CN102378170A - Method, device and system of authentication and service calling - Google Patents

Publication number: CN102378170A
Application number: CN2010102659180A (priority to CN201010265918.0A)
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN102378170B (en)
Inventors: 江为强, 左敏
Original assignee: 中国移动通信有限公司
Events: application filed by 中国移动通信有限公司; publication of CN102378170A; application granted; publication of CN102378170B
Abstract

The invention discloses a method, device and system for authentication and service calling, used to implement legitimacy authentication of a client application by the authentication server in a service platform and to improve the security and reliability of the calling mechanism for platform capability APIs (Application Programming Interfaces). The authentication server achieves secure distribution of the clientKey by replacing the test authentication module in the client application with a client authentication module in which a MAC (Media Access Control) fingerprint and the clientKey are preset. When the client application satisfies a trigger condition, the client authentication module first passes an integrity check based on the MAC fingerprint mechanism, then applies to the authentication server for registration using a MAC1 generated from the shared clientKey, and obtains a random authentication factor. When the client application needs to call a platform capability API, it generates a dynamic token from the authentication factor and carries it in the service request; once the dynamic token passes authentication, the platform capability API is allowed to be called.

Description

Authentication and service calling method, device and system

Technical field

The present invention relates to the field of data services, and in particular to an authentication method and device and a service calling method and system.

Background technology

With the vigorous development of third-generation mobile communication systems (3rd Generation, 3G) and mobile Internet services, network operators provide users with ever richer value-added services and also integrate an increasing range of network capability resources for third-party SPs (Service Providers), for example location-based service capability, GIS (Geographic Information System) capability, game service capability, charging capability, IMS (IP Multimedia Subsystem) capability, short message capability, multimedia message capability, search engine capability, cloud computing capability, Presence capability, Widget service capability, instant messaging capability and so on. In general, these network capability resources are offered to users or third-party SPs in the form of a Service (network service) or an API (Application Programming Interface). In this specification such Services and APIs are collectively referred to as platform capability APIs. Most platform capability APIs are offered to the user through a client application deployed on the terminal: before using a service, the user must install the client application associated with that service on the user terminal, for example a location service client application, a game client application, a MobileMarket application, a Widget application, a music player application, a Fetion application and so on. These service forms all differ from the earlier STK (SIM Tool Kit) services and WAP (Wireless Application Protocol) services.

However, deploying a service on the user terminal in the form of a client application carries significant security risks: for example, a platform capability API may be used by an illegitimate user or an illegitimate third-party SP; a platform capability API may be called by a counterfeit client application; an illegitimate third-party SP may provide a counterfeit platform capability API for users to use; and so on. There is therefore an urgent need for an efficient and reliable security protection mechanism to ensure the secure deployment and operation of mobile Internet services based on platform capability APIs.

At present, network operators generally rely on an authentication mechanism based on static token transfer to secure the deployment and operation of mobile Internet services. The authentication system of a mobile Internet service mainly comprises three entities, the client application, the application server and the authentication server, as shown in Figure 1, where:

the client application is installed on the user terminal and can access the authentication server through a specific interface to obtain a token;

the application server processes the service requests of the client application forwarded by the service gateway and provides the service to the client application;

the authentication server stores the user subscription relationships and service subscription status data needed for service authentication, performs service authentication, and provides the client application with the token used by the service according to the authentication result.

The authentication flow of a mobile Internet service, shown in Figure 2, comprises the following steps:

Step 1: the client application sends a service authentication request to the authentication server;

Step 2: the authentication server checks the service subscription status corresponding to the user ID (identifier) that initiated the service authentication request; if the subscription status is valid, it generates a token indicating that this client application may use the service provided by the application server;

the client application must subsequently carry this token whenever it accesses the application server in order to obtain the corresponding service; to keep the token secure, it is generated by the authentication server and protected on the authentication server side;

Step 3: the authentication server returns the generated token to the client application in the authentication result;

Step 4: the client application sends a service request to the application server carrying the token obtained from the authentication server;

Step 5: the application server verifies the token in the service request;

Step 6: after verification passes, the application server provides the service to the client application in the subsequent application session;

Step 7: after receiving a valid token, the application server notifies the authentication server, carrying the token in the notification message, so that the authentication server can determine whether the service has taken place.

The prior-art authentication mechanism based on static token transfer has the following shortcomings:

1. In the token acquisition stage, only the authentication server authenticates the service subscription status corresponding to the user ID; the legitimacy of the client application itself is not authenticated, so a counterfeit client application may initiate illegitimate service requests, for example illegitimate charging requests, leading to malicious subscription events.

2. In the service bearing stage, only the application server authenticates the token carried by the client application; the client application does not authenticate the application server, so a counterfeit application server may provide illegitimate services to the user.

3. The mechanism has poor security: the token obtained by the user terminal is used in all service requests, so once an attacker illegitimately obtains the token its use in illegitimate service requests cannot be prevented.

Summary of the invention

Embodiments of the invention provide an authentication method and device for implementing legitimacy authentication of a client application by the authentication server in a service platform.

Embodiments of the invention also provide a service calling method and system for improving the security and reliability of the platform capability API calling mechanism.

An embodiment of the invention provides an authentication method, comprising:

when a client application downloaded to a user terminal satisfies a trigger condition, the client authentication module in the client application generates a first message authentication code MAC1 according to the client application key clientKey stored locally in the client authentication module and shared with the authentication server; and

sending a registration request carrying the MAC1 to the authentication server, so that the authentication server can perform legitimacy authentication of the client application on the MAC1 carried in the registration request according to the clientKey it shares with the client application.

An embodiment of the invention provides another authentication method, comprising:

the authentication server receives a registration request sent by the client authentication module in a client application, carrying a first message authentication code MAC1 generated according to the client application key clientKey stored locally in the client authentication module and shared with the authentication server;

the authentication server performs legitimacy authentication on the MAC1 carried in the received registration request according to the clientKey it shares with the client authentication module, and if authentication passes it determines that the client application is legitimate.

An embodiment of the invention provides a client application comprising a client authentication module, the client authentication module comprising:

a secure storage unit for storing the client application key clientKey shared with the authentication server;

a generation unit for generating the first message authentication code MAC1 according to the clientKey stored in the secure storage unit when the client application downloaded to the user terminal satisfies a trigger condition;

a control unit for sending a registration request carrying the MAC1 to the authentication server, so that the authentication server can perform legitimacy authentication of the client application on the MAC1 carried in the registration request according to the clientKey it shares with the client application.

An embodiment of the invention provides an authentication server, comprising:

a storage unit for storing the clientKey shared with each client authentication module;

a receiving unit for receiving a registration request sent by the client authentication module of a client application, carrying a first message authentication code MAC1 generated according to the client application key clientKey stored locally in the client authentication module and shared with the authentication server;

an authentication unit for performing legitimacy authentication on the MAC1 carried in the received registration request according to the clientKey shared with the client authentication module, and determining that the client application is legitimate if authentication passes.

An embodiment of the invention provides a service calling method, comprising:

an application programming interface (API) access control module receives a service request sent by a client application, carrying a dynamic token generated according to an authentication factor obtained from the authentication server;

when the API access control module determines, according to the authentication server's authentication result for the dynamic token carried in the service request, that authentication has passed, it allows the API calling module to call the platform capability API.

An embodiment of the invention provides a service calling system comprising a client application, an API access control module and an authentication server, where:

the client application is configured to send a service request carrying a dynamic token generated according to the authentication factor obtained from the authentication server;

the API access control module is configured to receive the service request and, when it determines according to the authentication server's authentication result for the dynamic token carried in the service request that authentication has passed, allow the API calling module to call the platform capability API;

the authentication server is configured to authenticate the dynamic token forwarded by the API access control module.

An embodiment of the invention provides another service calling method, comprising:

an API access control module receives a service request sent by a client application, carrying a valid temporary token obtained from the API access control module;

the API access control module matches the temporary token carried in the service request against the temporary token of that client authentication module stored locally;

if they match, the API calling module is allowed to call the platform capability API.

An embodiment of the invention provides another service calling system comprising a client application and an API access control module, where:

the client application is configured to send a service request carrying a valid temporary token obtained from the API access control module;

the API access control module is configured to receive the service request, match the temporary token carried in it against the temporary token of that client authentication module stored locally, and, if they match, allow the API calling module to call the platform capability API.

The authentication method and device provided by the embodiments of the invention support legitimacy authentication of the client application by the authentication server in the service platform. The prior art only authenticates the user terminal and does not consider the security threat that a counterfeit or tampered client application poses to platform capability APIs; the embodiments of the invention implement legitimacy authentication of the client application by the authentication server based on a MAC1 generated from the shared clientKey.

The service calling method and system provided by the embodiments of the invention solve the security vulnerability of the existing scheme. Under the existing static token mechanism the token obtained by the user terminal is used in all service requests, its use in illegitimate service requests cannot be prevented once an attacker illegitimately obtains it, and it may be subject to replay attack. In the embodiments of the invention, when the client application initiates a service request it generates a dynamic token based on the authentication factor, or obtains a temporary token, and adds it to the service request message, thereby preventing replay attacks and the like.
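The replay weakness of the static token (shortcoming 3 above) and the per-request dynamic token that the embodiments use instead, shown side by side as an added Python example that is not part of the patent. The patent only states that the dynamic token is generated from the authentication factor; the derivation used here (HMAC-SHA256 keyed by the authentication factor over the service ID, a timestamp and a nonce), the 60-second freshness window, the nonce cache keyed by session, and all identifiers and request contents are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time


class StaticTokenScheme:
    """Prior-art flow: one token per subscription check, reused in every request."""

    def __init__(self):
        self.issued = set()

    def authenticate(self, user_id, subscribed):
        # Step 2: only the subscription status behind the user ID is checked;
        # nothing authenticates the client application itself.
        if not subscribed:
            return None
        token = secrets.token_hex(16)
        self.issued.add(token)
        return token

    def verify_service_request(self, request):
        # Step 5: the application server only checks that the token was issued,
        # so a captured request verifies again unchanged.
        return request["token"] in self.issued


class DynamicTokenScheme:
    """Embodiment flow: per-request token derived from a per-terminal authentication factor."""

    def __init__(self, window_seconds=60):
        self.factors = {}         # session_id -> authentication factor (assumed keyed by session)
        self.seen_nonces = set()  # (session_id, nonce) pairs already accepted
        self.window = window_seconds

    def issue_authentication_factor(self, session_id):
        # S406: the factor is random and differs per terminal and per issue.
        factor = secrets.token_bytes(32)
        self.factors[session_id] = factor
        return factor

    @staticmethod
    def dynamic_token(factor, service_id, timestamp, nonce):
        # Assumed derivation: HMAC-SHA256 keyed by the authentication factor.
        msg = f"{service_id}|{timestamp}|{nonce}".encode()
        return hmac.new(factor, msg, hashlib.sha256).hexdigest()

    def verify_service_request(self, request, now=None):
        now = time.time() if now is None else now
        factor = self.factors.get(request["session_id"])
        if factor is None:
            return False                      # unknown session
        if abs(now - request["timestamp"]) > self.window:
            return False                      # stale timestamp
        key = (request["session_id"], request["nonce"])
        if key in self.seen_nonces:
            return False                      # replay of an already accepted request
        expected = self.dynamic_token(factor, request["service_id"],
                                      request["timestamp"], request["nonce"])
        if not hmac.compare_digest(expected, request["token"]):
            return False                      # wrong factor or edited fields
        self.seen_nonces.add(key)
        return True


def demo_static_replay():
    """Returns (first request accepted, identical replay accepted)."""
    scheme = StaticTokenScheme()
    token = scheme.authenticate("user-1", subscribed=True)
    captured = {"service_id": "loc-svc", "token": token}   # constructed request
    return (scheme.verify_service_request(captured),
            scheme.verify_service_request(dict(captured)))


def demo_dynamic_replay():
    """Returns (first request accepted, replay accepted, nonce-edited request accepted)."""
    scheme = DynamicTokenScheme()
    factor = scheme.issue_authentication_factor("sess-1")
    now, nonce = 1_700_000_000.0, secrets.token_hex(8)
    req = {"session_id": "sess-1", "service_id": "loc-svc", "timestamp": now, "nonce": nonce,
           "token": DynamicTokenScheme.dynamic_token(factor, "loc-svc", now, nonce)}
    first = scheme.verify_service_request(req, now=now)
    replayed = scheme.verify_service_request(dict(req), now=now + 5)
    edited = scheme.verify_service_request(dict(req, nonce="edited"), now=now + 5)
    return first, replayed, edited


if __name__ == "__main__":
    print("static token : first=%s replay=%s" % demo_static_replay())
    print("dynamic token: first=%s replay=%s edited=%s" % demo_dynamic_replay())
```

The static scheme accepts the captured request a second time because the token is the only thing checked. The dynamic scheme rejects the replay on the nonce cache and rejects the edited request on the HMAC, and the timestamp window bounds how long the nonce cache must remember each accepted request; in a deployment the authentication server, which the patent makes responsible for authenticating the dynamic token, would hold the factors and the cache.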

Other features and advantages of the invention will be set forth in the following specification, will in part become obvious from it, or may be learned by practicing the invention. The objectives and other advantages of the invention can be realized and obtained through the structures particularly pointed out in the written specification, the claims and the accompanying drawings.

Description of drawings

Fig. 1 is a block diagram of the authentication system for mobile Internet services in the prior art;

Fig. 2 is a flowchart of the authentication flow for mobile Internet services in the prior art;

Fig. 3 is an architecture diagram of the service platform and client application system in embodiment one;

Fig. 4 is a flowchart of the authentication method, namely the registration flow of the client application, in embodiment two;

Fig. 5 is a block diagram of the client authentication module in embodiment two;

Fig. 6 is a block diagram of the authentication server in embodiment two;

Fig. 7 is a flowchart of the service calling method in embodiment three;

Fig. 8 is a flowchart of the temporary token acquisition stage in embodiment four;

Fig. 9 is a flowchart of the secure service request stage in embodiment four.

Embodiment

The embodiments of the invention are based on a registration mechanism and a dynamic token mechanism for client applications, and propose a platform capability API protection mechanism that provides bidirectional authentication and can authenticate the user terminal, the client application and the service platform. To prevent a developer or third-party SP from illegitimately abusing or reusing the client application key (referred to as clientKey in this specification) in an illegitimate client application, once the client application has passed test audit the service platform stores the clientKey securely in the client authentication module of the client application and binds the client authentication module to that client application through an integrity protection scheme based on a MAC fingerprint of the client application, so that the clientKey remains unknown to the developer. At the same time, the test authentication module in the client application submitted by the developer is replaced with the client authentication module, or a pre-specified file in the test authentication module is replaced with a file in which the MAC fingerprint and the clientKey (client application key) are preset, yielding the client authentication module; this achieves secure distribution of the clientKey. A client application downloaded to a user terminal first goes through the registration mechanism, which, based on the user ID (identifier) and the client application key clientKey, achieves authentication of the user terminal by the authentication server in the service platform and bidirectional authentication between the client application and the service platform, obtains a corresponding session ID, and then obtains an authentication factor. Before calling a platform capability API, the client application generates a dynamic token from the authentication factor and adds it to the service request for the platform capability API, thereby protecting access to the platform capability API. The embodiments of the invention also provide an efficient platform capability API calling mechanism based on a dynamically updated, reusable token mechanism.

Preferred embodiments of the invention are described below with reference to the drawings. It should be understood that the preferred embodiments described here are only used to illustrate and explain the invention and are not intended to limit it, and that, where no conflict arises, the embodiments and the features in the embodiments may be combined with one another.

Embodiment one

First, the system architecture involved in the embodiments of the invention is introduced; as shown in Figure 3 it comprises:

the platform capability APIs, which are divided into "runtime environment platform capability APIs", mainly used by the user terminal during service operation, and "development environment platform capability APIs", mainly used by developers and the network operator during development and testing and mainly called for testing within the development environment SDK;

the authentication server, which stores the identity information of user terminals and client applications and provides secure identity information and dynamic tokens for the operation phase;

the API access control module, implemented in the capability exposure engine of the service platform, which performs legitimacy authentication of client applications in order to protect the security of platform capability APIs and prevent them from being called illegitimately or beyond their authorization;

the client authentication module, which encapsulates all functions of the client application that interact with platform capability API authentication; it includes a secure storage unit mainly used for the secure storage of sensitive information such as the relevant keys, the authentication factor and dynamic tokens; the secure storage may be based on software security hardening techniques, or on hardware techniques such as keeping the sensitive information in an encrypted smart card;

the API calling module, used to call platform capability APIs (for example a location-based service API);

the service gateway, which in this specification is used to provide identity information such as the user ID to other network entities; for example, a WAP gateway can provide the MSISDN based on a RADIUS module in order to identify the user.

Among these, the platform capability APIs, the API access control module, the authentication server and the service gateway are network entities in the service platform, while the client authentication module and the API calling module are functional modules in the client application.

Because the client application embeds the important client authentication module and API calling module, its own security protection is very important, and the main security hardening measures may include the following:

Integrity protection: the client application implements integrity protection through a software self-integrity detection method based on the MAC fingerprint mechanism (to protect the modules other than the "client authentication module" from being illegitimately modified or replaced) and through code obfuscation (to prevent the whole client application from being reverse engineered); the code obfuscation mechanism can be completed automatically by the compile and link environment in the SDK;

Sensitive information confidentiality: the client application protects the confidentiality of sensitive information through mechanisms such as code obfuscation, anti-static-disassembly analysis, anti-dynamic tracing, security algorithm transformation and sensitive information transformation, protecting the secret information involved in the capability API authentication mechanism (such as the clientKey, the authentication factor and the temporary token);

Local API protection: the client application can secure the calls between its different components through mechanisms such as input/output entry relaying, security algorithm transformation and sensitive information transformation;

Security capability update mechanism: when it is detected that a client application has been attacked, the security components in the terminal application can be updated through the security capability update mechanism, or the attacked terminal can be promptly barred from accessing platform capability APIs through the platform security policy, so as to ensure that platform capability APIs are used legitimately.

Embodiment two

To achieve legitimacy authentication of the client application by the authentication server (the authentication server is part of the service platform), the embodiments of the invention propose an authentication method based on the client application registration mechanism. It implements legitimacy authentication of the user terminal by the service platform and bidirectional authentication between the client application and the service platform, and at the same time lets the client application obtain the authentication factor, providing the basis for subsequent platform capability API calls.

First, the development and testing stage of the client application is introduced.

The SDK environment includes a "test authentication module" for development and testing. The developer develops and tests the client application based on the "test authentication module", which is included in the client application. The test process requires the support of the development environment platform capability APIs.

Next, the launch stage of the client application is introduced.

After the developer submits the client application completed in the SDK environment to the service platform, the service platform tests the client application strictly to ensure that it meets the security policy requirements and contains no built-in malicious code, illegitimate charging code or the like.

At the same time, the authentication server in the service platform independently generates the client authentication module used at runtime for this client application: it determines the MAC fingerprint of the functional modules in the client application other than the client authentication module (generally key modules whose information does not change) and stores it securely in the client authentication module, so that the user terminal can perform a local integrity check while using the client application. The MAC fingerprint may be determined by any of several computation methods known in the art, for example an HMAC value or a hash value; the secure storage may use means such as encrypted storage, code obfuscation or encryption algorithm transformation. The MAC fingerprint binds the client authentication module to this client application and prevents the client authentication module from being used illegitimately by another client application.

The client authentication module in each client application shares a client application key clientKey with the authentication server, and each client application has one or more clientKeys. In the stage where the user terminal uses the client application, the service platform authenticates the legitimacy of the client application based on the clientKey. To prevent a developer or third-party SP from illegitimately abusing or reusing this clientKey in an illegitimate client application, after the client application passes test audit the authentication server in the service platform stores the clientKey securely in the newly created client authentication module. Because the clientKey is stored securely in the client authentication module, it is unknown to anyone (including the developer) other than the authentication server.

After the MAC fingerprint and the clientKey have been securely stored in the client authentication module (it should be noted that there is no special requirement on the order in which they are stored), the authentication server replaces the test authentication module used by the developer during development and testing with it (all test authentication modules used for development and testing may use the same test clientKey). By replacing the client authentication module in this way, the authentication server achieves secure distribution of the clientKey. Alternatively, the authentication server may replace a pre-specified file in the test authentication module with a file in which the MAC fingerprint and the client application key clientKey are preset, achieving secure distribution of the clientKey without having to replace the whole test authentication module to turn it into the client authentication module.

Building on the development and testing stage and the launch stage, the runtime registration stage of the client application is now described in detail.

After the user downloads to client application on the user terminal; Need to install and operation; If client application is moved for the first time or user terminal is changed user smart card (for example SIM, usim card), perhaps preassigned parameter is expired; Then client application need be carried out following register flow path and realize authentication, and is as shown in Figure 4, comprises the steps:

S401~S402, client authentication module carry out after the local integrity detection (confirming the MAC fingerprint again and mating with the MAC fingerprint that is stored securely in the client authentication module to client application; And coupling is consistent); Send register requirement to authentication server, comprise in the login request message: traffic ID, business release, timestamp, the first message authentication code MAC1 and other optional parameters.MAC1 adopts clientkey or its derivation value that the isoparametric hashed value of traffic ID, business release and timestamp is encrypted generation, perhaps the parameter that comprises clientkey, traffic ID, business release and timestamp is calculated that hashed value generates.Register requirement must be through Service Gateway (like WAP gateway) so that carry ID (like MSISDN).After authentication server is received register requirement; MAC1 is carried out authentication to guarantee that whether this register requirement comes from legal client application (client application of promptly licensing through Virtual network operator), has so far realized the legitimacy authentication of authentication server to client application; Come from the user terminal of legal Virtual network operator through authenticated ID to guarantee this register requirement;

In general; If authentication server can't be is directly acquired unique identifying number (the IMSI:International MobileStation Equipment Identity for example of user smart card according to ID (for example MSISDN) from business platform; International Mobile Station Equipment Identity), then in register requirement, also need comprise the ciphertext value of encrypting unique identifying number He other optional parameters of the user smart card that obtains through the derivation value of clientkey or clientkey;

In a specific implementation, depending on the requirements of the security policy, the local integrity check of the client application by the client authentication module may be optional. In that case the client authentication module need only store the clientKey shared with the authentication server and need not store the MAC fingerprint; when the client application downloaded to the user terminal meets the trigger condition, the client authentication module generates MAC1 from the clientKey and sends a registration request carrying MAC1 to the authentication server;

S403~S404: the authentication server generates a session ID at random and returns it to the client authentication module through the service gateway (such as a WAP gateway);

S405: the client authentication module directly establishes an HTTPS connection with the authentication server. This HTTPS connection uses one-way authentication (the client authentication module authenticates the authentication server); the root certificate corresponding to the PKI (Public Key Infrastructure) certificate of the authentication server is preset in the client authentication module during the development phase. The client authentication module then sends the authentication server an authentication-factor request carrying the session ID. The authentication-factor request contains: the service ID, the service version, a timestamp, the session ID, the unique identifier of the user smart card, the second message authentication code (MAC2) and other optional parameters. MAC2 is generated in the same way as MAC1 in the first step, and this authentication-factor request need not pass through the service gateway;

S406: after the authentication server receives the authentication-factor request, it verifies the session ID, the unique identifier of the user smart card and so on against what it recorded earlier, to ensure the legitimacy of the user terminal, and at the same time authenticates MAC2 to ensure that the request comes from a legitimate client application. Once authentication passes, the authentication server generates an authentication factor at random (the authentication factor of every user terminal is different, and the authentication factor issued to the same user terminal differs each time) and returns it to the client authentication module through the HTTPS secure data transmission channel. After receiving the authentication factor, the client authentication module stores it securely in its secure storage unit.

It should be noted that after a certain period of time, after the user terminal changes its user smart card (such as a USIM card), or after some preset parameter expires, the security policy requires the client application to initiate the registration flow again. As to the expiry of a preset parameter: if, for example, the subsequent process of generating a dynamic token from the authentication factor uses HOTP dynamic tokens, the preset parameter may be the counter. MAC2 and MAC1 may be generated with different clientKeys; in that case the client authentication module is preset with at least two clientKeys rather than just one.
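The registration flow S401 to S406 above, modelled end to end in Python as an added example (not the patent's or the applicant's code). It assumes that MAC1 and MAC2 are HMAC-SHA256 over the message fields under the shared clientKey, that the service gateway supplies the MSISDN, and that the authentication server enforces a freshness window on the timestamp; the key, the identifiers and the window are constructed, and the HTTPS channel is not modelled.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not taken from the patent.
CLIENT_KEY = b"constructed-shared-clientKey-0123"
SERVICE_ID = "svc-location"
SERVICE_VERSION = "1.0"
MSISDN = "8613800000000"   # user identifier that the service gateway adds
IMSI = "460000000000001"   # unique identifier of the user smart card
TIMESTAMP_WINDOW = 300     # assumption: seconds a request timestamp may deviate


def message_auth_code(key: bytes, *fields: str) -> str:
    """MAC1/MAC2 modelled as HMAC-SHA256 over the '|'-joined fields (assumption)."""
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()


class ClientAuthModule:
    def __init__(self, client_key: bytes, imsi: str):
        self._client_key = client_key   # secure storage unit
        self._imsi = imsi
        self.auth_factor = None         # filled in after S406

    def registration_request(self, now: int) -> dict:
        """S401: service ID, version, timestamp and MAC1; the user ID is added later."""
        ts = str(now)
        mac1 = message_auth_code(self._client_key, SERVICE_ID, SERVICE_VERSION, ts)
        return {"service_id": SERVICE_ID, "version": SERVICE_VERSION,
                "timestamp": ts, "mac1": mac1}

    def auth_factor_request(self, session_id: str, now: int) -> dict:
        """S405: session ID and IMSI added; MAC2 is formed like MAC1 over all fields."""
        ts = str(now)
        mac2 = message_auth_code(self._client_key, SERVICE_ID, SERVICE_VERSION,
                                 ts, session_id, self._imsi)
        return {"service_id": SERVICE_ID, "version": SERVICE_VERSION, "timestamp": ts,
                "session_id": session_id, "imsi": self._imsi, "mac2": mac2}


def service_gateway(request: dict, msisdn: str) -> dict:
    """Service gateway (e.g. WAP gateway): appends the bearer-level user identifier."""
    return {**request, "user_id": msisdn}


class AuthServer:
    def __init__(self, client_key: bytes, subscribers: dict):
        self._client_key = client_key
        self._subscribers = subscribers   # MSISDN -> IMSI, known to the operator
        self._sessions = {}               # session ID -> IMSI, recorded at S403
        self.auth_factors = {}            # IMSI -> authentication factor from S406

    def _fresh(self, req: dict, now: int) -> bool:
        return abs(now - int(req["timestamp"])) <= TIMESTAMP_WINDOW

    def handle_registration(self, req: dict, now: int):
        """S402-S403: MAC1 proves a legitimate client, the user ID a legitimate terminal."""
        if not self._fresh(req, now):
            return None
        expected = message_auth_code(self._client_key, req.get("service_id", ""),
                                     req.get("version", ""), req["timestamp"])
        if not hmac.compare_digest(expected, req.get("mac1", "")):
            return None
        imsi = self._subscribers.get(req.get("user_id"))
        if imsi is None:
            return None
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = imsi
        return session_id

    def handle_auth_factor_request(self, req: dict, now: int):
        """S406: session ID (single use) and IMSI must match the record, MAC2 must verify."""
        imsi = self._sessions.pop(req.get("session_id"), None)
        if imsi is None or imsi != req.get("imsi") or not self._fresh(req, now):
            return None
        expected = message_auth_code(self._client_key, req.get("service_id", ""),
                                     req.get("version", ""), req["timestamp"],
                                     req["session_id"], req["imsi"])
        if not hmac.compare_digest(expected, req.get("mac2", "")):
            return None
        factor = secrets.token_bytes(20)   # differs per terminal and per registration
        self.auth_factors[imsi] = factor
        return factor


def register(client: ClientAuthModule, server: AuthServer, now: int, tamper=None) -> bool:
    """Runs S401-S406 end to end; `tamper` optionally edits the forwarded request."""
    req = service_gateway(client.registration_request(now), MSISDN)
    if tamper is not None:
        req = tamper(req)
    session_id = server.handle_registration(req, now)
    if session_id is None:
        return False
    factor = server.handle_auth_factor_request(
        client.auth_factor_request(session_id, now), now)
    if factor is None:
        return False
    client.auth_factor = factor            # kept in the secure storage unit
    return True
```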

Based on the same technical concept, this embodiment also provides an authentication system comprising a client application and an authentication server. The client application contains a client authentication module, and the client authentication module stores the client application key clientKey shared with the authentication server, wherein:

the client authentication module is configured, when the client application downloaded to the user terminal meets the trigger condition, to generate MAC1 from the locally stored clientKey and to send a registration request carrying this MAC1 to the authentication server;

the authentication server is configured to perform legitimacy authentication of the MAC1 carried in the received registration request on the basis of the clientKey shared with the client authentication module and, if authentication passes, to confirm that the client application is legitimate.

The client application contains the client authentication module. One possible structure of the client authentication module, as shown in Figure 5, comprises:

a secure storage unit 501, configured to store the clientKey (client application key) shared with the authentication server;

a generation unit 502, configured, when the client application downloaded to the user terminal meets the trigger condition, to generate MAC1 from the clientKey stored in the secure storage unit 501;

a control unit 503, configured, when the matching unit reports a consistent match, to send a registration request carrying this MAC1 to the authentication server; the MAC1 carried in the registration request is used by the authentication server to perform legitimacy authentication of the client application on the basis of the clientKey shared with the client application.

One possible structure of the authentication server, as shown in Figure 6, comprises:

a storage unit 601, configured to store the clientKey shared with each client authentication module;

a receiving unit 602, configured to receive the registration request sent by the client authentication module of a client application, which carries the first message authentication code MAC1 generated from the client application key clientKey that the client authentication module stores locally and shares with the authentication server;

an authentication unit 603, configured to perform legitimacy authentication of the MAC1 carried in the received registration request on the basis of the clientKey shared with the client authentication module and, if authentication passes, to confirm that the client application is legitimate.

Embodiment three

When the API calling module needs to call a platform capability API, it first hands the service request to the client authentication module. The client authentication module optionally performs a local integrity check of the client application according to the security policy, generates a dynamic token in real time and optionally sets a token purpose parameter, adds the dynamic token and token purpose parameter to the original service request, and sends it to the service platform through the HTTPS secure data transmission channel established with the API access control module. After the API access control module in the service platform receives the service request, it confirms that the type or priority level of the service request satisfies the rule expressed by the token purpose parameter and then forwards the dynamic token to the authentication server for verification. If the authentication server reports that the dynamic token verified correctly, the API access control module allows the platform capability API to be called, that is, the platform capability API is executed; otherwise an error message is returned.

The service calling method provided by this embodiment, as shown in Figure 7, comprises the following steps:

S701~S702: the API calling module first forwards the service request intended for the service platform to the client authentication module for processing. The client authentication module optionally performs a local integrity check of the client application according to the security policy, then generates a dynamic token from the authentication factor obtained from the authentication server during the registration stage; for example, the generated dynamic token may be a HOTP dynamic token, in which case the authentication factor serves as the Seed parameter for generating the HOTP dynamic token;

S703~S704: the client authentication module establishes a one-way HTTPS connection (the client authentication module authenticates the API access control module) with the API access control module, and forwards to the service platform a service request containing the dynamic token, the token purpose parameter, the service ID, the service version, the client application ID, the unique identifier of the user smart card (such as the IMSI) and other parameters (for a HOTP dynamic token, the counter parameter must also be included). After the API access control module intercepts the service request, it confirms that the type or priority level of the service request satisfies the rule expressed by the token purpose parameter and then forwards the dynamic token to the authentication server for authentication;

S705: the authentication server authenticates the dynamic token carried in the service request against the locally stored authentication factor of the corresponding user terminal, and returns the authentication result to the API access control module;

S706~S707: the API access control module receives the authentication result; if the result is a pass, it allows the platform capability API to be executed, otherwise it returns an error message to the API calling module through the client authentication module.

The token purpose parameter above specifies the type or security level of the service requests to which the dynamic token may be applied; for example, the token may be usable only in service requests for the location service platform capability API, or only for the class of platform capability APIs at the ordinary security level, so as to protect platform capability APIs of different types or different security levels.

In addition, in the above calling flow, if the client application has no security requirement to authenticate the service platform and there is no confidentiality requirement for the service request and response messages, the one-way HTTPS secure data transmission channel is optional.
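The dynamic token, token purpose check and server-side verification of embodiment three, as an added Python example (not the patent's code). It takes the dynamic token to be an RFC 4226 HOTP with the authentication factor as Seed and the request's counter parameter as the moving factor; the look-ahead window, the API class names and the rule "the token purpose must equal the class of the requested API" are assumptions made for the example.

```python
import hashlib
import hmac
import struct

HOTP_DIGITS = 6
LOOK_AHEAD = 5   # assumption: how many counter values past the last good one are accepted


def hotp(seed: bytes, counter: int, digits: int = HOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed platform capability APIs: name -> (API class, implementation).
PLATFORM_APIS = {
    "locate": ("location", lambda req: f"cell location of {req['imsi']}"),
    "weather": ("ordinary", lambda req: "sunny"),
}


class ClientAuthModule:
    """Keeps the authentication factor (Seed) and the HOTP counter; stamps requests (S702-S703)."""

    def __init__(self, auth_factor: bytes, imsi: str):
        self._seed = auth_factor      # obtained at registration, kept in secure storage
        self._imsi = imsi
        self.counter = 0

    def protect(self, request: dict, purpose: str) -> dict:
        token = hotp(self._seed, self.counter)
        stamped = {**request, "imsi": self._imsi, "dynamic_token": token,
                   "counter": self.counter, "token_purpose": purpose}
        self.counter += 1             # a counter value is never reused
        return stamped


class AuthServer:
    """Verifies dynamic tokens against the factor kept per terminal (S705)."""

    def __init__(self):
        self._factors = {}            # IMSI -> [auth factor, highest counter accepted]

    def store_factor(self, imsi: str, factor: bytes) -> None:
        self._factors[imsi] = [factor, -1]

    def verify(self, imsi: str, token: str, counter: int) -> bool:
        entry = self._factors.get(imsi)
        if entry is None:
            return False
        seed, last = entry
        # The counter must move forward (replay protection) but stay inside the window.
        if not last < counter <= last + LOOK_AHEAD:
            return False
        if not hmac.compare_digest(hotp(seed, counter), token):
            return False
        entry[1] = counter            # resynchronise to the accepted counter
        return True


class ApiAccessControl:
    """S704 and S706: token purpose check first, then the authentication server's verdict."""

    def __init__(self, auth_server: AuthServer):
        self._auth = auth_server

    def handle(self, request: dict) -> tuple:
        api = PLATFORM_APIS.get(request.get("api"))
        if api is None:
            return ("error", "unknown platform capability API")
        api_class, implementation = api
        if request.get("token_purpose") != api_class:
            return ("error", "token purpose does not cover this API class")
        if not self._auth.verify(request.get("imsi", ""),
                                 str(request.get("dynamic_token", "")),
                                 int(request.get("counter", -1))):
            return ("error", "dynamic token rejected")
        return ("ok", implementation(request))   # the platform capability API runs only here
```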

Based on the same technical concept, this embodiment also provides a service calling system comprising a client application, an API access control module and an authentication server, wherein:

the client application is configured to send a service request carrying a dynamic token generated from the authentication factor obtained from the authentication server;

the API access control module is configured, after receiving the service request, to allow the API calling module to call the platform capability API when the authentication server's authentication result for the dynamic token carried in the service request confirms that authentication passed;

the authentication server is configured to authenticate the dynamic token forwarded by the API access control module.

Embodiment four

In the service calling flow of embodiment three, the authentication server must verify a dynamic token every time a service request is sent. To lighten the load on the authentication server during the service calling stage, the embodiment of the invention also provides an efficient calling mechanism for platform capability APIs based on a reusable, dynamically updated token. This mechanism is divided into two stages: a temporary token acquisition stage and a secure service request stage.

A. Temporary token acquisition stage

The purpose of this stage is for the client authentication module to obtain a temporary token by means of a dynamic token. When the API calling module needs to call a platform capability API, it first hands the request message to the client authentication module. The client authentication module optionally performs a local integrity check of the client application according to the security policy, generates a dynamic token in real time, sets the token purpose parameter, and sends a temporary token acquisition request containing the dynamic token to the API access control module through the established HTTPS channel. After the API access control module receives the request, it forwards the dynamic token to the authentication server. If the authentication server verifies the dynamic token successfully, it returns a temporary token to the API access control module (the temporary token may also be generated by the API access control module itself); otherwise it returns an error code. Finally, the API access control module returns the temporary token or error code to the client authentication module, which in turn returns a status value to the API calling module. The temporary token is stored securely by the API access control module. It can be used to protect multiple subsequent service request messages of the same type, or capability API request messages of a certain type at the same security level, and it is valid for the period defined by the security policy (for example 10 minutes or 1 hour); once the temporary token expires, the client authentication module obtains a new temporary token.

As shown in Figure 8, the processing flow of the temporary token acquisition stage comprises the following steps:

S801~S802: the API calling module first forwards the service request intended for the service platform to the client authentication module for processing. The client authentication module optionally performs a local integrity check of the client application according to the security policy, then generates a dynamic token from the authentication factor obtained from the authentication server during the registration stage; for example, the generated dynamic token may be a HOTP dynamic token, in which case the authentication factor serves as the Seed parameter for generating the HOTP dynamic token;

S803~S804: the client authentication module and the API access control module establish a one-way HTTPS (the client authentication module authenticates the API access control module) secure data transmission channel, and the client authentication module forwards to the service platform a temporary token acquisition request containing the dynamic token, the token purpose parameter, the service ID, the service version, the client application ID, the unique identifier of the user smart card (such as the IMSI) and other parameters (for a HOTP token, the counter parameter must also be included). After the API access control module intercepts the temporary token acquisition request, it confirms that the type or security level of the service request satisfies the rule expressed by the token purpose parameter and then forwards the dynamic token to the authentication server for authentication;

S805: the authentication server verifies the dynamic token against the locally stored authentication factor of the corresponding user terminal; if verification passes it returns a randomly generated temporary token, otherwise it returns an error message. It should be noted that the temporary token may also be generated by the API access control module;

S806~S807: the API access control module returns the temporary token or the error message to the client authentication module, and the client authentication module returns a status value to the API calling module.

B. Secure service request stage

The API calling module again initiates a service request to call a platform capability API. As before, it first hands the request message to the client authentication module. The client authentication module optionally performs a local integrity check of the client application according to the security policy, retrieves the corresponding temporary token, adds it to the original request message and sends it to the service platform through the established HTTPS secure data transmission channel. After the API access control module in the service platform receives the service request, it matches the temporary token in the service request message against the temporary token it has stored; if they match, it allows the platform capability API to be called (specifically, it executes the platform capability API), otherwise it returns an error message.

As shown in Figure 9, the processing flow of the secure service request stage comprises the following steps:

S901: the API calling module first forwards the service request intended for the service platform to the client authentication module for processing; the client authentication module optionally performs a local integrity check of the client application according to the security policy;

S902: the client authentication module and the API access control module establish a one-way HTTPS (the client authentication module authenticates the API access control module) secure data transmission channel, and the client authentication module forwards to the service platform a service request containing the temporary token and other parameters;

S903~S904: after the API access control module intercepts the service request, it matches the temporary token in the service request message against the temporary token it has stored; if they match, it allows the platform capability API to be called (specifically, it executes the platform capability API), otherwise it returns an error message to the API calling module through the client authentication module.
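The temporary token acquisition and matching of embodiment four, as an added Python example (not the patent's code). The dynamic-token verification of stage A is assumed to have been done by the authentication server and is passed in as a boolean; binding the temporary token to a (client application ID, token purpose) pair and the 600-second lifetime are assumptions made here (the description gives 10 minutes or 1 hour as examples).

```python
import hmac
import secrets

TEMP_TOKEN_LIFETIME = 600   # seconds; assumption (the description gives 10 minutes or 1 hour)


class ApiAccessControl:
    """Issues temporary tokens after a verified dynamic token (S805-S806) and
    matches them on later service requests (S903-S904)."""

    def __init__(self):
        self._temp_tokens = {}   # (client application ID, token purpose) -> (token, expiry)

    def acquire(self, app_id: str, purpose: str, dynamic_token_ok: bool, now: int):
        """Stage A: the authentication server's verdict on the dynamic token is passed in."""
        if not dynamic_token_ok:
            return None
        token = secrets.token_urlsafe(24)
        self._temp_tokens[(app_id, purpose)] = (token, now + TEMP_TOKEN_LIFETIME)
        return token

    def service_request(self, app_id: str, purpose: str, token: str, now: int) -> str:
        """Stage B: match against the stored token; expired tokens are purged."""
        entry = self._temp_tokens.get((app_id, purpose))
        if entry is None:
            return "error: no temporary token for this class"
        stored, expiry = entry
        if now >= expiry:
            del self._temp_tokens[(app_id, purpose)]
            return "error: temporary token expired"
        if not hmac.compare_digest(stored, token):
            return "error: temporary token mismatch"
        return "ok"   # the platform capability API would be executed here


class ClientAuthModule:
    """Caches one temporary token per purpose and re-acquires it when missing or expired."""

    def __init__(self, app_id: str, acl: ApiAccessControl):
        self._app_id = app_id
        self._acl = acl
        self._cache = {}          # purpose -> (token, expiry)
        self.acquisitions = 0     # stage-A round trips, i.e. dynamic tokens verified

    def call(self, purpose: str, now: int) -> str:
        cached = self._cache.get(purpose)
        if cached is None or now >= cached[1]:
            # In the real flow a fresh dynamic token is generated and verified here;
            # this example assumes that verification succeeded.
            token = self._acl.acquire(self._app_id, purpose, True, now)
            self._cache[purpose] = (token, now + TEMP_TOKEN_LIFETIME)
            self.acquisitions += 1
        return self._acl.service_request(self._app_id, purpose, self._cache[purpose][0], now)
```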

Based on the same technical concept, this embodiment also provides a service calling system comprising a client application and an API access control module, wherein:

the client application is configured to send a service request carrying a valid temporary token obtained from the API access control module;

the API access control module is configured, after receiving the service request, to match the temporary token carried in the service request against the locally stored temporary token of the client authentication module and, if they match, to allow the API calling module to call the platform capability API.

It should be noted that:

1. in the service calling flows (including embodiment three and embodiment four), the service request of the API calling module may be sent after being processed by the client authentication module; alternatively, before sending the service request, the API calling module may obtain parameters such as the corresponding dynamic token or temporary token from the client authentication module, add them to the service request itself, and then send the request to the service platform;

2. in the first service calling flow (embodiment three), all service requests that the client application sends to the service platform may instead pass through the authentication server, which verifies the dynamic token in them and, once verification passes, forwards them to the service platform; this saves the service platform the step of forwarding the dynamic token to the authentication server for verification. In that case parameters such as the URL of the service server must be added to the service request, so that after successfully verifying the dynamic token the authentication server can forward the service request, stripped of security parameters such as the dynamic token, to the corresponding service platform according to the service server URL;

3. the protection mechanism for platform capability APIs described in the embodiments of the invention can serve as a general security capability and be reused across multiple service platforms.

The technical solution provided by the embodiments of the invention supports legitimacy authentication of the client application by the service platform. The prior art authenticates only the user terminal and does not consider the security threat that a counterfeit or tampered client application poses to platform capability APIs. The embodiments of the invention, based on the "MAC fingerprint mechanism" and the "client authentication module replacement mechanism", achieve integrity protection of the client application and secure distribution of the client application key (the key shared between the client application and the authentication server), and have the client application generate a message authentication code from the client application key so that the service platform can authenticate the client application. At the same time, this prevents developers or third parties from illegally abusing or reusing the client application key in unauthorized client applications.

The technical solution provided by the embodiments of the invention supports authentication of the service platform by the client application. The prior art uses one-way authentication and does not consider that the service platform itself may be impersonated or that the service requests sent by the user terminal may be redirected. The embodiments of the invention rely on a root certificate of the service platform built into the client application and on a one-way HTTPS connection to achieve authentication of the service platform by the client application and secure communication between the two sides, while sparing the client application complex PKI certificate management.

The technical solution provided by the embodiments of the invention resolves the security weakness of existing schemes. Existing schemes rely on a static token mechanism: the token obtained by the user terminal is used in all service requests, so once an attacker illegally obtains the token there is no way to prevent its use in illegal service requests, and the schemes may also be subject to replay attacks. In the embodiments of the invention, when the client application initiates a service request it generates a dynamic token on the fly and adds it to the service request message, which prevents replay attacks and the like.

The technical solution provided by the embodiments of the invention supports separate management of platform capability APIs of different types or with different security level requirements. In existing schemes the user token is used in all service requests, which easily leads to leakage of the user token and to its illegal or unauthorized use. In the embodiments of the invention, dynamic tokens marked with a "token purpose parameter" are used for platform capability APIs of different types or with different security level requirements, achieving fine-grained security protection of the execution of platform capability APIs.

Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include these changes and modifications.

Claims (22)

1. An authentication method, characterized in that it comprises:
when a client application downloaded to a user terminal meets a trigger condition, a client authentication module in the client application generating a first message authentication code MAC1 from the client application key clientKey that the client authentication module stores locally and shares with an authentication server; and
sending a registration request carrying the MAC1 to the authentication server, the MAC1 carried in the registration request being used by the authentication server to perform legitimacy authentication of the client application on the basis of the clientKey shared with the client application.
2. The method according to claim 1, characterized in that the client authentication module also stores the MAC fingerprint, determined by the authentication server, of the functional modules of the client application other than the client authentication module; and the method further comprises:
before the client authentication module sends the registration request, determining the MAC fingerprint of the functional modules of the client application other than the client authentication module, and confirming that the determined MAC fingerprint matches the MAC fingerprint stored locally in the client authentication module.
3. The method according to claim 1 or 2, characterized in that the client authentication module sends the registration request to the authentication server through a service gateway; the registration request also carries a user identifier ID corresponding to the user terminal, added by the service gateway, and the ID carried in the registration request is used by the authentication server to authenticate the user terminal.
4. The method according to claim 3, characterized in that it further comprises:
after the client authentication module receives the session ID that the authentication server returns once the client application and the user terminal have passed authentication, establishing a secure data transmission channel with the authentication server on the basis of a preset root certificate corresponding to the public key infrastructure PKI certificate of the authentication server, and verifying the legitimacy of the authentication server;
the client authentication module sending an authentication-factor request carrying the session ID through the secure data transmission channel established with the authentication server; and
receiving, through the established secure data transmission channel, the authentication factor generated at random for the user terminal that the authentication server returns after authenticating the session ID carried in the received authentication-factor request against the session ID it recorded earlier, which it generated at random for the user terminal.
5. The method according to claim 1, characterized in that meeting the trigger condition comprises: the client application running for the first time, or the user terminal changing its user smart card, or a preset parameter expiring.
6. The method according to claim 2, characterized in that it further comprises:
replacing the test authentication module in the client application submitted by the developer with the client authentication module; or
replacing a preset file in the test authentication module with a file in which the MAC fingerprint and the client application key clientKey are preset, thereby obtaining the client authentication module.
7. An authentication method, characterized in that it comprises:
an authentication server receiving a registration request sent by a client authentication module in a client application, the registration request carrying a first message authentication code MAC1 generated from the client application key clientKey that the client authentication module stores locally and shares with the authentication server;
the authentication server performing legitimacy authentication of the MAC1 carried in the received registration request on the basis of the clientKey shared with the client authentication module and, if authentication passes, confirming that the client application is legitimate.
8. The method according to claim 7, characterized in that the registration request is sent to the authentication server through a service gateway, and the registration request received by the authentication server also carries a user identifier ID corresponding to the user terminal, added by the service gateway; and
the method further comprises:
the authentication server authenticating the ID carried in the received registration request and, if authentication passes, confirming that the user terminal is legitimate;
after the client application and the user terminal have passed authentication, generating a session identifier ID at random and returning the generated session ID to the client authentication module through the service gateway;
the authentication server receiving an authentication-factor request carrying the session ID, sent by the client authentication module through a secure data transmission channel established with the authentication server;
authenticating the session ID carried in the received authentication-factor request against the session ID recorded earlier, which was generated at random for the user terminal, and, if authentication passes, generating an authentication factor at random for the user terminal and returning it to the client authentication module through the established secure data transmission channel.
9. The method according to claim 8, characterized in that the authentication-factor request also carries the unique identifier of the user smart card in the user terminal and a second message authentication code MAC2 generated from the clientKey stored locally by the client authentication module; and
before the authentication server generates the authentication factor at random for the user terminal, the method further comprises:
authenticating the unique identifier of the user smart card in the user terminal carried in the received request against the unique identifier of the user smart card in the user terminal obtained in advance; and authenticating the MAC2 carried in the received request on the basis of the clientKey shared with the client authentication module, and confirming that authentication passes.
10. The method according to claim 9, characterized in that the step of the authentication server obtaining the unique identifier of the user smart card in the user terminal specifically comprises:
the authentication server, according to the ID corresponding to the user terminal carried in the registration request, looking up a pre-recorded correspondence between IDs and unique identifiers of user smart cards to obtain the unique identifier of the user smart card in the user terminal;
or,
the registration request also carrying a ciphertext value obtained by encrypting the unique identifier of the user smart card in the user terminal with the clientKey stored locally by the client authentication module; and the authentication server decrypting the ciphertext value carried in the received registration request on the basis of the clientKey shared with the client authentication module, thereby obtaining the unique identifier of the user smart card in the user terminal.
11. A client application, characterized in that the client application comprises a client authentication module, and the client authentication module comprises:
a secure storage unit, configured to store a client application key clientKey shared with an authentication server;
a generation unit, configured, when the client application downloaded to a user terminal meets a trigger condition, to generate a first message authentication code MAC1 from the clientKey stored in the secure storage unit;
a control unit, configured to send a registration request carrying the MAC1 to the authentication server, the MAC1 carried in the registration request being used by the authentication server to perform legitimacy authentication of the client application on the basis of the clientKey shared with the client application.
12. An authentication server, characterized in that it comprises:
a storage unit, configured to store the clientKey shared with each client authentication module;
a receiving unit, configured to receive a registration request sent by the client authentication module of a client application, the registration request carrying a first message authentication code MAC1 generated from the client application key clientKey that the client authentication module stores locally and shares with the authentication server;
an authentication unit, configured to perform legitimacy authentication of the MAC1 carried in the received registration request on the basis of the clientKey shared with the client authentication module and, if authentication passes, to confirm that the client application is legitimate.
13. A service calling method, characterized in that it comprises:
an application programming interface (API) access control module receives a service request sent by a client application, the request carrying a dynamic token generated from an authentication factor obtained from the authentication server;
when the API access control module determines, from the authentication server's authentication result for the dynamic token carried in the service request, that the authentication passes, it allows the API calling module to call the platform capability API.
14. The method as claimed in claim 13, characterized in that
the service request is sent by the client authentication module in the client application, and the step of the client authentication module sending the service request specifically comprises:
the client authentication module receives the service request generated by the API calling module in the client application, generates a dynamic token from the authentication factor obtained from the authentication server, adds the dynamic token to the service request and sends it to the API access control module;
or,
the service request is sent by the API calling module in the client application, and the step of the API calling module sending the service request specifically comprises:
the API calling module obtains a dynamic token from the client authentication module in the client application, the dynamic token having been generated by the client authentication module from the authentication factor obtained from the authentication server, and carries the dynamic token in the service request sent to the API access control module.
15. The method as claimed in claim 14, characterized in that it further comprises:
the client authentication module sets a token purposes parameter for the generated dynamic token, the token purposes parameter specifying the type or security level of service request for which the dynamic token may be used; and
the API access control module, according to the token purposes parameter carried in the received service request, confirms that the type or security level of the service request satisfies what the token purposes parameter specifies, then forwards the dynamic token carried in the service request to the authentication server for authentication and receives the authentication result returned by the authentication server.
16. The method as claimed in claim 14, characterized in that it further comprises:
before the client authentication module generates the dynamic token from the authentication factor obtained from the authentication server, it determines the MAC fingerprints of the functional modules in the client application other than the client authentication module, matches them against the MAC fingerprints stored locally, and confirms that they match; the client authentication module stores the MAC fingerprints, as determined by the authentication server, of the functional modules in the client application other than the client authentication module.
17. A service calling system, characterized in that it comprises a client application, an application programming interface (API) access control module and an authentication server, wherein:
the client application is used to send a service request carrying a dynamic token generated from an authentication factor obtained from the authentication server;
the API access control module is used, after receiving the service request, to allow the API calling module to call the platform capability API when it determines from the authentication server's authentication result for the dynamic token carried in the service request that the authentication passes;
the authentication server is used to authenticate the dynamic token forwarded by the API access control module.
18. A service calling method, characterized in that it comprises:
an application programming interface (API) access control module receives a service request sent by a client application, the request carrying a valid temporary token obtained from the API access control module;
the API access control module matches the temporary token carried in the service request against the temporary token of the client authentication module that it stores locally;
if they match, it allows the API calling module to call the platform capability API.
19. The method as claimed in claim 18, characterized in that
the service request is sent by the client authentication module in the client application, and the step of the client authentication module sending the service request specifically comprises:
the client authentication module receives the service request generated by the API calling module in the client application; if a valid temporary token obtained from the API access control module is stored locally, it adds the temporary token to the service request and sends it to the API access control module;
or,
the service request is sent by the API calling module in the client application, and the step of the API calling module sending the service request specifically comprises:
the API calling module obtains a valid temporary token from the client authentication module in the client application, the valid temporary token having been obtained by the client authentication module from the API access control module, and carries the valid temporary token in the service request sent to the API access control module.
20. The method as claimed in claim 19, characterized in that it further comprises:
if no temporary token obtained from the API access control module is stored in the client authentication module, or the stored temporary token is invalid, the client authentication module generates a dynamic token from the authentication factor obtained from the authentication server and sends a temporary token acquisition request carrying the dynamic token to the API access control module;
after receiving the temporary token acquisition request, the API access control module forwards the dynamic token carried in the request to the authentication server for authentication; and
when it determines from the authentication result returned by the authentication server that the authentication passes, it returns a temporary token to the client authentication module.
21. The method as claimed in claim 20, characterized in that it further comprises:
the temporary token is generated by the authentication server and carried in the authentication result returned to the API access control module; or,
the temporary token is generated by the API access control module when it determines from the authentication result returned by the authentication server that the authentication passes.
22. A service calling system, characterized in that it comprises a client application and an application programming interface (API) access control module, wherein:
the client application is used to send a service request carrying a valid temporary token obtained from the API access control module;
the API access control module is used, after receiving the service request, to match the temporary token carried in the service request against the temporary token of the client authentication module that it stores locally, and, if they match, to allow the API calling module to call the platform capability API.
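The three flows claimed above, modelled as an added Python example that is not part of the patent or of any implementation by the applicant: MAC1 registration (claims 11 and 12), the dynamic-token service call with its token purposes check and module fingerprint check (claims 13 to 16), and the temporary-token path (claims 18 to 22). Everything the claims leave open is assumed here: HMAC-SHA256 as the MAC and fingerprint construction, a per-client counter inside the dynamic token so the server can reject replays, a purposes policy expressed as permitted security levels, and all class, method and field names.

```python
"""Constructed model of the claimed flows: MAC1 registration (claims 11-12), dynamic-token
service calls (claims 13-16) and temporary-token calls (claims 18-22). Assumed, since the
claims fix none of it: HMAC-SHA256 for MAC1, fingerprints and tokens; a per-client counter
in the token for replay detection; the token purposes parameter as permitted levels."""
import hashlib, hmac, secrets


def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts (assumed construction)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.hexdigest()


class AuthServer:
    """Holds the clientKey shared with each client authentication module (claim 12)."""
    def __init__(self, client_keys):
        self.client_keys = dict(client_keys)  # app_id -> clientKey
        self.factors = {}                     # app_id -> random authentication factor
        self.last_counter = {}                # app_id -> highest counter accepted

    def register(self, app_id, nonce, mac1):  # claim 12: check MAC1 with the shared clientKey
        key = self.client_keys.get(app_id)
        if key is None or not hmac.compare_digest(mac(key, app_id.encode(), nonce), mac1):
            return None                       # illegitimate client application
        self.factors[app_id] = secrets.token_bytes(16)
        return self.factors[app_id]

    def verify_dynamic_token(self, req):
        factor = self.factors.get(req["app_id"])
        if factor is None or req["counter"] <= self.last_counter.get(req["app_id"], 0):
            return False                      # unregistered client or replayed token
        expected = mac(factor, req["app_id"].encode(),
                       req["counter"].to_bytes(8, "big"), req["purpose"].encode())
        if not hmac.compare_digest(expected, req["token"]):
            return False
        self.last_counter[req["app_id"]] = req["counter"]
        return True


class ClientAuthModule:
    """Preset with clientKey and the MAC fingerprints of the app's other modules."""
    def __init__(self, app_id, client_key, server, fingerprints):
        self.app_id, self.key, self.server = app_id, client_key, server
        self.fingerprints = fingerprints      # module name -> expected fingerprint
        self.factor, self.counter = None, 0

    def register(self):  # claim 11: register request carrying MAC1 derived from clientKey
        nonce = secrets.token_bytes(16)
        self.factor = self.server.register(self.app_id, nonce, mac(self.key, self.app_id.encode(), nonce))
        return self.factor is not None

    def integrity_ok(self, modules):  # claim 16: every other module must match its fingerprint
        return all(hmac.compare_digest(mac(self.key, code), self.fingerprints.get(n, ""))
                   for n, code in modules.items())

    def dynamic_token(self, modules, purpose):
        if self.factor is None or not self.integrity_ok(modules):
            return None
        self.counter += 1
        tok = mac(self.factor, self.app_id.encode(), self.counter.to_bytes(8, "big"), purpose.encode())
        return {"app_id": self.app_id, "counter": self.counter, "purpose": purpose, "token": tok}


class ApiAccessControl:
    """Gate in front of the platform capability API (claims 13, 15, 18, 20 and 21)."""
    PURPOSES = {"read": {"low"}, "write": {"low", "high"}}  # assumed purposes policy
    def __init__(self, server):
        self.server, self.temp_tokens = server, {}        # app_id -> temporary token

    def call_with_dynamic_token(self, req, level):
        if level not in self.PURPOSES.get(req["purpose"], set()):
            return False                      # request level outside the token's purpose
        return self.server.verify_dynamic_token(req)      # forwarded to the auth server

    def acquire_temp_token(self, req, level):  # claims 20-21: dynamic token buys a temp token
        if not self.call_with_dynamic_token(req, level):
            return None
        self.temp_tokens[req["app_id"]] = secrets.token_hex(16)
        return self.temp_tokens[req["app_id"]]

    def call_with_temp_token(self, app_id, temp):  # claim 18: match against stored temp token
        stored = self.temp_tokens.get(app_id)
        return stored is not None and hmac.compare_digest(stored, temp)
```

The counter check in `verify_dynamic_token` is the detail worth copying: without it a captured dynamic token could be presented again within the factor's lifetime.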
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010265918.0A CN102378170B (en) 2010-08-27 2010-08-27 Method, device and system of authentication and service calling

Publications (2)

Publication Number Publication Date
CN102378170A true CN102378170A (en) 2012-03-14
CN102378170B CN102378170B (en) 2014-12-10

Family

ID=45795993

Country Status (1)

Country Link
CN (1) CN102378170B (en)

Also Published As

Publication number Publication date
CN102378170B (en) 2014-12-10

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
GR01 Patent grant
C14 Grant of patent or utility model