CN102694776A - Authentication system and method based on dependable computing - Google Patents
Authentication system and method based on dependable computing Download PDFInfo
- Publication number
- CN102694776A CN102694776A CN2011100706124A CN201110070612A CN102694776A CN 102694776 A CN102694776 A CN 102694776A CN 2011100706124 A CN2011100706124 A CN 2011100706124A CN 201110070612 A CN201110070612 A CN 201110070612A CN 102694776 A CN102694776 A CN 102694776A
- Authority
- CN
- China
- Prior art keywords
- trusted
- server
- terminal
- authentication
- authentic
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The present invention relates to an authentication system and a method based on dependable computing. The authentication system based on dependable computing comprises a dependable terminal, a dependable certificate server, and a dependable authentication server. Each of the dependable terminal, the dependable certificate server and the dependable authentication server has a dependable computing module. According to the authentication system and the method based on dependable computing provided by the invention, PKI digital certificate technology and a dependable computing platform are combined, the security of a network and a server terminal is ensured, at the same time, terminal can be ensured to be dependable, the security of a whole network is raised greatly, and creditability and security of computer network certification are raised.
Description
Technical field
The present invention relates to the computer network security technology field, relate in particular to a kind of Verification System and method based on Trusted Computing.
Background technology
Along with the development of computer networking technology, the diverse network in the garden net is used also more and more, and most of system all provides login window, requires the user to import the user name and password, has only authorized users ability access-controlled resource.Each application system all has independently ID authentication mechanism, when getting into different application systems, all will resubmit the identify label of oneself and come the authentication through system, can cause following consequence like this:
The user need be provided with a large amount of username and passwords, causes easily and obscures;
Frequent input the user name and password can increase the probability that the relative users password is cracked;
The user tends to select simple information perhaps identical password to be set as password for ease, will bring very big potential safety hazard like this;
After user and password are cracked, can on any computer, use, there is very big potential safety hazard in transaction for user network.
Consideration from efficient and safety factor; People have proposed new certificate scheme; Be the user in the application number of the account, also need number of the account be tied to specialized apparatus and use simultaneously that the user only needs in network, initiatively carry out authentication; Just can visit the all-network resource that it is authorized to subsequently, and not need to participate in again other authentication process.
But there is following drawback in traditional authentication:
Can't guarantee whether the terminal is credible;
Can't guarantee the credible of certificate server self;
Can't guarantee the credible of certificate server self;
Can't guarantee the credible of application server self.
Therefore, credibility, the fail safe of enhancing computer network authentication are one of current authentication field problem demanding prompt solutions.
Summary of the invention
Technical problem to be solved by this invention provides a kind of Verification System and method based on Trusted Computing, improves credibility, the fail safe of computer network authentication.
For solving the problems of the technologies described above; The present invention proposes a kind of Verification System based on Trusted Computing; Comprise trusted terminal, trusted certificates server, authentic authentication server; All have creditable calculation modules in said trusted terminal, said trusted certificates server and the said authentic authentication server, said trusted terminal respectively with said trusted certificates server, the wireless connections of said authentic authentication server.
Further, said system also can have following characteristics, also comprises the trusted application server, has creditable calculation modules in the said trusted application server, said trusted application server respectively with said trusted terminal, the wireless connections of authentic authentication server.
Further; Said system also can have following characteristics; Also comprise credible integrity verification server; Be used for said trusted terminal platform is carried out integrity verification, have creditable calculation modules in the said credible integrity verification server, said credible integrity verification server and the wireless connections of said authentic authentication server.
For solving the problems of the technologies described above, also the present invention proposes a kind of authentication method based on Trusted Computing, based on above-mentioned each described Verification System, comprising based on Trusted Computing:
Trusted terminal is to trusted certificates server application grant a certificate; And
The checking request that the said trusted terminal of authentic authentication server authentication is initiated to this authentic authentication server, and receive the identity documents that said authentic authentication server signs and issues for this trusted terminal.
