CN103684798A - Authentication system used in distributed user service - Google Patents

Publication number: CN103684798A (granted as CN103684798B)
Authority: CN (China)
Application number: CN201310753321.4A
Priority date / filing date: 2013-12-31
Original language: Chinese (zh)
Inventors: 李千目, 张晟骁, 侯君, 戚湧, 孙向军
Original assignee: LIANYUNGANG RESEARCH INSTITUTE OF NANJING UNIVERSITY OF SCIENCE AND TECHNOLOGY
Current assignee: Nanjing China Network Technology Co., Ltd.
Legal status: Granted; Expired - Fee Related
Prior art keywords: key, authentication, server, encryption, authentication center

Abstract

The invention discloses an authentication system for distributed user services. The system comprises an authentication center, a client, a server and custom-made identity authentication devices. The authentication center comprises an encryption storage medium and an encryption chip connected to each other; the authentication center, the client and the server are pairwise connected, and the client and the server are each connected to a custom-made identity authentication device through a USB (Universal Serial Bus) port. The encryption chip of the authentication center processes encryption and decryption requests and generates keys, and the encryption storage medium stores the key information of all custom-made identity authentication devices. The identity authentication devices perform encryption and decryption and store the keys of their identity holders and the keys used in communication. When encrypted data communication is performed, both parties in each communication encrypt with keys: the server and the authentication center, and the client and the authentication center, each use their corresponding key, while the client and the server use a session key newly generated by the authentication center. The system is safe and reliable, and the hidden danger of data leakage is reduced.

Description

Authentication system for distributed user services
Technical field
The present invention relates to the field of information security technology, in particular to an authentication system for distributed user services.
Background technology
With the development of Internet technology, terminals on every platform have gained more powerful performance, richer operating system interfaces and more abundant computational resources, and on this basis the security requirements of these platforms have gradually risen. Information security mainly comprises two aspects: system security and data security. System security generally adopts measures such as firewalls, anti-virus software and other security precaution technologies, which are passive safety measures. Data security mainly uses modern cryptographic techniques to protect data actively, through technologies such as data confidentiality, data integrity and authentication.
A digital signature is a string of digits that only the sender of a message can produce and that no one else can forge; it also serves as valid proof of the authenticity of the information sent by the sender, and it is a combined application of asymmetric encryption and digital digest techniques from cryptography. In the transmission of digital signatures, a trusted management entity is also needed to issue, manage and revoke digital certificates in a unified way: the certificate authority (CA). The CA center provides a digital certificate to every user who uses a public key; the function of the digital certificate is to attest that the user listed in the certificate legitimately holds the public key listed in the certificate. The CA's digital signature prevents an attacker from forging or tampering with certificates, and the CA is responsible for producing, distributing and managing the digital certificates required by all individuals participating in online transactions, so it is the core link of secure electronic transactions. At present, data and key information are transmitted over networks in plaintext or in simply encrypted form, so the hidden danger of data leakage is large and the degree of information security is low.
Summary of the invention
The object of the present invention is to provide a safe and reliable authentication system for distributed user services, with the functions of authenticating user legitimacy, encrypted data transmission and message signing.
The technical solution that achieves the object of the invention is an authentication system for distributed user services comprising an authentication center, a client, a server and custom-made identity authentication devices, wherein the authentication center comprises an encryption storage medium and an encryption chip connected to each other; the authentication center, the client and the server are pairwise connected, and the client and the server are each connected to a custom-made identity authentication device through a USB interface; the encryption chip of the authentication center processes encryption and decryption requests and generates keys, and the encryption storage medium stores the key information of all custom-made identity authentication devices; the identity authentication device performs encryption and decryption, and stores its identity authentication key and the keys used in the current communication; when encrypted data communication is performed, both parties in each communication encrypt with keys: the server and the authentication center, and the client and the authentication center, each use their respective corresponding key, while the client and the server use a session key newly generated by the authentication center.
An authentication method for distributed user services comprises the following steps:
Step 1: the client reads the identity information from the custom-made identity authentication device, encrypts the user information, service information and a timestamp using the device's encryption chip and user key, and sends them to the authentication center;
Step 2: the authentication center reads the user key from its internal encryption storage medium, decrypts the received authentication information and judges the user's legitimacy; if the user is legitimate, the authentication center generates, with its internal encryption chip, the public and private key pair for the client, the public and private key pair for the service provider's server in this session, and the session key for the session;
Step 3: the authentication center reads the service-side server key stored in its internal encryption storage medium, encrypts the server's private key, the client's public key and the session key for this communication with it, and sends them to the service-side server;
Step 4: the service-side server decrypts them with the service-side key stored in its custom-made identity authentication device, obtains the server private key, client public key and session key, generates a confirmation message, encrypts it with the session key and sends it to the authentication center;
Step 6: after receiving the server's confirmation, the authentication center encrypts the server public key, the client private key and the session key with the client's key and sends them to the client;
Step 7: the client decrypts with its custom-made identity authentication device to obtain the client private key, server public key and session key, encrypts a confirmation message with the session key and sends it to the authentication center;
Step 8: the authentication center's server uses the session key to send an "authenticated" message to the client and the service-side server at the same time; after the client and the server receive the authenticated message, they communicate independently of the authentication center.
Compared with the prior art, the present invention has the following notable advantages: (1) the authentication center controls the generation and distribution of certificates, and certificates and keys are used together to achieve a complete encryption and authentication mechanism; (2) passwords and keys are never transmitted over the network in plaintext, and keys are transmitted only in encrypted form; (3) the life cycle of a certificate is short, and every session produces a new certificate; (4) the authentication center's server uses an encryption chip for encryption and stores data in an encrypted storage chip, and the client needs only the custom-made device to perform key operations without computation on the host, which is safe and efficient.
Brief description of the drawings
Fig. 1 is a structural diagram of the authentication system of the present invention for distributed user services.
Detailed description
The present invention is described in further detail below with reference to the drawings and specific embodiments.
With reference to Fig. 1, the authentication system of the present invention for distributed user services comprises an authentication center, a client, a server and custom-made identity authentication devices, wherein the authentication center comprises an encryption storage medium and an encryption chip connected to each other; the authentication center, the client and the server are pairwise connected, and the client and the server are each connected to a custom-made identity authentication device through a USB interface.
The encryption chip of the authentication center processes encryption and decryption requests and generates keys, and the encryption storage medium stores the key information of all custom-made identity authentication devices; the identity authentication device performs encryption and decryption, and stores its identity authentication key and the keys used in the current communication. The custom-made identity authentication device comprises an encryption chip, an encryption storage medium and an encryption cache, wherein the encryption chip is connected to both the encryption storage medium and the encryption cache; the encryption chip of the identity authentication device performs encryption and decryption, the encryption storage medium stores the identity authentication key, and the encryption cache stores the keys in use during communication. When encrypted data communication is performed, both parties in each communication encrypt with keys: the server and the authentication center, and the client and the authentication center, each use their respective corresponding key, while the client and the server use a session key newly generated by the authentication center.
The principle of the present invention is as follows: both the user and the server must hold a password registered at the authentication center as their authentication credential, but the password is never transmitted over the network in plaintext, ciphertext or hashed form. Through a defined procedure, the information used for mutual confirmation among the user, the authentication center and the server is transmitted in encrypted form, every transmission carries a digital signature to strengthen data integrity checking, and the certificate files used for authentication have an adjustable life cycle. The authentication center automatically controls all certificates and can create new certificates, revoke certificates and renew certificates.
The whole system requires at least three computers. The authentication center is a custom-made computer with an integrated dedicated encryption chip that contains hardware-level encryption and decryption circuits and a key generation circuit, achieving highly concurrent and high-speed encryption and decryption; the authentication center also has a large-capacity encryption storage medium for storing the keys of each custom-made identity authentication device, and this encryption storage medium can be read and written only through the encryption chip. The custom-made identity authentication device connects to the client or server through a USB interface and likewise contains an encryption chip and an encryption storage medium; this encryption chip can perform only hardware-level encryption, decryption and digital signing, the encryption storage medium stores only the key of this authenticator, and there is additionally an encryption cache for storing the various keys used in communication with the service-side server. Each authentication device has a unique key, and each key is registered when the device is ordered.
The authentication method of the present invention for distributed user services has the capability of global certificate management; the password is not transmitted over the network in any form and serves only as the intermediate encryption key for digital signing and authentication, and certificates and symmetric encryption are used throughout. Authentication and service requests comprise the following steps:
Step 1: the client reads the identity information from the custom-made identity authentication device, encrypts the user information, service information and a timestamp using the device's encryption chip and user key, and sends them to the authentication center;
Step 2: the authentication center reads the user key from its internal encryption storage medium, decrypts the received authentication information and judges the user's legitimacy; if the user is legitimate, the authentication center generates, with its internal encryption chip, the public and private key pair for the client, the public and private key pair for the service provider's server in this session, and the session key for the session;
Step 3: the authentication center reads the service-side server key stored in its internal encryption storage medium, encrypts the server's private key, the client's public key and the session key for this communication with it, and sends them to the service-side server;
Step 4: the service-side server decrypts them with the service-side key stored in its custom-made identity authentication device, obtains the server private key, client public key and session key, generates a confirmation message, encrypts it with the session key and sends it to the authentication center;
Step 6: after receiving the server's confirmation, the authentication center encrypts the server public key, the client private key and the session key with the client's key and sends them to the client;
Step 7: the client decrypts with its custom-made identity authentication device to obtain the client private key, server public key and session key, encrypts a confirmation message with the session key and sends it to the authentication center;
Step 8: the authentication center's server uses the session key to send an "authenticated" message to the client and the service-side server at the same time;
Step 9: after the client and the server receive the authenticated message, they communicate independently of the authentication center; every transmission is encrypted with the session key and signed with each party's own key.
These nine steps accomplish user authentication and the delivery of the private keys used for digital signatures. The client private key used by the user has a fixed validity period; after it expires the authentication center revokes the key, and the user must authenticate again, which is the key re-application process:
Step 1: before the key expires, the authentication center uses the session key to send a key expiry notice and the expiry time to the client and the server at the same time.
Step 2: before the expiry time, the client and the server can still communicate with the previously requested session key and public/private keys.
Step 3: when the expiry time arrives, the server uses the old session key to send a key-expired message to the client and suspends the service.
Step 4: after receiving the key-expired message, the client stops using the service and sends a service request to the authentication center according to Step 1 of the authentication process.
Step 5: the client and the server authenticate again according to the authentication process, generating a new session key and public/private keys.
Step 6: the client uses the new session key to send a service resumption request to the service side.
Step 7: the server resumes the service after receiving the service resumption request.
In summary, the authentication system of the present invention for distributed user services has the functions of authenticating user legitimacy, encrypted data transmission and message signing, and solves the present problem that data and key information transmitted over networks in plaintext or in simply encrypted form may be leaked.
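As an added illustration (not the patent's own code) of the nine-step exchange above and of the expiry that triggers key re-application, the following Python models the authentication center as a key-distribution service that validates the Step 1 timestamp, mints per-session keys and releases them only under each party's long-term key. It assumes stand-ins the patent does not specify: a software encrypt-then-MAC envelope built from HMAC-SHA256 replaces the hardware encryption chip, and per-session HMAC signing keys replace the per-session public/private key pairs, since the standard library has no asymmetric primitives; device names, keys and messages are constructed.

```python
import hashlib, hmac, json, os, time

# --- Toy encrypt-then-MAC envelope standing in for the hardware encryption chip ---
def _sub(key, label):                       # derive separate encryption / MAC subkeys
    return hmac.new(key, label, hashlib.sha256).digest()

def _ks(key, nonce, n):                     # HMAC-SHA256 counter-mode keystream, >= n bytes
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))

def seal(key, msg):
    """Return nonce || ciphertext || tag for a JSON-serialisable dict."""
    pt, nonce = json.dumps(msg, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(_sub(key, b"enc"), nonce, len(pt))))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    """Check the tag first: a wrong key or any tampering is rejected before decryption."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("envelope rejected")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(_sub(key, b"enc"), nonce, len(ct)))))

def sign(sig_key_hex, payload):             # per-session signing key (HMAC stand-in for the key pair)
    return hmac.new(bytes.fromhex(sig_key_hex), payload, hashlib.sha256).hexdigest()

class AuthCenter:
    """Steps 2-8: validate the requester, mint per-session keys, distribute them under long-term keys."""
    def __init__(self, registry, max_skew=30, ttl=600):
        self.registry = registry            # device id -> long-term key (the AC's encrypted storage)
        self.max_skew = max_skew            # tolerated age of the Step 1 timestamp, in seconds
        self.ttl = ttl                      # session lifetime; the patent's "adjustable life cycle"
        self.pending = {}

    def step2(self, client_id, blob, now):
        info = open_(self.registry[client_id], blob)    # unknown client or wrong user key fails here
        if abs(now - info["ts"]) > self.max_skew:
            raise ValueError("stale request")            # the timestamp is the replay guard
        keys = {"session": os.urandom(32).hex(), "client_sig": os.urandom(32).hex(),
                "server_sig": os.urandom(32).hex(), "expires": now + self.ttl}
        self.pending[client_id] = (info["service"], keys)

    def step3(self, client_id):                          # session material wrapped under the server key
        service, k = self.pending[client_id]
        return seal(self.registry[service], dict(k, client=client_id))

    def step6(self, client_id, server_ack):              # check the server's ack, wrap under the user key
        service, k = self.pending[client_id]
        if open_(bytes.fromhex(k["session"]), server_ack) != {"ack": service}:
            raise ValueError("server confirmation invalid")
        return seal(self.registry[client_id], dict(k, service=service))

    def step8(self, client_id, client_ack):              # both sides confirmed: release the session
        _, k = self.pending.pop(client_id)
        if open_(bytes.fromhex(k["session"]), client_ack) != {"ack": client_id}:
            raise ValueError("client confirmation invalid")
        return seal(bytes.fromhex(k["session"]), {"status": "authenticated"})

def run_exchange(now=None):
    """Drive Steps 1-8 for constructed devices; return (client_keys, server_keys, final_status)."""
    now = time.time() if now is None else now
    registry = {"alice": os.urandom(32), "svc": os.urandom(32)}          # constructed registrations
    ac = AuthCenter(registry)
    req = seal(registry["alice"], {"user": "alice", "service": "svc", "ts": now})   # Step 1
    ac.step2("alice", req, now)                                                      # Step 2
    srv = open_(registry["svc"], ac.step3("alice"))                                  # Steps 3-4
    srv_ack = seal(bytes.fromhex(srv["session"]), {"ack": "svc"})
    cli = open_(registry["alice"], ac.step6("alice", srv_ack))                       # Steps 6-7
    cli_ack = seal(bytes.fromhex(cli["session"]), {"ack": "alice"})
    done = open_(bytes.fromhex(cli["session"]), ac.step8("alice", cli_ack))          # Step 8
    return cli, srv, done["status"]

def client_message(cli, op):
    """Step 9, client side: encrypt under the session key and sign with the client's own key."""
    return seal(bytes.fromhex(cli["session"]), {"op": op, "sig": sign(cli["client_sig"], op.encode())})

def server_check(srv, body, now):
    """Step 9, server side: refuse once the session has expired (re-application step 3), else verify."""
    if now > srv["expires"]:
        return "expired"                     # client must re-run Step 1 to obtain fresh keys
    msg = open_(bytes.fromhex(srv["session"]), body)
    ok = hmac.compare_digest(msg["sig"], sign(srv["client_sig"], msg["op"].encode()))
    return "ok" if ok else "bad-signature"
```

A tampered envelope, a stale Step 1 timestamp and a message sent after the session's expiry time each fail closed, which is the property the text claims for the scheme.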

Claims (3)

1. An authentication system for distributed user services, characterized in that it comprises an authentication center, a client, a server and custom-made identity authentication devices, wherein the authentication center comprises an encryption storage medium and an encryption chip connected to each other; the authentication center, the client and the server are pairwise connected, and the client and the server are each connected to a custom-made identity authentication device through a USB interface;
the encryption chip of the authentication center processes encryption and decryption requests and generates keys, and the encryption storage medium stores the key information of all custom-made identity authentication devices; the identity authentication device performs encryption and decryption, and stores its identity authentication key and the keys used in the current communication; when encrypted data communication is performed, both parties in each communication encrypt with keys: the server and the authentication center, and the client and the authentication center, each use their respective corresponding key, while the client and the server use a session key newly generated by the authentication center.
2. The authentication system for distributed user services according to claim 1, characterized in that the custom-made identity authentication device comprises an encryption chip, an encryption storage medium and an encryption cache, wherein the encryption chip is connected to both the encryption storage medium and the encryption cache; the encryption chip of the identity authentication device performs encryption and decryption, the encryption storage medium stores the identity authentication key, and the encryption cache stores the keys in use during communication.
3. An authentication method for distributed user services, characterized in that it comprises the following steps:
Step 1: the client reads the identity information from the custom-made identity authentication device, encrypts the user information, service information and a timestamp using the device's encryption chip and user key, and sends them to the authentication center;
Step 2: the authentication center reads the user key from its internal encryption storage medium, decrypts the received authentication information and judges the user's legitimacy; if the user is legitimate, the authentication center generates, with its internal encryption chip, the public and private key pair for the client, the public and private key pair for the service provider's server in this session, and the session key for the session;
Step 3: the authentication center reads the service-side server key stored in its internal encryption storage medium, encrypts the server's private key, the client's public key and the session key for this communication with it, and sends them to the service-side server;
Step 4: the service-side server decrypts them with the service-side key stored in its custom-made identity authentication device, obtains the server private key, client public key and session key, generates a confirmation message, encrypts it with the session key and sends it to the authentication center;
Step 6: after receiving the server's confirmation, the authentication center encrypts the server public key, the client private key and the session key with the client's key and sends them to the client;
Step 7: the client decrypts with its custom-made identity authentication device to obtain the client private key, server public key and session key, encrypts a confirmation message with the session key and sends it to the authentication center;
Step 8: the authentication center's server uses the session key to send an "authenticated" message to the client and the service-side server at the same time; after the client and the server receive the authenticated message, they communicate independently of the authentication center.

Publications

Publication Number Publication Date
CN103684798A 2014-03-26
CN103684798B 2017-03-22

Application CN201310753321.4A (priority date 2013-12-31, filing date 2013-12-31), title "Authentication method used in distributed user service", status Expired - Fee Related; family ID=50321192.

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104780160A (en) * 2014-10-27 2015-07-15 中华电信股份有限公司 Cloud storage service method in keymap access mode
CN105554008A (en) * 2015-12-28 2016-05-04 联想(北京)有限公司 User terminal, authentication server, middle server, system and transmission method
CN106790075A (en) * 2016-12-21 2017-05-31 上海云熵网络科技有限公司 For the Verification System and authentication method of UDP transmission
CN107070912A (en) * 2017-04-07 2017-08-18 许昌学院 The network security verification method and system of a kind of distributed system
CN108632251A (en) * 2018-03-28 2018-10-09 杭州电子科技大学 Authentic authentication method based on cloud computing data service and its Encryption Algorithm
CN108881327A (en) * 2018-09-29 2018-11-23 德州职业技术学院(德州市技师学院) A kind of computer internet information safety control system based on cloud computing
CN112202556A (en) * 2020-10-30 2021-01-08 联通物联网有限责任公司 Security authentication method, device and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050182925A1 (en) * 2004-02-12 2005-08-18 Yoshihiro Tsukamura Multi-mode token
CN101340285A (en) * 2007-07-05 2009-01-07 杭州中正生物认证技术有限公司 Method and system for identity authentication by finger print USBkey
CN101674304A (en) * 2009-10-15 2010-03-17 浙江师范大学 Network identity authentication system and method
CN101686126A (en) * 2008-09-24 2010-03-31 北京创原天地科技有限公司 Method for certification of set of novel dynamic passwords and autonymous network accessing


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张斌等: "《基于微软MSN的安全即时通信插件研究》", 《计算机工程与设计》 *



Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
  Effective date of registration: 20170713
  Address after: No. 8 Liufang Road (7th floor), High-tech Zone, Nanjing, Jiangsu 210000
  Patentee after: Nanjing China Network Technology Co., Ltd.
  Address before: 222000 No. 2 Chenguang Road, Sinpo District, Lianyungang, Jiangsu
  Patentee before: Lianyungang Research Institute of Nanjing University of Science and Technology
CF01 Termination of patent right due to non-payment of annual fee
  Granted publication date: 20170322
  Termination date: 20191231