CN101951321B - Device, system and method for realizing identity authentication - Google Patents

Info

Publication number: CN101951321B
Authority: CN (China)
Prior art keywords: authentication, band, information, subscriber equipment, module
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN2010105072489A
Other languages: Chinese (zh)
Other versions: CN101951321A
Inventors: 王四军, 姚俊武
Current assignee: Petevio Institute Of Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Potevio Institute of Technology Co Ltd
Events: application filed by Potevio Institute of Technology Co Ltd; priority to CN2010105072489A; publication of CN101951321A; application granted; publication of CN101951321B; legal status Expired - Fee Related

Abstract

The invention discloses a device, a system and a method for realizing identity authentication. On the basis of conventional ordinary identity authentication technology, the user identity and the user equipment used by the user are bound by adding measurement authentication of the user equipment or out-of-band identity authentication; or attacks on the user identity on the network are blocked by adding both measurement authentication of the user equipment and out-of-band identity authentication. This improves the security of identity authentication, protects the interests of legitimate users and addresses problems such as man-in-the-middle attacks and connection hijacking attacks. Furthermore, the identity authentication system provided by the invention is compatible with various existing identity authentication systems, does not require large modifications to the existing authentication system during implementation, has the advantages of low investment cost and easy management and maintenance, and can greatly improve the security of the identity authentication system.

Description

Device, system and method for realizing identity authentication
This application is a divisional application of the application filed on October 23, 2008 with application number 200810224837.9 and the title "Device, system and method for realizing identity authentication".
Technical field
The present invention relates to identity authentication technology, and in particular to a device, system and method for realizing identity authentication.
Background technology
At present, with the rapid development of Internet technology, online transactions have become part of people's daily life and work, and "online banking" and "e-commerce" are the most representative applications. For example, "online banking", as a brand-new channel for delivering bank customer services, lets a customer handle various banking operations such as queries, transfers and bill payments over the Internet and manage their own assets, whether they are at home, in the office or on the road.
But while Internet technology brings people great convenience, the security problems of the Internet are becoming increasingly prominent. For example, in online banking, when a customer transacts over the Internet, data such as the customer's user identifier (for example the account number) and password are very easily intercepted or stolen by an attacker during the transaction; the attacker then uses the intercepted or stolen identifier and password to perform illegal operations, directly harming the customer's interests. This not only directly affects the reputation of online transactions, but also has a detrimental effect on the development of online transactions.
To strengthen the security of Internet message transmission, a security system for Internet message transmission must be established, so that only people with the corresponding authority can access the data in the Internet system; at the same time, an identity authentication mechanism must be provided, to ensure that the user identity stored in the Internet system is consistent with the identity claimed by the customer using the system, so that only users who pass identity authentication can access and operate system resources. Therefore, for the Internet, identity authentication management is the foundation of the whole information security system; without effective identity verification management means, methods and measures, the identity authentication of customers accessing the Internet system is easily forged by attackers, allowing attackers to get past the security protection system. For example, the main cause of the repeated "fake website" and stolen customer funds cases in China in recent years is that customers' user identities were stolen.
Several identity authentication technologies used in the prior art to establish a security system for Internet message transmission are described below. They mainly include:
1. Dynamic password identity authentication
Dynamic password identity authentication, also referred to as "one-time pad" (one-time password) technology, means that each password the user uses is generated dynamically according to the time or the number of uses, and each password can be used only once.
The user equipment can use a dedicated token to generate the dynamic password; in use, the user only needs to enter the password currently displayed on the token, and the authentication server computes the currently valid password with the same algorithm to confirm the identity.
Specifically, the principle of dynamic password identity authentication is that each password the user uses is generated by the dedicated token and is different every time; because a password becomes invalid once it has been used, even if an attacker intercepts the password, the attacker cannot use it to impersonate the legitimate user to the authentication server, so a user who passes password verification can be considered to have a reliable identity. By adopting the one-time password method, dynamic password identity authentication effectively guarantees the security of the user identity and, compared with the IC card authentication, USB Key authentication and biometric authentication described later, its cost is lower. At present, dynamic password schemes mostly use a hardware form, with tokens based on time synchronization or on events.
Although dynamic password identity authentication is easy to use, its security is unsatisfactory. For example, when the user is subjected to a virus or an attacker's attack, if the user enters the dynamic password and transmits it over the network, an attacker located on the communication channel between the user equipment and the authentication server can capture the dynamic password by keyboard monitoring, memory reading or similar attacks, then prevent the user from completing the login, creating the illusion of a dropped network connection or a connection timeout; on the other hand, the attacker can use the captured dynamic password to impersonate the user and log in to the authentication server, performing illegal operations that cause the user losses.
2. USB (Universal Serial Bus) Key digital certificate authentication
USB Key digital certificate authentication performs identity authentication through a USB Key hardware device connected via a USB interface, and is an identity authentication technology that has developed in recent years. The USB Key uses a built-in single-chip microcontroller or smart card chip and stores the user's digital certificate based on the Public Key Infrastructure (PKI) framework. The digital certificate is a data structure, issued by a trusted third-party certification authority, that contains the user's identity information (key); the PKI framework, by adopting cryptographic algorithms, builds a complete process that guarantees the identity of the certificate holder and the security of the data. Specifically, the principle of digital certificate authentication is as follows: the sender produces a piece of message text and applies a one-way, irreversible transformation to it; the sender then encrypts the result of the one-way irreversible transformation with its own private key and sends the original text together with the encrypted transformation result to the designated recipient; this encrypted transformation result is called the digital signature. After receiving the original text and the encrypted transformation result, the recipient applies the same one-way irreversible transformation to the received original text and at the same time decrypts the received encrypted transformation result with the sender's public key; if the decrypted transformation result is consistent with the one-way irreversible transformation result the recipient computed itself, the recipient considers the sender to have passed authentication and can trust the other party's identity.
However, the digital certificate in USB Key digital certificate authentication is itself a kind of digital identity and is still at risk of being illegally copied; therefore the current USB Key, as the storage medium for the digital certificate, has added many self-destruction measures to ensure that the stored digital certificate is destroyed automatically when the key is cracked, and some security measures of the PKI framework have been strengthened so that the USB Key can ensure the user's digital certificate cannot be copied.
But the cost of deploying and maintaining the CA center for USB Key digital certificate authentication is very large, and a USB Key must be provisioned for each user at the user equipment, making the cost of use for customers higher; in addition, the USB Key must be inserted into the USB interface of the user equipment each time it is used, so if the user equipment has no USB interface, or the USB interface or the USB Key is damaged, the user cannot access the CA center; moreover, whether it is the signature information or the digital certificate, transmission over the network still cannot stop a man-in-the-middle attack in each authentication.
One existing proposed improvement is to encrypt the communication link, for example protecting it with the Secure Socket Layer (SSL) protocol, which can stop network interception of the signature information or the digital certificate, but this encrypted channel still cannot stop a connection hijacking attack in each authentication. For example, when a browser connects to https://xxx.com, digital certificates are exchanged during the SSL handshake, and the public key held in the digital certificate is used to encrypt the session. If the user does not have the public key of the CA center when connecting, the browser prompts the user to accept or reject the digital certificate; for certificates issued by a large number of websites, the user does not have the corresponding site's public key to check the legitimacy of the certificate, so for common interactive client programs such as browsers the SSL connection may lose its meaning, because the user cannot tell whether the website really uses an unknown CA center or whether they are suffering a connection hijacking attack. Further, even if the user browsed the website before and saved its digital certificate, the attacker may still succeed; in addition, since current attack techniques can break through the SSL protocol easily, even if the user can check the legitimacy of the website's digital certificate, the identity authentication can still suffer an attack similar to connection hijacking.
3. Biometric identity authentication
Biometric identity authentication is a technology for identifying the user based on unique biological characteristics of the user, for example fingerprint recognition or iris recognition. Because it directly uses the user's physical features to represent each person's digital identity, and the possibility of different people having identical biological characteristics is negligible, biometric identity authentication is in theory a reliable identity authentication method. However, existing biometric authentication is limited by the maturity of biometric recognition technology and has considerable limitations. First, the accuracy and stability of biometric recognition still need improvement; in particular, if the user's body is affected by illness, injury or marks, recognition often fails and the legitimate user cannot log in. Second, because research and development investment is large and output is small, the cost of biometric authentication systems is very high; at present they are suitable only for occasions with very high security requirements, such as military use, and cannot be popularized on a large scale. In addition, if identity authentication is performed by transmitting biometric information over the network, replay attacks, man-in-the-middle attacks and the like cannot be stopped. A replay attack is an attack in which captured information is resent to the authentication server for identity authentication, thereby obtaining an access identity. A man-in-the-middle (MITM) attack is a kind of "indirect" intrusion attack: using various technical means, the intruder virtually places a computer under their control between two communicating computers in the network connection, and this computer is called the "man in the middle". The intruder then uses this computer to simulate one or both of the original computers; the "man in the middle" can establish active connections with the original computers and read or modify the transmitted information, while the users of the two original computers believe they are communicating with each other. Usually this process of "intercept data, modify data, send data" is called "session hijacking" (Session Hijack).
4. Integrated circuit (IC) card authentication
IC card authentication relies on the non-copyable property of IC card hardware to guarantee that the user identity cannot be impersonated. The IC card has a built-in integrated circuit holding data related to the user identity; it is produced with special equipment by a special manufacturer and can be regarded as non-reproducible hardware. The IC card is carried by the legitimate user; at login the IC card is inserted into a dedicated card reader, which reads the information in it to verify the user's identity. Because the data read from the IC card is static every time, an attacker can relatively easily capture the user's authentication information through techniques such as memory scanning or network monitoring, so there is a considerable security risk.
From the above, the existing commonly used identity authentication methods have low authentication security and damage the interests of legitimate users; in addition, they have the following defects:
(1) The identity authentication technology is complicated to implement, e.g. USB Key digital certificate authentication;
(2) The cost is high, e.g. USB Key digital certificate authentication and biometric identity authentication;
(3) Maintenance is complicated, e.g. USB Key digital certificate authentication;
(4) Applicable scenarios are limited and convenience is poor, e.g. biometric authentication and USB Key digital certificate authentication.
Summary of the invention
In view of this, a main purpose of the present invention is to provide a device for realizing identity authentication, to improve the security of identity authentication and protect the interests of legitimate users.
Another main purpose of the present invention is to provide a system for realizing identity authentication, to improve the security of identity authentication and protect the interests of legitimate users.
Another main purpose of the present invention is to provide a method for realizing identity authentication, to improve the security of identity authentication and protect the interests of legitimate users.
To achieve the above objects, the invention provides an out-of-band authentication server for realizing identity authentication. The out-of-band authentication server comprises: an information receiving module, an information processing module, an out-of-band authentication credential information storage module, an out-of-band authentication credential information comparison module and an information sending module, wherein:
The information receiving module is used to send the out-of-band identity authentication request information received from the authentication and authorization executor, and the out-of-band authentication credential information returned by the user equipment, to the information processing module;
The information processing module is used to generate out-of-band authentication credential information according to the received out-of-band identity authentication request information and send it to the out-of-band authentication credential information storage module and the information sending module; and to send the out-of-band authentication credential information returned by the user equipment, as received from the information receiving module, to the out-of-band authentication credential information comparison module;
The out-of-band authentication credential information storage module is used to store the out-of-band authentication credential information generated by the information processing module;
The out-of-band authentication credential information comparison module is used to receive the out-of-band authentication credential information from the information processing module and verify whether it is consistent with the out-of-band authentication credential information stored in the out-of-band authentication credential information storage module; if consistent, it sends, through the information sending module, an out-of-band identity authentication request response message containing authentication success information;
The information sending module is used to send the received out-of-band identity authentication request response message and the out-of-band authentication credential information.
A system for realizing identity authentication comprises: an authentication and authorization executor, an out-of-band authentication server and an authentication policy module, wherein:
The authentication and authorization executor is used to send out-of-band identity authentication request information to the out-of-band authentication server when it has determined that the user equipment has passed ordinary authentication and learns that the user equipment needs to perform out-of-band authentication; if it determines that out-of-band authentication succeeded, it notifies the user equipment to enter the business system;
The out-of-band authentication server is used to receive the out-of-band identity authentication request information, generate out-of-band authentication credential information and send it to the user equipment; and to verify whether the out-of-band authentication credential information returned by the user equipment is consistent with the out-of-band authentication credential information it sent to the user equipment; if consistent, it notifies the user equipment, through the authentication and authorization executor, to enter the business system;
The authentication policy module is used to interact with the authentication and authorization executor, determine that the authentication policy it stores in advance contains out-of-band authentication registration information of the user equipment, and notify the authentication and authorization executor to perform out-of-band authentication of the user equipment.
The system further comprises a user equipment measurement engine, used to obtain the measurement authentication information of the user equipment by interacting with the user equipment according to the measurement authentication request information sent by the authentication and authorization executor; to perform measurement processing on the obtained measurement authentication information to form a measurement value; to match that value against the registered user equipment measurement value stored in advance; and, if the match is consistent, to determine, through interaction between the authentication and authorization executor and the authentication policy module, whether the user equipment requires out-of-band authentication.
The out-of-band authentication server comprises: an information receiving module, an information processing module, an out-of-band authentication credential information storage module, an out-of-band authentication credential information comparison module and an information sending module, wherein:
The information receiving module is used to send the out-of-band identity authentication request information received from the authentication and authorization executor, and the out-of-band authentication credential information returned by the user equipment, to the information processing module;
The information processing module is used to generate out-of-band authentication credential information according to the received out-of-band identity authentication request information and send it to the out-of-band authentication credential information storage module and the information sending module; and to send the out-of-band authentication credential information returned by the user equipment, as received from the information receiving module, to the out-of-band authentication credential information comparison module;
The out-of-band authentication credential information storage module is used to store the out-of-band authentication credential information generated by the information processing module;
The out-of-band authentication credential information comparison module is used to receive the out-of-band authentication credential information from the information processing module and verify whether it is consistent with the out-of-band authentication credential information stored in the out-of-band authentication credential information storage module; if consistent, it sends, through the information sending module, an out-of-band identity authentication request response message containing authentication success information;
The information sending module is used to send the received out-of-band authentication credential information to the user equipment, and to send the received out-of-band identity authentication request response message to the authentication and authorization executor.
The system further comprises an ordinary authentication server, used to interact with the user equipment and the authentication and authorization executor to perform ordinary authentication of the user.
The user equipment measurement engine comprises: a measurement collection module and a measurement verification module, wherein:
The measurement collection module is used to collect the measurement authentication information of the user equipment according to the measurement policy stored in advance and the received measurement authentication request information;
The measurement verification module is used to perform measurement processing on the measurement authentication information of the user equipment, match the measurement value formed after processing against the registered user equipment measurement value of that user equipment stored in advance, and, if the match is consistent, notify that the user equipment has passed authentication.
A method for realizing identity authentication comprises:
after it has been determined that the user equipment has passed ordinary authentication, when the authentication and authorization executor learns from the authentication policy module that the user equipment needs to perform out-of-band authentication, it sends out-of-band identity authentication request information to the out-of-band authentication server;
the out-of-band authentication server receives the out-of-band identity authentication request information, generates out-of-band authentication credential information and sends it to the user equipment; it verifies whether the out-of-band authentication credential information returned by the user equipment is consistent with the out-of-band authentication credential information it generated, and if consistent, notifies the user equipment, through the authentication and authorization executor, to enter the business system.
The out-of-band authentication credential information is sent to the user equipment by short message (SMS), telephone or e-mail.
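The out-of-band server's generate, store, deliver and compare steps described above, as an added example that is not the patent's own code. The module names mirror the text; the 6-digit credential format, the validity window, the single-use rule and the attempt limit are assumptions of this example, and the delivery channel (SMS, telephone or e-mail) is replaced by an in-memory list.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Added example, not the patent's code. Models the out-of-band authentication
# server: the information processing module generates a credential for an
# out-of-band identity authentication request, the storage module keeps it,
# the sending module delivers it on the second channel, and the comparison
# module checks what the user equipment returns. Credential length, validity
# window, single use and attempt limit are assumptions of this example.

CREDENTIAL_DIGITS = 6        # assumed credential format
VALIDITY_SECONDS = 120       # assumed validity window
MAX_ATTEMPTS = 3             # assumed attempt limit per request


@dataclass
class PendingCredential:
    credential: str
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


@dataclass
class OutOfBandAuthServer:
    # out-of-band authentication credential information storage module:
    # request id -> pending credential
    store: dict = field(default_factory=dict)
    # stand-in for the information sending module's out-of-band channel;
    # records (contact, credential) pairs instead of sending SMS/phone/e-mail
    delivered: list = field(default_factory=list)

    def handle_request(self, request_id: str, contact: str,
                       now: Optional[float] = None) -> str:
        """Information processing module: generate and store a credential for
        an out-of-band identity authentication request, then deliver it."""
        now = time.time() if now is None else now
        credential = "".join(secrets.choice("0123456789")
                             for _ in range(CREDENTIAL_DIGITS))
        self.store[request_id] = PendingCredential(credential,
                                                   now + VALIDITY_SECONDS)
        self.delivered.append((contact, credential))
        # returned here only so the example can be exercised end to end
        return credential

    def verify(self, request_id: str, returned: str,
               now: Optional[float] = None) -> dict:
        """Comparison module: check the credential returned by the user
        equipment against the stored one and build the response message."""
        now = time.time() if now is None else now
        pending = self.store.get(request_id)
        if pending is None:
            return {"success": False, "reason": "unknown request"}
        if now > pending.expires_at:
            del self.store[request_id]
            return {"success": False, "reason": "expired"}
        # constant-time comparison of the stored and returned credentials
        if hmac.compare_digest(pending.credential, returned):
            del self.store[request_id]          # single use
            return {"success": True, "reason": "consistent"}
        pending.attempts_left -= 1
        if pending.attempts_left <= 0:
            del self.store[request_id]
            return {"success": False, "reason": "too many attempts"}
        return {"success": False, "reason": "mismatch"}


if __name__ == "__main__":
    server = OutOfBandAuthServer()
    # constructed sample: contact is a placeholder, not a real number
    code = server.handle_request("req-1", "contact-placeholder", now=1000.0)
    print(server.verify("req-1", code, now=1001.0))      # success
    print(server.verify("req-1", code, now=1002.0))      # unknown request
```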
From the above technical solution, the device, system and method for realizing identity authentication provided by the invention, on the basis of existing ordinary identity authentication technology, bind the user identity to the user equipment the user uses by adding measurement authentication of the user equipment, stopping most attacks carried out against identity authentication on the network; or, on the basis of existing ordinary identity authentication technology, add out-of-band authentication to block attacks on the user identity on the network; or, on the basis of existing ordinary identity authentication technology, add both measurement authentication of the user equipment and out-of-band authentication to block attacks on the user identity on the network. This improves the security of identity authentication, protects the interests of legitimate users, and solves problems such as man-in-the-middle attacks and connection hijacking attacks. Moreover, the identity authentication system provided by the invention is compatible with the various existing identity authentication systems; implementation does not require large modifications to the original authentication system, the investment cost is low, management and maintenance are easy, and the security of the identity authentication system can be greatly improved.
Description of drawings
Fig. 1a is a schematic diagram of the structure of the system for realizing identity authentication according to the present invention;
Fig. 1b is another schematic diagram of the structure of the system for realizing identity authentication according to the present invention;
Fig. 2 is a schematic flow diagram of the method for realizing identity authentication according to the present invention;
Fig. 3 is a schematic flow diagram of authentication policy registration according to the present invention;
Fig. 4 is a schematic diagram of a specific flow of the method for realizing identity authentication according to the present invention.
Embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
The device, system and method for realizing identity authentication provided by the invention, on the basis of existing identity authentication technology, bind the user identity to the user equipment the user uses by adding measurement authentication of the user equipment; this can stop most attacks carried out against identity authentication on the network, or at least increase the attacker's difficulty. Further, adding out-of-band authentication blocks attacks on the user identity on the network, further improving the security of identity authentication, protecting the interests of legitimate users and fundamentally solving problems such as man-in-the-middle attacks and connection hijacking attacks.
In practical application, since the user always performs identity authentication through the user equipment, the user and the user equipment are bound together in the description below.
Fig. 1a is a schematic diagram of the structure of the system for realizing identity authentication according to the present invention. Referring to Fig. 1a, the system comprises: user equipment, an authentication and authorization executor, an authentication policy module, an ordinary authentication server and a user equipment measurement engine, wherein:
The ordinary authentication server is used to interact with the user equipment and the authentication and authorization executor to perform ordinary authentication of the user equipment;
The authentication and authorization executor is used, after determining that the user equipment has passed ordinary authentication and learning through interaction with the authentication policy module that the user equipment needs to perform measurement authentication, to send measurement authentication request information to the user equipment measurement engine so that measurement authentication is performed; if it determines that measurement authentication succeeded, it notifies the user equipment to enter the business system;
In practical application, measurement authentication can be deemed successful when the measurement authentication request response message returned by the user equipment measurement engine is confirmed to contain binding success information.
The authentication policy module is used to interact with the authentication and authorization executor, determine that the authentication policy it stores in advance contains the measurement authentication registration information of the user equipment, and notify the authentication and authorization executor to perform measurement authentication of the user equipment;
The user equipment measurement engine is used to receive measurement authentication request information and obtain the measurement authentication information of the user equipment by interacting with the user equipment; it performs processing such as integrity processing on the obtained measurement information to form a measurement value, matches it against the registered user equipment measurement value stored in advance, and, if the match is consistent, notifies the user equipment, through the authentication and authorization executor, to enter the business system;
If the match is consistent, the user equipment measurement engine considers measurement authentication successful and returns to the authentication and authorization executor a measurement authentication request response message carrying binding success information;
The user equipment is used to interact with the user equipment measurement engine and send its own measurement authentication information to the user equipment measurement engine.
The user equipment measurement engine is further used to receive measurement authentication registration information; according to the measurement policy set in advance, it generates acquisition measurement authentication registration information and sends it to the user equipment, then performs integrity processing on the measurement authentication registration information returned by the user equipment to form and store the registered user equipment measurement value.
The tolerance authentication registration information comprises the geographical location information, subscriber equipment name information, user behavior information at the corresponding network interface card information of each subscriber equipment, operation system information, browser information, place, IP address etc.;
The metric strategy that sets in advance can be one or more in the tolerance authentication registration information.
Generation is obtained tolerance authentication registration information and is comprised: generate and the metric strategy information corresponding that is provided with in advance; For example; The metric strategy that is provided with in advance comprises network interface card information and operation system information; Then generate comprise subscriber equipment network interface card information and operation system information obtain tolerance authentication registration information, subscriber equipment is carried at self network interface card information and operation system information and measures in the authentication registration information.
In the practical application, this system also can only comprise Certificate Authority executor, subscriber equipment tolerance engine, authentication policy module, and the user utilizes this system directly to measure authentication, and need not carry out common authentication.
Common authentication server and subscriber equipment, Certificate Authority executor are mutual; Execution is to user's common authentication; The identity identifying technology that common authentication server adopts can be dynamic password ID authentication, digital certificate authentication, biometric identity authentication, trusted terminal authentication etc.; Similar with existing authentication, briefly describe below:
The Certificate Authority executor is used to receive the access request that subscriber equipment sends, and sends common ID authentication request to common authentication server; Receive common authentication requirement information, the authenticating identity information and the common authentication requirement information that self generate are carried in the access request response message, be sent to subscriber equipment;
Subscriber equipment is used to receive the access request response message, confirms that Certificate Authority executor's authentication is passed through, and sends common authentication requirement response message to common authentication server;
Common authentication server is used to receive common ID authentication request, returns common authentication requirement information to the Certificate Authority executor; Require response message to carry out authentication according to the common authentication that receives, confirm subscriber equipment, return to the Certificate Authority executor and carry the subscriber equipment authenticating identity response message of subscriber equipment through common authentication information through common authentication.
Subscriber equipment tolerance engine comprises surveys middleware module, metric collection module, metric verification module and tolerance log-on message module,
Survey middleware module, be used for receiving tolerance authentication request information, notice metric collection module is collected the metric of subscriber equipment; The metric of the subscriber equipment that reception metric collection module returns; From tolerance log-on message module, obtain registered user's equipment metric of this subscriber equipment of storage in advance, the metric of subscriber equipment and registered user's equipment metric of this subscriber equipment are sent to metric verification module; The information that metric verification module is returned is sent;
The metric collection module is used to receive the information of collecting the metric of subscriber equipment from the notice of surveying middleware module, according to the metric strategy of storing in advance, collects the tolerance authentication information of subscriber equipment;
Metric verification module; Be used for the tolerance authentication information of the subscriber equipment that receives is measured processing; And the registered user's equipment metric that will handle the subscriber equipment of metric that the back forms and reception to carry out matching ratio right; If matching ratio to unanimity, returns the information of said subscriber equipment through authentication of notifying to surveying middleware module.
Survey middleware module and also receive tolerance authentication registration information, correspondingly, subscriber equipment tolerance engine further comprises tolerance log-on message module,
The metric collection module is further used for the metric strategy of basis storage in advance and the information of collecting the tolerance log-on message of subscriber equipment from the notice of surveying middleware module, the tolerance authentication registration information of collecting subscriber equipment,
Tolerance log-on message module is used for the tolerance authentication registration information according to the subscriber equipment of surveying the middleware module transmission, measures processing, forms the registered user equipment metric of metric as said subscriber equipment.
The measurement policy comprises any one or any combination of: the NIC information, operating system information, browser information, geographical location information, IP address, user equipment name information and user behavior information corresponding to each user equipment.
In another embodiment of the invention, the user-equipment measurement engine comprises a measurement information collection module, a measurement verification module, a measurement registration information module and a behavior analysis and judgment module, wherein:
The measurement information collection module collects the measurement information of the user equipment according to the measurement policy stored in advance and the received message;
In practice, the measurement information collection module collects the measurement information of the user equipment that is relevant to the measurement policy according to the received measurement authentication registration message or measurement authentication request message and the pre-stored measurement policy. Specifically, it sends the measurement authentication registration information collected in response to a measurement authentication registration request to the measurement registration information module, and sends the measurement authentication information collected in response to a measurement authentication request to the measurement verification module;
The measurement information of the user equipment includes NIC information, operating system information, browser information, geographical location information, IP address, user equipment name information, user behavior information and so on. For a measurement authentication registration message, the measurement information is the measurement authentication registration information; for a measurement authentication request message, it is the measurement authentication information.
The pre-stored measurement policy indicates to the measurement information collection module which measurement information of the user equipment should be collected, for example one or more of the NIC information, operating system information, browser information, geographical location information, IP address, machine name information and visitor behavior information of the user equipment.
The measurement policy may apply to all user equipment, or different measurement policies may be set for different user equipment.
Preferably, the measurement authentication registration information collected by the collection module according to a received measurement authentication registration message has the same content as the measurement authentication information collected according to a received measurement authentication request message; that is, the registration information and the authentication information comprise the same items. The difference is only the point in time at which the measurement information of the user equipment is collected.
The measurement verification module applies measurement processing to the measurement information of the user equipment collected by the collection module, compares the measurement value formed after processing with the registered measurement value of this user equipment held in the measurement registration information module, and if they match, generates a measurement authentication request response message carrying binding-success information and sends it to the authentication and authorization executor; if they do not match, it generates a measurement authentication request response message carrying binding-failure information or re-registration information and sends it to the executor.
In practice, when the measurement verification module finds that the comparison matches, this is equivalent to binding the user to the user equipment the user is using. This binding is not unique: it can be flexibly added to or changed as the usage environment changes, but ordinary authentication must be passed before any change.
The measurement registration information module applies measurement processing to the measurement information of the user equipment collected by the collection module and stores the resulting measurement value as the registered measurement value of this user equipment;
Measurement processing comprises integrity processing, data compression, encryption or the like applied to the selected measurement information of the user equipment.
The behavior analysis and judgment module collects and records the user's behavior features, and judges and analyzes them according to a predefined behavior analysis algorithm.
In practice, the user-equipment measurement engine may also omit the behavior analysis and judgment module.
By collecting and recording the user's behavior features and judging and analyzing them, the behavior analysis and judgment module strengthens the security authentication of the user. For example, it records user behavior features such as the time at which the measurement information collection module collected the measurement information of the user equipment in response to a measurement authentication registration request; when it judges the behavior features to be abnormal, it requires the user to perform further identity authentication to confirm that the user is legitimate.
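The registration and measurement-authentication flow of the user-equipment measurement engine described above (policy-driven collection, integrity processing into a measurement value, comparison with the registered value, and the binding-success / binding-failure / re-registration outcomes) as an added, self-contained example; this is illustration code written for this page, not the patent's own implementation. The attribute names, the choice of SHA-256 over canonical JSON as the "integrity processing", and the per-device policy override are assumptions:

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Items a measurement policy may select; these are the attributes the page lists
# (NIC, operating system, browser, location, IP address, device name, user behavior).
POLICY_ITEMS = ("nic", "os", "browser", "location", "ip", "device_name", "user_behavior")


class MeasurementEngine:
    """Hypothetical user-equipment measurement engine (registration + authentication)."""

    def __init__(self, default_policy: List[str]):
        self.default_policy = list(default_policy)
        self.device_policy: Dict[str, List[str]] = {}   # optional per-device policy
        self.registered: Dict[str, str] = {}            # device id -> registered measurement value

    def set_policy(self, device_id: str, items: List[str]) -> None:
        unknown = [i for i in items if i not in POLICY_ITEMS]
        if unknown:
            raise ValueError(f"unknown policy items: {unknown}")
        self.device_policy[device_id] = list(items)

    def policy_for(self, device_id: str) -> List[str]:
        return self.device_policy.get(device_id, self.default_policy)

    def registration_request(self, device_id: str) -> dict:
        # The request sent to the device asks only for the items the policy selects.
        return {"type": "measurement_registration", "items": self.policy_for(device_id)}

    def collect(self, device_id: str, attributes: Dict[str, str]) -> Dict[str, str]:
        # Measurement collection: keep exactly the policy's items; extra attributes
        # reported by the device are ignored, missing ones are an error.
        policy = self.policy_for(device_id)
        missing = [i for i in policy if i not in attributes]
        if missing:
            raise ValueError(f"device did not report {missing}")
        return {i: attributes[i] for i in policy}

    @staticmethod
    def measure(collected: Dict[str, str]) -> str:
        # Integrity processing (assumed: SHA-256 over canonical JSON). Canonical ordering
        # is what makes registration-time and authentication-time values comparable.
        canonical = json.dumps(collected, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def register(self, device_id: str, attributes: Dict[str, str]) -> str:
        # Registration: collect per policy, process, and store as the registered value.
        value = self.measure(self.collect(device_id, attributes))
        self.registered[device_id] = value
        return value

    def authenticate(self, device_id: str, attributes: Dict[str, str]) -> str:
        # Measurement authentication: same collection and processing, then compare.
        if device_id not in self.registered:
            return "re-registration"          # nothing to bind against yet
        try:
            current = self.measure(self.collect(device_id, attributes))
        except ValueError:
            return "binding_failure"          # device could not supply a policy item
        if hmac.compare_digest(current, self.registered[device_id]):
            return "binding_success"
        return "binding_failure"
```

Because the policy decides which attributes enter the measurement value, changing an attribute outside the policy (the IP address for a policy of NIC, OS and browser) still yields binding success, while changing one inside it yields binding failure; the test below exercises both cases and a per-device policy.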
In practice, the identity authentication system shown in Fig. 1 may further include an out-of-band authentication server, wherein:
The authentication and authorization executor, upon determining that the user equipment has passed measurement authentication and learning from the authentication policy module that the user equipment needs out-of-band authentication, sends an out-of-band identity authentication request message to the out-of-band authentication server; if it determines that the out-of-band identity authentication request response message returned by the out-of-band authentication server contains out-of-band authentication success information, it notifies the user equipment to enter the business system;
The authentication policy module interacts with the authentication and authorization executor: when it determines that the authentication policy it stores in advance includes out-of-band authentication registration information for the user equipment, it notifies the executor to carry out out-of-band authentication of the user equipment;
The out-of-band authentication server receives the out-of-band identity authentication request message, generates out-of-band authentication credential information and sends it to the user equipment; it verifies whether the out-of-band authentication credential information returned by the user equipment is consistent with the credential information it sent to the user equipment, and if so, returns to the executor an out-of-band identity authentication request response message containing out-of-band authentication success information.
The out-of-band authentication server comprises an information receiving module, an information processing module, an out-of-band authentication credential storage module, an out-of-band authentication credential comparison module and an information sending module, wherein:
The information receiving module sends the received out-of-band identity authentication request message and the out-of-band authentication credential information returned by the user equipment to the information processing module;
The information processing module receives the out-of-band identity authentication request message, generates the out-of-band authentication credential information, and sends it to the credential storage module and the information sending module; it receives from the information receiving module the credential information returned by the user equipment and sends it to the credential comparison module;
The out-of-band authentication credential storage module stores the credential information generated by the information processing module;
The out-of-band authentication credential comparison module verifies whether the credential information received from the information processing module is consistent with the credential information stored in the credential storage module; if consistent, it sends through the information sending module an out-of-band identity authentication request response message containing out-of-band authentication success information;
The information sending module sends the received out-of-band authentication credential information to the user equipment, and sends the received out-of-band identity authentication request response message to the authentication and authorization executor.
In this embodiment, the authentication policy module is in fact a database server holding each user's authentication policy, one policy per user. The policy may take the form: user - ordinary authentication - measurement authentication - out-of-band authentication; or: user - ordinary authentication - measurement authentication; or: user - ordinary authentication - out-of-band authentication. The measurement value may be the integrity value obtained by applying an integrity operation to the measurement information.
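The generate / store / send / compare cycle of the out-of-band authentication server above, as an added example written for this page (not the patent's code). The page only specifies that a credential is generated, stored, sent over a side channel and compared with what the device returns; the 6-digit numeric credential, the validity window, single use of each credential and the constant-time comparison are assumptions added here because a practitioner would expect them in a real deployment. The transmission system (SMS, telephone, e-mail) is modelled as an injected callback:

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple


class OutOfBandAuthServer:
    """Hypothetical out-of-band authentication server.

    send(channel, address, credential) stands in for the information sending module
    and the transmission system; now() is injectable so expiry can be tested offline.
    """

    def __init__(self, send: Callable[[str, str, str], None],
                 ttl_seconds: int = 300,
                 now: Callable[[], float] = time.time):
        self._send = send
        self._store: Dict[str, Tuple[str, float]] = {}   # credential storage module
        self._ttl = ttl_seconds                            # assumed validity window
        self._now = now

    @staticmethod
    def _generate() -> str:
        # Credential from a CSPRNG (assumed 6 decimal digits); never a counter or timestamp.
        return f"{secrets.randbelow(10 ** 6):06d}"

    def handle_request(self, device_id: str, channel: str, address: str) -> None:
        """Information processing module: generate, store, hand to the sending module.
        The credential is deliberately not returned to the caller."""
        credential = self._generate()
        self._store[device_id] = (credential, self._now() + self._ttl)
        self._send(channel, address, credential)

    def verify(self, device_id: str, returned: str) -> str:
        """Credential comparison module: result carried in the response to the executor."""
        # Single use (assumption): the stored credential is consumed on any attempt,
        # so a wrong guess cannot be retried against the same credential.
        entry = self._store.pop(device_id, None)
        if entry is None:
            return "oob_failure"
        credential, expiry = entry
        if self._now() > expiry:
            return "oob_failure"
        if hmac.compare_digest(credential, returned):
            return "oob_success"
        return "oob_failure"
```

The test drives the server with a recording send callback and a fake clock: a correct credential succeeds once, a replay of the same credential fails, a wrong or expired credential fails, and a device with no outstanding credential fails.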
Fig. 1b is another structural diagram of the identity authentication system of the invention. Referring to Fig. 1b, the system comprises user equipment, an authentication and authorization executor, an authentication policy module, an ordinary authentication server and an out-of-band authentication server, wherein:
The ordinary authentication server interacts with the user equipment and the authentication and authorization executor to carry out ordinary authentication of the user;
The authentication and authorization executor, upon determining that the user equipment has passed ordinary authentication and learning from the authentication policy module that the user equipment needs out-of-band authentication, sends an out-of-band identity authentication request message to the out-of-band authentication server to perform out-of-band authentication; if it determines that out-of-band authentication succeeded, it notifies the user equipment to enter the business system;
In practice, if the out-of-band authentication server determines that out-of-band authentication succeeded, the out-of-band identity authentication request response message it returns to the executor contains out-of-band authentication success information; the executor receives that response message and, according to the success information it contains, notifies the user equipment to enter the business system.
The authentication policy module interacts with the authentication and authorization executor: when it determines that the authentication policy it stores in advance includes out-of-band authentication registration information for the user equipment, it notifies the executor to carry out out-of-band authentication of the user equipment;
The out-of-band authentication server receives the out-of-band identity authentication request message, generates out-of-band authentication credential information and sends it to the user equipment; it verifies whether the credential information returned by the user equipment is consistent with the credential information it sent to the user equipment, and if consistent, notifies the user equipment through the executor to enter the business system.
In practice, on determining that out-of-band authentication succeeded, the out-of-band authentication server returns to the executor an out-of-band identity authentication request response message containing out-of-band authentication success information. The structure of the out-of-band authentication server is similar to that of the out-of-band authentication server in Fig. 1a and is not repeated here.
In practice, the user equipment can also complete out-of-band authentication registration through this system, wherein:
The ordinary authentication server interacts with the user equipment and the authentication and authorization executor to carry out ordinary authentication of the user;
The authentication and authorization executor, after determining that the user equipment has passed ordinary authentication, queries the user equipment whether it wishes to register an out-of-band authentication policy; it receives the out-of-band authentication policy registration information sent by the user equipment and sends it to the authentication policy module;
The authentication policy module receives the out-of-band authentication policy registration information and performs out-of-band authentication policy registration for this user equipment.
In this embodiment, the user-equipment measurement engine or the out-of-band authentication server may also be used on its own to complete identity authentication.
Fig. 2 realizes the method flow sketch map of authentication for the present invention, and referring to Fig. 2, this flow process comprises:
Step 201, subscriber equipment sends access request to the Certificate Authority executor;
Step 202; The Certificate Authority executor receives access request, sends common ID authentication request to common authentication server, receives the common authentication of returning and requires information; Send the access request response message to subscriber equipment, carry self authenticating identity information;
In this step, the Certificate Authority executor receives access request, the customer equipment identification that can comprise according to access request; Confirm the authentication strategy to this subscriber equipment, the authentication strategy can be that subscriber equipment is arranged among the Certificate Authority executor, for example in advance; It is 1 that common identity identifier is set; The tolerance authentication is designated 2, and being with outer identity identifier is 3, identifies high authentication and comprises simultaneously identifying low authentication.For instance, if the authentication strategy that subscriber equipment is provided with in advance is designated 3, represent that then subscriber equipment need carry out common authentication, tolerance authentication and the outer authentication of band successively; Also can be that the authentication strategy is arranged in the authentication policy module; Be the necessary flow process of carrying out and give tacit consent to common authentication; After common authentication is passed through; Inquire about the authentication strategy in the authentication policy module by the Certificate Authority executor, whether also need carry out tolerance authentication or the outer authentication of band or tolerance authentication and the outer authentication of band thereby obtain.
In the present embodiment, need carry out common authentication, tolerance authentication and the outer authentication of band successively to subscriber equipment.
The Certificate Authority executor receives access request; After confirming subscriber equipment authentication strategy sign; Send common ID authentication request to common authentication server, receive the common authentication that common authentication server returns and require information, send the access request response message to subscriber equipment; Carry self authenticating identity information, self authenticating identity information digital signature information that can be the Certificate Authority executor generate with self private key.
In the practical application; The identity identifying technology that the Certificate Authority executor supports according to the different application and the subscriber equipment of subscriber equipment; Can adopt the authentication of corresponding dynamic password, the authentication of USB Key digital certificate, biometric identity authentication or IC-card authentication mode, send corresponding authenticating identity information to subscriber equipment.
Step 203, subscriber equipment receives the access request response message, and authentication verification mandate executor's authenticating identity information is passed through like checking, returns common authentication requirement response message to authentication verification mandate executor;
In this step, subscriber equipment receives the access request response message, according to the authenticating identity information of Certificate Authority executor transmission; Adopt corresponding authentication mode; For example, the Certificate Authority executor adopts dynamic password ID authentication to send authenticating identity information, and then subscriber equipment adopts corresponding dynamic password ID authentication technical identification Certificate Authority executor's authenticating identity information; Checking flow process and existing procedure are similar, repeat no more at this.
If subscriber equipment is through the authenticating identity Information Authentication to the Certificate Authority executor; Think that then this Certificate Authority executor is trusty; Subscriber equipment is handled self authenticating identity information; Like password, signing messages, biological characteristic etc., and the authenticating identity information of handling is carried at common authentication requires in the response message; Otherwise, return the common authentication of carrying authentification failure to the Certificate Authority executor and require response message.
Step 204, the Certificate Authority executor receives common identity and requires response message, and the subscriber equipment authenticating identity information that will comprise is sent to common authentication server;
Step 205, common authentication server receive subscriber equipment authenticating identity information, carry out authentication, return subscriber equipment authenticating identity response message to the Certificate Authority executor;
In this step, common authentication server receives subscriber equipment authenticating identity information, and the flow process and the existing flow for authenticating ID of carrying out authentication are similar, repeat no more at this.
If authentication is passed through, then in the subscriber equipment authenticating identity response message of returning, carry the authenticating identity successful information, otherwise, in the subscriber equipment authenticating identity response message of returning, carry the authenticating identity failure information, the authentication request of refusing user's equipment.
Step 206, the Certificate Authority executor receives subscriber equipment authenticating identity response message, and the authentication that determines one's identity is passed through, and sends tolerance authentication request information;
In this step,, in present embodiment, need successively subscriber equipment to be measured authentication and the outer authentication of band again, send tolerance authentication request information to subscriber equipment tolerance engine if the Certificate Authority executor has confirmed subscriber equipment authentication strategy sign.
If user's authentication policy store in the authentication policy module, is then sent tolerance authentication challenge solicited message, execution in step 206a~step 206b (not shown) to the authentication policy module.
Step 206a, the authentication policy module receives tolerance authentication challenge solicited message, and the authentication strategy of inquiry storage returns tolerance authentication challenge request response message to the Certificate Authority executor;
In this step; The authentication policy module receives tolerance authentication challenge solicited message; According to the authentication strategy that inquiry obtains, determining whether needs to carry out further authentication, as not needing; Return tolerance authentication challenge request response message to the Certificate Authority executor, notifying user equipment can get into operation system; If desired, return tolerance authentication challenge request response message to the Certificate Authority executor, indication Certificate Authority executor carries out follow-up authentication.
In the practical application; If the authentication policy module inquires the user need carry out the tolerance authentication with the outer authentication of band the time; Can be that subscriber equipment authentication strategy sign is carried in the tolerance authentication challenge request response message; In follow-up when the tolerance authentication through the time, no longer send the outer authentication query requests information of band, but directly outer authentication is with in execution to the authentication policy module; Certainly, in the practical application, also can be when follow-up metrics authentication is passed through, authentication query requests information outside band is sent in the authentication policy module is obtained the information whether user need carry out the outer authentication of band again.
Step 206b, the authentication policy module receives tolerance authentication challenge request response message, confirms to measure authentication, sends tolerance authentication request information;
In this step, do not need reauthentication information if comprise in the tolerance authentication challenge request response message that receives, notifying user equipment can get into operation system; Otherwise,,, send tolerance authentication request information to subscriber equipment tolerance engine like subscriber equipment authentication strategy sign according to the indication information that comprises in the tolerance authentication challenge request response message.
Step 207, subscriber equipment tolerance engine receives tolerance authentication request information, carries out the tolerance authentication to subscriber equipment, returns tolerance authentication request response message to the Certificate Authority executor;
In this step, subscriber equipment tolerance engine receives tolerance authentication request information, obtains the tolerance authentication information of this subscriber equipment; This tolerance authentication information is measured processing, for example, to the processing of tolerance authentication information complete property; Form metric, to carry out matching ratio right with the metric of user's registration of storage in advance, if matching ratio is to unanimity; Then return tolerance authentication request response message, carry the binding successful information to the Certificate Authority executor; If matching ratio to inconsistent, then returns tolerance authentication request response message to the Certificate Authority executor, carry Bind Failed information or registration information.
Subscriber equipment tolerance engine receives tolerance authentication request information, when carrying out the tolerance authentication to subscriber equipment, can be the tolerance authentication information of initiatively collecting subscriber equipment; Also can be that subscriber equipment tolerance engine monitors after subscriber equipment powers on, initiatively collect the tolerance authentication information of subscriber equipment and store.Preferably, the tolerance authentication information of collecting subscriber equipment adopts nonstandard protocol, like this, increases the difficulty that the assailant knows that subscriber equipment tolerance engine is collected the time of origin of metric behavior.
The tolerance authentication information of subscriber equipment includes but not limited to: geographical location information, subscriber equipment name information or the user behavior information at network interface card information, operation system information, browser information, place, IP address, or combination in any.
If matching ratio to unanimity, for example carries out integrality with the network interface card information of collecting, operation system information, browser information etc. and calculates, obtain integrity value; To make matching ratio right with the integrity value of registering in the database, if consistent, subscriber equipment identity and subscriber equipment bound; Like this, owing to be the subscriber equipment tolerance engine active collection subscriber equipment metric of authentication service side, for an assailant; Can't stop or forge the authentication service side collects the metric of subscriber equipment; Thereby, strengthened the fail safe of subscriber equipment authentication, can effectively stop replay attack, man-in-the-middle attack etc.
Specifically; After user's common authentication is accomplished; According to subscriber equipment authentication strategy; Subscriber equipment tolerance engine by the authentication side initiatively initiates the tolerance authentication information of subscriber equipment is collected, and the assailant is difficult to confirm to collect the time of origin (only if server of control service for checking credentials side) of tolerance authentication information behavior; And the tolerance authentication information of collecting subscriber equipment adopts nonstandard protocol, has also increased the assailant and has known the difficulty that subscriber equipment tolerance engine is collected the time of origin of measuring the authentication information behavior.
Step 208: the Certificate Authority executor receives the measurement authentication request response message and, if it determines that out-of-band authentication is required, sends an out-of-band identity authentication request to the out-of-band authentication server.
In this step, if the measurement authentication request response message carries binding-success information, the Certificate Authority executor determines, based on the fixed user equipment authentication strategy or on the user's out-of-band authentication strategy obtained by querying the authentication policy server, whether further authentication is needed. If it determines that the user equipment needs no further authentication, it notifies the user equipment that it may enter the business system; if it determines that the user equipment needs further authentication, it sends an out-of-band identity authentication request to the out-of-band authentication server.
If the measurement authentication request response message carries binding-failure information or re-registration information, the Certificate Authority executor notifies the user equipment that the binding failed or that it must register again, and refuses the user equipment entry to the business system.
Step 209: the out-of-band authentication server receives the out-of-band identity authentication request, generates out-of-band authentication credential information, and sends it to the user equipment.
In this step, the out-of-band authentication server receives the out-of-band identity authentication request and generates the out-of-band authentication credential information, such as a password, a phone call, a short message or an e-mail, and delivers it to the user through a transmission system, for example the short message system, the telephone or e-mail.
Step 210: the user equipment receives the out-of-band authentication credential information and returns it to the out-of-band authentication server.
In this step, the user equipment receives the out-of-band authentication credential information and sends it back to the out-of-band authentication server over the same transmission system through which it was received, for example the short message system, the telephone or e-mail.
Step 211: the out-of-band authentication server receives the out-of-band authentication credential information and returns an out-of-band identity authentication request response message to the Certificate Authority executor.
In this step, the out-of-band authentication server receives the out-of-band authentication credential information and verifies it against the out-of-band authentication credential information it itself sent to the user. If the two are consistent, the out-of-band authentication passes, and the server returns an out-of-band identity authentication request response message carrying out-of-band authentication success information to the Certificate Authority executor. If no feedback from the user (the out-of-band authentication credential information) is received within the preset time window, or the out-of-band authentication credential information returned by the user is inconsistent with what the server sent to the user, the server returns an out-of-band identity authentication request response message carrying out-of-band authentication failure information or re-registration information to the Certificate Authority executor.
Step 212: the Certificate Authority executor receives the out-of-band identity authentication request response message, confirms that the out-of-band authentication has passed, and notifies the user equipment that it may enter the business system.
In this step, if the returned out-of-band identity authentication request response message contains out-of-band authentication failure information or re-registration information, the Certificate Authority executor notifies the user equipment that the out-of-band authentication failed or that it must register again, and refuses the user equipment entry to the business system.
This ends the flow.
Fig. 3 is a schematic flow chart of authentication strategy registration according to the present invention. Referring to Fig. 3, the flow comprises:
Step 301: the user equipment (the visiting user) requests access from the Certificate Authority executor and requires the Certificate Authority executor to perform trusted identity authentication.
Step 302: the Certificate Authority executor requests the common authentication server to authenticate the visiting user; the common authentication server returns the corresponding authentication requirement to the visiting user via the user equipment; at the same time the Certificate Authority executor generates its own identity trust information and returns it to the visiting user.
In this step, the authentication requirement may be dynamic password identity authentication information, USB Key digital certificate authentication information, biometric identity authentication information or IC card authentication information.
The identity trust information is signature information generated by the Certificate Authority executor with its own private key.
Step 303: the user equipment receives the information, confirms that the Certificate Authority executor's identity authentication has passed, and sends a common authentication requirement response message to the common authentication server.
In this step, the user equipment receives the access request response message and verifies the Certificate Authority executor's authentication identity information it contains, for example by verifying the received signature information with the Certificate Authority executor's public key.
If the verification passes, showing that the Certificate Authority executor is trustworthy, the user equipment sends a common authentication requirement response message to the common authentication server via the Certificate Authority executor according to the received common authentication requirement information. For example, if the common authentication requirement information requires the user equipment to enter password information, the password information entered at the user equipment is sent to the common authentication server as the common authentication requirement response message.
If the verification fails, the process ends.
Step 304: the common authentication server receives the common authentication requirement response message, performs identity authentication, and returns a user equipment identity authentication response message to the Certificate Authority executor.
This step is similar to step 205.
Step 305: the Certificate Authority executor sends measurement authentication registration information to the user equipment measurement engine.
In this step, the Certificate Authority executor confirms that the user identity authentication has passed and sends measurement authentication registration information to the user equipment measurement engine.
Step 306: the user equipment measurement engine receives the measurement authentication registration information and performs measurement authentication registration for the user equipment.
In this step, the user equipment measurement engine receives the measurement authentication registration information, which triggers active collection of the user equipment's measurement authentication registration information according to the pre-stored metric strategy, such as one of, or any combination of, NIC information, operating system information, browser information, geographical location information of the IP address, user equipment name information and user behavior information. It collects the information corresponding to the pre-stored metric strategy; for example, if the pre-stored metric strategy comprises NIC information and operating system information, the user equipment measurement engine actively collects the NIC information and operating system information of the user equipment.
The user equipment measurement engine performs integrity processing on the actively collected measurement authentication registration information to generate a registration metric value, and stores the registration metric value information.
Step 307: the user equipment measurement engine sends the measurement authentication strategy information of the user equipment to the authentication policy module.
In this step, the user equipment measurement engine writes into the authentication policy module a measurement authentication strategy requiring measurement authentication of the user equipment, for example a requirement that the user equipment must undergo measurement authentication.
Step 308: the authentication policy module receives the measurement authentication strategy information, stores it, and sends measurement authentication registration response information to the Certificate Authority executor.
Step 309: the user equipment measurement engine sends measurement authentication registration response information to the Certificate Authority executor.
In practical application, there is no fixed order between step 307 and step 309.
Step 310: the Certificate Authority executor receives the measurement authentication registration response information sent by the user equipment measurement engine and by the authentication policy module, adds to it an indication of whether an out-of-band authentication strategy is to be registered, and sends it to the user equipment.
Step 311: the user equipment receives the measurement authentication registration response information, learns that measurement authentication has been registered successfully, confirms that an out-of-band authentication strategy is to be registered as well, and sends out-of-band authentication strategy registration information to the Certificate Authority executor.
In this step, the user equipment needs to register the out-of-band authentication strategy and perform the corresponding processing.
Step 312: the Certificate Authority executor forwards the received out-of-band authentication strategy registration information to the authentication policy module.
Step 313: the authentication policy module receives the out-of-band authentication strategy registration information, performs out-of-band authentication strategy registration for this user, and returns out-of-band authentication strategy registration response information to the Certificate Authority executor.
Step 314: the Certificate Authority executor forwards the out-of-band authentication strategy registration response information to the user equipment.
This ends the authentication strategy registration flow.
In practical application, depending on the needs of the user equipment, only a measurement authentication strategy or only an out-of-band authentication strategy may be registered in the authentication policy module, or both a measurement authentication strategy and an out-of-band authentication strategy may be registered together; measurement authentication or out-of-band authentication may also be performed directly.
After registration is completed, subsequent identity authentication of the user equipment can be performed so that it may enter the business system and carry out business operations. It should be noted that if registration and authentication are performed in a single session, common authentication still needs to be performed separately in the registration process and in the authentication process.
Taking as an example the case where the user equipment must interact with both the Certificate Authority executor and the authentication policy module to obtain authentication, the identity authentication of the present invention is described in detail below.
Fig. 4 is a schematic diagram of the specific flow of the identity authentication method of the present invention. Referring to Fig. 4, the flow comprises:
Step 401: the user equipment (the visiting user) requests access from the Certificate Authority executor and requires the Certificate Authority executor to perform trusted identity authentication.
Step 402: the Certificate Authority executor requests the common authentication server to authenticate the visiting user; the common authentication server returns the corresponding authentication requirement to the visiting user via the user equipment; at the same time the Certificate Authority executor generates its own identity trust information and returns it to the visiting user.
In this step, the authentication requirement may be dynamic password identity authentication information, USB Key digital certificate authentication information, biometric identity authentication information or IC card authentication information.
The identity trust information is signature information generated by the Certificate Authority executor with its own private key.
Step 403: the user equipment receives the access request response message, confirms that the Certificate Authority executor's identity authentication has passed, and sends a common authentication requirement response message to the common authentication server.
In this step, the user equipment receives the access request response message and verifies the Certificate Authority executor's authentication identity information it contains, for example by verifying the received signature information with the Certificate Authority executor's public key.
If the verification passes, showing that the Certificate Authority executor is trustworthy, the user equipment sends a common authentication requirement response message to the common authentication server according to the received common authentication requirement information. For example, if the common authentication requirement information requires the user to enter password information, the password information entered by the user is sent to the common authentication server via the user equipment as the common authentication requirement response message.
If the verification fails, the process ends.
Step 404: the common authentication server receives the common authentication requirement response message, performs identity authentication, and returns a user equipment identity authentication response message to the Certificate Authority executor.
This step is similar to step 205.
Step 405: the Certificate Authority executor sends measurement authentication query request information to the authentication policy module.
In this step, the Certificate Authority executor confirms that the ordinary user identity authentication has passed and sends measurement authentication query request information to the authentication policy module.
Step 406: the authentication policy module receives the measurement authentication query request information, queries the stored authentication strategy, and returns a measurement authentication query request response message to the Certificate Authority executor.
In this step, the authentication policy module receives the measurement authentication query request information and queries the authentication strategy it stores. If this user's authentication strategy does not include measurement authentication registration information, it returns a measurement authentication query request response message to the Certificate Authority executor indicating that the user equipment may enter the business system; if it does include measurement authentication registration information, it returns a measurement authentication query request response message notifying the Certificate Authority executor to perform measurement authentication.
Step 407: the Certificate Authority executor receives the measurement authentication query request response message, determines that measurement authentication is to be performed, and sends measurement authentication request information to the user equipment measurement engine.
Step 408: the user equipment measurement engine receives the measurement authentication request information and sends a request for measurement authentication information to the user equipment.
In this step, the user equipment measurement engine sends the corresponding request for measurement authentication information to the user equipment according to the information predefined by the strategy.
Step 409: the user equipment receives the request for measurement authentication information and sends its own corresponding measurement authentication information to the user equipment measurement engine.
Step 410: the user equipment measurement engine receives the measurement authentication information, performs measurement authentication on the user equipment, and returns a measurement authentication request response message to the Certificate Authority executor.
In this step, the user equipment measurement engine performs integrity processing on the obtained metrics of this user equipment to form a metric value and matches it against the pre-stored metric value registered by the user. If the match is consistent, it returns a measurement authentication request response message carrying binding-success information to the Certificate Authority executor; if the match is inconsistent, it returns a measurement authentication request response message carrying binding-failure information or re-registration information to the Certificate Authority executor.
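The registration step 306 and the authentication step 410 (and the earlier discussion of matching the collected NIC, operating system and browser information against a registered integrity value) describe one mechanism: an integrity value computed over the attributes named by the metric strategy, stored at registration and matched at authentication. The following model of that mechanism is an added example, not code from the patent. The attribute names, the SHA-256 canonical-JSON construction of the integrity value, the strategy of NIC plus operating system, and all sample device values are assumptions made for illustration.

```python
"""Model of the user equipment measurement engine's register/authenticate
steps (added example; not code from the patent). Attribute names and
sample values are constructed for illustration."""
import hashlib
import hmac
import json

# Measurement strategy registered for a user: which collected attributes
# the integrity value covers (the text lists NIC, OS, browser, IP location,
# device name and user behaviour information as candidates). Assumption.
DEFAULT_STRATEGY = ("nic", "os")


def integrity_value(measurements, strategy):
    """Canonical serialisation of the selected attributes, then SHA-256.

    Sorted, compact JSON makes the value independent of the order in
    which the engine happened to collect the attributes.
    """
    missing = [k for k in strategy if k not in measurements]
    if missing:
        raise ValueError("measurement lacks attributes: %s" % missing)
    selected = {k: measurements[k] for k in strategy}
    canonical = json.dumps(selected, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class MeasurementEngine:
    """Stores registered integrity values and answers measurement
    authentication requests with the outcomes named in the text."""

    def __init__(self, strategy=DEFAULT_STRATEGY):
        self.strategy = tuple(strategy)
        self._registered = {}  # user id -> registered integrity value

    def register(self, user_id, measurements):
        """Step 306: compute and store the registration metric value."""
        self._registered[user_id] = integrity_value(measurements, self.strategy)

    def authenticate(self, user_id, measurements):
        """Step 410: recompute the metric value and match it."""
        registered = self._registered.get(user_id)
        if registered is None:
            return "re-register"        # no registered metric for this user
        try:
            current = integrity_value(measurements, self.strategy)
        except ValueError:
            return "binding_failed"     # strategy attributes could not be collected
        # Constant-time comparison so timing does not reveal how much of
        # the value matched.
        if hmac.compare_digest(registered, current):
            return "binding_success"
        return "binding_failed"


# Constructed sample measurements (not real devices).
REGISTERED_DEVICE = {"nic": "00:11:22:33:44:55", "os": "Windows 7 SP1", "browser": "IE 9"}
SAME_DEVICE_NEW_BROWSER = {"nic": "00:11:22:33:44:55", "os": "Windows 7 SP1", "browser": "Firefox 4"}
OTHER_DEVICE = {"nic": "66:77:88:99:aa:bb", "os": "Windows 7 SP1", "browser": "IE 9"}


def demo():
    """Register one device, then authenticate several measurement sets."""
    engine = MeasurementEngine()
    engine.register("alice", REGISTERED_DEVICE)
    return {
        "same_device": engine.authenticate("alice", REGISTERED_DEVICE),
        "browser_changed": engine.authenticate("alice", SAME_DEVICE_NEW_BROWSER),
        "other_device": engine.authenticate("alice", OTHER_DEVICE),
        "unregistered_user": engine.authenticate("bob", OTHER_DEVICE),
        "incomplete": engine.authenticate("alice", {"nic": "00:11:22:33:44:55"}),
    }


if __name__ == "__main__":
    print(demo())
```

Because the strategy here covers only the NIC and operating system, a browser change on the same device still yields binding success, whereas a different NIC or a missing attribute yields binding failure and an unregistered user is told to register; which attributes go into the strategy is exactly the trade-off between false rejections after routine software updates and the strength of the device binding.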
Step 411: the Certificate Authority executor receives the measurement authentication request response message and, if it determines that the message contains binding-success information, sends out-of-band authentication query request information to the authentication policy module.
Step 412: the authentication policy module receives the out-of-band authentication query request information, queries the stored authentication strategy, and returns an out-of-band authentication query request response message to the Certificate Authority executor.
In this step, the authentication policy module receives the out-of-band authentication query request information and queries the authentication strategy it stores. If this user's authentication strategy does not include out-of-band authentication registration information, it returns an out-of-band authentication query request response message to the Certificate Authority executor indicating that the user equipment may enter the business system; if it does include out-of-band authentication registration information, it returns an out-of-band authentication query request response message notifying the Certificate Authority executor to perform out-of-band authentication.
Step 413: the Certificate Authority executor receives the out-of-band authentication query request response message, determines that out-of-band authentication is to be performed, and sends out-of-band identity authentication request information to the out-of-band authentication server.
Step 414: the out-of-band authentication server receives the out-of-band identity authentication request information, generates out-of-band authentication credential information, and sends it to the user equipment.
In this step, the out-of-band authentication server receives the out-of-band identity authentication request and generates the out-of-band authentication credential information, such as a password, a phone call, a short message or an e-mail, and delivers it to the user equipment through a transmission system, for example the short message system, the telephone or e-mail.
In practical application, for the security of message transmission, the network of the transmission system that delivers the out-of-band authentication credential information is different from the network over which identity authentication is carried out.
Step 415: the user equipment receives the out-of-band authentication credential information and returns it to the out-of-band authentication server.
In this step, the user equipment receives the out-of-band authentication credential information and sends it to the out-of-band authentication server over the same transmission system through which the out-of-band authentication credential information was received.
Step 416: the out-of-band authentication server receives the out-of-band authentication credential information and returns an out-of-band identity authentication request response message to the Certificate Authority executor.
In this step, the out-of-band authentication server verifies the received out-of-band authentication credential information against the out-of-band authentication credential information it itself sent to the user. If the two are consistent, the out-of-band authentication passes, and the server returns an out-of-band identity authentication request response message carrying out-of-band authentication success information to the Certificate Authority executor. If no feedback from the user is received within the preset time window, or the information returned by the user is inconsistent with what the server sent to the user, the server returns an out-of-band identity authentication request response message carrying out-of-band authentication failure information or re-registration information to the Certificate Authority executor.
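Steps 414 to 416 (and the identical steps 209 to 211 earlier) specify the out-of-band server's lifecycle for a credential: generate it, deliver it over a transmission network separate from the authentication network, then accept the user's copy only if it arrives within the preset time window and matches. The following model of both sides of that exchange is an added example, not code from the patent or the assignee. The six-digit code format, the 120-second window, the hashed storage of the pending credential, the single-use rule and the sample channel identifier are all assumptions; the "outbox" list stands in for the separate SMS, phone or mail transmission system.

```python
"""Model of the out-of-band authentication server (steps 414 to 416):
issue a credential over a separate channel, then verify what the user
returns within a time window (added example; not code from the patent).
Code format, window length and channel identifiers are assumptions."""
import hashlib
import hmac
import secrets

WINDOW_SECONDS = 120  # preset time window from the text; the length is an assumption


class OutOfBandServer:
    def __init__(self, window=WINDOW_SECONDS, rng=None):
        self.window = window
        self._rng = rng or secrets.SystemRandom()   # CSPRNG for the credential
        self._channels = {}   # user id -> registered out-of-band channel
        self._pending = {}    # user id -> (sha256 of credential, issued_at)
        self.outbox = []      # simulated transmission system (SMS/phone/mail)

    def register_channel(self, user_id, channel):
        """Out-of-band strategy registration: where to deliver the credential."""
        self._channels[user_id] = channel

    def issue(self, user_id, now):
        """Step 414: generate the credential and hand it to the separate channel.

        Returns "re-register" when no channel is registered, which is the
        re-registration outcome the text carries back to the executor.
        """
        channel = self._channels.get(user_id)
        if channel is None:
            return "re-register"
        code = "%06d" % self._rng.randrange(10 ** 6)
        # Keep only a hash so a read of server state does not expose a
        # live credential.
        self._pending[user_id] = (hashlib.sha256(code.encode()).hexdigest(), now)
        self.outbox.append((channel, code))   # travels over the other network
        return "sent"

    def verify(self, user_id, returned_code, now):
        """Step 416: compare the returned credential with the issued one."""
        # Single use whatever the outcome: a credential cannot be replayed,
        # and a wrong guess forces a fresh issue instead of a retry.
        entry = self._pending.pop(user_id, None)
        if entry is None:
            return "oob_failed"
        digest, issued_at = entry
        if now - issued_at > self.window:
            return "oob_failed"                     # no timely feedback
        returned_digest = hashlib.sha256(returned_code.encode()).hexdigest()
        if hmac.compare_digest(digest, returned_digest):
            return "oob_success"
        return "oob_failed"


def demo():
    """Exercise the exchange with a simulated clock (seconds)."""
    srv = OutOfBandServer()
    srv.register_channel("alice", "sms:+00-000-0000")   # constructed channel id
    results = {}
    results["no_channel"] = srv.issue("bob", now=0)
    srv.issue("alice", now=0)
    _, code = srv.outbox[-1]                             # user reads the SMS
    results["fresh"] = srv.verify("alice", code, now=30)
    results["replay"] = srv.verify("alice", code, now=31)
    srv.issue("alice", now=100)
    _, code = srv.outbox[-1]
    results["expired"] = srv.verify("alice", code, now=100 + WINDOW_SECONDS + 1)
    srv.issue("alice", now=500)
    _, code = srv.outbox[-1]
    wrong = "000000" if code != "000000" else "111111"
    results["wrong"] = srv.verify("alice", wrong, now=510)
    return results


if __name__ == "__main__":
    print(demo())
```

The separation the text insists on (credential delivered over a network other than the one used for authentication) is what defeats a man-in-the-middle or connection hijacker who controls only the in-band session: the model makes the point visible by never returning the code to the in-band caller of `issue`, only to the outbox.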
Step 417: the Certificate Authority executor receives the out-of-band identity authentication request response message, confirms that the out-of-band authentication has passed, and notifies the user equipment that it may enter the business system.
In this step, if the returned out-of-band identity authentication request response message contains out-of-band authentication failure information or re-registration information, the Certificate Authority executor notifies the user equipment that the out-of-band authentication failed or that it must register again, and refuses the user equipment entry to the business system.
Step 418: the user equipment enters the business system and carries out business operations, and the business system returns the corresponding business operation result to the user equipment.
This ends the flow.
As can be seen from the above embodiments, the method and system for realizing identity authentication provided by the invention work as follows. On the basis of existing common identity authentication technology, the Certificate Authority executor sends measurement authentication request information to the user equipment measurement engine; the user equipment measurement engine obtains the measurement authentication information of the user equipment through interaction with the user equipment, performs integrity processing on the obtained metrics to form a metric value, and matches it against the pre-stored registered user equipment metric value; if the match is consistent, the Certificate Authority executor notifies the user equipment to enter the business system. By adding measurement authentication of the user equipment, the user identity is bound to the user equipment the user uses, most attacks launched against identity authentication on the network are blocked, and the attacker's difficulty is increased.
Alternatively, on the basis of existing common identity authentication technology, the Certificate Authority executor sends out-of-band identity authentication request information to the out-of-band authentication server; the out-of-band authentication server generates out-of-band authentication credential information, sends it to the user equipment, and verifies whether the out-of-band authentication credential information returned by the user equipment is consistent with the out-of-band authentication credential information it itself sent to the user equipment; if consistent, the Certificate Authority executor notifies the user equipment to enter the business system. This blocks attacks on the user identity on the network and solves problems such as man-in-the-middle attacks and connection hijacking attacks.
Alternatively, on the basis of existing common identity authentication technology, measurement authentication of the user equipment binds the user identity to the user equipment the user uses and blocks most attacks launched against identity authentication on the network, and out-of-band authentication is further added to block attacks on the user identity on the network, thereby improving the security of identity authentication, safeguarding the interests of legitimate users, and fundamentally solving problems such as man-in-the-middle attacks and connection hijacking attacks.
Moreover, the method and system of identity authentication provided by the invention are compatible with the various existing identity authentication systems, do not require excessive modification of the original authentication system during implementation, and can greatly improve the security of the identity authentication system. In addition, the system has low input cost, is easy to manage and maintain and easy for users to use, and the security level can be improved step by step according to the actual security requirements of each stage; it can be applied to a variety of requirements and is particularly suitable for scenarios that require strong authentication of user identity, such as online banking, mobile banking and access to valuable resources.
The above preferred embodiments further explain the objects, technical solutions and advantages of the invention. It should be understood that the above are merely preferred embodiments of the invention and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (8)

1. An out-of-band authentication server for realizing identity authentication, characterized in that the out-of-band authentication server comprises: an information receiving module, an information processing module, an out-of-band authentication credential information storage module, an out-of-band authentication credential information comparing module and an information sending module, wherein
the information receiving module is used to receive out-of-band identity authentication request information from the Certificate Authority executor and out-of-band authentication credential information returned by the user equipment, and to send them to the information processing module, the out-of-band authentication credential information comprising one of a password, a phone call, a short message and an e-mail;
the information processing module is used to generate out-of-band authentication credential information according to the received out-of-band identity authentication request information and send it to the out-of-band authentication credential information storage module and the information sending module, and to receive the out-of-band authentication credential information returned by the user equipment and passed on by the information receiving module and send it to the out-of-band authentication credential information comparing module;
the out-of-band authentication credential information storage module is used to store the out-of-band authentication credential information generated by the information processing module;
the out-of-band authentication credential information comparing module is used to receive the out-of-band authentication credential information from the information processing module, verify whether it is consistent with the out-of-band authentication credential information stored by the out-of-band authentication credential information storage module, and, if consistent, send to the information sending module an out-of-band identity authentication request response message containing out-of-band authentication success information;
the information sending module is used to send the received out-of-band identity authentication request response message and the out-of-band authentication credential information.
2. A system for realizing identity authentication, characterized in that the system comprises: a Certificate Authority executor, an out-of-band authentication server and an authentication policy module, wherein
the Certificate Authority executor is used to send out-of-band identity authentication request information to the out-of-band authentication server when it has determined that the user equipment has passed common authentication and learns that the user equipment needs to perform out-of-band authentication, and, if it determines that the out-of-band authentication succeeded, to notify the user equipment to enter the business system;
the out-of-band authentication server is used to receive the out-of-band identity authentication request information, generate out-of-band authentication credential information and send it to the user equipment, verify whether the out-of-band authentication credential information returned by the user equipment is consistent with the out-of-band authentication credential information it itself sent to the user equipment, and, if consistent, notify the user equipment through the Certificate Authority executor to enter the business system, the out-of-band authentication credential information comprising one of a password, a phone call, a short message and an e-mail;
the authentication policy module is used to interact with the Certificate Authority executor and, upon determining that the authentication strategy it stores in advance contains out-of-band authentication registration information for the user equipment, notify the Certificate Authority executor to perform out-of-band authentication of the user equipment.
3. The system of claim 2, characterized in that the system further comprises a user equipment measurement engine, used to obtain the measurement authentication information of the user equipment through interaction with the user equipment according to measurement authentication request information sent by the Certificate Authority executor; perform measurement processing on the obtained measurement authentication information to form a metric value; match the metric value against the pre-stored registered user equipment metric value; and, if the match is consistent, determine through interaction with the Certificate Authority executor and the authentication policy module whether the user equipment performs out-of-band authentication, the measurement authentication information comprising, for each user equipment, the corresponding NIC information, operating system information, browser information, geographical location information of the IP address, user equipment name information and user behavior information.
4. The system of claim 3, characterized in that the out-of-band authentication server comprises: an information receiving module, an information processing module, an out-of-band authentication credential information storage module, an out-of-band authentication credential information comparing module and an information sending module, wherein
the information receiving module is used to receive out-of-band identity authentication request information from the Certificate Authority executor and out-of-band authentication credential information returned by the user equipment, and to send them to the information processing module;
the information processing module is used to generate out-of-band authentication credential information according to the received out-of-band identity authentication request information and send it to the out-of-band authentication credential information storage module and the information sending module, and to receive the out-of-band authentication credential information returned by the user equipment and passed on by the information receiving module and send it to the out-of-band authentication credential information comparing module;
the out-of-band authentication credential information storage module is used to store the out-of-band authentication credential information generated by the information processing module;
the out-of-band authentication credential information comparing module is used to receive the out-of-band authentication credential information from the information processing module, verify whether it is consistent with the out-of-band authentication credential information stored by the out-of-band authentication credential information storage module, and, if consistent, send to the information sending module an out-of-band identity authentication request response message containing out-of-band authentication success information;
the information sending module is used to send the received out-of-band authentication credential information to the user equipment and to send the received out-of-band identity authentication request response message to the Certificate Authority executor.
5. The system of claim 3, characterized in that the system further comprises a common authentication server, used to interact with the user equipment and the Certificate Authority executor and to perform common authentication of the user.
6. The system of claim 3, characterized in that the user equipment measurement engine comprises: a metric collection module and a metric verification module, wherein
the metric collection module is used to collect the measurement authentication information of the user equipment according to the pre-stored metric strategy and the received measurement authentication request information;
the metric verification module is used to perform measurement processing on the measurement authentication information of the user equipment, match the metric value formed after processing against the pre-stored registered user equipment metric value of the user equipment, and, if the match is consistent, notify that the user equipment has passed authentication.
7. A method for realizing identity authentication, characterized in that the method comprises:
after determining that the user equipment has passed common authentication, when the Certificate Authority executor learns from the authentication policy module that the user equipment needs to perform out-of-band authentication, sending out-of-band identity authentication request information to the out-of-band authentication server;
Be with outer authentication server to receive the outer ID authentication request information of band; Generate the outer authentication credential information of band; Be sent to subscriber equipment, whether the outer authentication credential information of the band that verifying user equipment returns is consistent with the outer authentication credential information of the band that self generates, if consistent; Then get into operation system through Certificate Authority executor notifying user equipment, the outer authentication credential information of said band comprises password, phone, short message and mail one time.
8. method as claimed in claim 7 is characterized in that, sends the outer authentication credential information of said band to said subscriber equipment through short-message system, phone or lettergram mode.
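The flow the claims describe, as an added example that is not code from the patent: a Python simulation of the device-metric check in claims 3 and 6 and the out-of-band credential exchange in claims 4 and 7, with the common-authentication and policy decisions passed in as inputs. The module names, the metric field names, the six-digit one-time credential and the sample device record are assumptions.

```python
# Added example (not the patent's own code): device-metric check (claims 3, 6)
# followed by the out-of-band one-time credential exchange (claims 4, 7).
import hashlib
import hmac
import secrets

# Assumed metric fields, mirroring the categories listed in claim 3.
METRIC_FIELDS = ("nic", "os", "browser", "ip", "geo", "device_name", "behavior")

def form_metric(info: dict) -> str:
    """Metric verification module: reduce the collected device info to one digest."""
    canonical = "|".join(f"{k}={info.get(k, '')}" for k in METRIC_FIELDS)
    return hashlib.sha256(canonical.encode()).hexdigest()

def metric_matches(collected: dict, registered_metric: str) -> bool:
    """Compare the freshly formed metric with the registered one (constant time)."""
    return hmac.compare_digest(form_metric(collected), registered_metric)

class OutOfBandAuthServer:
    """Generates, stores and compares the out-of-band credential (claim 4)."""
    def __init__(self):
        self._store = {}  # storage module: user -> generated one-time credential

    def issue_credential(self, user: str) -> str:
        """Message processing module: generate a one-time credential and store it."""
        cred = f"{secrets.randbelow(10**6):06d}"  # assumed 6-digit one-time password
        self._store[user] = cred
        return cred  # the information sending module delivers this by SMS/phone/mail

    def verify(self, user: str, returned: str) -> bool:
        """Comparing module: the stored credential is consumed whether or not it matches."""
        expected = self._store.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, returned)

def authenticate(user, common_auth_ok, policy_requires_oob,
                 collected, registered_metric, oob, user_channel):
    """Authorization executor: common auth -> device metric -> optional out-of-band step."""
    if not common_auth_ok:
        return "common-auth-failed"
    if not metric_matches(collected, registered_metric):
        return "device-metric-mismatch"
    if not policy_requires_oob:           # authentication policy module decision
        return "authenticated"
    cred = oob.issue_credential(user)
    returned = user_channel(cred)          # constructed stand-in for the out-of-band channel
    return "authenticated" if oob.verify(user, returned) else "oob-failed"
```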
CN2010105072489A 2008-10-23 2008-10-23 Device, system and method for realizing identity authentication Expired - Fee Related CN101951321B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010105072489A CN101951321B (en) 2008-10-23 2008-10-23 Device, system and method for realizing identity authentication

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN2008102248379A Division CN101374050B (en) 2008-10-23 2008-10-23 Apparatus, system and method for implementing identification authentication

Publications (2)

Publication Number Publication Date
CN101951321A CN101951321A (en) 2011-01-19
CN101951321B true CN101951321B (en) 2012-11-14

Family

ID=43454685

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010105072489A Expired - Fee Related CN101951321B (en) 2008-10-23 2008-10-23 Device, system and method for realizing identity authentication

Country Status (1)

Country Link
CN (1) CN101951321B (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103873445A (en) * 2012-12-17 2014-06-18 钟海燕 Biological recognition authentication-based network access control system and method thereof
CN104219664B (en) * 2013-05-31 2019-04-12 上海评驾科技有限公司 Identity identifying method based on device geographical location coordinate information
CN103888257B (en) * 2013-11-03 2017-01-18 北京工业大学 Network camera identity authentication method based on TPCM
CN104618402A (en) * 2015-03-10 2015-05-13 四川省宁潮科技有限公司 Out-of-band authentication-based virtual desktop cloud connecting method
CN106911627B (en) * 2015-12-22 2019-09-17 中国科学院软件研究所 A kind of true identity method of controlling security and its system based on eID
CN105939520A (en) * 2016-03-18 2016-09-14 李明 Method, device and system for establishing communication connection
CN106453415B (en) * 2016-12-01 2020-09-29 江苏通付盾科技有限公司 Block chain-based equipment authentication method, authentication server and user equipment
GB2562454B (en) * 2017-02-20 2019-05-29 Trustonic Ltd Anonymous attestation
CN107483416A (en) * 2017-07-27 2017-12-15 湖南浩丰文化传播有限公司 The method and device of authentication
CN107749844A (en) * 2017-10-16 2018-03-02 维沃移动通信有限公司 Auth method and mobile terminal
CN108282461B (en) * 2017-12-22 2020-08-14 中国电子科技集团公司第三十研究所 Method for improving EAP protocol supporting biological characteristics
CN109905369B (en) * 2019-01-24 2022-11-04 平安科技(深圳)有限公司 Early warning method and device for employee account number theft and computer readable storage medium
CN112906752A (en) * 2021-01-26 2021-06-04 山西三友和智慧信息技术股份有限公司 User identity authentication method based on browsing history sequence

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101136748A (en) * 2006-08-31 2008-03-05 普天信息技术研究院 Identification authentication method and system
CN101155033A (en) * 2006-09-26 2008-04-02 中兴通讯股份有限公司 Method for confirming client identity

Also Published As

Publication number Publication date
CN101951321A (en) 2011-01-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: CHINA POTEVIO CO., LTD.

Free format text: FORMER OWNER: PUTIAN IT TECH INST CO., LTD.

Effective date: 20130923

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20130923

Address after: 100080, No. two, 2 street, Zhongguancun science and Technology Park, Beijing, Haidian District

Patentee after: CHINA POTEVIO CO.,LTD.

Address before: 100080 Beijing, Haidian, North Street, No. two, No. 6, No.

Patentee before: PETEVIO INSTITUTE OF TECHNOLOGY Co.,Ltd.

ASS Succession or assignment of patent right

Owner name: PUTIAN IT TECH INST CO., LTD.

Free format text: FORMER OWNER: CHINA POTEVIO CO., LTD.

Effective date: 20131202

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20131202

Address after: 100080 Beijing, Haidian, North Street, No. two, No. 6, No.

Patentee after: PETEVIO INSTITUTE OF TECHNOLOGY Co.,Ltd.

Address before: 100080, No. two, 2 street, Zhongguancun science and Technology Park, Beijing, Haidian District

Patentee before: CHINA POTEVIO CO.,LTD.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121114

Termination date: 20211023
