CN103546293A - Third party certification system or method - Google Patents

Publication number
CN103546293A
Authority
CN
China
Prior art keywords
service side
service
user
party intermediary
authentication procedure
Prior art date
Legal status
Pending
Application number
CN201310465842.XA
Other languages
Chinese (zh)
Inventor
任少华
Current Assignee
Individual
Original Assignee
Individual
Application filed by Individual
Priority to CN201310465842.XA
Publication of CN103546293A
Legal status: Pending

Landscapes

  • Telephonic Communication Services (AREA)

Abstract

The invention relates to a third-party authentication system or method. A user terminal can log in to a service party, or use the services of the service party, only after it has been authenticated by the service party. Service-party authentication is completed through an intermediary and also requires an authentication program; it passes only while the authentication program keeps running.

Description

Third Party Authentication system or method
Technical field
The present invention relates to a third-party authentication system or method.
Background technology
The resources and services offered on the Internet are vast in number and growing rapidly, and the Internet has become the main channel through which people obtain information resources and information services. Many Internet resource and service providers require users to log in and be verified, which raises problems of convenience and security. Authentication through a third party or intermediary is an effective way to address these problems.
Summary of the invention
The invention is realized as follows: a third-party authentication system or method, characterized in that a user terminal can access the corresponding service of a service side only after the user, using that terminal, passes service-side authentication, and service-side authentication is completed through an intermediary. After the user logs in to the intermediary, an authentication program running on the user terminal passes intermediary authentication, and only then can the user terminal perform service-side authentication. The user terminal can pass service-side authentication only while the authentication program, or a program object PRO started by the authentication program, is still running. During service-side authentication, the intermediary sends a service ticket to the service side, either directly or forwarded through the user terminal, and the authentication passes only after the service side receives the correct service ticket. During service-side authentication, the user terminal also sends user identification information to the service side, and the authentication passes only when the service side receives the correct user identification information. After service-side authentication passes, the service side allows one port or connection of the user terminal to access the corresponding service; this is the same port or connection over which the user terminal sent the service ticket or user identification information to the service side. After the user terminal logs in to the intermediary, the intermediary sends to the authentication program, and the authentication program interface displays, the service sides, or the user accounts at service sides, that are associated with this user's intermediary account. By operating on the interface of the authentication program, the user can request access to the corresponding service of one of these service sides, or request access to a service side's corresponding service with one of the user's accounts at that service side. The authentication program interface can display the service sides, the corresponding services of service sides, or the service-side user accounts that this user terminal has accessed through the intermediary, and the user can terminate access to any displayed service side, service or user account from the interface. The user can also choose on the interface to end the association between a service side, or a user account at a service side, and the user's account at the intermediary. After the user terminal logs in to the intermediary, the authentication program interface can display or search for the service sides, or corresponding services of service sides, that can be associated with this intermediary. After the user terminal logs in to the intermediary, the user can register, directly on the authentication program interface, a user account at a service side that can be associated, and associate that account with the user's account at the intermediary.
The invention is realized as follows: a third-party authentication system or method, characterized in that a user terminal can access the corresponding service of a service side only after the user, using that terminal, passes service-side authentication, and service-side authentication is completed through an intermediary. After the user logs in to the intermediary, an authentication program running on the user terminal passes intermediary authentication, and only then can the user terminal perform service-side authentication. The user terminal can pass service-side authentication only while the authentication program, or a program object PRO started by the authentication program, is still running. During service-side authentication, the intermediary sends a service ticket to the service side, either directly or forwarded through the user terminal, and the authentication passes only after the service side receives the correct service ticket. During service-side authentication, the user terminal also sends user identification information to the service side, and the authentication passes only when the service side receives the correct user identification information. After service-side authentication passes, the service side allows one port or connection of the user terminal to access the corresponding service; this is the same port or connection over which the user terminal sent the service ticket or user identification information to the service side. After the user terminal logs in to the intermediary, the intermediary sends to the authentication program, and the authentication program interface displays, the service sides, or the user accounts at service sides, that are associated with this user's intermediary account. By operating on the interface of the authentication program, the user can request access to the corresponding service of one of these service sides, or request access to a service side's corresponding service with one of the user's accounts at that service side. The authentication program interface can display the service sides, the corresponding services of service sides, or the service-side user accounts that this user terminal has accessed through the intermediary, and the user can terminate access to any displayed service side, service or user account from the interface. The user can also choose on the interface to end the association between a service side, or a user account at a service side, and the user's account at the intermediary. After the user terminal logs in to the intermediary, the authentication program interface can display or search for the service sides, or corresponding services of service sides, that can be associated with this intermediary.
The invention is realized as follows: a third-party authentication system or method, characterized in that a user terminal can access the corresponding service of a service side only after the user, using that terminal, passes service-side authentication, and service-side authentication is completed through an intermediary. After the user logs in to the intermediary, an authentication program running on the user terminal passes intermediary authentication, and only then can the user terminal perform service-side authentication. The user terminal can pass service-side authentication only while the authentication program, or a program object PRO started by the authentication program, is still running. During service-side authentication, the intermediary sends a service ticket to the service side, either directly or forwarded through the user terminal, and the authentication passes only after the service side receives the correct service ticket. During service-side authentication, the user terminal also sends user identification information to the service side, and the authentication passes only when the service side receives the correct user identification information. After service-side authentication passes, the service side allows one port or connection of the user terminal to access the corresponding service; this is the same port or connection over which the user terminal sent the service ticket or user identification information to the service side. After the user terminal logs in to the intermediary, the intermediary sends to the authentication program, and the authentication program interface displays, the service sides, or the user accounts at service sides, that are associated with this user's intermediary account. By operating on the interface of the authentication program, the user can request access to the corresponding service of one of these service sides, or request access to a service side's corresponding service with one of the user's accounts at that service side. The authentication program interface can display the service sides, the corresponding services of service sides, or the service-side user accounts that this user terminal has accessed through the intermediary, and the user can terminate access to any displayed service side, service or user account from the interface. The user can also choose on the interface to end the association between a service side, or a user account at a service side, and the user's account at the intermediary.
The invention is realized as follows: a third-party authentication system or method, characterized in that a user terminal can access the corresponding service of a service side only after the user, using that terminal, passes service-side authentication, and service-side authentication is completed through an intermediary. After the user logs in to the intermediary, an authentication program running on the user terminal passes intermediary authentication, and only then can the user terminal perform service-side authentication. The user terminal can pass service-side authentication only while the authentication program, or a program object PRO started by the authentication program, is still running. During service-side authentication, the intermediary sends a service ticket to the service side, either directly or forwarded through the user terminal, and the authentication passes only after the service side receives the correct service ticket. During service-side authentication, the user terminal also sends user identification information to the service side, and the authentication passes only when the service side receives the correct user identification information. After service-side authentication passes, the service side allows one port or connection of the user terminal to access the corresponding service; this is the same port or connection over which the user terminal sent the service ticket or user identification information to the service side. After the user terminal logs in to the intermediary, the intermediary sends to the authentication program, and the authentication program interface displays, the service sides, or the user accounts at service sides, that are associated with this user's intermediary account. By operating on the interface of the authentication program, the user can request access to the corresponding service of one of these service sides, or request access to a service side's corresponding service with one of the user's accounts at that service side.
The invention is realized as follows: a third-party authentication system or method, characterized in that a user terminal can access the corresponding service of a service side only after the user, using that terminal, passes service-side authentication, and service-side authentication is completed through an intermediary. After the user logs in to the intermediary, an authentication program running on the user terminal passes intermediary authentication, and only then can the user terminal perform service-side authentication. The user terminal can pass service-side authentication only while the authentication program, or a program object PRO started by the authentication program, is still running. During service-side authentication, the intermediary sends a service ticket to the service side, either directly or forwarded through the user terminal, and the authentication passes only after the service side receives the correct service ticket. During service-side authentication, the user terminal also sends user identification information to the service side, and the authentication passes only when the service side receives the correct user identification information. After service-side authentication passes, the service side allows one port or connection of the user terminal to access the corresponding service; this is the same port or connection over which the user terminal sent the service ticket or user identification information to the service side. The authentication program interface can display the service sides, the corresponding services of service sides, or the service-side user accounts that this user terminal has accessed through the intermediary, and the user can terminate access to any displayed service side, service or user account from the interface.
The invention is realized as follows: a third-party authentication system or method, characterized in that a user terminal can access the corresponding service of a service side only after the user, using that terminal, passes service-side authentication, and service-side authentication is completed through an intermediary. After the user logs in to the intermediary, an authentication program running on the user terminal passes intermediary authentication, and only then can the user terminal perform service-side authentication. The user terminal can pass service-side authentication only while the authentication program, or a program object PRO started by the authentication program, is still running. During service-side authentication, the intermediary sends a service ticket to the service side, either directly or forwarded through the user terminal, and the authentication passes only after the service side receives the correct service ticket. During service-side authentication, the user terminal also sends user identification information to the service side, and the authentication passes only when the service side receives the correct user identification information. After service-side authentication passes, the service side allows one port or connection of the user terminal to access the corresponding service; this is the same port or connection over which the user terminal sent the service ticket or user identification information to the service side. After the user terminal logs in to the intermediary, the intermediary sends to the authentication program, and the authentication program interface displays, the service sides, or the user accounts at service sides, that are associated with this user's intermediary account, and the user can choose on the interface to end the association between a service side, or a user account at a service side, and the user's account at the intermediary.
The invention is realized as follows: a third-party authentication system or method, characterized in that a user terminal can access the corresponding service of a service side only after the user, using that terminal, passes service-side authentication, and service-side authentication is completed through an intermediary. After the user logs in to the intermediary, an authentication program running on the user terminal passes intermediary authentication, and only then can the user terminal perform service-side authentication. The user terminal can pass service-side authentication only while the authentication program, or a program object PRO started by the authentication program, is still running. During service-side authentication, the intermediary sends a service ticket to the service side, either directly or forwarded through the user terminal, and the authentication passes only after the service side receives the correct service ticket. During service-side authentication, the user terminal also sends user identification information to the service side, and the authentication passes only when the service side receives the correct user identification information. After service-side authentication passes, the service side allows one port or connection of the user terminal to access the corresponding service; this is the same port or connection over which the user terminal sent the service ticket or user identification information to the service side. After the user terminal logs in to the intermediary, the authentication program interface can display or search for the service sides, or corresponding services of service sides, that can be associated with this intermediary.
After the user terminal logs in to the intermediary, the intermediary sends to the authentication program, and the authentication program interface displays, the service sides, or the user accounts at service sides, that are associated with this user's intermediary account. By operating on the interface of the authentication program, the user can request access to the corresponding service of one of these service sides, or request access to a service side's corresponding service with one of the user's accounts at that service side.
The authentication program interface can display the service sides, the corresponding services of service sides, or the service-side user accounts that this user terminal has accessed through the intermediary, and the user can terminate access to any displayed service side, service or user account from the interface.
The user can choose on the authentication program interface to terminate one, several or all of the service sides, or corresponding services of service sides, that are displayed there as accessed through the intermediary.
When the user chooses on the authentication program interface to terminate a displayed service side, or corresponding service of a service side, that has been accessed through the intermediary, the authentication program sends a terminate-access request to the intermediary, the intermediary sends a terminate-access notice to the corresponding service side, and on receiving the notice the service side terminates this user terminal's access to the service side or to its corresponding service. The terminate-access notice is digitally signed or encrypted by the intermediary with the intermediary's private key, and the service side verifies or decrypts it with the corresponding intermediary public key.
After the user terminal logs in to the intermediary, the intermediary sends to the authentication program, and the authentication program interface displays, the service sides or service-side user accounts associated with this user's intermediary account, and the user can choose on the interface to end the association between a service side, or a user account at a service side, and the user's account at the intermediary.
After the user terminal logs in to the intermediary, the authentication program interface can display or search for the service sides, or corresponding services of service sides, that can be associated with this intermediary.
After the user terminal logs in to the intermediary, the user can register, directly on the authentication program interface, a user account at a service side that can be associated, and associate that account with the user's account at the intermediary.
The user's service-side account and intermediary account must first be associated with each other; only then can the user complete service-side authentication through the intermediary and access the corresponding service of the service side. Here, the user's service-side account means either the user's account at the service side or the service-side user group to which that account belongs. The user's intermediary account means either the user's account at the intermediary or the intermediary user group to which that account belongs. Associating the two therefore means associating the user's service-side account, or the service-side user group containing it, with the user's intermediary account, or the intermediary user group containing it.
Once the user's service-side account and intermediary account are associated, the service-side user account and the intermediary user account correspond to each other, and this correspondence is stored by both the service side and the intermediary.
The concrete steps by which the user accesses a service side's corresponding service from the terminal are:
1> The authentication program runs on the user terminal, and the user logs in to the intermediary with the authentication program.
2> The user selects, on the interface of the authentication program, the service side to request access to.
3> The intermediary verifies whether the authentication program is still running; the next step proceeds only if this verification passes.
4> The user terminal, the service side and the intermediary complete service-side authentication; the next step proceeds only if service-side authentication passes.
5> The user accesses the corresponding service of the service side.
After the user terminal's access to a service side has been terminated, the user terminal must perform service-side authentication through the intermediary again before it can access the service side again.
After the authentication program has stopped running, it must pass intermediary authentication again before the user terminal can perform service-side authentication again.
The user logging in to the intermediary and the authentication program passing intermediary authentication may be one and the same step, different steps carried out at the same time, or different steps carried out at different times.
The authentication program passing intermediary authentication means, specifically, that the user passes intermediary authentication using the authentication program, or that the authentication program passes intermediary authentication by way of another program that already has a connection to the intermediary. For example: after the user logs in to the intermediary with a dedicated program, the dedicated program establishes a secure connection with the intermediary, and the authentication program passes intermediary authentication over this secure connection (for example: an authentication message is passed in a closed loop among the authentication program, the dedicated program and the intermediary, and through this closed-loop transfer the authentication program establishes a new connection with the intermediary and passes intermediary authentication).
The process of the authentication program passing intermediary authentication may include both the user passing intermediary authentication from the terminal and the authentication program passing intermediary authentication by way of another program connected to the intermediary. For example: the user logs in to the intermediary with a dedicated program and establishes a connection, and the authentication program then passes intermediary authentication on the basis of that connection and establishes a new connection between itself and the intermediary. All of this is part of the process of the user terminal performing intermediary authentication.
Later, unknown, other or new user identification information cannot be inferred from known user identification information.
Other user identification information, or the user identification information of a later service-side authentication, cannot be inferred from known user identification information.
User identification information includes content generated randomly for this service-side authentication, or includes the time of this service-side authentication together with cryptographically computed information. For example: the user identification information includes its own generation time and is digitally signed.
Each piece of user identification information is used for only one service-side authentication.
Each piece of user identification information has a validity period; expired user identification information becomes invalid and cannot complete service-side authentication.
When the intermediary sends the service ticket directly to the service side, the user identification information and the service ticket can have a verifiable correspondence. The service side verifies whether the two correspond, and if they do not, service-side authentication does not pass. For example: the user identification information and the service ticket can both include the user's user name at the service side, or the same random number. As another example: the service ticket is a public key and the user identification information is generated by computation with the corresponding private key.
When the intermediary forwards the service ticket to the service side through the user terminal, the user identification information and the service ticket can be the same information, or both can be contained in the same message. For example: the intermediary first sends the service ticket to the user terminal, and the user terminal then sends the service ticket to the service side together with the user identification information. As another example: the intermediary sends the service ticket to the user terminal, which sends it on to the service side; the service ticket contains the user's user name at the service side and a random number, and that user name and random number are themselves the user identification information.
The user identification information can include information about this user's account at the service side. It can also include information about the service side.
The user terminal can send user identification information only while the authentication program keeps running. The user identification information is generated or sent by the authentication program.
Wherein, the connection that the user terminal establishes with the service party to access the corresponding service, after passing service-party authentication, does not pass through the intermediary.
Wherein, in service-party authentication, the user terminal can forward the authentication credential from the intermediary to the service party; or the user terminal can send to the intermediary, through the service party, authentication information computed with an algorithm agreed between the user terminal and the intermediary; or the user terminal, the service party and the intermediary can pass an item of authentication information around a closed loop, with the end point of the closed-loop transmission verifying whether the authentication information came from the starting point of the closed-loop transmission; or the user terminal can send to the service party authentication information computed with an algorithm agreed between the user terminal and the service party.
Wherein, in service-party authentication, the user terminal can send to the intermediary, through the service party, authentication information computed with an algorithm agreed between the user terminal and the intermediary. Wherein, the agreed algorithm is an encryption and decryption algorithm. Wherein, after the user logs in to the intermediary with the authentication program on the terminal, the intermediary and the user terminal each hold one key of a key pair for the agreed algorithm. Wherein, the key pair is an asymmetric-encryption key pair. Wherein, the user terminal holds the private key of the pair and the intermediary holds the public key. Wherein, the service-party authentication passes only if the intermediary verifies with this public key that the authentication information is correct.
Wherein, in service-party authentication, the user terminal, the service party and the intermediary can pass an item of authentication information around a closed loop, with the end point of the closed-loop transmission verifying whether the authentication information came from the starting point of the closed-loop transmission. Wherein, the service-party authentication passes only if the closed-loop transmission completes successfully.
Wherein, in service-party authentication, the user terminal can send to the service party authentication information computed with an algorithm agreed between the user terminal and the service party. Wherein, the agreed algorithm is an encryption and decryption algorithm. Wherein, after the user logs in to the intermediary with the authentication program on the terminal, the intermediary and the user terminal each hold one key of a key pair for the agreed algorithm. Wherein, the key pair is an asymmetric-encryption key pair. Wherein, the user terminal holds the private key of the pair and the intermediary holds the public key. Wherein, in service-party authentication, the service party receives the public key corresponding to the user terminal's private key, the user terminal sends the service party authentication information computed with the private key, and the service party uses the public key it received to verify whether the authentication information from the user terminal is correct; the service-party authentication passes only if the authentication information is correct.
Wherein, the program or program object with which the user accesses the corresponding service of the service party is not the authentication program. Wherein, the program or program object with which the user accesses the corresponding service of the service party is a program or program object newly run after the user requests access to the service party on the interface of the authentication program.
Wherein, the user has a user account at the service party and a user account at the intermediary, and the two accounts correspond to each other. This correspondence can be one-to-one, one-to-many or many-to-one. Wherein, a one-to-one correspondence is, for example: the user first registers a user account at the intermediary and then registers a user account at the service party directly through the intermediary account; the user's account at the service party is then the user's account at the intermediary, or the user identification code that the intermediary passes to the service party at registration, and registering the service-party account through the intermediary account also associates the user's accounts on the two sides. Wherein, a one-to-many correspondence is, for example: the user has several user accounts at the intermediary, and these all correspond to the same user account at the service party. Wherein, a many-to-one correspondence is, for example: the user has several user accounts at the service party, and these all correspond to the same user account at the intermediary.
Wherein, in service-party authentication, the user terminal, the service party and the intermediary can complete the closed-loop transmission of an item of information, and the end point of the closed-loop transmission can verify whether the two items of information in the transmission were both generated or sent by the same starting point of the closed-loop transmission. For example: the intermediary generates a random character string as the authentication credential and sends the string directly to the service party; at the same time, the intermediary sends the string to the service party by way of the user terminal; the service party compares the two strings it receives to verify whether the authentication is correct.
Wherein, the connection established for the user terminal to access the corresponding service of the service party does not pass through the intermediary.
Wherein, the authentication credential can be sent directly to the service party by the intermediary. Wherein, the route of direct sending does not pass through the user terminal. Wherein, the manner of direct sending does not involve the user terminal. For example: the authentication credential includes a public key, the authentication program on the user terminal holds the corresponding private key, and the service party verifies whether the authentication credential is correct through the correspondence of this key pair.
Wherein, the authentication credential can be forwarded by the intermediary to the service party through the user terminal. For example: the authentication credential includes the digital signature of the intermediary, and the service party verifies through this digital signature whether the authentication credential is correct.
Wherein, the authentication credential also includes information about its generation time, and an authentication credential that has exceeded its validity period becomes invalid.
Wherein, when the authentication program stops running, the user terminal's access to the service party is also ended. When the authentication program ends, the intermediary notifies the service party to end the user terminal's access to the service party, and the program object with which the user terminal logged in to the service party stops running.
Wherein, the user terminal, the service party and the intermediary are connected through the Internet. Wherein, information passes among the three parties over the Internet.
Wherein, each authentication credential can complete only one service-party authentication at one service party.
Wherein, the intermediary and the service party hold a corresponding agreed algorithm, and the service party can use the agreed algorithm it holds to verify whether the authentication credential it receives is correct. Wherein, the agreed algorithm can be an encryption and decryption algorithm, a digital signature algorithm, a one-way function algorithm, a dynamic password algorithm, and so on.
Wherein, the authentication credential can be one item of information, or can consist of two items of information sent separately.
Wherein, after service-party authentication passes, the service party allows a connection or port of the user terminal to log in, to log in with the corresponding permissions, or to use a particular service; this connection or port is the one through which the user terminal forwarded the authentication credential to the service party.
Wherein, the access specifically refers to logging in or connecting.
Wherein, the service party is a computer system, website or the like that provides resources and services to user terminals over the Internet.
Wherein, the intermediary is a computer system that performs third-party authentication on the Internet.
Wherein, the terminal, the service party and the intermediary are devices with computing functions, such as a PC, a mobile phone, a server or a server group.
Wherein, the user has a user account APID at the service party and a user account AUID at the intermediary. Wherein, the user associates APID with AUID. Wherein, APID and AUID have a correspondence. Wherein, this correspondence is stored by the service party, by the intermediary, or by both.
Wherein, the intermediary can consist of several servers or several server groups. Wherein, the roles or functions of the intermediary can be divided among several servers or several server groups. For example: the user terminal logs in to server A of the intermediary, keeps a connection with server B of the intermediary, obtains scrip from server C of the intermediary, exchanges the scrip for an authentication credential at server D of the intermediary, and uses the authentication credential to log in to the service party.
Wherein, the different servers or server groups that make up the intermediary can have different network addresses. Wherein, the different servers or server groups that make up the intermediary belong to different operators.
Wherein, the result of accessing the corresponding service of the service party is that the user terminal can connect with the service party or with a party trusted by the service party. For example: the user terminal sends the authentication credential to the service party, the service party returns a service-party credential to the user terminal, and the user terminal then uses the service-party credential to log in to another party trusted by the service party.
Brief description of the drawings
Fig. 1 is a schematic diagram of the network structure of Embodiment 1 of the present invention.
Embodiments
Embodiment 1
The user terminal is a computer; the service parties are three websites: e-commerce website A, search website B and instant-messaging website Q; the intermediary is a third-party authentication provider.
The flow by which the user uses the terminal to log in to a user account at a service party is as follows:
1) Registering and associating accounts:
1.1) The user registers new user accounts AID, BID and QID on the three websites A, B and Q respectively;
1.2) The user downloads the authentication program client from the intermediary AU and uses it to register a user account AUID at the intermediary;
1.3) The user runs the authentication program on the terminal and uses it to log in to the intermediary. The user searches, in the search box of the authentication program's interface, for service parties A, B and Q that can be associated with the intermediary; on receiving the search request from the authentication program, the intermediary searches for A, B and Q in its server database and returns the search results to the authentication program;
1.4) The user, operating on the service party's interface or on the authentication program's interface, associates AID, BID and QID each with AUID; the three resulting correspondences AID-AUID, BID-AUID and QID-AUID are stored by service parties A, B and Q respectively and also by the intermediary AU.
2) Logging in to the corresponding service of a service party:
2.1) The user runs the authentication program on the terminal and uses it to log in to the intermediary;
2.2) The intermediary returns data to the authentication program, including the service parties A, B and Q that the user has associated and the user's accounts AID, BID and QID at those service parties;
2.3) The user chooses, on the authentication program's interface, to log in to A with AID;
2.4) The user terminal, service party A and the intermediary AU carry out the service-party authentication for service party A:
a) the intermediary verifies by challenge-response whether the authentication program is still running, and proceeds to the next step only if it is;
b) the intermediary sends the authentication credential to service party A both directly and through the user terminal, and after receiving them the service party checks whether the two authentication credentials are identical; the credential sent through the user terminal is contained in the user identification information that the user terminal sends to the service party, which also includes the user's account at the service party, the intermediary's name and the service party's name; the next step is carried out only if both the authentication credential and the user identification information are correct;
c) the user terminal passes service-party authentication;
2.5) After the user terminal passes the service-party authentication of service party A, it can access the requested corresponding service of the service party with AID;
2.6) The user can also log in to service parties B and Q by repeating steps 2.3) and 2.4) above.
3) The user terminal ends its login to the corresponding service of a service party:
3.1) The authentication program on the user terminal can display the service parties and corresponding services that the user of this terminal has accessed through the intermediary;
3.2) The user chooses, on the authentication program's interface, to end access to a service party or a corresponding service; the authentication program sends an end-access request to the intermediary, and the intermediary sends an end-access request to the service party; on receiving the end-access request from the intermediary, the service party ends this user terminal's access to the service party or the corresponding service;
3.3) When the authentication program stops running on the user terminal, it also sends an end-access request to the intermediary, and the intermediary notifies the service parties that this user terminal has accessed to end the terminal's access to them and their corresponding services; alternatively, when the intermediary fails to receive a heartbeat response or challenge response from the authentication program, it likewise ends this user terminal's access to the service parties and corresponding services.
4) The user ends the association between the user account at the intermediary and a user account at a service party:
4.1) After the user terminal logs in to the intermediary, the intermediary sends to the authentication program, and the authentication program's interface displays, the service parties associated with this user account at the intermediary or the user accounts at those service parties;
4.2) The user can choose, on the authentication program's interface, to end the association between a service party, or a user account at a service party, and this user's account at the intermediary.
Embodiment 2
The user terminal is a computer; the service parties are three websites: e-commerce website A, search website B and instant-messaging website Q; the intermediary is a third-party authentication provider.
The flow by which the user uses the terminal to log in to a user account at a service party is as follows:
1) Registering and associating accounts:
1.1) The user downloads the authentication program client from the intermediary AU and uses it to register a user account AUID at the intermediary;
1.2) The user runs the authentication program on the terminal and uses it to log in to the intermediary. The user searches, in the search box of the authentication program's interface, for service parties A, B and Q that can be associated with the intermediary; on receiving the search request from the authentication program, the intermediary searches for A, B and Q in its server database and returns the search results to the authentication program;
1.3) The user, operating on the service party's interface or on the authentication program's interface, registers AID, BID and QID directly on service parties A, B and Q through the authentication program and the intermediary, and these three IDs are each associated with AUID; the three resulting correspondences AID-AUID, BID-AUID and QID-AUID are stored by service parties A, B and Q respectively and also by the intermediary AU.
2) Logging in to the corresponding service of a service party:
2.1) The user runs the authentication program on the terminal and uses it to log in to the intermediary;
2.2) The intermediary returns data to the authentication program, including the service parties A, B and Q that the user has associated and the user's accounts AID, BID and QID at those service parties;
2.3) The user chooses, on the authentication program's interface, to log in to A with AID;
2.4) The user terminal, service party A and the intermediary AU carry out the service-party authentication for service party A:
a) the intermediary verifies by challenge-response whether the authentication program is still running, and proceeds to the next step only if it is;
b) the intermediary sends the authentication credential to service party A both directly and through the user terminal, and after receiving them the service party checks whether the two authentication credentials are identical; the credential sent through the user terminal is contained in the user identification information that the user terminal sends to the service party, which also includes the user's account at the service party, the intermediary's name and the service party's name; the next step is carried out only if both the authentication credential and the user identification information are correct;
c) the user terminal passes service-party authentication;
2.5) After the user terminal passes the service-party authentication of service party A, it can access the requested corresponding service of the service party with AID;
2.6) The user can also log in to service parties B and Q by repeating steps 2.3) and 2.4) above.
3) The user terminal ends its login to the corresponding service of a service party:
3.1) The authentication program on the user terminal can display the service parties and corresponding services that the user of this terminal has accessed through the intermediary;
3.2) The user chooses, on the authentication program's interface, to end access to a service party or a corresponding service; the authentication program sends an end-access request to the intermediary, and the intermediary sends an end-access request to the service party; on receiving the end-access request from the intermediary, the service party ends this user terminal's access to the service party or the corresponding service;
3.3) When the authentication program stops running on the user terminal, it also sends an end-access request to the intermediary, and the intermediary notifies the service parties that this user terminal has accessed to end the terminal's access to them and their corresponding services; alternatively, when the intermediary fails to receive a heartbeat response or challenge response from the authentication program, it likewise ends this user terminal's access to the service parties and corresponding services.
4) The user ends the association between the user account at the intermediary and a user account at a service party:
4.1) After the user terminal logs in to the intermediary, the intermediary sends to the authentication program, and the authentication program's interface displays, the service parties associated with this user account at the intermediary or the user accounts at those service parties;
4.2) The user can choose, on the authentication program's interface, to end the association between a service party, or a user account at a service party, and this user's account at the intermediary.

Claims (10)

1. A third-party authentication system or method, characterized in that: a user terminal can access the corresponding service of a service party only after the terminal used by the user has passed service-party authentication, and service-party authentication is completed through an intermediary; wherein, after the user logs in to the intermediary, an authentication program running on the user terminal is authenticated by the intermediary, and only after the authentication program has been authenticated by the intermediary can the user terminal carry out service-party authentication; the user terminal can pass service-party authentication only on condition that this authentication program, or a program object PRO started by this authentication program, is still running; wherein, during service-party authentication, the intermediary sends an authentication credential to the service party directly or forwards it through the user terminal, and the service-party authentication passes only after the service party receives a correct authentication credential; wherein, during service-party authentication, the user terminal sends user identification information to the service party, and the service-party authentication passes only when the service party receives correct user identification information; wherein, after service-party authentication passes, the service party allows a port or connection of the user terminal to access the corresponding service of the service party, this port or connection being the one through which the user terminal sent the authentication credential or the user identification information to the service party; wherein, after the user terminal logs in to the intermediary, the intermediary sends to the authentication program, and the interface of the authentication program displays, the service parties associated with this user account at the intermediary or the user accounts at those service parties, and the user can request access to the corresponding service of one of these service parties, or request, with one of the user's accounts at a service party, access to that service party's corresponding service, by operating on the interface of the authentication program; wherein, the interface of the authentication program can display the service parties, the corresponding services of service parties, or the user accounts at service parties that this user terminal has accessed through the intermediary, and the user can end, on the interface of the authentication program, access to a displayed service party, corresponding service or user account; wherein, after the user terminal logs in to the intermediary, the intermediary sends to the authentication program, and the interface of the authentication program displays, the service parties associated with this user account at the intermediary or the user accounts at those service parties, and the user can choose, on the interface of the authentication program, to end the association between a service party, or a user account at a service party, and this user's account at the intermediary; wherein, after the user terminal logs in to the intermediary, the interface of the authentication program can display or search for service parties, or corresponding services of service parties, that can be associated with this intermediary; wherein, after the user terminal logs in to the intermediary, the user can directly register, on the interface of the authentication program, a user account at a service party that can be associated, and associate this user account with the user's account at the intermediary.
2. A third-party authentication system or method, characterized in that: a user terminal can access the corresponding service of a service party only after the terminal used by the user has passed service-party authentication, and service-party authentication is completed through an intermediary; wherein, after the user logs in to the intermediary, an authentication program running on the user terminal is authenticated by the intermediary, and only after the authentication program has been authenticated by the intermediary can the user terminal carry out service-party authentication; the user terminal can pass service-party authentication only on condition that this authentication program, or a program object PRO started by this authentication program, is still running; wherein, during service-party authentication, the intermediary sends an authentication credential to the service party directly or forwards it through the user terminal, and the service-party authentication passes only after the service party receives a correct authentication credential; wherein, during service-party authentication, the user terminal sends user identification information to the service party, and the service-party authentication passes only when the service party receives correct user identification information; wherein, after service-party authentication passes, the service party allows a port or connection of the user terminal to access the corresponding service of the service party, this port or connection being the one through which the user terminal sent the authentication credential or the user identification information to the service party; wherein, after the user terminal logs in to the intermediary, the intermediary sends to the authentication program, and the interface of the authentication program displays, the service parties associated with this user account at the intermediary or the user accounts at those service parties, and the user can request access to the corresponding service of one of these service parties, or request, with one of the user's accounts at a service party, access to that service party's corresponding service, by operating on the interface of the authentication program; wherein, the interface of the authentication program can display the service parties, the corresponding services of service parties, or the user accounts at service parties that this user terminal has accessed through the intermediary, and the user can end, on the interface of the authentication program, access to a displayed service party, corresponding service or user account; wherein, after the user terminal logs in to the intermediary, the intermediary sends to the authentication program, and the interface of the authentication program displays, the service parties associated with this user account at the intermediary or the user accounts at those service parties, and the user can choose, on the interface of the authentication program, to end the association between a service party, or a user account at a service party, and this user's account at the intermediary; wherein, after the user terminal logs in to the intermediary, the interface of the authentication program can display or search for service parties, or corresponding services of service parties, that can be associated with this intermediary.
3. A third-party authentication system or method, characterized in that: a user terminal can access the corresponding service of a service party only after the terminal used by the user has passed service-party authentication, and service-party authentication is completed through an intermediary; wherein, after the user logs in to the intermediary, an authentication program running on the user terminal is authenticated by the intermediary, and only after the authentication program has been authenticated by the intermediary can the user terminal carry out service-party authentication; the user terminal can pass service-party authentication only on condition that this authentication program, or a program object PRO started by this authentication program, is still running; wherein, during service-party authentication, the intermediary sends an authentication credential to the service party directly or forwards it through the user terminal, and the service-party authentication passes only after the service party receives a correct authentication credential; wherein, during service-party authentication, the user terminal sends user identification information to the service party, and the service-party authentication passes only when the service party receives correct user identification information; wherein, after service-party authentication passes, the service party allows a port or connection of the user terminal to access the corresponding service of the service party, this port or connection being the one through which the user terminal sent the authentication credential or the user identification information to the service party; wherein, after the user terminal logs in to the intermediary, the intermediary sends to the authentication program, and the interface of the authentication program displays, the service parties associated with this user account at the intermediary or the user accounts at those service parties, and the user can request access to the corresponding service of one of these service parties, or request, with one of the user's accounts at a service party, access to that service party's corresponding service, by operating on the interface of the authentication program; wherein, the interface of the authentication program can display the service parties, the corresponding services of service parties, or the user accounts at service parties that this user terminal has accessed through the intermediary, and the user can end, on the interface of the authentication program, access to a displayed service party, corresponding service or user account; wherein, after the user terminal logs in to the intermediary, the intermediary sends to the authentication program, and the interface of the authentication program displays, the service parties associated with this user account at the intermediary or the user accounts at those service parties, and the user can choose, on the interface of the authentication program, to end the association between a service party, or a user account at a service party, and this user's account at the intermediary; wherein, after the user terminal logs in to the intermediary, the interface of the authentication program can display or search for service parties, or corresponding services of service parties, that can be associated with this intermediary.
4. A third-party authentication system or method, characterized in that: a user terminal can access the corresponding service of a service party only after the terminal used by the user has passed service-party authentication, and service-party authentication is completed through an intermediary; wherein, after the user logs in to the intermediary, an authentication program running on the user terminal is authenticated by the intermediary, and only after the authentication program has been authenticated by the intermediary can the user terminal carry out service-party authentication; the user terminal can pass service-party authentication only on condition that this authentication program, or a program object PRO started by this authentication program, is still running; wherein, during service-party authentication, the intermediary sends an authentication credential to the service party directly or forwards it through the user terminal, and the service-party authentication passes only after the service party receives a correct authentication credential; wherein, during service-party authentication, the user terminal sends user identification information to the service party, and the service-party authentication passes only when the service party receives correct user identification information; wherein, after service-party authentication passes, the service party allows a port or connection of the user terminal to access the corresponding service of the service party, this port or connection being the one through which the user terminal sent the authentication credential or the user identification information to the service party; wherein, after the user terminal logs in to the intermediary, the intermediary sends to the authentication program, and the interface of the authentication program displays, the service parties associated with this user account at the intermediary or the user accounts at those service parties, and the user can request access to the corresponding service of one of these service parties, or request, with one of the user's accounts at a service party, access to that service party's corresponding service, by operating on the interface of the authentication program; wherein, the interface of the authentication program can display the service parties, the corresponding services of service parties, or the user accounts at service parties that this user terminal has accessed through the intermediary, and the user can end, on the interface of the authentication program, access to a displayed service party, corresponding service or user account; wherein, after the user terminal logs in to the intermediary, the intermediary sends to the authentication program, and the interface of the authentication program displays, the service parties associated with this user account at the intermediary or the user accounts at those service parties, and the user can choose, on the interface of the authentication program, to end the association between a service party, or a user account at a service party, and this user's account at the intermediary.
5. A third-party authentication system or method, characterized in that: a user terminal can access the corresponding service of a service party only after the user has used the terminal to pass service party authentication, and service party authentication is completed through an intermediary; wherein, after the user logs in to the intermediary, an authentication program running on the user terminal can pass intermediary authentication, and only after the authentication program has passed intermediary authentication can the user terminal carry out service party authentication; the user terminal can pass service party authentication only while the authentication program, or a program object PRO started by the authentication program, keeps running; wherein, during service party authentication, the intermediary can send a service ticket to the service party directly or forward it through the user terminal, and service party authentication passes only after the service party receives the correct service ticket; wherein, during service party authentication, the user terminal can send user identification information to the service party, and service party authentication passes only when the service party receives the correct user identification information; wherein, after service party authentication passes, the service party allows a port or connection of the user terminal to access the corresponding service of the service party, this port or connection being the one through which the user terminal sent the service ticket or user identification information to the service party; wherein, after the user terminal logs in to the intermediary, the intermediary can transmit to the authentication program, and the authentication program interface can display, the service parties associated with this user's intermediary account or the user's accounts at those service parties, and the user can, by operating on the authentication program interface, request access to the corresponding service of one of these service parties, or request to access that service party's corresponding service with the user's account at that service party.
6. A third-party authentication system or method, characterized in that: a user terminal can access the corresponding service of a service party only after the user has used the terminal to pass service party authentication, and service party authentication is completed through an intermediary; wherein, after the user logs in to the intermediary, an authentication program running on the user terminal can pass intermediary authentication, and only after the authentication program has passed intermediary authentication can the user terminal carry out service party authentication; the user terminal can pass service party authentication only while the authentication program, or a program object PRO started by the authentication program, keeps running; wherein, during service party authentication, the intermediary can send a service ticket to the service party directly or forward it through the user terminal, and service party authentication passes only after the service party receives the correct service ticket; wherein, during service party authentication, the user terminal can send user identification information to the service party, and service party authentication passes only when the service party receives the correct user identification information; wherein, after service party authentication passes, the service party allows a port or connection of the user terminal to access the corresponding service of the service party, this port or connection being the one through which the user terminal sent the service ticket or user identification information to the service party; wherein the authentication program interface can display the service parties, corresponding services of service parties, or service party user accounts that this user terminal has accessed through the intermediary, and the user can end access to a displayed service party, corresponding service or user account on the authentication program interface.
7. A third-party authentication system or method, characterized in that: a user terminal can access the corresponding service of a service party only after the user has used the terminal to pass service party authentication, and service party authentication is completed through an intermediary; wherein, after the user logs in to the intermediary, an authentication program running on the user terminal can pass intermediary authentication, and only after the authentication program has passed intermediary authentication can the user terminal carry out service party authentication; the user terminal can pass service party authentication only while the authentication program, or a program object PRO started by the authentication program, keeps running; wherein, during service party authentication, the intermediary can send a service ticket to the service party directly or forward it through the user terminal, and service party authentication passes only after the service party receives the correct service ticket; wherein, during service party authentication, the user terminal can send user identification information to the service party, and service party authentication passes only when the service party receives the correct user identification information; wherein, after service party authentication passes, the service party allows a port or connection of the user terminal to access the corresponding service of the service party, this port or connection being the one through which the user terminal sent the service ticket or user identification information to the service party; wherein, after the user terminal logs in to the intermediary, the intermediary can transmit to the authentication program, and the authentication program interface can display, the service parties associated with this user's intermediary account or the user's accounts at those service parties, and the user can choose on the authentication program interface to end the association between a service party, or a user account at a service party, and this user's account at the intermediary.
8. A third-party authentication system or method, characterized in that: a user terminal can access the corresponding service of a service party only after the user has used the terminal to pass service party authentication, and service party authentication is completed through an intermediary; wherein, after the user logs in to the intermediary, an authentication program running on the user terminal can pass intermediary authentication, and only after the authentication program has passed intermediary authentication can the user terminal carry out service party authentication; the user terminal can pass service party authentication only while the authentication program, or a program object PRO started by the authentication program, keeps running; wherein, during service party authentication, the intermediary can send a service ticket to the service party directly or forward it through the user terminal, and service party authentication passes only after the service party receives the correct service ticket; wherein, during service party authentication, the user terminal can send user identification information to the service party, and service party authentication passes only when the service party receives the correct user identification information; wherein, after service party authentication passes, the service party allows a port or connection of the user terminal to access the corresponding service of the service party, this port or connection being the one through which the user terminal sent the service ticket or user identification information to the service party; wherein, after the user terminal logs in to the intermediary, the authentication program interface can display or search for service parties, or corresponding services of service parties, that can be associated with this intermediary.
9. The third-party authentication system or method according to any one of claims 1 to 8, characterized in that the specific steps by which the user uses the terminal to access the corresponding service of the service party are: 1> the authentication program runs on the user terminal, and the user uses the authentication program to log in to the intermediary; 2> the user selects, on the authentication program interface, to request access to the service party; 3> the intermediary verifies whether the authentication program is still running, and the next step is carried out only if this verification passes; 4> the user terminal, the service party and the intermediary complete service party authentication, and the next step is carried out only if service party authentication passes; 5> the user accesses the corresponding service of the service party.
10. The third-party authentication system or method according to any one of claims 1 to 8, characterized in that this authentication system or method has one or several of the following features:
1) the user's service party account and intermediary account must first be associated with each other before the user can complete service party authentication through the intermediary and access the corresponding service of the service party,
2) after the user's service party account and intermediary account are associated with each other, the service party user account and the intermediary user account correspond to each other, and this correspondence is stored by both the service party and the intermediary,
3) the specific steps by which the user uses the terminal to access the corresponding service of the service party are: 1> the authentication program runs on the user terminal, and the user uses the authentication program to log in to the intermediary; 2> the user selects, on the authentication program interface, to request access to the service party; 3> the intermediary verifies whether the authentication program is still running, and the next step is carried out only if this verification passes; 4> the user terminal, the service party and the intermediary complete service party authentication, and the next step is carried out only if service party authentication passes; 5> the user accesses the corresponding service of the service party,
4) after the user terminal ends access to the service party, the user terminal must carry out service party authentication through the intermediary again in order to access the service party again,
5) after the user terminal logs in to the intermediary, the intermediary can transmit to the authentication program, and the authentication program interface can display, the service parties associated with this user's intermediary account or the user's accounts at those service parties, and the user can, by operating on the authentication program interface, request access to the corresponding service of one of these service parties, or request to access that service party's corresponding service with the user's account at that service party,
6) the authentication program interface can display the service parties, corresponding services of service parties, or service party user accounts that this user terminal has accessed through the intermediary, and the user can end access to a displayed service party, corresponding service or user account on the authentication program interface,
7) the user can choose on the authentication program interface to end one, several or all of the service parties, or corresponding services of service parties, accessed through the intermediary that are displayed on the authentication program interface,
8) when the user chooses on the authentication program interface to end a displayed service party, or corresponding service of a service party, accessed through the intermediary, the authentication program sends an end-access request to the intermediary, the intermediary sends an end-access notice to the corresponding service party, and after receiving the end-access notice the service party ends this user terminal's access to this service party or to its corresponding service,
9) after the user terminal logs in to the intermediary, the intermediary can transmit to the authentication program, and the authentication program interface can display, the service parties associated with this user's intermediary account or the user's accounts at those service parties, and the user can choose on the authentication program interface to end the association between a service party, or a user account at a service party, and this user's account at the intermediary,
10) after the user terminal logs in to the intermediary, the authentication program interface can display or search for service parties, or corresponding services of service parties, that can be associated with this intermediary,
11) after the user terminal logs in to the intermediary, the user can directly register, on the authentication program interface, a user account at a service party that can be associated, and associate this user account with the user's account at the intermediary,
12) the program or program object with which the user accesses the corresponding service of the service party is not the authentication program,
13) the user has a user account at the service party and at the intermediary respectively, and the service party user account and the intermediary user account correspond to each other,
14) in service party authentication, the user terminal, the service party and the intermediary can complete a closed-loop transmission of a piece of information, and the end point of the closed-loop transmission can verify whether the two pieces of information in the closed-loop transmission were both generated or sent by the same starting point of this closed-loop transmission,
15) later, unknown, other or new user identification information cannot be inferred from known user identification information,
16) other user identification information, or user identification information for later service party authentications, cannot be inferred from known user identification information,
17) the user identification information includes content randomly generated for this service party authentication, or includes the time of this service party authentication and cryptographically computed information,
18) each piece of user identification information is used for only one service party authentication,
19) each piece of user identification information has a validity period, and expired user identification information becomes invalid and cannot be used to complete service party authentication,
20) the connection that the user terminal establishes with the service party to access its corresponding service after passing service party authentication does not pass through the intermediary,
21) in service party authentication the user terminal can forward to the service party the service ticket from the intermediary; or, in service party authentication the user terminal can send, through the service party to the intermediary, authentication information computed with an algorithm agreed between the user terminal and the intermediary; or, in service party authentication the user terminal, the service party and the intermediary can transmit a piece of authentication information in a closed loop, with the end point of the closed-loop transmission verifying whether the authentication information came from the starting point of the closed-loop transmission; or, in service party authentication the user terminal can send to the service party authentication information computed with an algorithm agreed between the user terminal and the service party,
22) the intermediary can be composed of multiple servers or multiple server groups,
23) the result of accessing the corresponding service of the service party is that the user terminal can establish a connection with the service party or with a party trusted by the service party,
24) after the authentication program stops running, the authentication program must pass intermediary authentication again before the user terminal can carry out service party authentication again,
25) the two steps of the user logging in to the intermediary and the authentication program passing intermediary authentication can be the same step, different steps carried out at the same time, or different steps carried out at different times,
26) the end-access notice is digitally signed or encrypted by the intermediary with the intermediary's private key, and the service party can verify or decrypt it with the corresponding intermediary public key.
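The five steps of claim 9, together with features 1, 8, 17 to 20 and 24 of claim 10, as an added Python example that is not part of the patent text. The class and method names, the heartbeat used as the "still running" check, the two timeout values, and the use of one random value as both the service ticket the intermediary sends and the user identification information the terminal presents are assumptions made for illustration.

```python
import secrets
import time

HEARTBEAT_TIMEOUT = 30.0  # assumed: silence after which the program counts as stopped
TICKET_TTL = 60.0         # assumed validity period of one identification value


class Service:
    """Service party: admits a connection only for a value the intermediary announced."""

    def __init__(self, name, clock=time.monotonic):
        self.name, self.clock = name, clock
        self.pending = {}  # identification value -> (service account, expiry)
        self.active = {}   # connection id -> service account

    def expect(self, value, account, expiry):
        # Service ticket arriving directly from the intermediary.
        self.pending[value] = (account, expiry)

    def authenticate(self, conn, value):
        # Step 4. pop() makes the value single-use (feature 18); expiry is feature 19.
        account, expiry = self.pending.pop(value, (None, 0.0))
        if account is None or self.clock() > expiry:
            raise PermissionError("unknown, reused or expired identification value")
        self.active[conn] = account  # step 5: the presenting connection gets the service
        return account

    def end_access(self, account):
        # End-access notice (feature 8); the signature check of feature 26 is not modelled.
        self.active = {c: a for c, a in self.active.items() if a != account}


class Intermediary:
    """Third party that authenticates the program and vouches for it to service parties."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.links = {}     # (intermediary account, service name) -> service account
        self.sessions = {}  # session id -> [intermediary account, last heartbeat]

    def login(self, account):
        # Step 1. Verifying the user's own login credential is outside this example.
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = [account, self.clock()]
        return sid

    def alive(self, sid):
        session = self.sessions.get(sid)
        return session is not None and self.clock() - session[1] <= HEARTBEAT_TIMEOUT

    def heartbeat(self, sid):
        # Sent periodically by the running program; a lapsed session cannot be revived.
        if self.alive(sid):
            self.sessions[sid][1] = self.clock()

    def _linked(self, sid, service):
        return self.links.get((self.sessions[sid][0], service.name))

    def request_access(self, sid, service):
        # Steps 2-3: refuse unless the program is still running; a lapse forces a new
        # login (feature 24).
        if not self.alive(sid):
            self.sessions.pop(sid, None)
            raise PermissionError("authentication program is not running")
        account = self._linked(sid, service)
        if account is None:
            raise PermissionError("accounts are not associated")  # feature 1
        value = secrets.token_urlsafe(32)  # random per authentication (feature 17)
        service.expect(value, account, self.clock() + TICKET_TTL)
        return value  # the terminal presents this on its own connection (feature 20)

    def end_access(self, sid, service):
        # The user ends access in the program; the intermediary notifies the service party.
        if self.alive(sid):
            service.end_access(self._linked(sid, service))
```

Both classes take an injectable clock so the expiry and liveness rules can be exercised without waiting in real time.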
CN201310465842.XA 2013-10-08 2013-10-08 Third party certification system or method Pending CN103546293A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310465842.XA CN103546293A (en) 2013-10-08 2013-10-08 Third party certification system or method

Publications (1)

Publication Number Publication Date
CN103546293A true CN103546293A (en) 2014-01-29

Family

ID=49969373

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310465842.XA Pending CN103546293A (en) 2013-10-08 2013-10-08 Third party certification system or method

Country Status (1)

Country Link
CN (1) CN103546293A (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20140129