentication identifier is set to 1, the metric authentication identifier to 2 and the out-of-band identity authentication identifier to 3, where a higher identifier also implies the authentication of every lower identifier. For instance, if the authentication policy identifier set in advance for the user device is 3, the user device must pass ordinary authentication, metric authentication and out-of-band authentication in turn. Alternatively, the authentication policy may be held in the authentication policy module; ordinary authentication is then the default flow that must always be performed, and after ordinary authentication passes the authentication and authorization executor queries the authentication policy in the authentication policy module to learn whether metric authentication, out-of-band authentication, or both are still required.
In this embodiment the user device must pass ordinary authentication, metric authentication and out-of-band authentication in turn.
The authentication and authorization executor receives the access request and, after determining the user device's authentication policy identifier, sends an ordinary identity authentication request to the ordinary authentication server, receives the ordinary authentication requirement information the ordinary authentication server returns, and sends to the user device an access request response carrying its own authentication identity information, which may be digital signature information the authentication and authorization executor generates with its own private key.
In practice, according to the application of the user device and the identity authentication technology the user device supports, the authentication and authorization executor may adopt dynamic password authentication, USB Key digital certificate authentication, biometric authentication or IC card authentication, and sends the corresponding authentication identity information to the user device.
Step 203: the user device receives the access request response and verifies the authentication identity information of the authentication and authorization executor; if verification passes, it returns an ordinary authentication requirement response to the authentication and authorization executor;
In this step, the user device receives the access request response and adopts the authentication method corresponding to the authentication identity information sent by the authentication and authorization executor. For example, if the authentication and authorization executor sent its authentication identity information using dynamic password authentication, the user device verifies that information using the corresponding dynamic password technique. The verification flow is similar to existing flows and is not repeated here.
If the user device's verification of the authentication and authorization executor's authentication identity information passes, the user device considers the executor trustworthy, processes its own authentication identity information, such as a password, signature information or biometric characteristic, and carries the processed authentication identity information in the ordinary authentication requirement response; otherwise it returns to the authentication and authorization executor an ordinary authentication requirement response carrying authentication failure.
Step 204: the authentication and authorization executor receives the ordinary identity requirement response and forwards the user device authentication identity information it contains to the ordinary authentication server;
Step 205: the ordinary authentication server receives the user device authentication identity information, performs identity authentication, and returns a user device identity authentication response to the authentication and authorization executor;
In this step, the ordinary authentication server receives the user device authentication identity information; the identity authentication it performs is similar to existing identity authentication flows and is not repeated here.
If identity authentication passes, the returned user device identity authentication response carries identity authentication success information; otherwise it carries identity authentication failure information and the user device's authentication request is refused.
Step 206: the authentication and authorization executor receives the user device identity authentication response, determines that identity authentication passed, and sends a metric authentication request;
In this step, if the authentication and authorization executor has determined the user device's authentication policy identifier, which in this embodiment requires metric authentication and then out-of-band authentication of the user device, it sends a metric authentication request to the user device metric engine.
If the user's authentication policy is stored in the authentication policy module, it instead sends a metric authentication query request to the authentication policy module and performs steps 206a to 206b (not shown).
Step 206a: the authentication policy module receives the metric authentication query request, queries the stored authentication policy, and returns a metric authentication query response to the authentication and authorization executor;
In this step, the authentication policy module receives the metric authentication query request and, from the authentication policy obtained by the query, determines whether further authentication is needed. If not, it returns a metric authentication query response to the authentication and authorization executor indicating that the user device may enter the business system; if so, it returns a metric authentication query response instructing the authentication and authorization executor to perform the subsequent authentication.
In practice, if the authentication policy module finds that the user must undergo both metric authentication and out-of-band authentication, it may carry the user device's authentication policy identifier in the metric authentication query response, so that when metric authentication subsequently passes the executor no longer sends an out-of-band authentication query request to the authentication policy module but proceeds directly to out-of-band authentication. Of course, in practice the executor may instead, when metric authentication passes, send an out-of-band authentication query request to the authentication policy module again to learn whether the user must undergo out-of-band authentication.
Step 206b: the authentication and authorization executor receives the metric authentication query response, determines that metric authentication is required, and sends a metric authentication request;
In this step, if the received metric authentication query response indicates that no further authentication is needed, the user device is notified that it may enter the business system; otherwise, according to the indication information in the metric authentication query response, such as the user device's authentication policy identifier, a metric authentication request is sent to the user device metric engine.
Step 207: the subscriber equipment tolerance engine receives the tolerance authentication request information, performs tolerance authentication on the subscriber equipment, and returns tolerance authentication request response information to the Certificate Authority executor;
In this step, the subscriber equipment tolerance engine receives the tolerance authentication request information and obtains the tolerance authentication information of this subscriber equipment. It processes that information into a metric value, for example by computing an integrity value over the tolerance authentication information, and compares the metric value with the metric value stored at the user's registration. If the comparison matches, it returns tolerance authentication request response information carrying a binding-success indication to the Certificate Authority executor; if the comparison does not match, it returns tolerance authentication request response information carrying a binding-failure indication or a re-registration indication.
When the subscriber equipment tolerance engine receives the tolerance authentication request information and performs tolerance authentication, it may actively collect the tolerance authentication information of the subscriber equipment at that moment; or the subscriber equipment tolerance engine may monitor the subscriber equipment, actively collect its tolerance authentication information after the equipment powers on, and store it. Preferably, the tolerance authentication information is collected over a non-standard protocol, which makes it harder for an attacker to learn when the subscriber equipment tolerance engine performs the metric collection.
The tolerance authentication information of the subscriber equipment includes, but is not limited to, network interface card information, operating system information, browser information, the geographical location of the IP address, the subscriber equipment name, user behaviour information, or any combination of these.
For the comparison, an integrity value is computed, for example, over the collected network interface card information, operating system information, browser information and so on, and compared with the integrity value registered in the database; if they are consistent, the subscriber equipment identity is bound to the subscriber equipment. Because the metric values are actively collected by the subscriber equipment tolerance engine on the authentication service side, an attacker cannot prevent or forge the authentication service side's collection of the subscriber equipment's metric values; this strengthens the security of subscriber equipment authentication and can effectively stop replay attacks, man-in-the-middle attacks and the like.
Specifically, after the user's common authentication is completed, and according to the subscriber equipment authentication policy, the subscriber equipment tolerance engine on the authentication side actively initiates collection of the subscriber equipment's tolerance authentication information, so an attacker has difficulty determining when the collection takes place (unless the attacker controls the authentication service side's server); and because the collection uses a non-standard protocol, it is also harder for the attacker to learn when the subscriber equipment tolerance engine collects the tolerance authentication information.
Step 208: the Certificate Authority executor receives the tolerance authentication request response information and, if it determines that out-of-band authentication is required, sends an out-of-band identity authentication request to the out-of-band authentication server;
In this step, if the tolerance authentication request response information carries a binding-success indication, the Certificate Authority executor decides, based on the previously determined subscriber equipment authentication policy flag or on the user's out-of-band authentication policy obtained by querying the authentication policy module, whether subsequent authentication is needed. If it determines that the subscriber equipment needs no subsequent authentication, it notifies the subscriber equipment that it may enter the operation system; if it determines that subsequent authentication is needed, it sends an out-of-band identity authentication request to the out-of-band authentication server.
If the tolerance authentication request response information carries a binding-failure indication or a re-registration indication, the Certificate Authority executor notifies the subscriber equipment that binding failed or that it must re-register, and refuses the subscriber equipment entry to the operation system.
Step 209: the out-of-band authentication server receives the out-of-band identity authentication request, generates out-of-band authentication credential information, and sends it to the subscriber equipment;
In this step, the out-of-band authentication server receives the out-of-band identity authentication request and generates out-of-band authentication credential information, such as a password, a telephone call, a short message or an e-mail, and sends it to the user through a transmission system, for example a short message system, telephone or e-mail.
Step 210: the subscriber equipment receives the out-of-band authentication credential information and returns it to the out-of-band authentication server;
In this step, the subscriber equipment receives the out-of-band authentication credential information and sends the received credential information back to the out-of-band authentication server through the same transmission system over which it was received, for example the short message system, telephone or e-mail.
Step 211: the out-of-band authentication server receives the out-of-band authentication credential information and returns an out-of-band identity authentication request response to the Certificate Authority executor;
In this step, the out-of-band authentication server receives the out-of-band authentication credential information and checks it against the out-of-band authentication credential information it sent to the user. If they are consistent, out-of-band authentication passes, and the server returns an out-of-band identity authentication request response carrying an out-of-band authentication success indication to the Certificate Authority executor. If no feedback from the user (the out-of-band authentication credential information) is received within the preset time window, or the out-of-band authentication credential information returned by the user is inconsistent with the credential information the server sent to the user, the server returns an out-of-band identity authentication request response to the Certificate Authority executor carrying an out-of-band authentication failure indication or a re-registration indication.
Step 212: the Certificate Authority executor receives the out-of-band identity authentication request response, determines that out-of-band authentication has passed, and notifies the subscriber equipment that it may enter the operation system.
In this step, if the returned out-of-band identity authentication request response carries an out-of-band authentication failure indication or a re-registration indication, the Certificate Authority executor notifies the subscriber equipment that out-of-band authentication failed or that it must re-register, and refuses the subscriber equipment entry to the operation system.
This ends the flow.
Fig. 3 is a schematic flow chart of authentication policy registration according to the present invention. Referring to Fig. 3, the flow comprises:
Step 301: the subscriber equipment (the visiting user) requests access from the Certificate Authority executor and requires trusted identity authentication of the Certificate Authority executor;
Step 302: the Certificate Authority executor requests the common authentication server to authenticate the visiting user; the common authentication server returns the corresponding authentication requirement to the visiting user through the subscriber equipment; at the same time, the Certificate Authority executor generates its own identity trust information and returns it to the visiting user;
In this step, the authentication requirement may be dynamic password identity authentication information, USB Key digital certificate authentication information, biometric identity authentication information or IC card authentication information.
The identity trust information is signature information generated by the Certificate Authority executor with its own private key.
Step 303: the subscriber equipment receives the information, confirms that the Certificate Authority executor's identity authentication passes, and sends common authentication requirement response information to the common authentication server;
In this step, the subscriber equipment receives the access request response information and verifies the Certificate Authority executor's authentication identity information contained in it, for example by verifying the received signature information with the Certificate Authority executor's public key.
If the verification passes, showing that this Certificate Authority executor is trustworthy, the subscriber equipment sends common authentication requirement response information to the common authentication server through the Certificate Authority executor according to the received common authentication requirement information. For example, if the common authentication requirement information requires the subscriber equipment to enter a password, the subscriber equipment takes the entered password as the common authentication requirement response information and sends it to the common authentication server.
If the verification does not pass, the process ends.
Step 304: the common authentication server receives the common authentication requirement response information, performs identity authentication, and returns subscriber equipment authentication identity response information to the Certificate Authority executor;
This step is similar to step 205.
Step 305: the Certificate Authority executor sends tolerance authentication registration information to the subscriber equipment tolerance engine;
In this step, the Certificate Authority executor confirms that user identity authentication has passed and sends tolerance authentication registration information to the subscriber equipment tolerance engine.
Step 306: the subscriber equipment tolerance engine receives the tolerance authentication registration information and performs tolerance authentication registration for the subscriber equipment;
In this step, the subscriber equipment tolerance engine receives the tolerance authentication registration information, which triggers active collection of the subscriber equipment's tolerance authentication registration information. According to the metric policy stored in advance, which names one or any combination of network interface card information, operating system information, browser information, the geographical location of the IP address, the subscriber equipment name and user behaviour information, the engine collects the information corresponding to the stored metric policy. For example, if the stored metric policy comprises network interface card information and operating system information, the subscriber equipment tolerance engine actively collects the network interface card information and operating system information of the subscriber equipment.
The subscriber equipment tolerance engine applies integrity processing to the actively collected tolerance authentication registration information to generate a registration metric value, and stores the registration metric value result.
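The registration of step 306 and the comparison of step 207 (repeated in step 410) share one piece of logic: select the device attributes named by the metric policy, reduce them to a metric value by integrity processing, store that value at registration, and compare a freshly computed value against it at authentication. The following is an added example of that logic, written for this edit and not taken from the patent; the engine, field and result names, the choice of a keyed SHA-256 over canonical JSON as the "integrity processing", and the sample device attributes are all assumptions.

```python
"""Tolerance (device-measurement) registration and authentication, modelled on
steps 207/410 and 306 of the flow above. Added example; names, the HMAC-based
integrity value and the sample attributes are assumptions, not the patent's own."""
import hashlib
import hmac
import json

# Metric policy stored in advance (step 306): which device attributes to collect.
METRIC_POLICY = ("nic", "os", "browser")

# Sample device attributes, constructed for this example.
REGISTERED_DEVICE = {
    "nic": "00:11:22:33:44:55",
    "os": "Windows XP SP3",
    "browser": "Firefox/3.0",
    "ip_location": "Beijing",   # outside the policy, so changes here are ignored
}

# Engine-side secret (assumed): keys the integrity value so a copied metric
# store cannot be used to precompute matching values elsewhere.
SECRET = b"engine-secret-constructed-for-example"


def integrity_value(attrs, policy=METRIC_POLICY, key=SECRET):
    """Integrity processing: canonical JSON of the policy-selected attributes,
    reduced to a keyed SHA-256 digest (the metric value)."""
    selected = {k: attrs.get(k, "") for k in policy}
    canonical = json.dumps(selected, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class ToleranceEngine:
    def __init__(self):
        self._registry = {}  # user -> registration metric value (step 306 store)

    def register(self, user, attrs):
        """Step 306: collect per policy, form the registration metric value, store it."""
        self._registry[user] = integrity_value(attrs)
        return self._registry[user]

    def authenticate(self, user, attrs):
        """Step 207/410: form the metric value from freshly collected attributes and
        compare it with the stored one. Returns the indication that the tolerance
        authentication request response would carry."""
        stored = self._registry.get(user)
        if stored is None:
            return "REREGISTER"          # no registration metric value for this user
        current = integrity_value(attrs)
        # constant-time comparison so timing does not leak how much matched
        if hmac.compare_digest(stored, current):
            return "BIND_SUCCESS"
        return "BIND_FAILED"


def demo():
    engine = ToleranceEngine()
    engine.register("alice", REGISTERED_DEVICE)
    same = engine.authenticate("alice", REGISTERED_DEVICE)
    # ip_location is not in the policy, so a move still binds successfully
    moved = engine.authenticate("alice", dict(REGISTERED_DEVICE, ip_location="Shanghai"))
    # the browser is in the policy, so a different browser fails to bind
    other = engine.authenticate("alice", dict(REGISTERED_DEVICE, browser="IE/7"))
    # a user with no registration is told to register
    unknown = engine.authenticate("bob", REGISTERED_DEVICE)
    return same, moved, other, unknown


if __name__ == "__main__":
    print(demo())
```

The policy tuple is what the text calls the metric policy stored in advance: widening it (adding the IP location, say) makes the binding stricter and a location change would then fail to bind, which is the trade-off a deployment tunes.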
Step 307: the subscriber equipment tolerance engine sends the tolerance authentication policy information of the subscriber equipment to the authentication policy module;
In this step, the subscriber equipment tolerance engine writes into the authentication policy module the tolerance authentication policy that requires tolerance authentication of the subscriber equipment, for example a policy stating that the subscriber equipment requires tolerance authentication.
Step 308: the authentication policy module receives the tolerance authentication policy information, stores it, and sends tolerance authentication registration response information to the Certificate Authority executor;
Step 309: the subscriber equipment tolerance engine sends tolerance authentication registration response information to the Certificate Authority executor;
In practice, steps 307 and 309 may be performed in either order.
Step 310: the Certificate Authority executor receives the tolerance authentication registration response information sent by the subscriber equipment tolerance engine and by the authentication policy module, carries in the tolerance authentication registration response information an indication of whether out-of-band authentication policy information is to be registered, and sends it to the subscriber equipment;
Step 311: the subscriber equipment receives the tolerance authentication registration response information, learns that tolerance authentication registration has succeeded, confirms whether to update or register the out-of-band authentication policy, and sends out-of-band authentication policy registration information to the Certificate Authority executor;
In this step, the subscriber equipment performs the processing required to register the out-of-band authentication policy.
Step 312: the Certificate Authority executor forwards the received out-of-band authentication policy registration information to the authentication policy module;
Step 313: the authentication policy module receives the out-of-band authentication policy registration information, registers the out-of-band authentication policy for this user, and returns out-of-band authentication policy registration response information to the Certificate Authority executor;
Step 314: the Certificate Authority executor forwards the out-of-band authentication policy registration response information to the subscriber equipment.
This ends the authentication policy registration flow.
In practice, according to the needs of the subscriber equipment, only the tolerance authentication policy or only the out-of-band authentication policy may be registered in the authentication policy module, both may be registered, or tolerance authentication or out-of-band authentication may be performed directly.
After registration is completed, identity authentication of the subscriber equipment can subsequently be performed so that it may enter the operation system and carry out business operations. Note that if registration and authentication are carried out separately, common authentication is performed in each of the registration process and the authentication process.
Below, the authentication of the present invention is described in detail, taking as an example the case in which the authentication that the subscriber equipment must perform is obtained through interaction between the Certificate Authority executor and the authentication policy module.
Fig. 4 is a schematic diagram of the specific flow of the method for realizing authentication according to the present invention. Referring to Fig. 4, the flow comprises:
Step 401: the subscriber equipment (the visiting user) requests access from the Certificate Authority executor and requires trusted identity authentication of the Certificate Authority executor;
Step 402: the Certificate Authority executor requests the common authentication server to authenticate the visiting user; the common authentication server returns the corresponding authentication requirement to the visiting user through the subscriber equipment; at the same time, the Certificate Authority executor generates its own identity trust information and returns it to the visiting user;
In this step, the authentication requirement may be dynamic password identity authentication information, USB Key digital certificate authentication information, biometric identity authentication information or IC card authentication information.
The identity trust information is signature information generated by the Certificate Authority executor with its own private key.
Step 403: the subscriber equipment receives the access request response information, confirms that the Certificate Authority executor's identity authentication passes, and sends common authentication requirement response information to the common authentication server;
In this step, the subscriber equipment receives the access request response information and verifies the Certificate Authority executor's authentication identity information contained in it, for example by verifying the received signature information with the Certificate Authority executor's public key.
If the verification passes, showing that this Certificate Authority executor is trustworthy, the subscriber equipment sends common authentication requirement response information to the common authentication server according to the received common authentication requirement information. For example, if the common authentication requirement information requires the user to enter a password, the user enters the password, which is taken as the common authentication requirement response information and sent to the common authentication server through the subscriber equipment.
If the verification does not pass, the process ends.
Step 404: the common authentication server receives the common authentication requirement response information, performs identity authentication, and returns subscriber equipment authentication identity response information to the Certificate Authority executor;
This step is similar to step 205.
Step 405: the Certificate Authority executor sends tolerance authentication challenge request information to the authentication policy module;
In this step, the Certificate Authority executor confirms that the ordinary user identity authentication has passed and sends tolerance authentication challenge request information to the authentication policy module.
Step 406: the authentication policy module receives the tolerance authentication challenge request information, queries the stored authentication policy, and returns tolerance authentication challenge request response information to the Certificate Authority executor;
In this step, the authentication policy module receives the tolerance authentication challenge request information and queries the authentication policy it stores. If this user's authentication policy does not contain tolerance authentication registration information, it returns tolerance authentication challenge request response information to the Certificate Authority executor indicating that the subscriber equipment may be notified to enter the operation system; if it does contain tolerance authentication registration information, it returns tolerance authentication challenge request response information notifying the Certificate Authority executor to perform tolerance authentication.
Step 407: the Certificate Authority executor receives the tolerance authentication challenge request response information, determines that tolerance authentication is required, and sends tolerance authentication request information to the subscriber equipment tolerance engine;
Step 408: the subscriber equipment tolerance engine receives the tolerance authentication request information and sends a request for tolerance authentication information to the subscriber equipment;
In this step, the subscriber equipment tolerance engine sends the corresponding request for tolerance authentication information to the subscriber equipment according to the information predefined in the policy.
Step 409: the subscriber equipment receives the request for tolerance authentication information and sends its own corresponding tolerance authentication information to the subscriber equipment tolerance engine;
Step 410: the subscriber equipment tolerance engine receives the tolerance authentication information, performs tolerance authentication on the subscriber equipment, and returns tolerance authentication request response information to the Certificate Authority executor;
In this step, the subscriber equipment tolerance engine applies integrity processing to the obtained metric information of this subscriber equipment to form a metric value, and compares it with the metric value stored at the user's registration. If the comparison matches, it returns tolerance authentication request response information carrying a binding-success indication to the Certificate Authority executor; if the comparison does not match, it returns tolerance authentication request response information carrying a binding-failure indication or a re-registration indication.
Step 411: the Certificate Authority executor receives the tolerance authentication request response information and, if it determines that it carries a binding-success indication, sends out-of-band authentication query request information to the authentication policy module;
Step 412: the authentication policy module receives the out-of-band authentication query request information, queries the stored authentication policy, and returns out-of-band authentication query request response information to the Certificate Authority executor;
In this step, the authentication policy module receives the out-of-band authentication query request information and queries the authentication policy it stores. If this user's authentication policy does not contain out-of-band authentication registration information, it returns out-of-band authentication query request response information to the Certificate Authority executor indicating that the subscriber equipment may be notified to enter the operation system; if it does contain out-of-band authentication registration information, it returns out-of-band authentication query request response information notifying the Certificate Authority executor to perform out-of-band authentication.
Step 413: the Certificate Authority executor receives the out-of-band authentication query request response information, determines that out-of-band authentication is required, and sends out-of-band identity authentication request information to the out-of-band authentication server;
Step 414: the out-of-band authentication server receives the out-of-band identity authentication request information, generates out-of-band authentication credential information, and sends it to the subscriber equipment;
In this step, the out-of-band authentication server receives the out-of-band identity authentication request and generates out-of-band authentication credential information, such as a password, a telephone call, a short message or an e-mail, and sends it to the subscriber equipment through a transmission system, for example a short message system, telephone or e-mail.
In practice, for the security of message transmission, the network of the transmission system that delivers the out-of-band authentication credential information is different from the network over which authentication takes place.
Step 415: the subscriber equipment receives the out-of-band authentication credential information and returns it to the out-of-band authentication server;
In this step, the subscriber equipment receives the out-of-band authentication credential information and sends it to the out-of-band authentication server through the same transmission system over which the out-of-band authentication credential information was received.
Step 416: the out-of-band authentication server receives the out-of-band authentication credential information and returns an out-of-band identity authentication request response to the Certificate Authority executor;
In this step, the out-of-band authentication server checks the received out-of-band authentication credential information against the out-of-band authentication credential information it sent to the user. If they are consistent, out-of-band authentication passes, and the server returns an out-of-band identity authentication request response carrying an out-of-band authentication success indication to the Certificate Authority executor. If no feedback from the user is received within the preset time window, or the information returned by the user is inconsistent with the information the server sent to the user, the server returns an out-of-band identity authentication request response to the Certificate Authority executor carrying an out-of-band authentication failure indication or a re-registration indication.
Step 417: the Certificate Authority executor receives the out-of-band identity authentication request response, determines that out-of-band authentication has passed, and notifies the subscriber equipment that it may enter the operation system;
In this step, if the returned out-of-band identity authentication request response carries an out-of-band authentication failure indication or a re-registration indication, the Certificate Authority executor notifies the subscriber equipment that out-of-band authentication failed or that it must re-register, and refuses the subscriber equipment entry to the operation system.
Step 418: the subscriber equipment enters the operation system and carries out business operations, and the operation system returns the corresponding business operation result to the subscriber equipment.
This ends the flow.
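Steps 209 to 212 and steps 414 to 417 describe the same out-of-band exchange: the server generates a credential, delivers it over a transmission network separate from the authentication network, and later accepts the credential only if it comes back unchanged within the preset time window. The following is an added example of the server side of that exchange, written for this edit and not taken from the patent; the 120-second window, the six-digit credential, the injected transmission system and the result names are assumptions, and the single-use rule (a credential is consumed by its first verification) is an addition a practitioner would normally want.

```python
"""Out-of-band credential issue and verification, modelled on steps 209-212 and
414-417 of the flows above. Added example; window length, credential format,
single-use rule and result names are assumptions, not the patent's own."""
import hmac
import secrets
import time

WINDOW_SECONDS = 120          # the "preset time window" (assumed value)
CREDENTIAL_DIGITS = 6         # credential format (assumed)


class OutOfBandServer:
    def __init__(self, send, clock=time.monotonic):
        # `send(user, credential)` is the transmission system (short message,
        # telephone, e-mail); injected so the example runs offline.
        self._send = send
        self._clock = clock
        self._pending = {}    # user -> (credential sent, issue time)

    def issue(self, user):
        """Step 209/414: generate the credential, record when it was issued, and
        send it to the user over the out-of-band transmission system."""
        cred = "".join(secrets.choice("0123456789") for _ in range(CREDENTIAL_DIGITS))
        self._pending[user] = (cred, self._clock())
        self._send(user, cred)

    def verify(self, user, returned):
        """Step 211/416: compare what the user returned with what was sent.
        Returns the indication the out-of-band identity authentication request
        response would carry to the Certificate Authority executor."""
        entry = self._pending.pop(user, None)     # single use: consumed either way
        if entry is None:
            return "OOB_FAILED"                   # nothing outstanding for this user
        sent, issued_at = entry
        if self._clock() - issued_at > WINDOW_SECONDS:
            return "OOB_FAILED"                   # no valid feedback within the window
        # constant-time comparison of the returned and the sent credential
        if hmac.compare_digest(sent.encode(), str(returned).encode()):
            return "OOB_SUCCESS"
        return "OOB_FAILED"                       # returned credential inconsistent


def executor_decision(result):
    """Step 212/417 on the Certificate Authority executor: admit the subscriber
    equipment to the operation system only on an out-of-band success indication."""
    return "ENTER_OPERATION_SYSTEM" if result == "OOB_SUCCESS" else "REFUSE"


def demo():
    outbox = {}                         # stands in for the delivery network
    now = [1000.0]                      # controllable clock for the example
    server = OutOfBandServer(send=lambda u, c: outbox.__setitem__(u, c),
                             clock=lambda: now[0])

    server.issue("alice")
    ok = server.verify("alice", outbox["alice"])        # correct, inside the window
    replay = server.verify("alice", outbox["alice"])    # same credential again

    server.issue("alice")
    wrong_value = "000000" if outbox["alice"] != "000000" else "111111"
    wrong = server.verify("alice", wrong_value)         # inconsistent credential

    server.issue("alice")
    now[0] += WINDOW_SECONDS + 1
    late = server.verify("alice", outbox["alice"])      # outside the time window
    return ok, replay, wrong, late


if __name__ == "__main__":
    print(demo(), [executor_decision(r) for r in demo()])
```

Keeping the issue time on the server, rather than trusting a timestamp carried with the credential, is what makes the time-window check meaningful, and consuming the entry on every verification attempt means a credential that was observed in transit cannot be presented a second time.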
As the above embodiments show, the method and system for realizing authentication provided by the invention build on existing common identity authentication technology. The Certificate Authority executor sends tolerance authentication request information to the subscriber equipment tolerance engine; the subscriber equipment tolerance engine interacts with the subscriber equipment to obtain its tolerance authentication information, applies integrity processing to the obtained metric information to form a metric value, and compares it with the registered subscriber equipment metric value stored in advance; if the comparison matches, the Certificate Authority executor notifies the subscriber equipment that it may enter the operation system. By adding tolerance authentication of the subscriber equipment, the user identity is bound to the subscriber equipment the user uses, which stops most of the attacks mounted against authentication on the network, or makes them harder for an attacker to carry out. Alternatively, on the basis of existing common identity authentication technology, the Certificate Authority executor sends out-of-band identity authentication request information to the out-of-band authentication server; the out-of-band authentication server generates out-of-band authentication credential information, sends it to the subscriber equipment, and verifies whether the out-of-band authentication credential information returned by the subscriber equipment is consistent with the information it sent; if so, the Certificate Authority executor notifies the subscriber equipment that it may enter the operation system. This blocks attacks on the user identity on the network and solves problems such as man-in-the-middle and connection hijacking attacks. Alternatively, on the basis of existing common identity authentication technology, tolerance authentication of the subscriber equipment is added to bind the user identity to the subscriber equipment the user uses, stopping most of the attacks mounted against authentication on the network, and out-of-band authentication is further added to block attacks on the user identity on the network, thereby improving the security of authentication, protecting the interests of legitimate users, and fundamentally solving problems such as man-in-the-middle and connection hijacking attacks. Moreover, the method and system of authentication provided by the invention do not require extensive modification of the original authentication system when deployed, are compatible with a variety of existing identity authentication systems, and can greatly improve the security of an identity authentication system. In addition, the system has a low investment cost, is easy to manage and maintain, and is easy for users to use; the level of security can be raised step by step according to actual security requirements and the stage of deployment; and it can be applied to a wide range of requirements, being particularly suited to scenarios requiring strong authentication of the user identity, such as the strong identity authentication requirements of online banking, mobile banking and access to valuable resources.
The preferred embodiments given above further explain the object, technical scheme and advantages of the present invention. It should be understood that the above are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall be included within the protection scope of the present invention.