Further, said method also can have following characteristics, also comprises before trusted certificates server application grant a certificate in said trusted terminal, the integrality of said trusted terminal check self platform.
Further; Said method also can have following characteristics; Also comprise; Said trusted terminal is also initiated integrality verification request to said authentic authentication server, and said authentic authentication server is transmitted to credible integrity verification server with said integrality verification request, the integrality of the said trusted terminal of said credible integrity verification server authentication.
Further; Said method also can have following characteristics, also comprises, said trusted terminal is initiated services request to the trusted application server after receiving identity documents; The identity documents of the said trusted terminal of said authentic authentication server authentication; And will verify that the result returns to said trusted application server, if said checking result is legal, then said trusted application server allows service entities to said trusted terminal requested service to be provided.
Further, said method also can have following characteristics, also comprises, said trusted terminal user carries out identity registration at said authentic authentication server, registered user's information earlier before carrying out authentication for the first time.
Verification System and method based on Trusted Computing provided by the present invention; PKI digital certificate technique and credible calculating platform are combined; Guaranteed the safety of network and server end; Simultaneously can also guarantee that the terminal is credible, improve the fail safe of whole network to a great extent, improve credibility, the fail safe of computer network authentication.
Description of drawings
Fig. 1 is trusted computer system platform structure figure in the embodiment of the invention;
Fig. 2 is based on the Verification System structure chart of Trusted Computing in the embodiment of the invention;
Fig. 3 is based on the authentication method flow chart of Trusted Computing in the embodiment of the invention.
Embodiment
Main design of the present invention is: utilize reliable computing technology; In the entity of implementing authentication, creditable calculation modules is installed; Guarantee the safety of computer network and server end, can guarantee that again the terminal is credible, not only can improve the fail safe of the entity self of implementing authentication; The fail safe of The whole calculations machine network be can also improve, thereby credibility, the fail safe of authentication on the computer network strengthened.
Among the present invention, creditable calculation modules is meant the Trusted Computing safety chip, is the safety chip on the computer main board.This chip carries out self check to the local hardware platform in computer booting; And the metric that will be kept in the Trusted Computing safety chip compares with the metric that start detects hardware again the time; Can this platform continue to use and be provided with the strategy of Trusted Computing safety chip that relevant (generally being defaulted as platform changes and can not use if local hardware changes; Need change Trusted Computing safety chip strategy if hope to continue use; Being provided with of Trusted Computing safety chip needs computer system management person to be provided with; If be still credible platform after hardware platform changes, the hardware platform information after then needing will upgrade is again measured and is kept in the Trusted Computing safety chip, and this operation is accomplished by computer system management person).
Among this paper, platform is meant the overall operation environment of computer, comprises hardware and software, but when submitting platform information to because operating system and software information also can't reach dynamic affirmation, therefore only submit hardware information to.Among this paper, trusted terminal is a kind of of credible platform.
Below in conjunction with accompanying drawing principle of the present invention and characteristic are described, institute gives an actual example and only is used to explain the present invention, is not to be used to limit scope of the present invention.
Fig. 1 is trusted computer system platform structure figure in the embodiment of the invention.As shown in Figure 1, in the present embodiment, computer system platform also is a user terminal, through following three types of mechanism and platform inherently safe management function, guarantees the fail safe of computer system platform:
(1) be starting point with credible tolerance root, computing system platform integrity metric value is set up the computer system platform trust chain, guarantees that system platform is credible;
(2) credibility of credible report root sign platform identity has uniqueness, is the basis with credible report root, implementation platform proof of identification and integrity report.
(3) based on the trusted storage root, realize key management, platform data safety protection function, corresponding cryptographic service is provided.
