Summary of the invention
The embodiment of the present invention provides a user resource authorization method that can achieve fine-grained resource authorization between one user and another. The embodiment of the present invention also provides corresponding equipment and a system.
The technical solution provided by the embodiment of the present invention is as follows:
A user resource authorization method, comprising:
the server carrying an authorization identifier in a challenge message and sending it to the authorizing client (the user granting access);
after receiving a response message carrying authorization information returned by the authorizing client, creating an authorization credential that comprises the authorization identifier, the authorization information, a random seed and authorization state information;
sending the authorization credential to the authorized client (the user receiving access), where the random seed and the authorization state information in the credential are used by the authorized client to generate a ticket, and the authorized client can obtain the authorized resource from the server according to the authorization identifier, the authorization information and the generated ticket.
A user resource authorization device, comprising:
a first sending module, for carrying an authorization identifier in a challenge message and sending it to the authorizing client;
a receiving module, for receiving the response message carrying authorization information that the authorizing client returns;
a creation module, for creating an authorization credential that comprises the authorization identifier, the authorization information, a random seed and authorization state information;
a second sending module, for sending the authorization credential to the authorized client, where the random seed and the authorization state information in the credential are used by the authorized client to generate a ticket, and the authorized client can obtain the authorized resource from the server according to the authorization identifier, the authorization information and the generated ticket.
A user resource authorization system, comprising: a server, an authorizing client and an authorized client;
the server, for carrying an authorization identifier in a challenge message and sending it to the authorizing client; after receiving a response message carrying authorization information returned by the authorizing client, creating an authorization credential that comprises the authorization identifier, the authorization information, a random seed and authorization state information; sending the authorization credential to the authorized client; and providing the authorized resource to the authorized client;
the authorizing client, for receiving the challenge message carrying the authorization identifier sent by the server, and carrying the authorization information in a response message sent to the server;
the authorized client, for receiving the authorization credential sent by the server, generating a ticket according to the random seed and the authorization state information in the credential, and obtaining the authorized resource from the server according to the authorization identifier, the authorization information and the generated ticket.
The embodiment of the present invention extends the challenge-handshake authentication scheme: the server obtains authorization information from the authorizing client through the challenge-handshake authentication process, creates an authorization credential comprising this authorization information and sends it to the authorized client, and the authorized client generates a ticket from information such as the random seed comprised in the credential and then obtains the authorized resource from the server with this ticket, thereby achieving fine-grained resource authorization between the authorizing client and the authorized client.
Embodiment
The embodiment of the present invention provides a user resource authorization method that can achieve fine-grained resource authorization between one user and another. The embodiment of the present invention also provides corresponding equipment and a system. Each is described in detail below.
Embodiment one
Please refer to Fig. 1 and Fig. 2. The embodiment of the present invention provides a user resource authorization method. The equipment involved in the method comprises a server S and at least two clients; hereafter two clients, A and B, are taken as the example.
The server S is a public operation platform that includes an authentication server. Clients A and B are connected to the server S and are legitimate users of it, and the resources that A and B own are provided and managed by the server. The server S can authenticate client A or client B, but does not support direct authentication between client A and client B. Clients A and B have each applied for a storage space on the server S, namely Space A and Space B, in which they keep their respective resources. In the prior art, client B cannot access the resources of client A in Space A, and client A cannot access the resources of client B in Space B.
The problem the embodiment of the present invention solves is to let client A authorize client B to access part or all of the resources in its storage space Space A, or to let client B authorize client A to access part or all of the resources in its storage space Space B. Hereafter the description takes client A authorizing client B to access part or all of the resources in Space A as the example. From here on, client A is called the authorizing client and client B is called the authorized client.
As shown in Figure 1, the user resource authorization method provided by the embodiment of the present invention comprises:
110, the server carrying an authorization identifier in a challenge message and sending it to the authorizing client.
To identify each authorization, the server S can generate one authorization identifier (authorization identity, Auth_id) for each authorization. This authorization identifier can be carried in the challenge message of the challenge-handshake authentication and sent to the authorizing client. There are two occasions on which the authorization identifier is generated: when the server S receives an authorization request sent by the authorizing client A, and when the server S receives a request for authorization sent by the authorized client B.
When the authorizing client A needs to authorize the authorized client B, it can actively send an authorization request to the server S. After the server S receives this request, it recognizes the authorization-request identifier contained in it and returns a corresponding challenge message to the authorizing client A. This challenge message, shown as message (1) in Fig. 2, contains at least a random number $R_S$ for challenge-handshake authentication and an authorization identifier (Auth_id) that identifies this authorization. After client A receives the challenge message, it computes an authentication code and sets the authorization information, which comprises the authorized object, the authorized resource, the authorization restriction and so on; the authorized object is the authorized client, and the authorization restriction may comprise a time restriction, a number-of-uses restriction, a read/write permission and so on. The authorizing client responds to the challenge by returning a response message carrying the authentication code and the authorization information, as message (2) in Fig. 2. The server S authenticates the response message sent by client A, which includes decrypting the response message and comparing the authentication code, confirming the identity of client A, and confirming through database operations the authorized object, the authorized resource, the authorization restriction and so on; the server S also needs to verify whether this authorization lies within the existing rights of client A. If authentication fails or the rights do not match, the server S immediately returns an error code and this authorization ends.
The authorized client B can also take the initiative and ask the authorizing client A to give B access to a resource under A's rights; in this case the authorized client B sends a request for authorization to the server S. The server S authenticates the identity of client B and the request by challenge-handshake authentication in challenge-response form, as challenge message (01) and response message (02) in Fig. 2. This challenge message (01) contains a random number for challenge-handshake authentication and an authorization identifier (Auth_id) that identifies this authorization. If the server S checks that the content of the request lies within the scope of client A's own rights, then, when the authorizing client A is online, the server carries the content of the request in a challenge message and sends it to client A; this challenge message contains the random number $R_S$ for challenge-handshake authentication, an authorization identifier (Auth_id) identifying this authorization, and the content (text1) of the request, as message (1) in Fig. 2. If the authorizing client A agrees, it responds to this challenge message, sets the authorization information, and returns a response message carrying the authorization information to the server S.
120, after receiving the response message carrying the authorization information returned by the authorizing client, creating an authorization credential that comprises the authorization identifier, the authorization information, a random seed and authorization state information.
The server S obtains the authorization information from the response message returned by the authorizing client A. The server S then creates an authorization credential; this credential comprises the authorization identifier and the authorization information, and also comprises a random seed (seed) and authorization state information.
The authorization information comprises the authorized object, the authorized resource, the authorization restriction and so on. The authorized object is the authorized client and can be identified by an IP address or the like. The authorized resource can be identified globally and uniquely with reference to a DOI (Digital Object Unique Identifier) or a URI (Uniform Resource Identifier). The authorization restriction may comprise a time restriction, a number-of-uses restriction, a read/write permission and so on. The authorization state information records how far the authorization restriction has been used up; for example, for a number-of-uses restriction, how many times the authorization has already been used and how many uses remain. The random seed is generated by the server S and is used later to generate tickets.
The authorization credential created and stored by the server is indexed by the authorization identifier, i.e. $T_{index} = \text{Auth\_id}$, as shown in (5) in Fig. 2; subsequently, the corresponding credential can be retrieved by the authorization identifier. Once the server S has generated the random seed, the creation of this authorization credential is complete. The random seed in the credential is used to compute the ticket (T), and the ticket is used by the authorized client B to access the resources of the authorizing client A on the server S. Ticket generation depends on a hash-chain computation, walked in reverse, over the random seed and the authorization state information in the credential, and a ticket is single-use: it is valid for obtaining the corresponding service once. The server S can, as required, generate the corresponding ticket from the random seed and the authorization state information in the credential, and store and verify it. The authorization state information changes as service is provided to the authorized object, the authorized client.
130, sending the authorization credential to the authorized client, where the random seed and the authorization state information in the credential are used by the authorized client to generate a ticket, and the authorized client can obtain the authorized resource from the server according to the authorization identifier, the authorization information and the generated ticket.
The server S can send the generated authorization credential to the authorized client B in a secure form, as message (4) in Fig. 2. Secure form here means protection of confidentiality and integrity, using published security techniques such as digital signatures and HMAC (Hash-based Message Authentication Code), with either a public-key or a symmetric cryptographic mechanism. After the authorized client B obtains the credential, it verifies the integrity and origin of the credential. If the integrity of the credential has been damaged, this delivery of the credential fails and the server must retransmit it. The authorized client B stores the random seed (seed) from the credential locally in an encrypted form that it can decrypt, as message (4) in Fig. 2, and also stores the authorization state information and so on locally.
The authorized client B can compute the ticket for this access from the stored authorization state information and random seed through the hash chain, and presents the authorization identifier and this ticket to the server, as shown in (6) in Fig. 2. The server retrieves the stored authorization credential from its database by the authorization identifier, likewise computes a ticket from the random seed and the authorization state information in the credential, and compares it with the ticket presented by client B. If they differ, an error message is returned; if they match, verification succeeds, which shows that the service requested by client B is within the authorization restriction of the credential, and the corresponding service is provided: the authorized resource is made available to client B for access.
After client B has obtained the service, it updates the authorization state information, for example by decrementing the authorized number of uses by 1, as shown in (7) in Fig. 2. The server S likewise updates the corresponding authorization state information after providing the service.
In the embodiment of the present invention, the authorization credential and the authorization state information within it as maintained by the server are authoritative. If the authorization state information or authorization restriction held by the authorized client B is inaccurate or lost, client B can request the correct authorization state information and authorization restriction from the server by the authorization identifier. If the random seed held by client B has been tampered with, client B can request the correct random seed and authorization state information from the server by the authorization identifier. If the whole credential is lost or destroyed, client B can request the server S to resend all of the credentials belonging to it.
In the embodiment of the present invention, both the authorizing client A and the authorized client B can learn the usage of a granted authorization by its authorization identifier. The authorizing client A can also modify and update an authorization by its authorization identifier. The server can manage authorization credentials by client identifier and authorization identifier.
In summary, the embodiment of the present invention provides a user resource authorization method that extends the challenge-handshake authentication scheme: the server obtains authorization information from the authorizing client through the challenge-handshake authentication process, creates an authorization credential comprising this authorization information and sends it to the authorized client, and the authorized client generates a ticket from information such as the random seed comprised in the credential and then obtains the authorized resource from the server with this ticket, thereby achieving fine-grained resource authorization between the authorizing client and the authorized client. This solution is efficient, simple to use, easily incorporated into existing authentication schemes, and realizes a secure extension of business functions. In particular, the solution can be used to realize mutual authorization of resources between internet television users. The granularity of authorization is fine, the authorizing user and the server can review and track the authorization state, and authorizations are easy to trace and manage.
The technical solution of the embodiment of the present invention is an extension built on an existing challenge-handshake authentication scheme. The underlying challenge-handshake authentication scheme can adopt one of the three unilateral authentication techniques below, which come respectively from the standards ISO/IEC 9798-2, ISO/IEC 9798-3 and ISO/IEC 9798-4.
These three schemes can be expressed by the following formulas:
The first:
$S \to C: R_S \parallel \text{text1}$
$C \to S: \text{Token}_{CS} = \text{text2} \parallel \varepsilon_{K_{CS}}(R_S \parallel S \parallel \text{text2})$
The second:
$S \to C: R_S \parallel \text{text1}$
$C \to S: \text{Token}_{CS} = \text{text2} \parallel f_{K_{CS}}(R_S \parallel S \parallel \text{text2})$
The third:
$S \to C: R_S \parallel \text{text1}$
$C \to S: \text{Cert}_C \parallel \text{Token}_{CS}$, where $\text{Token}_{CS} = R_C \parallel R_S \parallel \text{text2} \parallel S \parallel \text{sig}_C(R_C \parallel R_S \parallel S \parallel \text{text2})$
In the above formulas, C denotes the client and S denotes the server; S performs unilateral authentication of C.
$S \to C$ or $C \to S$ denotes one exchange of a challenge or a response. C or S within a message denotes the identity of C or S. text1 and text2 denote the messages to be authenticated and responded to. $\text{Token}_{CS}$ denotes the set of message bodies in the response and may be called the ticket. $R_C$ or $R_S$ is a random number generated by C or S. $\varepsilon_{K_{CS}}$ is a symmetric encryption algorithm keyed with $K_{CS}$, the key shared between C and S. $f_{K_{CS}}$ is essentially a keyed secure hash function. $\text{Cert}_C$ is the public-key certificate of C. $\text{sig}_C$ denotes the private-key signature algorithm of C.
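As an added illustration of the second scheme (the keyed hash $f_{K_{CS}}$), extended the way step 110 describes: the challenge carries an Auth_id next to $R_S$, and text2 carries the authorization information that client A is granting. This code is written for this page and is not the patent's own; HMAC-SHA256 stands in for the generic keyed hash, JSON for the encoding of text2, and the names AuthServer, client_respond, run_exchange and the constructed shared key are assumptions. It also shows the two server-side checks the description calls for: each challenge is consumed on first use so a replayed token is refused, and the grant must lie within A's own rights.

```python
import hashlib
import hmac
import json
import secrets

SERVER_ID = b"S"  # identity label of the server, the "S" inside the keyed-hash input


def concat(*parts: bytes) -> bytes:
    """Length-prefix each field before joining so R_S || S || text2 cannot be re-split ambiguously."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def f_kcs(key: bytes, data: bytes) -> bytes:
    """The keyed hash f_KCS of the second scheme; HMAC-SHA256 stands in for the generic function."""
    return hmac.new(key, data, hashlib.sha256).digest()


class AuthServer:
    """Server S: issues challenges indexed by Auth_id and verifies Token_CS (hypothetical class)."""

    def __init__(self, shared_keys: dict, rights: dict):
        self.shared_keys = shared_keys   # K_CS per client identity
        self.rights = rights             # resources each client is entitled to grant
        self.pending = {}                # Auth_id -> (client, R_S); each challenge is single use

    def challenge(self, client: bytes, text1: bytes = b"") -> dict:
        auth_id = secrets.token_hex(8)   # authorization identifier for this grant
        r_s = secrets.token_bytes(16)    # R_S, the server's random number
        self.pending[auth_id] = (client, r_s)
        return {"R_S": r_s, "Auth_id": auth_id, "text1": text1}

    def verify(self, auth_id: str, token: dict):
        """Return the authorization info carried in text2 if Token_CS verifies, else None."""
        entry = self.pending.pop(auth_id, None)   # consume the challenge: a replay finds nothing
        if entry is None:
            return None
        client, r_s = entry
        expected = f_kcs(self.shared_keys[client], concat(r_s, SERVER_ID, token["text2"]))
        if not hmac.compare_digest(expected, token["mac"]):
            return None
        info = json.loads(token["text2"])
        if info["resource"] not in self.rights.get(client, ()):   # grant must be within A's own rights
            return None
        return info


def client_respond(key: bytes, challenge: dict, authorization: dict) -> dict:
    """Client C builds Token_CS = text2 || f_KCS(R_S || S || text2); text2 is the authorization info."""
    text2 = json.dumps(authorization, sort_keys=True).encode()
    mac = f_kcs(key, concat(challenge["R_S"], SERVER_ID, text2))
    return {"text2": text2, "mac": mac}


def run_exchange() -> dict:
    """Constructed scenario: A grants B read access to one of A's resources, then three failure cases."""
    k_as = secrets.token_bytes(32)                               # constructed K_CS shared by A and S
    server = AuthServer({b"A": k_as}, {b"A": {"doi:10.1000/example"}})
    grant = {"grantee": "B", "resource": "doi:10.1000/example", "limit": 3, "mode": "read"}

    ch = server.challenge(b"A")
    token = client_respond(k_as, ch, grant)
    valid = server.verify(ch["Auth_id"], token) == grant

    replayed = server.verify(ch["Auth_id"], token)               # challenge already consumed

    ch2 = server.challenge(b"A")
    token2 = client_respond(k_as, ch2, grant)
    forged = dict(token2, text2=json.dumps(dict(grant, limit=99), sort_keys=True).encode())
    tampered = server.verify(ch2["Auth_id"], forged)             # text2 changed, MAC no longer matches

    ch3 = server.challenge(b"A")
    token3 = client_respond(k_as, ch3, dict(grant, resource="doi:10.1000/not-mine"))
    out_of_scope = server.verify(ch3["Auth_id"], token3)         # A cannot grant what A does not own

    return {"valid": valid, "replayed": replayed, "tampered": tampered, "out_of_scope": out_of_scope}
```

The length-prefixed concatenation matters in practice: with plain string concatenation, a different split of the same bytes into $R_S$, $S$ and text2 would verify under the same MAC.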
The ticket in the embodiment of the present invention is computed with hash-chain technology. The one-way function in the hash chain may be MD5, SHA-1 or their variants, and may also be a combination of them or repeated computation, such as the key derivation function in ISO-18033-2.
In the embodiment of the present invention, the authorization restriction can contain a number-of-uses restriction. If the number-of-uses restriction applies to the authorization as a whole, then the value in the first ticket is computed by applying the one-way function n times to the random seed in the credential, where n is the number-of-uses restriction of the whole authorization, and each later ticket is computed with one fewer application of the one-way function. If the number of uses applies to a specific authorized service action, there are two ways. In the first, the value in the first ticket is computed by applying the one-way function n times to the random seed in the credential concatenated with the ASCII value of the authorized service action, where n is the number-of-uses restriction of that action, and each later ticket is computed with one fewer application of the one-way function; in the second, the protocol negotiates multiple seed values, each corresponding to one authorized action. The authorization restriction may also contain no number-of-uses restriction; in that case the ticket is still generated by hash-chain computation, and the number of uses can take a theoretically large value, or a default agreed value that is generated once the initial count has been used up.
The embodiment of the present invention adds an authorization identifier to the challenge-response process to index this authorization, which makes recovering the credential, synchronizing the credential state, browsing the authorization information and so on easier to realize. The embodiment delivers the credential through the trusted server, thereby realizing mutual authorization between clients. Having the server generate the credential makes the business easier to carry out and more accurate. The embodiment uses hash-chain security technology to realize the number-of-uses restriction, and each ticket that obtains a service is different, which makes the scheme more secure.
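As an added example (not the patent's own code) of the hash-chain ticket mechanism of steps 120 and 130 and of the number-of-uses variant just described, including the per-action variant that concatenates the ASCII value of the action to the seed. SHA-256 is used as the one-way function; MD5 and SHA-1, which the page names, are deprecated in current practice. The class and function names (AuthorizationCredential, ResourceServer, AuthorizedClient, run_demo) and the sample resource identifier are assumptions. The server keeps the authoritative credential indexed by Auth_id, recomputes the expected ticket from its seed and remaining count on every request, and decrements the count after service; the demo shows that a replayed ticket is refused, that the count is enforced, and that a client whose local copy is damaged recovers from the server's record.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def hash_chain(seed: bytes, count: int) -> bytes:
    """H^count(seed): apply SHA-256 `count` times (count >= 1)."""
    if count < 1:
        raise ValueError("chain length must be at least 1")
    value = seed
    for _ in range(count):
        value = hashlib.sha256(value).digest()
    return value


class AuthorizationCredential:
    """Authorization credential as the server stores it (hypothetical class)."""

    def __init__(self, grantee: str, resource: str, limit: int, action: Optional[str] = None):
        self.grantee = grantee
        self.resource = resource
        self.limit = limit                  # n, the number-of-uses restriction
        self.remaining = limit              # authorization state: uses still available
        self.seed = secrets.token_bytes(32)  # random seed generated by the server
        self.action = action

    def chain_seed(self) -> bytes:
        # Per-action variant: bind the seed to the ASCII value of the authorized action
        if self.action is None:
            return self.seed
        return self.seed + self.action.encode("ascii")

    def expected_ticket(self) -> bytes:
        # First ticket is H^n(seed); each later one uses one hash application fewer
        return hash_chain(self.chain_seed(), self.remaining)


class ResourceServer:
    """Server S holding credentials indexed by Auth_id (T_index = Auth_id)."""

    def __init__(self):
        self.credentials = {}

    def grant(self, grantee: str, resource: str, limit: int, action: Optional[str] = None):
        auth_id = secrets.token_hex(8)
        cred = AuthorizationCredential(grantee, resource, limit, action)
        self.credentials[auth_id] = cred
        return auth_id, cred

    def redeem(self, auth_id: str, ticket: bytes) -> bool:
        """Message (6): verify Auth_id + ticket, then update the state as in message (7)."""
        cred = self.credentials.get(auth_id)
        if cred is None or cred.remaining <= 0:
            return False
        if not hmac.compare_digest(cred.expected_ticket(), ticket):
            return False
        cred.remaining -= 1
        return True

    def resync(self, auth_id: str) -> Tuple[bytes, int]:
        """Client B's copy is lost or tampered: the server's record is authoritative."""
        cred = self.credentials[auth_id]
        return cred.chain_seed(), cred.remaining


class AuthorizedClient:
    """Client B keeps its own copy of the chain seed and the remaining count."""

    def __init__(self, auth_id: str, chain_seed: bytes, remaining: int):
        self.auth_id = auth_id
        self.chain_seed = chain_seed
        self.remaining = remaining

    def next_ticket(self) -> Optional[bytes]:
        if self.remaining <= 0:
            return None
        ticket = hash_chain(self.chain_seed, self.remaining)
        self.remaining -= 1
        return ticket


def run_demo(limit: int = 3) -> dict:
    """Constructed scenario: B holds a credential limited to `limit` reads of one resource."""
    server = ResourceServer()
    auth_id, cred = server.grant("B", "doi:10.1000/example", limit, action="read")
    client = AuthorizedClient(auth_id, *server.resync(auth_id))   # B received the credential
    first = client.next_ticket()
    results = {"uses": [server.redeem(auth_id, first)]}
    results["replay"] = server.redeem(auth_id, first)             # same ticket twice: refused
    for _ in range(limit - 1):
        results["uses"].append(server.redeem(auth_id, client.next_ticket()))
    results["exhausted"] = client.next_ticket() is None
    results["over_limit"] = server.redeem(auth_id, hash_chain(cred.chain_seed(), 1))
    client.remaining = 99                                         # local state damaged
    client.chain_seed, client.remaining = server.resync(auth_id)
    results["resynced_remaining"] = client.remaining
    return results
```

Because each presented ticket is the preimage of the one before it, an observer of ticket k learns nothing usable about ticket k+1, and the server needs only the seed and the remaining count to check any of them.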
Embodiment two
Please refer to Fig. 3. The embodiment of the present invention provides a user resource authorization device, comprising:
a first sending module 310, for carrying an authorization identifier in a challenge message and sending it to the authorizing client;
a receiving module 320, for receiving the response message carrying authorization information that the authorizing client returns;
a creation module 330, for creating an authorization credential that comprises the authorization identifier, the authorization information, a random seed and authorization state information;
a second sending module 340, for sending the authorization credential to the authorized client, where the random seed and the authorization state information in the credential are used by the authorized client to generate a ticket, and the authorized client can obtain the authorized resource from the server according to the authorization identifier, the authorization information and the generated ticket.
Further, this user resource authorization device can also comprise:
a generation module, for generating the authorization identifier when an authorization request sent by the authorizing client or a request for authorization sent by the authorized client is received.
Further, the creation module 330 can also be used for taking the authorization identifier as the index of the authorization credential.
Further, this user resource authorization device can also comprise a verification module and an update module;
the receiving module, also for receiving the service request, comprising the authorization identifier and a ticket, that the authorized client sends;
the verification module, for verifying the legitimacy of the ticket according to the random seed and the authorization state information;
the update module, for updating the authorization state information.
In summary, the embodiment of the present invention provides a user resource authorization device that can obtain authorization information from the authorizing client through the challenge-handshake authentication process, create an authorization credential comprising this authorization information and send it to the authorized client; the authorized client generates a ticket from information such as the random seed comprised in the credential and then obtains the authorized resource from the server with this ticket, thereby achieving fine-grained resource authorization between the authorizing client and the authorized client.
Embodiment three
Please refer to Fig. 2. The embodiment of the present invention provides a user resource authorization system, comprising:
a server S, an authorizing client A and an authorized client B;
the server S, for carrying an authorization identifier in a challenge message and sending it to the authorizing client; after receiving a response message carrying authorization information returned by the authorizing client, creating an authorization credential that comprises the authorization identifier, the authorization information, a random seed and authorization state information; sending the authorization credential to the authorized client; and providing the authorized resource to the authorized client;
the authorizing client A, for receiving the challenge message carrying the authorization identifier sent by the server, and carrying the authorization information in a response message sent to the server;
the authorized client B, for receiving the authorization credential sent by the server, generating a ticket according to the random seed and the authorization state information in the credential, and obtaining the authorized resource from the server according to the authorization identifier, the authorization information and the generated ticket.
In summary, the embodiment of the present invention provides a user resource authorization system that extends the challenge-handshake authentication scheme: the server obtains authorization information from the authorizing client through the challenge-handshake authentication process, creates an authorization credential comprising this authorization information and sends it to the authorized client, and the authorized client generates a ticket from information such as the random seed comprised in the credential and then obtains the authorized resource from the server with this ticket, thereby achieving fine-grained resource authorization between the authorizing client and the authorized client.
Those of ordinary skill in the art will appreciate that all or part of the steps in the methods of the above embodiments can be completed by hardware, or by hardware controlled by program instructions; the program can be stored in a computer-readable storage medium, which can comprise read-only memory, random-access memory, a magnetic disk, an optical disc and so on.
The user resource authorization method, equipment and system provided by the embodiments of the present invention have been described in detail above, but the above description of the embodiments is only intended to help understand the method and core idea of the present invention and should not be construed as limiting the invention. Changes or substitutions that those skilled in the art can readily conceive within the technical scope disclosed by the present invention shall all fall within the protection scope of the present invention.