CN102316110A - Authentication method for data terminal to access to server - Google Patents


Info

Publication number: CN102316110A
Authority: CN (China)
Prior art keywords: data, server, security module, data terminal, access
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Application number: CN201110273263A
Other languages: Chinese (zh)
Inventors: 吴荣兴, 黄海峰
Current assignee: FUJIAN SANYUANDA SOFTWARE Co Ltd
Original assignee: FUJIAN SANYUANDA SOFTWARE Co Ltd
Priority date: 2011-09-14 (the priority date is an assumption and is not a legal conclusion)
Filing date: 2011-09-14
Publication date: 2012-01-11
Application filed by FUJIAN SANYUANDA SOFTWARE Co Ltd; priority to CN201110273263A; published as CN102316110A; legal status pending.

Abstract

The invention provides an authentication method for a data terminal accessing a server, comprising the following steps: an access authentication key is implanted into a security module, and the key is bound to the identification (ID) of the security module and stored in the database of the server; the security module is installed in the data terminal, the data terminal connects to the server, and the time point of successful access to the server is recorded; the time point is passed to the access authentication key of the security module for encryption, yielding ciphertext data (DCI); the DCI and the ID of the security module are uploaded to the server; the authentication center of the server decrypts the DCI according to the ID of the security module to obtain plaintext data (DPL); and the server judges the time difference between the DPL and the current time point of the authentication center: if the time difference is within a preset time range, authentication succeeds, and if it exceeds the preset time range, authentication fails. The method has the advantages that little data interaction is needed, operation is not limited by the model of the data terminal, the authentication process is greatly simplified, security is high and the data cannot be cracked easily.

Description

Authentication method for a data terminal accessing a server
[technical field]
The present invention relates to a method for authenticating a data terminal that accesses a server.
[background technology]
The access authentication method commonly used for mobile phone subscribers is as follows: the authentication network element and the SIM card both hold a key Ki (the authentication key Ki, which is the key used for encryption and decryption in the GSM system). The authentication network element generates a random number and sends it to the handset; the handset encrypts this random number with the key Ki inside the SIM card to obtain an expected response XRES, and uploads XRES to the authentication network element; the authentication network element decrypts XRES and judges whether it was formed by encryption with the key Ki, thereby completing access authentication. The shortcoming of this access authentication method in 2G networks is that the random number is generated by the authentication network element and sent to the handset, then encrypted with the key Ki of the SIM card and sent back for the authentication network element to judge its legitimacy; such an authentication flow needs at least 1.5 round trips of data interaction to complete.
[summary of the invention]
The technical problem the present invention solves is to provide an authentication method for a data terminal accessing a server that simplifies the authentication procedure and is secure.
The present invention is realized as an authentication method for a data terminal accessing a server, comprising the following steps:
Step 10: an access authentication key is implanted into a security module, and this access authentication key is bound to the ID of the security module and stored in the server's database;
Step 20: the security module is installed in the data terminal, the data terminal connects to the server, and the time point at which the connection to the server succeeded is recorded;
Step 30: the above time point is fed to the access authentication key of the security module for encryption, yielding the ciphertext data DCI;
Step 40: the ciphertext data DCI and the ID of the security module are uploaded to the server;
Step 50: the authentication center (AUC) of the server decrypts the ciphertext data DCI according to the ID of the security module, obtaining the plaintext data DPL;
Step 60: the server judges the time difference between DPL and the current time point of the AUC; if the time difference is within the preset time range, authentication succeeds; if the time difference exceeds the preset time range, authentication fails.
Further, in step 50, when the AUC decrypts the ciphertext data DCI and obtains the data DPL, if the data DPL is invalid, authentication fails.
Further, the access authentication key of the security module is a 112-bit key for a symmetric encryption algorithm, and the symmetric encryption algorithm used is 3DES (triple Data Encryption Standard).
Further, the data terminal is provided with a first RTC (real-time clock) that keeps running when the terminal is powered down, and the data terminal records the time point of successful connection to the server with this first RTC; the AUC is also provided with a second RTC, and the AUC records with the second RTC the current time point after decrypting DCI to obtain the data DPL.
The present invention has the following advantages:
The present invention exploits the property that the time difference between the data terminal and the server cannot be large, and uses the encryption function specific to the security module to perform the identity check for access authentication. The data interaction of the present invention is small, it is not restricted by the model of the data terminal itself, and it greatly simplifies the authentication procedure. It is secure and not easily cracked: because the time is unique and cannot repeat, the access authentication key is stored inside the security module where key storage is secure, and time is used as the basis of access authentication, the number of attacks possible within one network connection can be effectively limited during this period, preventing malicious attacks.
[description of drawings]
The present invention is further described below with reference to the accompanying drawings and an embodiment.
Fig. 1 is a schematic diagram of the method by which a key is implanted into the security module of the present invention.
Fig. 2 is a schematic diagram of the method by which the key of the security module of the present invention is deactivated.
Fig. 3 is a schematic flow chart of access authentication between the data terminal and the server of the present invention.
[embodiment]
Embodiments of the present invention are explained in detail with reference to Fig. 1 to Fig. 3.
The authentication method for a data terminal accessing a server of the present invention involves several data terminals connected through a GPRS network, a server, security module key implantation software, and security module deactivation software. Each data terminal is fitted with a security module; the server is provided with an AUC; the access authentication key Ki is implanted into the security module by the security module key implantation software, and is deactivated by the security module deactivation software.
As in Fig. 1, an access authentication key is first generated at random, then this access authentication key is bound to the ID of the current security module and stored in the server's database, and then, in a secure environment, the access authentication key is implanted into the security module; implantation is then complete. As in Fig. 2, the ID of the security module is first read, then the binding between the security module ID and the access authentication key is removed, the access authentication data and security module ID are deleted from the server database, and the deactivation operation is carried out on the security module; deactivation is then complete.
Once the access authentication key has been implanted into the security module with authorization, and the access authentication key has been bound to the ID of the security module and stored in the server's database, the security module is installed in the data terminal. Access authentication between the server and the data terminal is then carried out.
With reference to Fig. 3: the data terminal connects to the server and records the time point at which the connection succeeded; this time point is fed to the access authentication key of the security module for encryption, yielding the ciphertext data DCI; the ciphertext data DCI and the ID of the security module are uploaded to the server; the AUC of the server decrypts DCI according to the security module ID and obtains the data DPL. If DPL is invalid, authentication fails and the AUC actively disconnects the network connection. If DPL is valid, the server judges the time difference between DPL and the AUC's current time point: if the time difference is within the preset time range, authentication succeeds, and the AUC keeps the network connection and hands the data communication link over to the server; if the time difference exceeds the preset time range, authentication fails, and the AUC sends a clock synchronization command to the data terminal and then disconnects the network connection. The preset time range in the present invention is a variable decided by the actual network environment of the deployment: if the network conditions are good the range can be shortened, and if the network conditions are poor the range can be lengthened appropriately; in the present embodiment it is taken as 5 minutes.
In the present embodiment, the access authentication key of the security module is a 112-bit key for a symmetric encryption algorithm, and the symmetric encryption algorithm used is 3DES. The data terminal is provided with a first RTC that keeps running when the terminal is powered down, with which it records the time point of successful connection to the server; the AUC is also provided with a second RTC, with which it records the current time point after decrypting DCI to obtain DPL. If the data terminal receives a clock synchronization command from the AUC, it must synchronize the first RTC to the second RTC and then connect to the server again to perform access authentication.
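The exchange of steps 30 to 60 as an added, runnable example in Go (not code from the patent or its assignee): the terminal side encrypts the recorded connection time with the 112-bit key in two-key 3DES, and the server side decrypts by security-module ID, rejects an implausible DPL, and applies the 5-minute window. The 8-byte timestamp encoding, the plausibility bound behind "DPL invalid", the struct and function names, and the replay cache that refuses the same (ID, DCI) pair twice are assumptions added here; the patent does not specify them.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"errors"
	"time"
)

const Window = 5 * time.Minute // preset tolerance between DPL and the AUC clock (5 min in the embodiment)

// Server models the AUC: key database bound to security-module IDs, the second RTC (Now),
// and a replay cache (an addition here, not part of the patent).
type Server struct {
	Keys map[string][]byte // security-module ID -> 112-bit (16-byte) access authentication key
	Now  func() time.Time
	seen map[string]bool // id + DCI already accepted inside the window
}

// twoKey3DES builds a 3DES cipher from a 112-bit key with the usual K1,K2,K1 expansion.
func twoKey3DES(k16 []byte) (cipher.Block, error) {
	if len(k16) != 16 {
		return nil, errors.New("key must be 112 bits (16 bytes)")
	}
	return des.NewTripleDESCipher(append(append([]byte{}, k16...), k16[:8]...))
}

// TerminalEncrypt is step 30: the security module encrypts the recorded connection time with Ki.
// Plaintext is one 8-byte block holding the Unix time as big-endian uint64 (constructed encoding).
func TerminalEncrypt(k16 []byte, connectTime time.Time) ([]byte, error) {
	blk, err := twoKey3DES(k16)
	if err != nil {
		return nil, err
	}
	pt, dci := make([]byte, des.BlockSize), make([]byte, des.BlockSize)
	binary.BigEndian.PutUint64(pt, uint64(connectTime.Unix()))
	blk.Encrypt(dci, pt)
	return dci, nil
}

// Authenticate is steps 50 and 60: look up Ki by ID, decrypt DCI to DPL, reject an
// invalid DPL, then accept only if |DPL - now| is within Window.
func (s *Server) Authenticate(id string, dci []byte) error {
	k16, ok := s.Keys[id]
	if !ok || len(dci) != des.BlockSize {
		return errors.New("unknown security module ID or malformed DCI")
	}
	blk, err := twoKey3DES(k16)
	if err != nil {
		return err
	}
	dpl := make([]byte, des.BlockSize)
	blk.Decrypt(dpl, dci)
	raw := binary.BigEndian.Uint64(dpl)
	// A wrong key decrypts to a random 64-bit value; anything that is not a plausible epoch time is "DPL invalid" (bound assumed).
	if raw > 1<<40 {
		return errors.New("DPL invalid")
	}
	if diff := s.Now().Sub(time.Unix(int64(raw), 0)); diff > Window || diff < -Window {
		return errors.New("time difference exceeds preset range")
	}
	key := id + "|" + string(dci) // replay check: the same (ID, DCI) must not be accepted twice
	if s.seen[key] {
		return errors.New("DCI replayed")
	}
	if s.seen == nil {
		s.seen = map[string]bool{}
	}
	s.seen[key] = true
	return nil
}
```

The replay cache only needs to hold entries for one Window, since anything older is already rejected by the time check.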
The present invention greatly simplifies the authentication procedure. It is secure and not easily cracked: because the time is unique and cannot repeat, the access authentication key is stored inside the security module where key storage is secure, and time is used as the basis of access authentication, the number of attacks possible within one network connection can be effectively limited during this period, preventing malicious attacks.
The above is merely a preferred embodiment of the present invention and therefore does not limit the scope of its implementation; equivalent changes and modifications made according to the claims and description of the present invention all still fall within the scope covered by the present invention.

Claims (4)

1. An authentication method for a data terminal accessing a server, characterized by comprising the following steps:
Step 10: an access authentication key is implanted into a security module, and this access authentication key is bound to the ID of the security module and stored in the server's database;
Step 20: the security module is installed in the data terminal, the data terminal connects to the server, and the time point at which the connection to the server succeeded is recorded;
Step 30: the above time point is fed to the access authentication key of the security module for encryption, yielding the ciphertext data DCI;
Step 40: the ciphertext data DCI and the ID of the security module are uploaded to the server;
Step 50: the AUC of the server decrypts the ciphertext data DCI according to the ID of the security module, obtaining the data DPL;
Step 60: the server judges the time difference between DPL and the current time point of the AUC; if the time difference is within the preset time range, authentication succeeds; if the time difference exceeds the preset time range, authentication fails.
2. The authentication method for a data terminal accessing a server according to claim 1, characterized in that: in step 50, when the AUC decrypts the ciphertext data DCI and obtains the data DPL, if the data DPL is invalid, authentication fails.
3. The authentication method for a data terminal accessing a server according to claim 1, characterized in that: the access authentication key of the security module is a 112-bit key for a symmetric encryption algorithm, and the symmetric encryption algorithm used is 3DES.
4. The authentication method for a data terminal accessing a server according to claim 1, characterized in that: the data terminal is provided with a first RTC that keeps running when the terminal is powered down, and the data terminal records the time point of successful connection to the server with this first RTC; the AUC is also provided with a second RTC, and the AUC records with the second RTC the current time point after decrypting DCI to obtain the data DPL.
CN201110273263A 2011-09-14 2011-09-14 Authentication method for data terminal to access to server Pending CN102316110A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110273263A CN102316110A (en) 2011-09-14 2011-09-14 Authentication method for data terminal to access to server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110273263A CN102316110A (en) 2011-09-14 2011-09-14 Authentication method for data terminal to access to server

Publications (1)

Publication Number Publication Date
CN102316110A true CN102316110A (en) 2012-01-11

Family

ID=45428926

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110273263A Pending CN102316110A (en) 2011-09-14 2011-09-14 Authentication method for data terminal to access to server

Country Status (1)

Country Link
CN (1) CN102316110A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1929367A (en) * 2005-09-10 2007-03-14 腾讯科技(深圳)有限公司 Game data-transmission method and system
CN101005359A (en) * 2006-01-18 2007-07-25 华为技术有限公司 Method and device for realizing safety communication between terminal devices
CN101350718A (en) * 2008-09-05 2009-01-21 清华大学 Method for protecting play content authority range base on user identification module
CN101420587A (en) * 2008-11-13 2009-04-29 北京中星微电子有限公司 Network video collecting device, network video monitoring system and method
US20090208016A1 (en) * 2008-02-18 2009-08-20 Sungkyunkwan University Foundation For Corporate Collaboration Domain digital rights management system, license sharing method for domain digital rights management system, and license server
CN101729871A (en) * 2009-12-24 2010-06-09 公安部第一研究所 Method for safe cross-domain access to SIP video monitoring system
CN101848084A (en) * 2009-03-25 2010-09-29 黄金富 Method and system for authenticating user computer server ISP identity by using SIM cards

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104283937A (en) * 2013-07-05 2015-01-14 歌乐株式会社 Information distribution system, and server, on-board terminal and communication terminal used therefor
US9853973B2 (en) 2013-07-05 2017-12-26 Clarion Co., Ltd Information distribution system, and server, on-board terminal and communication terminal used therefor
CN104283937B (en) * 2013-07-05 2018-06-15 歌乐株式会社 Information distribution system and the server wherein used, car-mounted terminal, communication terminal
CN103701797A (en) * 2013-12-23 2014-04-02 江苏物联网研究发展中心 Light-weight node and gateway two-way identity authentication method
CN103701797B (en) * 2013-12-23 2017-01-25 江苏物联网研究发展中心 Light-weight node and gateway two-way identity authentication method
CN105917629A (en) * 2014-01-15 2016-08-31 宝马股份公司 Secure network access protection using authenticated time measurement
CN107122678A (en) * 2017-04-28 2017-09-01 上海与德科技有限公司 Protect the method and device of product parameters
CN111262889A (en) * 2020-05-06 2020-06-09 腾讯科技(深圳)有限公司 Authority authentication method, device, equipment and medium for cloud service
CN111262889B (en) * 2020-05-06 2020-09-04 腾讯科技(深圳)有限公司 Authority authentication method, device, equipment and medium for cloud service

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20120111