Fig. 2 is based on the Verification System structure chart of Trusted Computing in the embodiment of the invention.As shown in Figure 2; In the present embodiment; Verification System based on Trusted Computing comprises trusted terminal 10, trusted certificates server 20, authentic authentication server 30, credible integrity verification server 40 and trusted application server 50, and trusted terminal 10, trusted certificates server 20, authentic authentication server 30, credible integrity verification server 40 and trusted application server 50 all have creditable calculation modules.The existence of creditable calculation modules has guaranteed the credibility of each entity, has improved the Safety of Computer Network that comprises these entities greatly.
Trusted terminal 10 is the objects that carry out authentication; Be used for carrying out the integrality self check at verification process; Submit the platform relevant information to trusted certificates server 20; The application certificate is initiated trusted terminal platform identity and integrality verification request to authentic authentication server 30, initiates services request to trusted application server 50;
Trusted certificates server 20 is used to verify the platform relevant information of trusted terminal 10, and is the trusted terminal grant a certificate through checking;
Authentic authentication server 30 is used to verify the identity of trusted terminal platform, for validated user is signed and issued identity documents; Authentic authentication server 30 also is used for transmitting integrality verification request to credible integrity verification server 40, receives the integrity verification result that credible integrity verification server 40 returns, and this integrity verification result is passed to trusted terminal 10;
Credible integrity servers 40 is used to verify the integrality of trusted terminal platform, does not receive destructions such as virus with the assurance trusted terminal, thereby guarantees the credibility of terminal platform;
Whether trusted application server 50 is used for whether allowing trusted terminal user capture service according to the return results decision of authentic authentication server 30, promptly allow service entities to trusted terminal requested service to be provided.
Credible integrity servers 40 is not the requisite part of Verification System that the present invention is based on Trusted Computing with trusted application server 50; In other embodiments of the invention, the Verification System based on Trusted Computing can not comprise credible integrity servers 40 or trusted application server 50.Under the situation that does not have credible integrity servers 40, trusted terminal 10 can be through the integrality of self check check self platform, and other servers are no longer verified the integrality of trusted terminal platform in the verification process.Trusted terminal 10 just can be visited trusted application server 50 when the user needs trusted application server 50 that certain service is provided, so the further authentication that trusted application server 50 is carried out is the further extension to the most basic verification process.
Trusted terminal 10, trusted certificates server 20 and authentic authentication server 30 are formed the most basic Verification System based on Trusted Computing; The Verification System that this is the most basic and the difference of existing Verification System are; The entity inside of system all has creditable calculation modules; Therefore have higher credibility and fail safe than existing Verification System, thereby guaranteed credibility, the fail safe of the authentication that this system implemented.
It is thus clear that; Verification System based on Trusted Computing provided by the present invention; Improved the credibility and the fail safe of each entity in the system greatly through introducing creditable calculation modules, guaranteed the safety of network and server end, can also guarantee that the terminal is credible simultaneously; Therefore the fail safe that has improved whole network to a great extent, the credibility, the fail safe that have improved computer network authentication.
Based on above-mentioned Verification System, the invention allows for a kind of authentication method based on Trusted Computing based on Trusted Computing.Fig. 3 be in the embodiment of the invention based on the authentication method flow chart of Trusted Computing, as shown in Figure 3, in the present embodiment, comprise the steps: based on the authentication method of Trusted Computing
Step 301, before carrying out authentication for the first time, trusted terminal user carries out identity registration at the authentic authentication server earlier, registers individual relevant information, i.e. credible terminal use's user profile;
Here, individual relevant information is meant the needed information of identity registration of carrying out, and individual relevant information can comprise name, sex, identification card number, home address, telephone number of user etc.
Step 302, trusted terminal is carried out the integrality self check;
Step 303, trusted terminal is submitted the platform relevant information to the trusted certificates server, the application certificate;
Here, the platform relevant information can comprise following hardware information: the unique characteristic information of hard disk, the unique characteristic information of mainboard, the unique characteristic information of CPU, the unique characteristic information of internal memory, the unique characteristic information of network interface card etc.The characteristic information separately of above hardware is carried out Hash operation, be saved in the result of Hash operation among the PCR of creditable calculation modules then and submit to the trusted certificates server.
