CN102510336A - Security certification system or method - Google Patents

Info

Publication number: CN102510336A
Authority: CN (China)
Prior art keywords: service, authentication, terminal, user, account
Legal status: Pending
Application number: CN2011103974100A
Other languages: Chinese (zh)
Inventor: 任少华
Current assignee: Individual
Original assignee: Individual
Priority date: 2011-12-05
Filing date: 2011-12-05
Publication date: 2012-06-20

Abstract

The invention discloses a security authentication system or method. A removable IC (integrated circuit) chip is used to solve the problems of inconvenient use and low security that arise when a user logs in to the same network account on different terminals, or when users log in to different network accounts on the same terminal.

Description

Security authentication system or method
Technical field
The present invention relates to a security authentication system or method.
Background technology
When a user logs in to the same network account on different terminals, or when users log in to different network accounts on the same terminal, use is inconvenient and security is low. In addition, a removable IC cannot be used with several websites at the same time.
Summary of the invention
The present invention is realized as follows: a security authentication system or method comprising a terminal, a service provider, an intermediary and a removable IC chip. The user of the terminal has a service-provider account with the service provider and an intermediary account with the intermediary. The user of the terminal can associate the intermediary account with the service-provider account, and the intermediary records this association. After the user passes the intermediary's authentication from the terminal and logs in to the intermediary, the intermediary sends the terminal the service-provider account information associated with that user's intermediary account. When the user selects one of the associated service-provider accounts on the intermediary interface at the terminal, the terminal requests that service provider to log in the user's account there. On receiving the terminal's login request, the service provider authenticates the terminal, and only after the terminal passes the service provider's authentication does the service provider allow the terminal to log in to that service-provider account. The user holds a removable IC chip; the service provider's authentication is carried out through this removable IC chip, and it can only be passed while the removable IC chip is connected to the terminal.
The removable IC chip stores the private part of an authentication identifier, and the intermediary stores the public part of this authentication identifier; the private part and the public part can mutually authenticate each other through corresponding computations. The removable IC chip is issued by the intermediary.
The authentication identifier is a pair of asymmetric encryption keys: the private part is a private key and the public part is a public key.
In the service provider's authentication, the terminal sends the service provider authentication information computed with the private part of the authentication identifier. The service provider verifies this authentication information by computation with the public part of the authentication identifier, and the service provider's authentication is passed only if the verification result is correct. The authentication information has a validity period; expired authentication information is invalid.
In the service provider's authentication, the public part of the authentication identifier may be transmitted between the service provider and the intermediary, and the service provider's authentication can only pass once this transmission has completed correctly. Either the intermediary sends the public part of the authentication identifier to the service provider, or the service provider sends the public part to the intermediary and the intermediary then returns confirmation information to the service provider.
When the user associates a service-provider account with an intermediary account, the public part of the authentication identifier may be transmitted between the service provider and the intermediary, and the association succeeds only once this transmission has completed correctly. Either the intermediary sends the public part of the authentication identifier to the service provider, or the service provider sends the public part to the intermediary and the intermediary then returns confirmation information to the service provider. Once the association succeeds, the service provider records the public part of the user's authentication identifier.
After the user associates the intermediary account with the service-provider account, the service provider also records this association.
The program object through which the terminal logs in to the service provider and the program object through which the terminal logs in to the intermediary are two different program objects. Likewise, the program object through which the terminal sends authentication information to the service provider and the program object through which the terminal logs in to the intermediary are two different program objects.
The removable IC chip stores a key, and the service provider's authentication performs its computations with this key. Specifically, the removable IC chip stores the user's private key, and in the service provider's authentication the service provider authenticates the terminal by computation based on the correspondence between the user public key and the user private key held in the removable IC chip.
After the terminal logs in to the user's service-provider account, the terminal establishes a connection with the service provider, through which the user can use the service provider's designated resources and services.
Different service-provider accounts of the same user may be associated with the same intermediary account of that user.
The same user may also hold several intermediary accounts with the same intermediary.
After passing the service provider's authentication, the terminal and the service provider establish an encrypted connection with the key formed by the public part and the private part of the authentication identifier. Alternatively, after passing the service provider's authentication, the terminal and the service provider use the key pair formed by the public part and the private part of the authentication identifier to transmit a key, and establish an encrypted connection with that key. For example, an SSL connection is established using the authentication identifier.
The terminal, the service provider and the intermediary are connected through the Internet, and information is transmitted among the three parties through the Internet.
The intermediary and the service provider also share an agreed algorithm. The service provider can check by computation with this agreed algorithm whether received confirmation information comes from the intermediary; alternatively, the confirmation information is transmitted encrypted with this agreed algorithm. The agreed algorithm may be an encryption/decryption algorithm, a digital signature algorithm, a one-way hash algorithm, a dynamic password algorithm, and so on. In particular, the agreed algorithm may be an asymmetric encryption algorithm.
Information transmission between the terminal and the service provider does not pass through the intermediary; alternatively, the login that the service provider permits to the terminal and the connection that is established do not pass through the intermediary.
After the service provider's authentication passes, the service provider may allow login from one of the terminal's connections or ports, namely the port or connection from which the terminal sent the service provider the authentication information computed with the authentication identifier.
After the terminal ends its login at the service provider, it must pass the service provider's authentication again before it can log in again.
The service provider may be a server system that provides resources and services to terminals through the Internet, such as various websites. The service provider may also be another user's terminal on the Internet; for example, the mutual authentication described above can be applied in an instant messaging system to the handshake procedure in which two user terminals establish a point-to-point connection between them.
The intermediary is a computer system that performs third-party authentication on the Internet.
The terminal is a device with computing capability, such as a PC, mobile phone, server, server farm, etc.
The user also uses the removable IC chip to log in to the intermediary.
Description of drawings
Fig. 1 is a schematic diagram of the network structure of the present invention.
Embodiments
Embodiment 1
In this embodiment, the user has registered a user account (AUID) with the intermediary and a user account (APID) with the service provider. The service provider is an ICP (Internet content provider). The user associates his service-provider account APID with his intermediary account AUID, and this association is stored in both the service provider's system and the intermediary's system. The user holds a USB key issued by the intermediary, which stores the user private key and the user public key; the intermediary's system stores the user public key corresponding to this user's intermediary account.
The specific steps of this embodiment are as follows:
1) The user connects the removable IC to the terminal and passes the intermediary's authentication using the authentication program on the terminal; the intermediary returns to the terminal's authentication program all service-provider account information associated with the user's intermediary account;
2) When the user clicks the option to log in to a service provider on the authentication program's interface, the authentication program spawns on the terminal a new browser object (or an object of another specific program) pointing at the service provider's address. This new program object sends a connection request to the service provider. The connection request contains the user's service-provider account, the user's intermediary account, the service provider's name and the generation time, together with the user public key and a digital signature made with the user private key;
3) After receiving the user's connection request, the service provider sends an authentication request to the intermediary containing the user's username at the service provider, the user's username at the intermediary, the service provider's name and the user public key;
4) After receiving the service provider's authentication request, the intermediary checks whether the user public key sent by the service provider is consistent with the user public key it holds; if it is, the intermediary sends the service provider confirmation information indicating that this user public key is correct;
5) After receiving the intermediary's confirmation information, the service provider verifies with the user public key whether the digital signature on the user's connection request is correct, and also verifies whether the connection request has expired; the terminal can pass authentication only if the signature on the connection request is correct and the request has not expired. The service provider may further carry out several rounds of challenge-response based on the user public key and the removable IC connected to the terminal, and if the responses are correct the terminal has passed the service provider's authentication;
6) After the service provider's authentication passes, the service provider allows the terminal to log in to the user's service-provider account and establishes a connection. The program object through which the terminal accesses the service provider may be a browser or another dedicated program; after access, the user can use the service provider's designated services and resources through the connection this program holds on the terminal.
The terminal can also establish an encrypted connection with the service provider using the user public key and the user private key, in either of two ways:
In the first way, the service provider has a service-provider private key and the terminal can obtain the corresponding service-provider public key. In step 2) above, the connection request the terminal sends to the service provider also includes a DES key encrypted with the service-provider public key, and the terminal and the service provider establish an encrypted connection with this DES key;
In the second way, in step 5) above, the service provider encrypts a DES key with the user public key and sends it to the terminal, and the service provider and the terminal establish an encrypted connection with this DES key.
Embodiment 2
In this embodiment, the user has registered a user account (AUID) with the intermediary and a user account (APID) with the service provider. The service provider is an ICP (Internet content provider). The user holds a USB key issued by the intermediary, which stores the user private key and the user public key; the intermediary's system stores the user public key corresponding to this user's intermediary account.
The user associates his service-provider account APID with his intermediary account AUID, and this association is stored in both the service provider's system and the intermediary's system. During the association process, the service provider also stores this user's public key.
The specific steps of this embodiment are as follows:
1) The user connects the removable IC to the terminal and passes the intermediary's authentication using the authentication program on the terminal; the intermediary returns to the terminal's authentication program all service-provider account information associated with the user's intermediary account;
2) When the user clicks the option to log in to a service provider on the authentication program's interface, the authentication program spawns on the terminal a new browser object (or an object of another specific program) pointing at the service provider's address. This new program object sends a connection request to the service provider. The connection request contains the user's service-provider account, the user's intermediary account, the service provider's name and the generation time, together with the user public key and a digital signature made with the user private key;
3) After receiving the user's connection request, the service provider verifies with the user public key whether the digital signature on the user's connection request is correct, and also verifies whether the connection request has expired; the terminal can pass authentication only if the signature on the connection request is correct and the request has not expired. The service provider may further carry out several rounds of challenge-response based on the user public key and the removable IC connected to the terminal, and if the responses are correct the terminal has passed the service provider's authentication;
4) After the service provider's authentication passes, the service provider allows the terminal to log in to the user's service-provider account and establishes a connection. The program object through which the terminal accesses the service provider may be a browser or another dedicated program; after access, the user can use the service provider's designated services and resources through the connection this program holds on the terminal.
Embodiment 3
In this embodiment, the user has registered a user account (AUID) with the intermediary and a user account (APID) with the service provider. The service provider is an ICP (Internet content provider). The user holds a USB key issued by a certain CA, which stores the user private key and the user public key. The service provider's system stores the user public key corresponding to this user's service-provider account; this storing may take place while the user registers the service-provider account or after the user has logged in to the service-provider account.
The user associates his service-provider account APID with his intermediary account AUID, and this association is stored in the intermediary's system.
The specific steps of this embodiment are as follows:
1) The user connects the removable IC to the terminal and passes the intermediary's authentication using the authentication program on the terminal; the intermediary returns to the terminal's authentication program all service-provider account information associated with the user's intermediary account;
2) When the user clicks the option to log in to a service provider on the authentication program's interface, the authentication program spawns on the terminal a new browser object (or an object of another specific program) pointing at the service provider's address. This new program object sends a connection request to the service provider. The connection request contains the user's service-provider account, the user's intermediary account, the service provider's name and the generation time, together with the user public key and a digital signature made with the user private key;
3) After receiving the user's connection request, the service provider verifies with the user public key whether the digital signature on the user's connection request is correct, and also verifies whether the connection request has expired; the terminal can pass authentication only if the signature on the connection request is correct and the request has not expired. The service provider may further carry out several rounds of challenge-response based on the user public key and the removable IC connected to the terminal, and if the responses are correct the terminal has passed the service provider's authentication;
4) After the service provider's authentication passes, the service provider allows the terminal to log in to the user's service-provider account and establishes a connection. The program object through which the terminal accesses the service provider may be a browser or another dedicated program; after access, the user can use the service provider's designated services and resources through the connection this program holds on the terminal.
Of course, the present invention may also be combined with other system approaches, or produce many other embodiments according to specific conditions.
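The connection request and the service provider's verification of it (step 5 of embodiment 1, step 3 of embodiments 2 and 3) as an added worked example; this is illustrative code written for this page, not the patent's own implementation. It assumes Ed25519 as the asymmetric algorithm, JSON as the request encoding, and a one-minute validity window; the field and function names are constructed, and the `confirm` callback stands in for either the intermediary's step-4 confirmation (embodiment 1) or the service provider's own record of the user public key (embodiments 2 and 3).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// ConnectionRequest is the step-2 message the terminal's newly spawned program
// object sends to the service provider (JSON field names are constructed here).
type ConnectionRequest struct {
	ServiceAccount      string    `json:"apid"`      // user's account at the service provider
	IntermediaryAccount string    `json:"auid"`      // user's account at the intermediary
	ServiceName         string    `json:"service"`   // which service provider is addressed
	Generated           time.Time `json:"generated"` // generation time, for the expiry check
	UserPublicKey       []byte    `json:"pubkey"`    // public part of the authentication identifier
	Signature           []byte    `json:"sig"`       // made with the private part inside the IC
}

// signedPayload is the canonical byte string the signature covers: all fields but the signature.
func (r ConnectionRequest) signedPayload() ([]byte, error) {
	r.Signature = nil
	return json.Marshal(r)
}

// RemovableIC models the USB key: the private key never leaves it, the terminal only asks it to sign.
type RemovableIC struct{ priv ed25519.PrivateKey }

// NewRemovableIC generates a fresh authentication identifier (key pair) inside the IC.
func NewRemovableIC() (*RemovableIC, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &RemovableIC{priv: priv}, nil
}

func (ic *RemovableIC) Public() ed25519.PublicKey { return ic.priv.Public().(ed25519.PublicKey) }
func (ic *RemovableIC) Sign(msg []byte) []byte    { return ed25519.Sign(ic.priv, msg) }

// Intermediary stores the public part of each user's identifier, keyed by intermediary account (AUID).
type Intermediary struct{ registered map[string][]byte }

// Confirm is step 4 of embodiment 1: confirm only an exact match between the forwarded key and the issued one.
func (m *Intermediary) Confirm(auid string, pub []byte) bool {
	known, ok := m.registered[auid]
	return ok && bytes.Equal(known, pub)
}

// NewConnectionRequest is step 2: the terminal fills in the request and has the removable IC sign it.
func NewConnectionRequest(ic *RemovableIC, apid, auid, service string, now time.Time) (ConnectionRequest, error) {
	req := ConnectionRequest{
		ServiceAccount: apid, IntermediaryAccount: auid, ServiceName: service,
		Generated: now.UTC(), UserPublicKey: ic.Public(),
	}
	payload, err := req.signedPayload()
	if err != nil {
		return ConnectionRequest{}, err
	}
	req.Signature = ic.Sign(payload)
	return req, nil
}

// VerifyConnectionRequest is the service provider's check. confirm binds the presented key to the
// AUID (intermediary's answer in embodiment 1, the service provider's own record in embodiments 2 and 3).
// The key is confirmed before it is trusted to verify anything, then expiry, then the signature.
func VerifyConnectionRequest(r ConnectionRequest, confirm func(auid string, pub []byte) bool, now time.Time, validity time.Duration) error {
	if len(r.UserPublicKey) != ed25519.PublicKeySize {
		return errors.New("malformed user public key")
	}
	if !confirm(r.IntermediaryAccount, r.UserPublicKey) {
		return errors.New("public key is not the one registered for this intermediary account")
	}
	if age := now.Sub(r.Generated); age < 0 || age > validity {
		return errors.New("connection request expired or generated in the future")
	}
	payload, err := r.signedPayload()
	if err != nil || !ed25519.Verify(ed25519.PublicKey(r.UserPublicKey), payload, r.Signature) {
		return errors.New("digital signature does not verify")
	}
	return nil
}

// ChallengeResponse is the optional extra round of step 5: a fresh nonce must be signed by the IC plugged in now.
func ChallengeResponse(ic *RemovableIC, pub []byte) bool {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), nonce, ic.Sign(nonce))
}
```

A replayed connection request is caught by the validity window, and a request signed with a key the intermediary never issued is rejected before its signature is even examined.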

Claims (10)

1. A security authentication system or method, comprising a terminal, a service provider, an intermediary and a removable IC chip; wherein the user of the terminal has a service-provider account with the service provider and an intermediary account with the intermediary; wherein the user of the terminal can associate the intermediary account with the service-provider account, and the intermediary records this association; wherein, after the user passes the intermediary's authentication from the terminal and logs in to the intermediary, the intermediary sends the terminal the service-provider account information associated with that user's intermediary account, and when the user selects one of the associated service-provider accounts on the intermediary interface at the terminal, the terminal requests that service provider to log in the user's account there; on receiving the terminal's login request, the service provider authenticates the terminal, and only after the terminal passes the service provider's authentication does the service provider allow the terminal to log in to that service-provider account; wherein the user holds a removable IC chip, the service provider's authentication is carried out through this removable IC chip, and the service provider's authentication can only be passed while the removable IC chip is connected to the terminal.
2. The security authentication system or method according to claim 1, characterized in that the removable IC chip stores the private part of an authentication identifier, the intermediary stores the public part of this authentication identifier, and the private part and the public part can mutually authenticate each other through corresponding computations.
3. The security authentication system or method according to claim 2, characterized in that the authentication identifier is a pair of asymmetric encryption keys, wherein the private part is a private key and the public part is a public key.
4. The security authentication system or method according to claim 2, characterized in that, in the service provider's authentication, the terminal sends the service provider authentication information computed with the private part of the authentication identifier.
5. The security authentication system or method according to claim 4, characterized in that the service provider verifies this authentication information by computation with the public part of the authentication identifier, and the service provider's authentication is passed only if the verification result is correct.
6. The security authentication system or method according to claim 4, characterized in that, in the service provider's authentication, the public part of the authentication identifier can be transmitted between the service provider and the intermediary.
7. The security authentication system or method according to claim 2, characterized in that, when the user associates a service-provider account with an intermediary account, the public part of the authentication identifier can be transmitted between the service provider and the intermediary.
8. The security authentication system or method according to claim 1, characterized in that, after the user associates the intermediary account with the service-provider account, the service provider also records this association.
9. The security authentication system or method according to claim 1, characterized in that the program object through which the terminal logs in to the service provider and the program object through which the terminal logs in to the intermediary are two different program objects.
10. The security authentication system or method according to claim 1, characterized in that the removable IC chip stores a key, and the service provider's authentication performs its computations with this key.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011103974100A CN102510336A (en) 2011-12-05 2011-12-05 Security certification system or method

Publications (1)

Publication Number Publication Date
CN102510336A true CN102510336A (en) 2012-06-20

Family

ID=46222390

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011103974100A Pending CN102510336A (en) 2011-12-05 2011-12-05 Security certification system or method

Country Status (1)

Country Link
CN (1) CN102510336A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101202631A (en) * 2007-12-21 2008-06-18 任少华 System and method for identification authentication based on cipher key and timestamp
CN101252438A (en) * 2008-01-10 2008-08-27 任少华 Third party identification authentication system based on mobile type IC
CN101291223A (en) * 2007-12-21 2008-10-22 任少华 System and method for a third party to provide identity authentication service
CN101304318A (en) * 2008-07-04 2008-11-12 任少华 Safe network authentication system and method
US20110145899A1 (en) * 2009-12-10 2011-06-16 Verisign, Inc. Single Action Authentication via Mobile Devices

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104348824A (en) * 2013-08-09 2015-02-11 深圳市腾讯计算机系统有限公司 Method and system for associating network account
CN104348824B (en) * 2013-08-09 2018-07-20 深圳市腾讯计算机系统有限公司 The method and system of related network account number
CN103546293A (en) * 2013-10-08 2014-01-29 任少华 Third party certification system or method
CN103546462A (en) * 2013-10-08 2014-01-29 任少华 Third party certification system with specific associated processes or third party certification method
CN103546290A (en) * 2013-10-08 2014-01-29 任少华 Third party certification system with user groups or third party certification method
CN103546291A (en) * 2013-10-08 2014-01-29 任少华 Third party certification system with specific registration processes or third party certification method
CN103546290B (en) * 2013-10-08 2019-06-18 任少华 Third Party Authentication system or method with user group

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 2012-06-20