CN102378170A - Method, device and system of authentication and service calling - Google Patents
Method, device and system of authentication and service calling
- Publication number: CN102378170A (application CN201010265918A)
- Authority: CN (China)
- Prior art keywords: authentication, client, module, client application, api
Description
Technical field
The present invention relates to the field of data services, and in particular to an authentication method and device, and a service calling method and system.
Background technology
With the vigorous development of third-generation mobile communication systems (3rd Generation, 3G) and mobile Internet services, network operators not only provide users with an ever richer set of value-added services but also expose more and more network capability resources to third-party SPs (Service Providers) for service integration, for example location-based service capability, GIS (Geographic Information System) capability, game service capability, charging capability, IMS (IP Multimedia Subsystem) capability, short message capability, multimedia message capability, search engine capability, cloud computing capability, Presence capability, Widget service capability, instant messaging capability and so on. In general, these network capability resources are provided to users or third-party SPs in the form of a Service (network service) or an API (Application Programming Interface). In this specification, such Services and APIs are collectively referred to as platform capability APIs. Most platform capability APIs are offered to users by deploying a client application on the terminal: before using a service, the user must install on the user terminal a client application associated with that service, through which the service is used and promoted, for example a location service client application, a game client application, a MobileMarket application, a Widget application, a music player application, a Fetion application and so on. These service forms all differ from the earlier STK (SIM Tool Kit) services and WAP (Wireless Application Protocol) services.
However, deploying services on the user terminal in the form of client applications carries serious security risks: for example, a platform capability API may be used by an illegitimate user or an illegitimate third-party SP; a platform capability API may be called by a counterfeit client application; an illegitimate third-party SP may offer a counterfeit platform capability API for users to use; and so on. There is therefore an urgent need for an efficient and reliable security protection mechanism to ensure the secure deployment and operation of mobile Internet services based on platform capability APIs.
At present, network operators generally adopt an authentication mechanism based on static token transfer to ensure the secure deployment and operation of mobile Internet services. The authentication system for mobile Internet services mainly comprises three entities, the client application, the application server and the authentication server, as shown in Figure 1, wherein:
The client application is installed on the user terminal and can access the authentication server through a specific interface to obtain a token;
The application server processes the service requests of the client application forwarded by the service gateway and provides the service to the client application;
The authentication server stores the user subscription relationships and service subscription status data relevant to service authentication, performs the service authentication function, and provides the client application with the token used for the service according to the authentication result.
The authentication flow of a mobile Internet service, as shown in Figure 2, comprises the following steps:
Step 1: the client application initiates a service authentication request to the authentication server;
Step 2: the authentication server checks the service subscription status corresponding to the user ID (identifier) that initiated the service authentication request; if the service subscription status is legitimate, it generates a token indicating that this client application may use the service provided by the application server;
The client application must carry this token whenever it subsequently accesses the application server in order to obtain the corresponding service normally; to guarantee the security of the token, it is generated by the authentication server and protected on the authentication server side;
Step 3: the authentication server returns the generated token to the client application in the authentication result;
Step 4: the client application initiates a service request to the application server, carrying the token obtained from the authentication server;
Step 5: the application server verifies the token in the service request;
Step 6: after verification passes, the application server provides the service to the client application in the subsequent application session;
Step 7: after receiving a legitimate token, the application server notifies the authentication server and carries this token in the notification message, so that the authentication server can determine whether the service has taken place.
The prior-art authentication mechanism based on static token transfer has the following shortcomings:
1. In the token acquisition stage, only the authentication server authenticates the service subscription status corresponding to the user ID; the legitimacy of the client application itself is not authenticated, so a counterfeit client application may initiate illegitimate service requests, for example illegitimate charging requests, resulting in malicious subscription events.
2. In the service invocation stage, only the application server authenticates the token carried by the client application; the client application does not authenticate the application server, so a counterfeit application server may provide illegitimate services to the user.
3. The mechanism is weakly secure: the token obtained by the user terminal is used in all service requests, and once the token has been illegitimately obtained by an attacker, nothing prevents it from being used in illegitimate service requests.
Summary of the invention
Embodiments of the invention provide an authentication method and device, so that the authentication server in the service platform can authenticate the legitimacy of the client application.
Embodiments of the invention also provide a service calling method and system, to improve the security and reliability of the calling mechanism for platform capability APIs.
An embodiment of the invention provides an authentication method, comprising:
when a client application downloaded to a user terminal satisfies a trigger condition, the client authentication module in the client application generates a first message authentication code MAC1 from the client application key clientKey that is stored locally by the client authentication module and shared with the authentication server; and
sends a registration request carrying the MAC1 to the authentication server, the MAC1 carried in the registration request being used by the authentication server to authenticate the legitimacy of the client application according to the clientKey it shares with the client application.
An embodiment of the invention provides another authentication method, comprising:
the authentication server receives a registration request sent by the client authentication module in a client application, carrying a first message authentication code MAC1 generated from the client application key clientKey that is stored locally by the client authentication module and shared with the authentication server;
the authentication server authenticates the MAC1 carried in the received registration request according to the clientKey it shares with the client authentication module, and if the authentication passes, determines that the client application is legitimate.
An embodiment of the invention provides a client application comprising a client authentication module, the client authentication module comprising:
a secure storage unit for storing the client application key clientKey shared with the authentication server;
a generation unit for generating a first message authentication code MAC1 from the clientKey stored in the secure storage unit when the client application downloaded to the user terminal satisfies a trigger condition;
a control unit for sending a registration request carrying the MAC1 to the authentication server, the MAC1 carried in the registration request being used by the authentication server to authenticate the legitimacy of the client application according to the clientKey it shares with the client application.
An embodiment of the invention provides an authentication server, comprising:
a storage unit for storing the clientKey shared with each client authentication module;
a receiving unit for receiving a registration request sent by the client authentication module in a client application, carrying a first message authentication code MAC1 generated from the client application key clientKey that is stored locally by the client authentication module and shared with the authentication server;
an authentication unit for authenticating the MAC1 carried in the received registration request according to the clientKey shared with the client authentication module, and determining that the client application is legitimate if the authentication passes.
An embodiment of the invention provides a service calling method, comprising:
an application programming interface (API) access control module receives a service request sent by a client application, carrying a dynamic token generated from an authentication factor obtained from the authentication server;
when the API access control module determines, according to the authentication server's authentication result for the dynamic token carried in the service request, that the authentication has passed, it allows the API calling module to call the platform capability API.
An embodiment of the invention provides a service calling system comprising a client application, an application programming interface (API) access control module and an authentication server, wherein:
the client application sends a service request carrying a dynamic token generated from an authentication factor obtained from the authentication server;
the API access control module, after receiving the service request, allows the API calling module to call the platform capability API when it determines, according to the authentication server's authentication result for the dynamic token carried in the service request, that the authentication has passed;
the authentication server authenticates the dynamic token forwarded by the API access control module.
An embodiment of the invention provides another service calling method, comprising:
an application programming interface (API) access control module receives a service request sent by a client application, carrying a valid temporary token obtained from the API access control module;
the API access control module matches the temporary token carried in the service request against the temporary token of that client authentication module that it stores locally;
if they match, the API calling module is allowed to call the platform capability API.
An embodiment of the invention provides another service calling system comprising a client application and an application programming interface (API) access control module, wherein:
the client application sends a service request carrying a valid temporary token obtained from the API access control module;
the API access control module, after receiving the service request, matches the temporary token carried in the service request against the temporary token of that client authentication module that it stores locally, and if they match, allows the API calling module to call the platform capability API.
The authentication method and device provided by embodiments of the invention enable the authentication server in the service platform to authenticate the legitimacy of the client application. The prior art only authenticates the user terminal and does not consider the security threat to platform capability APIs posed by counterfeit or tampered client applications; embodiments of the invention achieve legitimacy authentication of the client application by the authentication server based on the MAC1 generated from the shared clientKey.
The service calling method and system provided by embodiments of the invention solve the security vulnerability of the existing scheme. In the existing scheme, based on a static token mechanism, the token obtained by the user terminal is used in all service requests, nothing prevents its use in illegitimate service requests once an attacker has obtained it illegitimately, and it may be subject to replay attacks. In embodiments of the invention, when the client application initiates a service request, it generates a dynamic token from the authentication factor, or obtains a temporary token on the basis of a dynamic token, and adds it to the service request message, which prevents replay attacks and the like.
Other features and advantages of the invention will be set forth in the following specification, and in part will be obvious from the specification or may be learned by practising the invention. The objects and other advantages of the invention may be realised and obtained through the structure particularly pointed out in the written specification, the claims and the accompanying drawings.
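The dynamic-token variant above is the part of the scheme that addresses replay: a token derived from a per-session authentication factor, checked by the authentication server before the API access control module lets the platform capability API be called. The following Python sketch is an added example and is not code from the patent or from any product; the patent does not specify how the dynamic token is derived, so the HMAC-SHA256 construction over service id, timestamp and nonce, the freshness window and the nonce replay cache are all assumptions made here to show one workable realisation, with constructed sample values.

```python
import hashlib
import hmac
import secrets


def make_dynamic_token(auth_factor: bytes, service_id: str, timestamp: int, nonce: str) -> str:
    """Client side: derive a per-request token from the authentication factor.
    HMAC-SHA256 keyed with the factor over the request fields is an assumption;
    the text only states that the token is generated from the authentication factor."""
    msg = f"{service_id}|{timestamp}|{nonce}".encode()
    return hmac.new(auth_factor, msg, hashlib.sha256).hexdigest()


class AuthenticationServer:
    """Holds the authentication factor issued to each session and authenticates
    the dynamic tokens forwarded by the API access control module."""

    def __init__(self, window_seconds: int = 60):
        self.window = window_seconds   # freshness tolerance (assumption)
        self.factors = {}              # session_id -> authentication factor
        self.seen = set()              # (session_id, nonce) already accepted: replay cache

    def issue_factor(self, session_id: str) -> bytes:
        factor = secrets.token_bytes(32)   # fresh random factor per session
        self.factors[session_id] = factor
        return factor

    def authenticate_token(self, req: dict, now: int) -> bool:
        factor = self.factors.get(req["session_id"])
        if factor is None:
            return False                    # unknown session
        if abs(now - req["timestamp"]) > self.window:
            return False                    # stale request
        if (req["session_id"], req["nonce"]) in self.seen:
            return False                    # same token presented again: replay
        expected = make_dynamic_token(factor, req["service_id"], req["timestamp"], req["nonce"])
        if not hmac.compare_digest(expected, req["token"]):
            return False                    # token not derived from this session's factor
        self.seen.add((req["session_id"], req["nonce"]))
        return True


class ApiAccessControlModule:
    """Sits in front of the platform capability API and calls it only after the
    authentication server has authenticated the dynamic token."""

    def __init__(self, auth_server: AuthenticationServer, platform_api):
        self.auth_server = auth_server
        self.platform_api = platform_api

    def handle_service_request(self, req: dict, now: int):
        if not self.auth_server.authenticate_token(req, now):
            return None                     # rejected; platform capability API is not called
        return self.platform_api(req["params"])


def client_service_request(auth_factor: bytes, session_id: str, service_id: str,
                           timestamp: int, params: dict) -> dict:
    """Client application side: build one service request carrying a dynamic token."""
    nonce = secrets.token_hex(8)
    return {"session_id": session_id, "service_id": service_id, "timestamp": timestamp,
            "nonce": nonce, "params": params,
            "token": make_dynamic_token(auth_factor, service_id, timestamp, nonce)}


def demo() -> dict:
    """Constructed run: one valid request, the same request replayed, a request with
    a wrong token and a stale request. Only the first reaches the platform API."""
    def location_api(params):               # stand-in for a platform capability API
        return {"position": "lookup for " + params["msisdn"]}

    server = AuthenticationServer()
    gate = ApiAccessControlModule(server, location_api)
    factor = server.issue_factor("sess-1")
    req = client_service_request(factor, "sess-1", "location", 1_700_000_000, {"msisdn": "13800000000"})
    first = gate.handle_service_request(req, now=1_700_000_005)
    replay = gate.handle_service_request(req, now=1_700_000_010)
    wrong = dict(req, nonce="ffff", token="00" * 32)
    bad_token = gate.handle_service_request(wrong, now=1_700_000_010)
    old = client_service_request(factor, "sess-1", "location", 1_699_000_000, {"msisdn": "13800000000"})
    stale = gate.handle_service_request(old, now=1_700_000_010)
    return {"first": first, "replay": replay, "bad_token": bad_token, "stale": stale}
```

The replay cache is what turns a static token into a dynamic one in practice: even a token captured in transit is rejected the second time it is presented, and the freshness window bounds how long the cache must be kept.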
Description of drawings
Fig. 1 is a block diagram of the authentication system for mobile Internet services in the prior art;
Fig. 2 is the authentication flow chart of mobile Internet services in the prior art;
Fig. 3 is the system architecture diagram of the service platform and client application in embodiment one of the invention;
Fig. 4 is the flow chart of the authentication method, namely the registration flow of the client application, in embodiment two of the invention;
Fig. 5 is the structural block diagram of the client authentication module in embodiment two of the invention;
Fig. 6 is the structural block diagram of the authentication server in embodiment two of the invention;
Fig. 7 is the flow chart of the service calling method in embodiment three of the invention;
Fig. 8 is the processing flow chart of the temporary token acquisition stage in embodiment four of the invention;
Fig. 9 is the processing flow chart of the secure service request stage in embodiment four of the invention.
Embodiments
Embodiments of the invention, based on a registration mechanism and a dynamic token mechanism for client applications, propose a protection mechanism for platform capability APIs that provides bidirectional authentication and can authenticate the user terminal, the client application and the service platform. To prevent a developer or third-party SP from illegitimately abusing or reusing the client application key (called clientKey in this specification) in an illegitimate client application, after the client application has passed the test audit the service platform stores the clientKey securely in the client authentication module of the client application and binds the client authentication module to that client application through an integrity protection scheme based on a MAC fingerprint of the client application, so that the clientKey is unknown to the developer. At the same time, the test authentication module of the client application submitted by the developer is replaced with the client authentication module, or a pre-specified file in the test authentication module is replaced with a file in which the MAC fingerprint and the clientKey (client application key) are preset, thereby obtaining the client authentication module; this achieves secure distribution of the clientKey. A client application downloaded to the user terminal first goes through the registration mechanism, in which the authentication server in the service platform authenticates the user terminal based on the user ID (identifier) and bidirectional authentication between the client application and the service platform is achieved based on the client application key clientKey; the client application obtains a corresponding session id and then obtains an authentication factor. Before calling a platform capability API, the client application generates a dynamic token from the authentication factor and adds it to the service request for the platform capability API, thereby protecting access to the platform capability API. In addition, embodiments of the invention also provide an efficient calling mechanism for platform capability APIs based on a dynamically updated, reusable token mechanism.
The preferred embodiments of the invention are described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described here are only used to illustrate and explain the invention and not to limit it, and that, where there is no conflict, the embodiments and the features of the embodiments may be combined with each other.
Embodiment one
First, the system architecture involved in embodiments of the invention is introduced; as shown in Figure 3, it comprises:
Platform capability APIs, divided into "runtime environment platform capability APIs" and "development environment platform capability APIs"; the former are mainly used by user terminals during service operation, and the latter are mainly used by developers and the network operator during development and testing, chiefly for test calls within the development environment SDK;
The authentication server, which stores the identity information of user terminals and client applications and provides secure identity information and dynamic tokens for the operation phase;
The API access control module, implemented in the capability exposure engine of the service platform, which authenticates the legitimacy of client applications to protect the security of platform capability APIs and prevent them from being called illegitimately or excessively;
The client authentication module, which encapsulates all the functions of the authentication interaction between the client application and the platform capability APIs; it contains a secure storage unit used mainly for the secure storage of sensitive information such as the relevant keys, the authentication factor and dynamic tokens; secure storage may be based on software security hardening techniques, or on hardware techniques such as storing the sensitive information in an encrypted smart card;
The API calling module, which calls platform capability APIs (for example a location service API);
The service gateway, which in this specification provides identity information such as the user ID to other network entities; for example, a WAP gateway can provide the MSISDN to identify the user based on the RADIUS module.
Among these, the platform capability APIs, the API access control module, the authentication server and the service gateway are network entities in the service platform, while the client authentication module and the API calling module are functional modules within the client application.
Since the client application has the important client authentication module and API calling module built in, its own security protection is critical, and the main security hardening may cover the following aspects:
Integrity protection: the client application achieves integrity protection through a software self-integrity detection method based on the MAC fingerprint mechanism (to protect the modules other than the "client authentication module" from being illegitimately modified or replaced) and through methods such as code obfuscation (to prevent the whole client application from being reverse engineered); the code obfuscation mechanism can be completed automatically by the compile and link environment in the SDK;
Sensitive information confidentiality: the client application protects the confidentiality of sensitive information through mechanisms such as code obfuscation, anti-static-disassembly analysis, anti-dynamic tracing, security algorithm transformation and sensitive information transformation, protecting the secret information involved in the capability API authentication mechanism (such as the clientKey, the authentication factor and the temporary token);
Local API protection: the client application can secure the calls between its different components through mechanisms such as relocation of input/output entry points, security algorithm transformation and sensitive information transformation;
Security capability update mechanism: when the client application is detected to have been attacked, the attacked terminal can be promptly forbidden from accessing platform capability APIs, either by updating the security components in the terminal application through the security capability update mechanism or through the platform security policy, so as to guarantee that platform capability APIs are used legitimately.
Embodiment two
To enable the authentication server (which is part of the service platform) to authenticate the legitimacy of the client application, embodiments of the invention propose an authentication method based on a client application registration mechanism, which achieves legitimacy authentication of the user terminal by the service platform and bidirectional authentication between the client application and the service platform, and at the same time lets the client application obtain the authentication factor, laying the basis for subsequent calls to platform capability APIs.
The development and testing stage of the client application is introduced first.
The SDK environment contains a "test authentication module" used for development and testing. The developer develops and tests the client application on the basis of the "test authentication module", which is included in the client application; the development environment platform capability APIs are required to support the testing process.
Next, the launch stage of the client application is introduced.
After the developer submits the client application developed in the SDK environment to the service platform, the service platform tests the client application strictly to ensure that it meets the security policy requirements and contains no built-in malicious code, illegitimate charging code or the like.
At the same time, the authentication server in the service platform independently generates the client authentication module to be used at runtime for this client application: it determines the MAC fingerprint of the other functional modules in the client application apart from the client authentication module (for example key modules whose information generally does not change) and stores it securely in the client authentication module, so that the user terminal can perform a local integrity check while using the client application. The MAC fingerprint can be determined by a variety of prior-art computation methods, for example an HMAC value or a hash value; the secure storage can be achieved by means such as encrypted storage, code obfuscation and encryption algorithm transformation. The MAC fingerprint establishes a binding between the client authentication module and this client application, preventing the client authentication module from being illegitimately used by other client applications.
The client authentication module in each client application shares a client application key clientKey with the authentication server, and each client application has one or more clientKeys. In the stage in which the user terminal uses the client application, the service platform authenticates the legitimacy of the client application based on the clientKey. To prevent a developer or third-party SP from illegitimately abusing or reusing this clientKey in an illegitimate client application, the authentication server in the service platform stores the clientKey securely in the newly created client authentication module after the client application has passed the test audit. Because the clientKey is securely stored in the client authentication module, it is unknown to anyone (including the developer) other than the authentication server.
After the MAC fingerprint and the clientKey have been securely stored in the client authentication module (there is no particular requirement on the order in which the two are stored), the authentication server uses it to replace the test authentication module the developer used during the development and testing stage (all test authentication modules used for development and testing may use the same test clientKey). Through this replacement of the client authentication module, the authentication server achieves secure distribution of the clientKey. Alternatively, the authentication server can replace a pre-specified file in the test authentication module with a file in which the MAC fingerprint and the client application key clientKey are preset, so that the test authentication module becomes the client authentication module without the whole test authentication module having to be replaced.
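The launch-stage binding described above has two halves: the platform computes a fingerprint of the application's other modules and seals it, together with the production clientKey, into the client authentication module; the terminal later recomputes the fingerprint and refuses to proceed on a mismatch. The Python below is an added illustration, not code from the patent or from any operator's SDK. The module contents, the "preset.cfg" file name, the use of plain SHA-256 (the text also allows an HMAC) and the dictionary representation of a module are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample content of the client application's other modules (the API
# calling module and so on); a real build would read the application's files.
APP_MODULES = {
    "api_calling_module.bin": b"calls the location-service platform capability API",
    "ui_module.bin": b"user interface code of the client application",
}

# Constructed test authentication module as shipped in the SDK: every copy carries
# the same test clientKey and its preset file holds no real fingerprint yet.
TEST_AUTH_MODULE = {
    "auth_logic.bin": b"registration and token logic",
    "preset.cfg": {"mac_fingerprint": None, "client_key": b"test-clientkey"},
}


def compute_mac_fingerprint(modules: dict) -> str:
    """Fingerprint over all modules except the client authentication module.
    SHA-256 of a name-sorted, length-prefixed concatenation (assumed layout)."""
    h = hashlib.sha256()
    for name in sorted(modules):
        data = modules[name]
        h.update(name.encode())
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.hexdigest()


def build_client_auth_module(test_module: dict, modules: dict, client_key: bytes) -> dict:
    """Platform side (authentication server): produce the runtime client
    authentication module by replacing the preset file of the test module with one
    holding the MAC fingerprint and the real clientKey (the file-replacement
    variant in the text; the whole-module variant would return a fresh module)."""
    production = {name: content for name, content in test_module.items() if name != "preset.cfg"}
    production["preset.cfg"] = {
        "mac_fingerprint": compute_mac_fingerprint(modules),
        "client_key": client_key,
    }
    return production


def local_integrity_check(client_auth_module: dict, modules: dict) -> bool:
    """Terminal side: recompute the fingerprint of the other modules and compare it
    with the one stored in the client authentication module (the check of S401)."""
    stored = client_auth_module["preset.cfg"]["mac_fingerprint"]
    if stored is None:
        return False          # a test module carries no binding and must not pass
    return hmac.compare_digest(compute_mac_fingerprint(modules), stored)


def demo() -> dict:
    """Build the runtime module, then check an intact and a modified application."""
    prod = build_client_auth_module(TEST_AUTH_MODULE, APP_MODULES, b"constructed-real-clientkey")
    modified = dict(APP_MODULES)
    modified["api_calling_module.bin"] = b"a different API calling module"
    return {
        "intact_ok": local_integrity_check(prod, APP_MODULES),
        "modified_ok": local_integrity_check(prod, modified),
        "test_module_ok": local_integrity_check(TEST_AUTH_MODULE, APP_MODULES),
        "key_replaced": prod["preset.cfg"]["client_key"] != TEST_AUTH_MODULE["preset.cfg"]["client_key"],
    }
```

The fingerprint check only covers modules that are expected not to change; anything the application legitimately updates at runtime has to be left out of the fingerprinted set, which is why the text restricts it to key modules whose information generally does not change.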
Based on the development and testing stage and the launch stage, the runtime registration stage of the client application is now introduced in detail.
After the user downloads the client application to the user terminal, it needs to be installed and run. If the client application is run for the first time, or the user smart card (for example a SIM or USIM card) of the user terminal has been changed, or a pre-specified parameter has expired, the client application must perform the following registration flow to achieve authentication; as shown in Figure 4, it comprises the following steps:
S401 to S402: after performing a local integrity check on the client application (recomputing the MAC fingerprint and matching it against the MAC fingerprint securely stored in the client authentication module, with a consistent match), the client authentication module sends a registration request to the authentication server. The registration request message contains: the service ID, the service version, a timestamp, the first message authentication code MAC1 and other optional parameters. MAC1 is generated either by encrypting, with the clientKey or a value derived from it, a hash of parameters such as the service ID, service version and timestamp, or by computing a hash over parameters including the clientKey, service ID, service version and timestamp. The registration request must pass through the service gateway (such as a WAP gateway) so that it carries the user ID (such as the MSISDN). After receiving the registration request, the authentication server authenticates MAC1 to ensure that the request comes from a legitimate client application (that is, a client application licensed by the network operator), which achieves the legitimacy authentication of the client application by the authentication server; it also authenticates the user ID to ensure that the request comes from a user terminal of the legitimate network operator;
In general, if the authentication server cannot obtain the unique identifier of the user smart card (for example the IMSI: International Mobile Station Equipment Identity) directly from the service platform according to the user ID (for example the MSISDN), then the registration request must also contain a ciphertext of the unique identifier of the user smart card and other optional parameters, encrypted with the clientKey or a value derived from it;
In specific implementations, depending on the security policy requirements, the local integrity check of the client application by the client authentication module may be optional: the client authentication module may store only the clientKey shared with the authentication server and need not store the MAC fingerprint; when the client application downloaded to the user terminal satisfies the trigger condition, the client authentication module generates MAC1 from the clientKey and sends the registration request carrying MAC1 to the authentication server;
S403 to S404: the authentication server generates a random session id and returns it to the client authentication module through the service gateway (such as a WAP gateway);
S405: the client authentication module establishes an HTTPS connection directly with the authentication server; this HTTPS connection uses unilateral authentication (the client authentication module authenticates the authentication server), and the root certificate corresponding to the PKI (Public Key Infrastructure) certificate of the authentication server is preset in the client authentication module during the development phase. The client authentication module then sends an authentication factor acquisition request carrying the session id to the authentication server; the request contains: the service ID, the service version, a timestamp, the session id, the unique identifier of the user smart card, the second message authentication code (MAC2) and other optional parameters. MAC2 is generated in the same way as MAC1 in step S401, and this request need not pass through the service gateway;
S406: after receiving the authentication factor acquisition request, the authentication server verifies the session id, the unique identifier of the user smart card and so on against the previously recorded values to ensure the legitimacy of the user terminal, and at the same time authenticates MAC2 to ensure that the request comes from a legitimate client application. After authentication passes, the authentication server randomly generates an authentication factor (the authentication factor differs for each user terminal, and each factor issued to the same user terminal also differs) and returns it to the client authentication module over the HTTPS secure data transmission channel. After receiving the authentication factor, the client authentication module stores it securely in the secure storage unit.
Need to prove that at regular hour week after date, or after user terminal changes user smart card (like usim card), or some preassigned parameter crosses after date, requires client application to initiate register flow path again according to security strategy.Described preassigned parameter is expired, uses the HOTP dynamic token in the for example follow-up process according to authentication factor generation dynamic token, and then this preassigned parameter can be counter counter.The generation of MAC2 and MAC1 can be adopted different clientkey, at this moment, is not to preset a clientkey just in the client authentication module, but presets at least two clientkey.
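The registration flow S401~S406 above, as an added example that is not the patent's own code. It assumes MAC1 and MAC2 are HMAC-SHA256 over the length-prefixed request fields keyed with a first and a second clientKey (the page allows either a keyed hash or an encrypted hash, and at least two keys), a 300-second timestamp freshness window, single-use session IDs, and constructed sample keys and identifiers; the service gateway is modelled simply as the MSISDN argument passed with the request.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample keys preset in the client authentication module and shared
# with the authentication server; the page allows at least two clientKeys so
# that MAC1 and MAC2 can be keyed separately.
CLIENT_KEY_1 = b"constructed-clientKey-1-for-MAC1"
CLIENT_KEY_2 = b"constructed-clientKey-2-for-MAC2"
TIMESTAMP_WINDOW = 300  # seconds; an assumed freshness policy for MAC1


def compute_mac(key: bytes, *fields: str) -> str:
    """MAC over the ordered request fields (assumed construction: HMAC-SHA256,
    each field length-prefixed so field boundaries cannot be confused)."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for field in fields:
        data = field.encode()
        m.update(len(data).to_bytes(4, "big"))
        m.update(data)
    return m.hexdigest()


class ClientAuthModule:
    """Client-side role: builds the two requests of the registration flow."""

    def __init__(self, key1: bytes, key2: bytes, imsi: str,
                 service_id: str = "svc-demo", version: str = "1.0"):
        self.key1, self.key2 = key1, key2
        self.imsi, self.service_id, self.version = imsi, service_id, version
        self.factor = None  # filled by the secure storage unit after S406

    def registration_request(self, now: int) -> dict:
        """S401: service ID, version, timestamp and MAC1 over them."""
        ts = str(now)
        return {"service_id": self.service_id, "version": self.version, "timestamp": ts,
                "mac1": compute_mac(self.key1, self.service_id, self.version, ts)}

    def factor_request(self, session_id: str, now: int) -> dict:
        """S405: same fields plus session ID and IMSI, protected by MAC2."""
        ts = str(now)
        return {"service_id": self.service_id, "version": self.version, "timestamp": ts,
                "session_id": session_id, "imsi": self.imsi,
                "mac2": compute_mac(self.key2, self.service_id, self.version, ts,
                                    session_id, self.imsi)}


class AuthServer:
    """Server-side role: verifies MAC1/MAC2 and issues session IDs and factors."""

    def __init__(self, key1: bytes, key2: bytes):
        self.key1, self.key2 = key1, key2
        self.sessions = {}  # session_id -> MSISDN added by the service gateway
        self.factors = {}   # imsi -> current authentication factor

    def register(self, req: dict, msisdn: str, now: int):
        """S402-S403: reject stale or forged MAC1, else bind a random session ID."""
        if abs(now - int(req["timestamp"])) > TIMESTAMP_WINDOW:
            return None
        expected = compute_mac(self.key1, req["service_id"], req["version"], req["timestamp"])
        if not hmac.compare_digest(expected, req["mac1"]):
            return None  # not a client application licensed by the operator
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = msisdn
        return session_id

    def issue_factor(self, req: dict):
        """S406: check the recorded session ID and MAC2, then issue a fresh
        random factor; it differs per terminal and per registration."""
        if req["session_id"] not in self.sessions:
            return None
        expected = compute_mac(self.key2, req["service_id"], req["version"],
                               req["timestamp"], req["session_id"], req["imsi"])
        if not hmac.compare_digest(expected, req["mac2"]):
            return None
        del self.sessions[req["session_id"]]  # session IDs are single use (assumed)
        factor = secrets.token_bytes(20)
        self.factors[req["imsi"]] = factor
        return factor


def run_registration(client: ClientAuthModule, server: AuthServer,
                     msisdn: str, now: int = None):
    """Drive S401-S406 end to end; returns the factor or None on any failure."""
    now = now if now is not None else int(time.time())
    session_id = server.register(client.registration_request(now), msisdn, now)
    if session_id is None:
        return None
    factor = server.issue_factor(client.factor_request(session_id, now))
    if factor is not None:
        client.factor = factor  # secure storage unit
    return factor
```

A client built with a guessed key for either MAC fails at the corresponding step, and a registration request replayed outside the timestamp window is refused before MAC1 is even checked.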
Based on the same technical concept, this embodiment also provides an authentication system comprising a client application and an authentication server. The client application contains a client authentication module, and the client authentication module stores the client application key clientKey shared with the authentication server, wherein:
the client authentication module is used to generate MAC1 from the locally stored clientKey when the client application downloaded to the user terminal satisfies the trigger condition, and to send a registration request carrying this MAC1 to the authentication server;
the authentication server is used to perform legitimacy authentication on the MAC1 carried in the received registration request according to the clientKey shared with the client authentication module, and, if authentication passes, to confirm that the client application is legitimate.
The client application contains a client authentication module. One possible structure of the client authentication module, as shown in Figure 5, comprises:
a secure storage unit 501, used to store the clientKey (client application key) shared with the authentication server;
a generation unit 502, used to generate MAC1 according to the clientKey stored in the secure storage unit 501 when the client application downloaded to the user terminal satisfies the trigger condition;
a control unit 503, used to send a registration request carrying this MAC1 to the authentication server when the matching unit finds a consistent match; the MAC1 carried in the registration request is used by the authentication server to perform legitimacy authentication on the client application according to the clientKey shared with the client application.
One possible structure of the authentication server, as shown in Figure 6, comprises:
a memory unit 601, used to store the clientKey shared with each client authentication module;
a receiving unit 602, used to receive the registration request sent by the client authentication module of the client application, which carries the first message authentication code MAC1 generated by the client authentication module from the locally stored client application key clientKey shared with the authentication server;
an authentication unit 603, used to perform legitimacy authentication on the MAC1 carried in the received registration request according to the clientKey shared with the client authentication module, and, if authentication passes, to confirm that the client application is legitimate.
Embodiment three
When the API calling module needs to call a platform capability API, it first hands the service request to the client authentication module. The client authentication module optionally performs local integrity detection on the client application according to the security policy, then generates a dynamic token in real time and optionally sets a token-purpose parameter, adds the dynamic token and the token-purpose parameter to the original service request, and sends it to the service platform through the HTTPS secure data transmission channel established with the API access control module. After the API access control module in the service platform receives the service request, it confirms that the type or priority level of the service request satisfies the rule given by the token-purpose parameter, then forwards the dynamic token to the authentication server for verification. If the authentication server's verification of the dynamic token returns a correct result, the API access control module allows the platform capability API to be called (specifically, it runs the platform capability API); otherwise it returns an error message.
The service calling method provided by this embodiment, as shown in Figure 7, comprises the following steps:
S701~S702: the API calling module first forwards the service request destined for the service platform to the client authentication module for processing. The client authentication module optionally performs local integrity detection on the client application according to the security policy, then generates a dynamic token from the authentication factor obtained from the authentication server during the registration request stage. For example, the generated dynamic token may be an HOTP dynamic token, in which case the authentication factor serves as the seed parameter for generating the HOTP dynamic token;
S703~S704: the client authentication module establishes a one-way HTTPS connection (the client authentication module authenticates the API access control module) with the API access control module, and forwards to the service platform the service request containing the dynamic token, token-purpose parameter, service ID, service version, client application ID, the unique identification number of the user smart card (such as IMSI) and other parameters (for an HOTP dynamic token, the reader counter parameter must be included). After the API access control module intercepts the service request, it confirms that the type or priority level of the service request satisfies the rule given by the token-purpose parameter, then forwards the dynamic token to the authentication server for authentication;
S705: the authentication server authenticates the dynamic token carried in the service request according to the locally stored authentication factor of the corresponding user terminal, and returns the authentication result to the API access control module;
S706~S707: the API access control module receives the authentication result; if the authentication result is a pass, it allows the platform capability API to be run, otherwise it returns an error message to the API calling module through the client authentication module.
The token-purpose parameter above specifies the type or security level of the service requests to which this dynamic token may be applied; for example, the token may be usable only in service requests for the location service platform capability API, or only for the class of platform capability APIs at the ordinary security level, so as to protect platform capability APIs of different types or different security levels.
In addition, in the above calling flow, if the client application has no security requirement to authenticate the service platform and no confidentiality requirement for the service request and response messages, the one-way HTTPS secure data transmission channel is optional.
Based on the same technical concept, this embodiment also provides a service calling system comprising a client application, an API access control module and an authentication server, wherein:
the client application is used to send a service request carrying a dynamic token generated from the authentication factor obtained from the authentication server;
the API access control module is used, after receiving the service request, to allow the API calling module to call the platform capability API when the authentication server's authentication result for the dynamic token carried in the service request confirms a pass;
the authentication server is used to authenticate the dynamic token forwarded by the API access control module.
Embodiment four
In the service calling flow provided by embodiment three, every time a service request is sent, the authentication server must verify a dynamic token. To reduce the load on the authentication server, for the service calling stage the embodiment of the invention also provides an efficient calling mechanism for platform capability APIs based on a dynamically updated, reusable token mechanism. The mechanism is divided into two stages: a temporary token acquisition stage and a secure service request stage.
A. Temporary token acquisition stage
The purpose of this stage is for the client authentication module to obtain a temporary token by means of a dynamic token. When the API calling module needs to call a platform capability API, it first hands the request message to the client authentication module. The client authentication module optionally performs local integrity detection on the client application according to the security policy, generates a dynamic token in real time and sets the token-purpose parameter, and sends a temporary-token acquisition request containing the dynamic token to the API access control module through the HTTPS channel established between them. After the API access control module receives the request, it forwards the dynamic token to the authentication server. If the authentication server's verification of the dynamic token passes, it returns a temporary token to the API access control module (the temporary token may also be generated by the API access control module); otherwise it returns an error code. Finally, the API access control module returns the temporary token or error code to the client authentication module, which returns a status value to the API calling module. The temporary token is stored securely by the API access control module. This temporary token can be used to protect multiple subsequent service request messages of the same type, or capability API request messages of the same security class, and is valid for a period defined by the security policy (for example 10 minutes or 1 hour). When the temporary token expires, the client authentication module obtains a new temporary token.
As shown in Figure 8, the processing flow of the temporary token acquisition stage comprises the following steps:
S801~S802: the API calling module first forwards the service request destined for the service platform to the client authentication module for processing. The client authentication module optionally performs local integrity detection on the client application according to the security policy, then generates a dynamic token from the authentication factor obtained from the authentication server during the registration request stage. For example, the generated dynamic token may be an HOTP dynamic token, in which case the authentication factor serves as the seed parameter for generating the HOTP dynamic token;
S803~S804: the client authentication module and the API access control module establish a one-way HTTPS (the client authentication module authenticates the API access control module) secure data transmission channel, and the temporary-token acquisition request containing the dynamic token, token-purpose parameter, service ID, service version, client application ID, the unique identification number of the user smart card (such as IMSI) and other parameters (for an HOTP token, the reader counter parameter must be included) is forwarded to the service platform. After the API access control module intercepts the temporary-token acquisition request, it confirms that the type or security level of the service request satisfies the rule given by the token-purpose parameter, then forwards the dynamic token to the authentication server for authentication;
S805: the authentication server verifies the dynamic token according to the locally stored authentication factor of the corresponding user terminal; if verification passes it returns a randomly generated temporary token, otherwise it returns an error message. Note that the temporary token may also be generated by the API access control module;
S806~S807: the API access control module returns the temporary token or error message to the client authentication module, and the client authentication module returns a status value to the API calling module.
B. Secure service request stage
The API calling module again initiates a service request to call a platform capability API. As before, the API calling module first hands the request message to the client authentication module. The client authentication module optionally performs local integrity detection on the client application according to the security policy, retrieves the corresponding temporary token and adds it to the original request message, and sends it to the service platform through the established HTTPS secure data transmission channel. After the API access control module in the service platform receives the service request, it matches the temporary token in the service request message against the temporary token it has saved. If they match, it allows the platform capability API to be called (specifically, it runs the platform capability API); otherwise it returns an error message.
As shown in Figure 9, the processing flow of the secure service request stage comprises the following steps:
S901: the API calling module first forwards the service request destined for the service platform to the client authentication module for processing, and the client authentication module optionally performs local integrity detection on the client application according to the security policy;
S902: the client authentication module and the API access control module establish a one-way HTTPS (the client authentication module authenticates the API access control module) secure data transmission channel, and the service request containing the temporary token and other parameters is forwarded to the service platform;
S903~S904: after the API access control module intercepts the service request, it matches the temporary token in the service request message against the temporary token it has saved. If they match, it allows the platform capability API to be called (specifically, it runs the platform capability API); otherwise it returns an error message to the API calling module through the client authentication module.
Based on the same technical concept, this embodiment also provides a service calling system comprising a client application and an API access control module, wherein:
the client application is used to send a service request carrying a valid temporary token obtained from the API access control module;
the API access control module is used, after receiving the service request, to match the temporary token carried in the service request against the locally stored temporary token of the client authentication module, and, if they match, to allow the API calling module to call the platform capability API.
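The per-call dynamic-token flow of embodiment three (S701~S707) and the two-stage temporary-token flow of embodiment four (S801~S807, S901~S904), as one added example covering both; it is not the patent's code. It assumes the dynamic token is RFC 4226 HOTP (HMAC-SHA1, 6 digits) seeded with the authentication factor, a look-ahead window of 5 on the reader counter, a token-purpose parameter that is either a wildcard or an exact request-type match, a temporary token kept by the API access control module with a time-to-live, and constructed sample identifiers.

```python
import hashlib
import hmac
import secrets

LOOK_AHEAD = 5  # assumed resynchronisation window on the HOTP counter


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def purpose_allows(purpose: str, request_type: str) -> bool:
    """Token-purpose rule (assumed shape): wildcard or exact request-type match."""
    return purpose == "any" or purpose == request_type


class ClientAuthModule:
    """Holds the authentication factor from registration and the HOTP counter."""

    def __init__(self, factor: bytes, imsi: str, client_app_id: str):
        self.factor, self.imsi, self.client_app_id = factor, imsi, client_app_id
        self.counter = 0
        self.temp_token = None

    def dynamic_request(self, request_type: str, purpose: str) -> dict:
        """S701-S703 / S801-S803: dynamic token plus the reader counter."""
        counter = self.counter
        self.counter += 1
        return {"type": request_type, "purpose": purpose, "imsi": self.imsi,
                "client_app_id": self.client_app_id, "counter": counter,
                "token": hotp(self.factor, counter)}

    def temp_request(self, request_type: str) -> dict:
        """S901-S902: the stored temporary token replaces the dynamic token."""
        return {"type": request_type, "client_app_id": self.client_app_id,
                "temp_token": self.temp_token}


class AuthServer:
    def __init__(self, factors: dict):
        self.factors = dict(factors)             # imsi -> authentication factor
        self.counters = {i: 0 for i in factors}  # next counter expected per terminal

    def verify_dynamic_token(self, imsi: str, token: str, counter: int) -> bool:
        """S705 / S805: counter must move forward (no replay) and HOTP must match."""
        seed = self.factors.get(imsi)
        if seed is None:
            return False
        expected_next = self.counters[imsi]
        if not (expected_next <= counter < expected_next + LOOK_AHEAD):
            return False
        if not hmac.compare_digest(hotp(seed, counter), token):
            return False
        self.counters[imsi] = counter + 1
        return True


class ApiAccessControl:
    def __init__(self, auth: AuthServer):
        self.auth = auth
        self.temp_tokens = {}  # client_app_id -> (token, purpose, expiry time)

    def handle_dynamic(self, req: dict) -> str:
        """Embodiment three (S704-S707): purpose check, then per-call verification."""
        if not purpose_allows(req["purpose"], req["type"]):
            return "error: token purpose does not cover this request"
        if not self.auth.verify_dynamic_token(req["imsi"], req["token"], req["counter"]):
            return "error: dynamic token rejected"
        return "ok: executed " + req["type"]

    def issue_temp_token(self, req: dict, now: int, ttl: int = 600):
        """Stage A (S804-S806): one verified dynamic token buys a random
        temporary token, saved here with its purpose and expiry."""
        if not purpose_allows(req["purpose"], req["type"]):
            return None
        if not self.auth.verify_dynamic_token(req["imsi"], req["token"], req["counter"]):
            return None
        token = secrets.token_hex(16)
        self.temp_tokens[req["client_app_id"]] = (token, req["purpose"], now + ttl)
        return token

    def handle_temp(self, req: dict, now: int) -> str:
        """Stage B (S903-S904): local match only, no authentication server round trip."""
        entry = self.temp_tokens.get(req["client_app_id"])
        if entry is None or req["temp_token"] is None:
            return "error: no temporary token"
        token, purpose, expiry = entry
        if now > expiry:
            del self.temp_tokens[req["client_app_id"]]
            return "error: temporary token expired"
        if not purpose_allows(purpose, req["type"]):
            return "error: token purpose does not cover this request"
        if not hmac.compare_digest(token, req["temp_token"]):
            return "error: temporary token mismatch"
        return "ok: executed " + req["type"]
```

A captured service request replayed unchanged is refused because its counter has already been consumed, and a token minted for one request type is refused for another by the purpose check on both paths.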
Note that:
1. In the service calling flow (including embodiment three and embodiment four), the service request of the API calling module may be forwarded after processing by the client authentication module, but the API calling module may also obtain the corresponding dynamic token or temporary token and other parameters from the client authentication module before sending the service request, add them to the service request itself, and then send the request to the service platform;
2. In the first service calling flow (embodiment three), all service requests sent by the client application to the service platform may pass through the authentication server: the authentication server verifies the dynamic token in them and, after verification passes, forwards them to the service platform, so that the service platform need not forward the dynamic token to the authentication server for verification. In that case the service request must include the URL of the service server and similar parameters, so that after the dynamic token is verified successfully the authentication server can forward the service request, stripped of security parameters such as the dynamic token, to the corresponding service platform according to the service server URL;
3. The protection mechanism for platform capability APIs described in the embodiments of the invention can be used as a general security capability and reused across multiple service platforms.
The technical scheme provided by the embodiments of the invention supports legitimacy authentication of the client application by the service platform. The prior art only authenticates the user terminal and does not consider the security threat that a counterfeit or tampered client application poses to platform capability APIs. The embodiments of the invention use the "MAC fingerprint mechanism" together with the "client authentication module replacement mechanism" to achieve integrity protection of the client application and secure distribution of the client application key (the key shared between the client application and the authentication server), and the client application generates a message authentication code from the client application key so that the service platform can authenticate the client application. At the same time, this prevents a developer or third party from illegally abusing or reusing this client application key in an unauthorized client application.
The technical scheme provided by the embodiments of the invention supports authentication of the service platform by the client application. The prior art uses one-way authentication and does not consider that the service platform itself may be counterfeited, or that the service request sent by the user terminal may be redirected. The embodiments of the invention implement the client application's authentication of the service platform, and secure communication between the two parties, over HTTPS based on a root certificate of the service platform built into the client application, which also avoids complex PKI certificate management for the client application.
The technical scheme provided by the embodiments of the invention solves the security vulnerability in existing schemes. Existing schemes are based on a static token mechanism: the token obtained by the user terminal is applied to all service requests, so once the token is illegally obtained by an attacker it cannot be prevented from being applied to illegitimate service requests, and replay attacks are possible. In the embodiments of the invention, when the client application initiates a service request it generates a dynamic token on the fly and adds it to the service request message, which prevents replay attacks and the like.
The technical scheme provided by the embodiments of the invention supports managing platform capability APIs of different types or different security-level requirements separately. In existing schemes the user token is applied to all service requests, which easily leads to leakage of the user token and to illegal or unauthorized use. In the embodiments of the invention, dynamic tokens tagged with a "token-purpose parameter" for platform capability APIs of different types or different security-level requirements provide fine-grained security protection for running platform capability APIs.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these changes and modifications fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include them.
Claims (22)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010265918.0A CN102378170B (en) | 2010-08-27 | 2010-08-27 | Method, device and system of authentication and service calling |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102378170A true CN102378170A (en) | 2012-03-14 |
CN102378170B CN102378170B (en) | 2014-12-10 |
Family
ID=45795993
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102378170B (en) |
- 2010-08-27 CN CN201010265918.0A patent/CN102378170B/en active IP Right Grant
CN104734849A (en) * | 2013-12-19 | 2015-06-24 | 阿里巴巴集团控股有限公司 | Method and system for conducting authentication on third-party application |
CN104734849B (en) * | 2013-12-19 | 2018-09-18 | 阿里巴巴集团控股有限公司 | The method and system that third-party application is authenticated |
CN104753674B (en) * | 2013-12-31 | 2018-10-12 | 中国移动通信集团公司 | A kind of verification method and equipment of application identity |
CN104753674A (en) * | 2013-12-31 | 2015-07-01 | 中国移动通信集团公司 | Application identity authentication method and device |
CN103795712B (en) * | 2014-01-17 | 2017-05-17 | 歌尔股份有限公司 | Method and device for authentication during Web Service calling |
CN103780396A (en) * | 2014-01-27 | 2014-05-07 | 华为软件技术有限公司 | Token obtaining method and device |
CN103780396B (en) * | 2014-01-27 | 2017-08-25 | 华为软件技术有限公司 | Token acquisition methods and device |
CN104199657A (en) * | 2014-08-27 | 2014-12-10 | 百度在线网络技术(北京)有限公司 | Call method and device for open platform |
CN104199654A (en) * | 2014-08-27 | 2014-12-10 | 百度在线网络技术(北京)有限公司 | Open platform calling method and device |
CN104836784B (en) * | 2014-09-25 | 2018-05-15 | 腾讯科技(北京)有限公司 | A kind of information processing method, client and server |
CN104836784A (en) * | 2014-09-25 | 2015-08-12 | 腾讯科技(北京)有限公司 | Information processing method, client, and server |
CN104320389A (en) * | 2014-10-11 | 2015-01-28 | 南京邮电大学 | Fusion identify protection system and fusion identify protection method based on cloud computing |
CN104320389B (en) * | 2014-10-11 | 2018-04-27 | 南京邮电大学 | A kind of fusion identity protection system and method based on cloud computing |
CN104540129B (en) * | 2014-12-29 | 2018-08-03 | 广州品唯软件有限公司 | The registering and logging method and system of third-party application |
CN104540129A (en) * | 2014-12-29 | 2015-04-22 | 广州唯品会信息科技有限公司 | Registration and login method and system for third party application |
CN105991514B (en) * | 2015-01-28 | 2019-10-01 | 阿里巴巴集团控股有限公司 | A kind of service request authentication method and device |
CN105991514A (en) * | 2015-01-28 | 2016-10-05 | 阿里巴巴集团控股有限公司 | Service request authentication method and device |
CN104753953A (en) * | 2015-04-13 | 2015-07-01 | 成都双奥阳科技有限公司 | Access control system |
CN106209746A (en) * | 2015-05-07 | 2016-12-07 | 阿里巴巴集团控股有限公司 | A kind of safety service provides method and server |
CN106209746B (en) * | 2015-05-07 | 2019-12-27 | 阿里巴巴集团控股有限公司 | Security service providing method and server |
WO2016202200A1 (en) * | 2015-06-17 | 2016-12-22 | 阿里巴巴集团控股有限公司 | Data verification method and apparatus, and smart television system |
WO2016188231A1 (en) * | 2015-10-19 | 2016-12-01 | 中兴通讯股份有限公司 | Verification method and apparatus |
CN105306466A (en) * | 2015-10-29 | 2016-02-03 | 东莞酷派软件技术有限公司 | Execution method of service, execution system of service, and mobile terminal |
CN105930177A (en) * | 2015-10-30 | 2016-09-07 | 中国银联股份有限公司 | Method and device for installing application |
CN108476207B (en) * | 2015-11-16 | 2021-02-02 | 万事达卡国际股份有限公司 | System and method for authenticating network messages |
CN108476207A (en) * | 2015-11-16 | 2018-08-31 | 万事达卡国际股份有限公司 | System and method for certification internet message |
CN105592083A (en) * | 2015-12-18 | 2016-05-18 | 北京奇虎科技有限公司 | Method and device for terminal to have access to server by using token |
CN105491058B (en) * | 2015-12-29 | 2020-01-14 | Tcl集团股份有限公司 | API access distributed authorization method and system |
CN105491058A (en) * | 2015-12-29 | 2016-04-13 | Tcl集团股份有限公司 | API access distributed authorization method and system |
CN106255105A (en) * | 2016-07-26 | 2016-12-21 | 惠州市斯坦利科技有限公司 | Automatic vending equipment |
CN106412899A (en) * | 2016-10-11 | 2017-02-15 | 江苏电力信息技术有限公司 | Network request method for saving flow of mobile terminal |
CN108259432A (en) * | 2016-12-29 | 2018-07-06 | 亿阳安全技术有限公司 | A kind of management method of API Calls, equipment and system |
CN108259437A (en) * | 2016-12-29 | 2018-07-06 | 北京神州泰岳软件股份有限公司 | A kind of http access methods, http-server and system |
CN107261502A (en) * | 2017-05-10 | 2017-10-20 | 珠海金山网络游戏科技有限公司 | A kind of anti-external store system of game on line based on procotol and method |
CN107302526A (en) * | 2017-06-07 | 2017-10-27 | 努比亚技术有限公司 | System interface call method, equipment and computer-readable recording medium |
CN109361639A (en) * | 2017-12-27 | 2019-02-19 | 广州Tcl智能家居科技有限公司 | Dynamic shares HTTPS request method for authenticating, storage medium and mobile terminal |
CN108989420A (en) * | 2018-07-12 | 2018-12-11 | 上海携程商务有限公司 | The method and system of registration service, the method and system for calling service |
CN109408250A (en) * | 2018-09-27 | 2019-03-01 | 天津字节跳动科技有限公司 | Call application programming interface API approach, device, electronic equipment |
CN110535957A (en) * | 2019-09-02 | 2019-12-03 | 珠海格力电器股份有限公司 | The data of service application platform transfer method and service application plateform system |
CN110809011A (en) * | 2020-01-08 | 2020-02-18 | 医渡云(北京)技术有限公司 | Access control method and system, and storage medium |
CN110809011B (en) * | 2020-01-08 | 2020-06-19 | 医渡云(北京)技术有限公司 | Access control method and system, and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN102378170B (en) | 2014-12-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR102026612B1 (en) | | Method for Creating Trust Relationship and Embedded UICC |
US20180294977A1 (en) | | System for issuing public certificate on basis of block chain, and method for issuing public certificate on basis of block chain by using same |
US10285050B2 (en) | | Method and apparatus for managing a profile of a terminal in a wireless communication system |
US9867043B2 (en) | | Secure device service enrollment |
CN105027493B (en) | | Safety moving application connection bus |
US20160226877A1 (en) | | Methods and apparatus for large scale distribution of electronic access clients |
CN103329501B (en) | | The method of the content on the safety element that management is connected to equipment |
KR20140107168A (en) | | Apparatus and methods for storing electronic access clients |
CN102257505B (en) | | For providing the equipment and method that access through authorization device |
US20140310528A1 (en) | | Digital rights management using trusted processing techniques |
EP1687953B1 (en) | | Method for the authentication of applications |
TWI507005B (en) | | Virtual subscriber identity module |
EP1476980B1 (en) | | Requesting digital certificates |
EP2340654B1 (en) | | Method for securely changing a mobile device from an old owner to a new owner. |
US7610056B2 (en) | | Method and system for phone-number discovery and phone-number authentication for mobile communications devices |
CN100591003C (en) | | Enabling stateless server-based pre-shared secrets |
US9197639B2 (en) | | Method for sharing data of device in M2M communication and system therefor |
CN102394887B (en) | | OAuth protocol-based safety certificate method of open platform and system thereof |
CN103037312B (en) | | Information push method and device |
EP1997291B1 (en) | | Method and arrangement for secure authentication |
KR20170139093A (en) | | A method for a network access device to access a wireless network access point, a network access device, an application server, and a non-volatile computer readable storage medium |
CN103812871B (en) | | Development method and system based on mobile terminal application program security application |
DE602004012233T2 (en) | | Method of providing a signing key for digital signing, verification or encryption of data |
EP1394982B1 (en) | | Methods and apparatus for secure data communication links |
US8347361B2 (en) | | Distributed network management hierarchy in a multi-station communication network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | PB01 | Publication | |
| | C06 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | C10 | Entry into substantive examination | |
| | GR01 | Patent grant | |
| | C14 | Grant of patent or utility model | |