CN102685126A - System and method of identity authentication for network platform - Google Patents


Info

Publication number
CN102685126A
Authority
CN
China
Prior art keywords
client
identity
password module
service end
creditable calculation
Prior art date
Legal status
Pending
Application number
CN2012101401274A
Other languages
Chinese (zh)
Inventor
范琴
Current Assignee
Nationz Technologies Inc
Original Assignee
Nationz Technologies Inc
Priority date
Filing date
Publication date
Application filed by Nationz Technologies Inc

Abstract

The invention discloses a system and a method of identity authentication for a network platform based on a TCM (Trusted Cryptography Module) chip and provides a method for issuing a client identity certificate and performing client identity authentication based on the TCM chip. By means of the method, the TCM chip is arranged in a server of the network platform to realize the identity authentication for the network platform and the data encryption of client sensitive data. According to the invention, the problems that the identity information is easily used by a third party in a counterfeit way and the client sensitive data are transmitted and stored in the form of raw data in the network platform at present are solved.

Description

Network platform identity authentication system and method
Technical field
The present invention draws on the basic functions provided by a TCM (Trusted Cryptography Module) chip, namely key management, data encryption and decryption, data auditing and critical-data storage, to propose a method for protecting client sensitive data in an application system based on the TCM chip; in particular it relates to a network platform identity authentication system and method based on the TCM chip.
Background technology
When interacting with a network platform, the first step is to authenticate the client's identity, and the precondition for that authentication is that the client's identity information and other sensitive information must first be stored on the other party's storage device. When the client later accesses the network platform to carry out some activity, the platform being visited requires the client to authenticate, and only after authentication succeeds is the client allowed to operate within its authorized scope. These two steps are the ordinary registration and login operations of interaction with a network platform.
These two operations have the following disadvantages:
1. During issuance of the client identity certificate, the server does not give the client any proof of its own identity to show that it is legitimate, so the client's identity information is easily stolen by criminals, who can then carry out illegal activities that harm the client's interests;
2. During client identity authentication, the client's sensitive information is transmitted over the network as raw data and is easily intercepted by a third party;
3. If the client's sensitive data is stored on the service provider's storage device as raw data, it is likewise at risk of being leaked deliberately by insiders or stolen by others.
Summary of the invention
The present invention provides network platform identity authentication and client-sensitive-data encryption based on a TCM chip, solving the current problems that, during interaction with a network platform, identity information is easily impersonated by a third party and client sensitive data is transmitted and stored as raw data.
The technical scheme by which the present invention solves the above technical problems is as follows:
A network platform identity authentication system, characterized in that the authentication system comprises a server, a first trusted cryptography module (TCM) connected to the server, a certificate authority (CA), and a client;
the server generates an identity certificate request through the PIK function provided by the first TCM and outputs it to the CA;
the CA issues an identity certificate to the server;
the client receives the server identity certificate output by the server and verifies it.
The authentication system further comprises a second TCM connected to the client; the client provides the server identity certificate to the second TCM, and the second TCM verifies the server identity certificate and performs platform authentication.
A network platform identity authentication method using the above system, characterized in that the method comprises the following steps:
the server generates an identity certificate request through the PIK function provided by the first TCM and outputs it to the CA;
the CA issues an identity certificate to the server;
the server provides the server identity certificate to the client;
the client verifies the server identity certificate and performs platform authentication.
The step in which the client verifies the identity certificate output by the server and performs platform authentication is specifically: the client provides the server identity certificate to the second TCM, and the second TCM verifies the server identity certificate and performs platform authentication.
The network platform identity authentication method further comprises the step:
the second TCM issues the client identity certificate.
The step in which the second TCM issues the client identity certificate specifically comprises:
the client receives client sensitive data entered from outside;
the second TCM encrypts the client sensitive data with the PEK public key, generating client identity information;
the second TCM transmits the client identity information to the first TCM;
the first TCM processes the client identity information and generates the client identity certificate;
the first TCM returns the client identity certificate to the second TCM, completing issuance.
The step in which the second TCM transmits the client identity information to the first TCM specifically comprises:
the second TCM transmits the client identity information through the client to the server, and the server provides the client identity information to the first TCM.
The step in which the first TCM verifies the client identity certificate specifically comprises:
the first TCM decrypts the client identity certificate with the PEK private key;
the first TCM encrypts the decrypted client identity certificate with the storage key;
the first TCM outputs the encrypted client identity certificate to the server, and the server stores the encrypted client identity certificate.
The step in which the second TCM issues the client identity certificate specifically comprises:
the first TCM returns the client identity certificate to the client through the server, and the client stores the client identity certificate;
the client provides the client identity certificate to the second TCM, completing issuance.
The client sensitive data comprises client name information, password information and bank account information.
The beneficial effects of the invention are: by combining TCM chip technology, sensitive information is encrypted for transmission and storage, strengthening information security during transmission and use; at the same time the keys used in the business process are stored in hardware, solving the problem of information being stolen after a key is lost.
Description of drawings
Fig. 1 is a structural diagram of the network platform authentication of the present invention based on the TCM chip PIK function.
Fig. 2 is the flow for issuing a client identity certificate based on the TCM chip.
Fig. 3 is the client identity authentication flow based on the TCM chip.
Fig. 4 is the specific method for issuing a client identity certificate based on the TCM chip.
Fig. 5 is the specific client identity authentication method based on the TCM chip.
Embodiment
The principles and features of the present invention are described below with reference to the drawings; the examples given serve only to explain the invention and are not intended to limit its scope.
The basic functions of a trusted cryptography module (TCM) chip include platform measurement, platform authentication and cryptographic operations. The present invention uses the PIK (platform identity key) function provided by a standard TCM chip for platform identity proof; uses the PEK (platform encryption key) for encrypted transmission of client sensitive data; uses the PEK private key to decrypt the client sensitive data and check its validity; and uses the storage key provided by the TCM to encrypt and store client sensitive data that has passed the validity check.
Fig. 1 shows the structure of the network platform identity authentication system based on the TCM chip PIK function:
The system comprises a CA (Certificate Authority, i.e. the digital certificate authentication centre), the network platform (the server, in which the first TCM chip is installed) and the client PC (in which the second TCM chip is installed). The network platform server submits an identity certificate request to the CA through the PIK function provided by the first TCM, and the CA issues an identity certificate to the server; the server provides the certificate to the client; the client provides the server identity certificate to the second TCM; the client verifies the certificate through the second TCM, thereby achieving network platform authentication.
The network platform identity authentication method mainly comprises the following steps:
the server generates an identity certificate request through the PIK function provided by the first TCM and outputs it to the CA;
the CA issues an identity certificate to the server;
the server provides the server identity certificate to the client;
the client verifies the server identity certificate and performs platform authentication;
the second TCM issues the client identity certificate.
The step in which the client verifies the identity certificate output by the server and performs platform authentication is specifically: the client provides the server identity certificate to the second TCM, and the second TCM verifies the server identity certificate and performs platform authentication.
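As an added worked example (not code from the patent or from Nationz Technologies), the following Go program models the server-side half of Fig. 1: a CA issues a certificate for the server's platform identity key, and the client verifies that certificate against the CA it trusts, checks the platform name, and then confirms that the server actually holds the certified private key by having it sign a fresh nonce. The TCM, its PIK function and the CA's request protocol are not modelled; ECDSA and X.509 from Go's standard library stand in for them, and every name, key and nonce below is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key. In the patent the server's key would be the
// PIK held inside the first TCM and never leave the chip (assumption: ECDSA
// stands in for the TCM's own algorithms).
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// IssueCA creates a self-signed root for the certificate authority (CA).
func IssueCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueServerCert is the CA answering the server's identity-certificate
// request: it certifies the server's PIK public key under the platform name.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, pik *ecdsa.PublicKey, platform string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: platform},
		DNSNames:     []string{platform},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pik, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ProvePlatform is the server side of platform authentication: the TCM signs
// the client's nonce with the PIK private key.
func ProvePlatform(pik *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, pik, h[:])
}

// ClientVerify is what the second TCM does with the server certificate:
// chain it to the trusted CA, check the platform name and key usage, and
// check that the presenter controls the certified key via its nonce signature.
func ClientVerify(trustedCA, presented *x509.Certificate, platform string, nonce, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   platform,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}); err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	if err := presented.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return fmt.Errorf("platform proof rejected: %w", err)
	}
	return nil
}

func main() {
	ca, caKey, err := IssueCA("Example CA")
	if err != nil {
		panic(err)
	}
	pik, _ := newKey()
	cert, _ := IssueServerCert(ca, caKey, &pik.PublicKey, "platform.example")
	nonce := make([]byte, 32)
	rand.Read(nonce)
	sig, _ := ProvePlatform(pik, nonce)
	fmt.Println("server accepted:", ClientVerify(ca, cert, "platform.example", nonce, sig) == nil)
}
```

The nonce signature is the part the patent calls platform authentication: a certificate alone only proves that some key was certified, while the signature proves that the party presenting it controls that key right now.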
Fig. 2 shows the flow for issuing a client identity certificate based on the TCM chip:
Step 1: the client verifies the identity of the network platform;
Step 2: the client fills in the registration information;
Step 3: the client submits the client sensitive data;
Step 4: the client uses the second TCM to encrypt the client sensitive data with the PEK public key, generating client identity information, and transmits it to the first TCM of the server; the first TCM processes the client identity information and generates the client identity certificate;
Step 5: the first TCM of the network platform server decrypts the client identity certificate with the PEK private key;
Step 6: the decrypted client identity certificate is encrypted with the storage key generated locally by the first TCM and output;
Step 7: the network platform server stores the client identity certificate encrypted under the first TCM's storage key;
Step 8: a registration-success message is returned to the client.
Fig. 3 is the network platform client identity authentication flow based on the TCM chip:
Step 1: the client enters client sensitive data such as client name information and password information to log in;
Step 2: the client sensitive data such as client name information and password information is encrypted by the second TCM with the PEK public key to generate client identity information, which is transmitted over the network;
Step 3: the first TCM of the network platform server processes the client identity information and generates the client identity certificate; the first TCM decrypts the client identity certificate and encrypts it with the storage key;
Step 4: the network platform server performs identity authentication using the client identity certificate encrypted with the storage key;
Step 5: once authentication succeeds, login is complete.
Specific embodiment:
Fig. 4 shows the method for issuing a client identity certificate based on the TCM chip:
Step 1: the client sends the Tspi_TCM_Activate command to the network platform to activate the client encryption key PEK1;
Step 2: the network platform returns the public key Pub_PEK1 of the client encryption key, which is stored on the client;
Step 3: the client fills in the registration information (client name information, password information, bank account information, etc.); the client's sensitive information is encrypted with the public key Pub_PEK1 through the second TCM using the Tspi_Data_Encrypt command, generating client identity information, which is sent to the first TCM of the network platform server;
Step 4: the first TCM of the server processes the client identity information and generates the client identity certificate; the first TCM issues the Tspi_Data_Decrypt command to decrypt the client identity certificate with Pri_PEK1, then uses the locally stored key StorKey1, issuing the Tspi_Data_Encryp command to encrypt the client identity certificate with StorKey1; the encrypted result is stored locally, and a registration-success message is returned to the client.
Fig. 5 shows the client identity authentication method based on the TCM chip:
Step 1: the client enters client sensitive data such as client name information and password information and submits it to the network platform server; the client's second TCM encrypts the client sensitive data with the public key Pub_PEK1 using the Tspi_Data_Encrypt command, generating client identity information, which is sent to the first TCM of the network platform server;
Step 2: the first TCM of the server processes the client identity information and generates the client identity certificate; the first TCM issues the Tspi_Data_Decrypt command to decrypt the client identity certificate with Pri_PEK;
Step 3: the first TCM of the server uses the local storage key StorKey1, issuing the Tspi_Data_Encryp command to encrypt the client identity certificate with StorKey1;
Step 4: if the client identity certificate encrypted with StorKey1 in step 3 is consistent with the locally stored value, a client login success message is returned.
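As an added worked example (not code from the patent or from Nationz Technologies), the Go program below models the registration flow of Fig. 4 and the login flow of Fig. 5 together, with one simulated server-side module playing the first TCM plus the server's storage. RSA-OAEP from Go's standard library stands in for PEK1 (Pub_PEK1/Pri_PEK1) and for the Tspi_Data_Encrypt/Tspi_Data_Decrypt commands; the TCM chip itself and Tspi_TCM_Activate are not modelled. One caveat the example makes explicit: step 4 of Fig. 5 compares the value produced under StorKey1 with the stored value, which only works if that operation is deterministic (a randomized cipher would never compare equal), so here the StorKey1 step is an HMAC-SHA256 keyed with StorKey1, a substitution and not what the patent specifies, and the comparison is constant-time. The client names, passwords, account strings and the newline-delimited record format are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Sensitive holds the client data the patent names: name, password and
// bank account (field layout constructed for this example).
type Sensitive struct {
	Name, Password, Account string
}

// encode serialises the fields; the name is the first newline-delimited
// field so the server can locate the stored record after decryption.
func (s Sensitive) encode() []byte {
	return []byte(s.Name + "\n" + s.Password + "\n" + s.Account)
}

func nameOf(plain []byte) string {
	if i := bytes.IndexByte(plain, '\n'); i >= 0 {
		return string(plain[:i])
	}
	return string(plain)
}

// ServerTCM stands in for the first TCM plus the server's storage.
// priPEK1 and storKey1 never leave the module; store is the server's
// storage of StorKey1-protected client identity certificates, keyed by name.
type ServerTCM struct {
	priPEK1  *rsa.PrivateKey
	storKey1 []byte
	store    map[string][]byte
}

func NewServerTCM() (*ServerTCM, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	storKey := make([]byte, 32)
	if _, err := rand.Read(storKey); err != nil {
		return nil, err
	}
	return &ServerTCM{priPEK1: key, storKey1: storKey, store: map[string][]byte{}}, nil
}

// PubPEK1 is what the platform hands back after Tspi_TCM_Activate (Fig. 4, steps 1-2).
func (s *ServerTCM) PubPEK1() *rsa.PublicKey { return &s.priPEK1.PublicKey }

// ClientEncrypt is the second TCM's Tspi_Data_Encrypt under Pub_PEK1: it turns
// the sensitive data into the "client identity information" sent to the server.
func ClientEncrypt(pub *rsa.PublicKey, data Sensitive) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data.encode(), nil)
}

// decrypt is Tspi_Data_Decrypt under Pri_PEK1.
func (s *ServerTCM) decrypt(identityInfo []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, s.priPEK1, identityInfo, nil)
}

// protect is the StorKey1 step. The patent encrypts under StorKey1 and later
// compares the results, so the operation must be deterministic; this example
// substitutes a keyed MAC under StorKey1 (assumption, not the patent's cipher).
func (s *ServerTCM) protect(plain []byte) []byte {
	m := hmac.New(sha256.New, s.storKey1)
	m.Write(plain)
	return m.Sum(nil)
}

// Register is Fig. 4, steps 3-4: decrypt, protect under StorKey1, store locally.
func (s *ServerTCM) Register(identityInfo []byte) error {
	plain, err := s.decrypt(identityInfo)
	if err != nil {
		return err
	}
	name := nameOf(plain)
	if _, exists := s.store[name]; exists {
		return errors.New("client already registered")
	}
	s.store[name] = s.protect(plain)
	return nil
}

// Login is Fig. 5: decrypt, protect under StorKey1, compare with the stored value.
func (s *ServerTCM) Login(identityInfo []byte) (bool, error) {
	plain, err := s.decrypt(identityInfo)
	if err != nil {
		return false, err
	}
	stored, ok := s.store[nameOf(plain)]
	if !ok {
		return false, nil
	}
	return hmac.Equal(stored, s.protect(plain)), nil
}

func main() {
	srv, err := NewServerTCM()
	if err != nil {
		panic(err)
	}
	alice := Sensitive{"alice", "correct horse", "6222-0000-0000"}
	reg, _ := ClientEncrypt(srv.PubPEK1(), alice)
	fmt.Println("register:", srv.Register(reg))
	again, _ := ClientEncrypt(srv.PubPEK1(), alice)
	ok, _ := srv.Login(again)
	fmt.Println("login with correct data:", ok)
}
```

Because OAEP is randomized, the client identity information sent at registration and at login never matches byte for byte, which is why the server must decrypt first and compare only the StorKey1-protected form; the raw password never sits in the server's storage.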
By combining TCM chip technology, sensitive information is encrypted for transmission and storage, strengthening information security during transmission and use; at the same time the keys used in the business process are stored in hardware, solving the problem of information being stolen after a key is lost.
The inventive concept and method are equally applicable to using TCM technology for the encrypted transmission, storage and verification of client sensitive data in other application environments.
The above are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and so on made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (10)

1. A network platform identity authentication system, characterized in that the authentication system comprises a server, a first trusted cryptography module (TCM) connected to the server, a certificate authority (CA), and a client;
the server generates an identity certificate request through the PIK function provided by the first TCM and outputs it to the CA;
the CA issues an identity certificate to the server;
the client receives the server identity certificate output by the server and verifies it.
2. The network platform identity authentication system according to claim 1, characterized in that the authentication system comprises a second TCM connected to the client; the client provides the server identity certificate to the second TCM, and the second TCM verifies the server identity certificate and performs platform authentication.
3. A network platform identity authentication method in the system according to claim 1 or 2, characterized in that the method comprises the following steps:
the server generates an identity certificate request through the PIK function provided by the first TCM and outputs it to the CA;
the CA issues an identity certificate to the server;
the server provides the server identity certificate to the client;
the client verifies the server identity certificate and performs platform authentication.
4. The network platform identity authentication method according to claim 3, characterized in that the step in which the client verifies the identity certificate output by the server and performs platform authentication is specifically: the client provides the server identity certificate to the second TCM, and the second TCM verifies the server identity certificate and performs platform authentication.
5. The network platform identity authentication method according to claim 4, characterized in that the method further comprises the step:
the second TCM issues the client identity certificate.
6. The network platform identity authentication method according to claim 5, characterized in that the step in which the second TCM issues the client identity certificate specifically comprises:
the client receives client sensitive data entered from outside;
the second TCM encrypts the client sensitive data with the PEK public key, generating client identity information;
the second TCM transmits the client identity information to the first TCM;
the first TCM processes the client identity information and generates the client identity certificate;
the first TCM returns the client identity certificate to the second TCM, completing issuance.
7. The network platform identity authentication method according to claim 6, characterized in that the step in which the second TCM transmits the client identity information to the first TCM specifically comprises:
the second TCM transmits the client identity information through the client to the server, and the server provides the client identity information to the first TCM.
8. The network platform identity authentication method according to claim 6, characterized in that the step in which the first TCM verifies the client identity certificate specifically comprises:
the first TCM decrypts the client identity certificate with the PEK private key;
the first TCM encrypts the decrypted client identity certificate with the storage key;
the first TCM outputs the encrypted client identity certificate to the server, and the server stores the encrypted client identity certificate.
9. The network platform identity authentication method according to claim 6, characterized in that the step in which the second TCM issues the client identity certificate specifically comprises:
the first TCM returns the client identity certificate to the client through the server, and the client stores the client identity certificate;
the client provides the client identity certificate to the second TCM, completing issuance.
10. The network platform identity authentication method according to claim 6, characterized in that the client sensitive data comprises client name information, password information and bank account information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012101401274A CN102685126A (en) 2012-05-08 2012-05-08 System and method of identity authentication for network platform

Publications (1)

Publication Number Publication Date
CN102685126A true CN102685126A (en) 2012-09-19

Family

ID=46816489

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2012101401274A Pending CN102685126A (en) 2012-05-08 2012-05-08 System and method of identity authentication for network platform

Country Status (1)

Country Link
CN (1) CN102685126A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104394152A (en) * 2014-11-27 2015-03-04 成都远为天胜科技有限公司 High-security network platform
CN108243166A (en) * 2016-12-27 2018-07-03 航天信息股份有限公司 A kind of identity identifying method and system based on USBKey

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101593324A (en) * 2009-06-17 2009-12-02 浙江师范大学 The network multi-level measures and procedures for the examination and approval and system based on dependable computing application technique
CN102035837A (en) * 2010-12-07 2011-04-27 中国科学院软件研究所 Method and system for hierarchically connecting trusted networks
CN102035838A (en) * 2010-12-07 2011-04-27 中国科学院软件研究所 Trust service connecting method and trust service system based on platform identity
CN102207999A (en) * 2010-03-29 2011-10-05 国民技术股份有限公司 Data protection method based on trusted computing cryptography support platform
US20120030475A1 (en) * 2010-08-02 2012-02-02 Ma Felix Kuo-We Machine-machine authentication method and human-machine authentication method for cloud computing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20120919