Step 304, trusted certificates server publisher verification platform relevant information, if the checking through sign and issue user certificate to trusted terminal;
If authentication failed, the trusted certificates server returns authentication failed information to trusted terminal, to remind the user of current use.
Step 305, trusted terminal is initiated platform identity and integrality verification request to the authentic authentication server;
Step 306, the identity of authentic authentication server authentication trusted terminal platform and to credible integrity verification server forwards integrality verification request;
Step 307, credible integrity verification server carries out integrity verification according to pre-determined rule to trusted terminal, and will verify that the result returns to the authentic authentication server;
Step 308, the authentic authentication server returns to trusted terminal with platform identity and integrity verification result;
Step 309, if trusted terminal has been passed through platform authentication and integrity verification, then the client certificate agency reads the relevant information of user certificate from USB Key, initiates the authenticating user identification request to the authentic authentication server;
Client certificate the agency be in the trusted terminal, and USB Key is an independent physical entity, and not in trusted terminal, USB Key can be connected with trusted terminal through USB interface.User certificate is the certificate that the trusted certificates server is signed and issued in the step 304.
Step 310, authentic authentication server authentication user's identity is if validated user is signed and issued identity documents;
If illegal user, the authentic authentication server returns information unauthorized to trusted terminal, to remind the user; Can also set if the number of times of authentication failed reaches preset numerical value continuously; Then lock number of the account and ban use of, prevent Brute Force, the number of the account of locking could used after activating again.
Step 311, trusted terminal are initiated services request to the trusted application server after receiving identity documents, carry identity documents in the said services request;
Step 312, the server-side certificate agency receives the services request that the user comprises identity documents, initiates identity documents checking request to the authentic authentication server;
Server-side certificate the agency be in the trusted application server.
Step 313, the user identity voucher that authentic authentication server authentication server-side certificate agency submits to will verify that the result returns to the trusted application server;
Step 314, whether whether the trusted application server allows the user capture service according to the identity documents checking result decision that the authentic authentication server returns, promptly allow service entities that institute's requested service is provided.
Service entities is in the trusted application server.If identity documents checking result is legal, then the trusted application server allows service entities that institute's requested service is provided, otherwise the trusted application server returns the illegal information of identity documents to trusted terminal, does not allow service entities that institute's requested service is provided.
Authentication method based on Trusted Computing provided by the present invention carries out on the entity with creditable calculation modules, has improved credibility, the fail safe of computer network authentication.
The above is merely preferred embodiment of the present invention, and is in order to restriction the present invention, not all within spirit of the present invention and principle, any modification of being done, is equal to replacement, improvement etc., all should be included within protection scope of the present invention.
Claims (8)
1. Verification System based on Trusted Computing; It is characterized in that; Comprise trusted terminal, trusted certificates server, authentic authentication server; All have creditable calculation modules in said trusted terminal, said trusted certificates server and the said authentic authentication server, said trusted terminal respectively with said trusted certificates server, the wireless connections of said authentic authentication server.
2. the Verification System based on Trusted Computing according to claim 1; It is characterized in that; Also comprise the trusted application server, have creditable calculation modules in the said trusted application server, said trusted application server respectively with said trusted terminal, the wireless connections of authentic authentication server.
3. the Verification System based on Trusted Computing according to claim 1; It is characterized in that; Also comprise credible integrity verification server; Be used for said trusted terminal platform is carried out integrity verification, have creditable calculation modules in the said credible integrity verification server, said credible integrity verification server and the wireless connections of said authentic authentication server.
4. the authentication method based on Trusted Computing based on each described Verification System based on Trusted Computing of claim 1 to 3, is characterized in that, comprising:
Trusted terminal is to trusted certificates server application grant a certificate; And
The checking request that the said trusted terminal of authentic authentication server authentication is initiated to this authentic authentication server, and receive the identity documents that said authentic authentication server signs and issues for this trusted terminal.
5. the authentication method based on Trusted Computing according to claim 4 is characterized in that, also comprises before trusted certificates server application grant a certificate in said trusted terminal, the integrality of said trusted terminal check self platform.
6. the authentication method based on Trusted Computing according to claim 4; It is characterized in that; Also comprise; Said trusted terminal is also initiated integrality verification request to said authentic authentication server, and said authentic authentication server is transmitted to credible integrity verification server with said integrality verification request, the integrality of the said trusted terminal of said credible integrity verification server authentication.
7. the authentication method based on Trusted Computing according to claim 4; It is characterized in that, also comprise that said trusted terminal is initiated services request to the trusted application server after receiving identity documents; The identity documents of the said trusted terminal of said authentic authentication server authentication; And will verify that the result returns to said trusted application server, if said checking result is legal, then said trusted application server allows service entities to said trusted terminal requested service to be provided.
8. the authentication method based on Trusted Computing according to claim 4 is characterized in that, also comprises, said trusted terminal user carries out identity registration at said authentic authentication server, registered user's information earlier before carrying out authentication for the first time.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2011100706124A CN102694776A (en) | 2011-03-23 | 2011-03-23 | Authentication system and method based on dependable computing |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2011100706124A CN102694776A (en) | 2011-03-23 | 2011-03-23 | Authentication system and method based on dependable computing |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN102694776A true CN102694776A (en) | 2012-09-26 |
Family
ID=46860063
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2011100706124A Pending CN102694776A (en) | 2011-03-23 | 2011-03-23 | Authentication system and method based on dependable computing |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102694776A (en) |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103856477A (en) * | 2012-12-06 | 2014-06-11 | 阿里巴巴集团控股有限公司 | Trusted computing system, corresponding attestation method and corresponding devices |
| CN104580250A (en) * | 2015-01-29 | 2015-04-29 | 成都卫士通信息产业股份有限公司 | System and method for authenticating credible identities on basis of safety chips |
| CN104683299A (en) * | 2013-11-28 | 2015-06-03 | 中兴通讯股份有限公司 | Control method for software registration, authentication server and terminal |
| CN106411524A (en) * | 2016-08-31 | 2017-02-15 | 广州世安信息技术有限公司 | Bluetooth-based trusted computing method of mobile terminal |
| CN110299996A (en) * | 2018-03-22 | 2019-10-01 | 阿里巴巴集团控股有限公司 | Authentication method, equipment and system |
| CN113438240A (en) * | 2021-06-25 | 2021-09-24 | 北京八分量信息科技有限公司 | Immune system and method for preventing intrusion of Internet of things information |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101458743A (en) * | 2007-12-12 | 2009-06-17 | 中国长城计算机深圳股份有限公司 | Method for protecting computer system |
| CN101621377A (en) * | 2009-03-26 | 2010-01-06 | 常熟理工学院 | Trusted access method under virtual computing environment |
| CN101778099A (en) * | 2009-12-31 | 2010-07-14 | 郑州信大捷安信息技术有限公司 | Architecture accessing trusted network for tolerating untrusted components and access method thereof |
-
2011
- 2011-03-23 CN CN2011100706124A patent/CN102694776A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101458743A (en) * | 2007-12-12 | 2009-06-17 | 中国长城计算机深圳股份有限公司 | Method for protecting computer system |
| CN101621377A (en) * | 2009-03-26 | 2010-01-06 | 常熟理工学院 | Trusted access method under virtual computing environment |
| CN101778099A (en) * | 2009-12-31 | 2010-07-14 | 郑州信大捷安信息技术有限公司 | Architecture accessing trusted network for tolerating untrusted components and access method thereof |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103856477A (en) * | 2012-12-06 | 2014-06-11 | 阿里巴巴集团控股有限公司 | Trusted computing system, corresponding attestation method and corresponding devices |
| CN103856478A (en) * | 2012-12-06 | 2014-06-11 | 阿里巴巴集团控股有限公司 | Certificate signing and issuing method of trusted network, attestation method of trusted network and corresponding devices |
| CN103856478B (en) * | 2012-12-06 | 2017-11-24 | 阿里巴巴集团控股有限公司 | A kind of certificate issuance of trustable network, authentication method and corresponding equipment |
| CN104683299A (en) * | 2013-11-28 | 2015-06-03 | 中兴通讯股份有限公司 | Control method for software registration, authentication server and terminal |
| CN104580250A (en) * | 2015-01-29 | 2015-04-29 | 成都卫士通信息产业股份有限公司 | System and method for authenticating credible identities on basis of safety chips |
| CN106411524A (en) * | 2016-08-31 | 2017-02-15 | 广州世安信息技术有限公司 | Bluetooth-based trusted computing method of mobile terminal |
| CN106411524B (en) * | 2016-08-31 | 2019-07-12 | 广州世安信息技术股份有限公司 | The method of mobile terminal trust computing based on bluetooth |
| CN110299996A (en) * | 2018-03-22 | 2019-10-01 | 阿里巴巴集团控股有限公司 | Authentication method, equipment and system |
| CN110299996B (en) * | 2018-03-22 | 2022-07-01 | 阿里巴巴集团控股有限公司 | Authentication method, equipment and system |
| CN113438240A (en) * | 2021-06-25 | 2021-09-24 | 北京八分量信息科技有限公司 | Immune system and method for preventing intrusion of Internet of things information |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9992189B2 (en) | Generation and validation of derived credentials | |
| US8584224B1 (en) | Ticket based strong authentication with web service | |
| US10587413B1 (en) | Decentralized identities for cross-enterprise authentication and/or authorization | |
| US11165579B2 (en) | Decentralized data authentication | |
| US10382427B2 (en) | Single sign on with multiple authentication factors | |
| WO2017000829A1 (en) | Method for checking security based on biological features, client and server | |
| CN110677376B (en) | Authentication method, related device and system and computer readable storage medium | |
| US20180234464A1 (en) | Brokered authentication with risk sharing | |
| US20180183777A1 (en) | Methods and systems for user authentication | |
| CN103475666B (en) | A kind of digital signature authentication method of Internet of Things resource | |
| US9037849B2 (en) | System and method for managing network access based on a history of a certificate | |
| CN112671720B (en) | Token construction method, device and equipment for cloud platform resource access control | |
| WO2015148331A1 (en) | Techniques to operate a service with machine generated authentication tokens | |
| CN103259663A (en) | User unified authentication method in cloud computing environment | |
| CN112000951A (en) | Access method, device, system, electronic equipment and storage medium | |
| CN111818088A (en) | Authorization mode management method and device, computer equipment and readable storage medium | |
| CN102694776A (en) | Authentication system and method based on dependable computing | |
| CN106789059A (en) | A kind of long-range two-way access control system and method based on trust computing | |
| US20160212123A1 (en) | System and method for providing a certificate by way of a browser extension | |
| US20170104748A1 (en) | System and method for managing network access with a certificate having soft expiration | |
| CN106936760A (en) | A kind of apparatus and method of login Openstack cloud system virtual machines | |
| CN103428191A (en) | Single sign on method based on combination of CAS framework and fingerprint | |
| Das et al. | Design of an automated blockchain-enabled vehicle data management system | |
| US20210037011A1 (en) | Identity intermediary service authorization | |
| Tiwari et al. | Design and Implementation of Enhanced Security Algorithm for Hybrid Cloud using Kerberos |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C12 | Rejection of a patent application after its publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20120926 |