CN103905400B - A kind of service authentication method, apparatus and system - Google Patents

A kind of service authentication method, apparatus and system

Info

Publication number: CN103905400B
Authority: CN (China)
Prior art keywords: authentication, business, terminal, request, random number
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201210581317.XA
Other languages: Chinese (zh)
Other versions: CN103905400A
Inventors: 齐旻鹏, 庄小君, 阎军智, 朱红儒
Current assignee: China Mobile Communications Group Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: China Mobile Communications Group Co Ltd
Application filed by China Mobile Communications Group Co Ltd; priority to CN201210581317.XA; published as CN103905400A; granted and published as CN103905400B; legal status: Active.

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses a service authentication method, apparatus and system. The method includes: a service authentication server receives an authentication request for username information, where the authentication request contains an authentication random number that the service application server generated at random according to a preset algorithm, and sent, when it received a service request containing the username information from a client; according to a stored correspondence between the username information and the user identity identifier information of a terminal containing a SIM/USIM card, the server obtains the user identity identifier information corresponding to the username information; it obtains the authentication vector of that user identity identifier information and sends authentication response information to the terminal; it receives the service authentication response request sent by the terminal and, according to the service authentication response request, the authentication vector and the authentication random number, determines whether the username information targeted by the authentication request passes service authentication. The security of service authentication can thereby be improved.

Description

A kind of service authentication method, apparatus and system
Technical field
The present invention relates to the technical field of network security, and in particular to a service authentication method, apparatus and system.
Background technology
In Internet of Things service applications, network security is increasingly becoming a concern for end users.
In existing Internet of Things service applications, to protect the privacy of end users and improve network security, when the end-user side needs to perform service authentication with the network service platform side, the common approach is to assign a username/password to the user in advance and to authenticate on that basis. Specifically, in username/password-based service authentication, the service platform side and the end-user side agree on a fixed username/password offline. When the end user accesses the network and needs to communicate with the service platform side to carry out service processing, the service platform side asks the end user to enter the username/password; the end user types it into the terminal, and the terminal sends the entered username/password to the network service platform side either in plain text or after a simple mathematical transformation. The network service platform side authenticates the end user against the received username/password; if authentication passes, the end user is allowed to use the service, otherwise the user is refused.
In the prior art, this remote service authentication based on username/password carries a serious security risk: the username/password set by the end user is easily discovered by illegal parties. Most end users keep the same username/password unchanged for a long time and, for convenience, build it from regular patterns or simple combinations of characters and digits, so an attacker can obtain an end user's username/password by guessing, dictionary attacks and similar means, and then misuse it.
In summary, the service authentication schemes proposed in the prior art have relatively low security.
Summary of the invention
Embodiments of the invention provide a service authentication method, apparatus and system that can improve the security of service authentication.
A service authentication method, including: a service authentication server receives an authentication request for username information sent by a service application server, where the authentication request contains an authentication random number that the service application server generated at random according to a preset algorithm, and sent, when it received a service request containing the username information from a client; according to a stored correspondence between the username information and the user identity identifier information of a terminal containing a Subscriber Identity Module (SIM) / Universal Subscriber Identity Module (USIM) card, it obtains the user identity identifier information corresponding to the username information targeted by the authentication request; it obtains the authentication vector of that user identity identifier information, the authentication vector being the vector used for access authentication when the terminal accesses the mobile communication network, and sends authentication response information to the terminal; it receives the service authentication response request sent by the terminal and, according to the service authentication response request, the authentication vector and the authentication random number, determines whether the username information targeted by the authentication request passes service authentication.
A service authentication method, including: a terminal containing a SIM/USIM card obtains the authentication response value contained in received authentication response information, where the authentication response information is sent to the terminal by the network side according to an obtained authentication vector, the authentication vector being the vector used for access authentication when the terminal accesses the mobile communication network; the terminal receives an authentication random number, which the service application server generated at random according to a preset algorithm, and sent, when it received a service request containing username information from a client; according to the received authentication random number and the obtained authentication response value, the terminal sends a service authentication response request to the network side, where the service authentication response request contains the username information and the user identity identifier information of the terminal containing the SIM/USIM card, and the network side determines from the service authentication response request whether the username information targeted by it passes service authentication.
A service authentication apparatus, including: a receiving module, for receiving an authentication request for username information sent by a service application server, where the authentication request contains an authentication random number that the service application server generated at random according to a preset algorithm and sent to the service authentication server when it received a service request containing the username information from a client; an obtaining module, for obtaining, according to a stored correspondence between the username information and the user identity identifier information of a terminal containing a SIM/USIM card, the user identity identifier information corresponding to the username information targeted by the authentication request, and for obtaining the authentication vector of that user identity identifier information, the authentication vector being the vector used for access authentication when the terminal accesses the mobile communication network; a sending module, for sending authentication response information to the terminal; the receiving module is further used to receive the service authentication response request sent by the terminal; and a determining module, for determining, according to the service authentication response request, the authentication vector and the authentication random number, whether the username information targeted by the authentication request passes service authentication.
A service authentication apparatus, including: an obtaining module, for obtaining the authentication response value contained in received authentication response information, where the authentication response information is sent by the network side, according to an obtained authentication vector, to a terminal containing a SIM/USIM card, the authentication vector being the vector used for access authentication when the terminal accesses the mobile communication network; a receiving module, for receiving an authentication random number that the service application server generated at random according to a preset algorithm, and sent, when it received a service request containing username information from a client; and a sending module, for sending a service authentication response request to the network side according to the received authentication random number and the obtained authentication response value, where the service authentication response request contains the username information and the user identity identifier information of the terminal containing the SIM/USIM card, and the network side determines from the service authentication response request whether the username information targeted by it passes service authentication.
A service authentication system, including a terminal containing a SIM/USIM card, a service authentication server and a service application server, where a secure transmission channel is provided between the service authentication server and the service application server for communication. The service application server is used to send an authentication request for username information, where the authentication request contains an authentication random number that the service application server generated at random according to a preset algorithm and sent to the service authentication server and the client respectively when it received a service request containing the username information from the client. The service authentication server is used to receive the authentication request; to obtain, according to a stored correspondence between the username information and the user identity identifier information of the terminal containing the SIM/USIM card, the user identity identifier information corresponding to the username information targeted by the authentication request; to obtain the authentication vector of that user identity identifier information, the authentication vector being the vector used for access authentication when the terminal accesses the mobile communication network; to send authentication response information to the terminal; to receive the service authentication response request sent by the terminal; and to determine, according to the authentication response request, the authentication vector and the authentication random number, whether the username information targeted by the authentication request passes service authentication. The terminal is used to obtain the authentication response value contained in the received authentication response information, to receive the authentication random number, and to send, according to the received authentication random number and the obtained authentication response value, a service authentication response request to the service authentication server, where the service authentication response request contains the username information and the user identity identifier information of the terminal containing the SIM/USIM card.
With the above technical solution, the authentication random number contained in the authentication request sent by the service application server is received, the authentication vector used for authentication when the terminal accesses the mobile communication network is obtained, and the service authentication response request sent by the terminal is used to determine whether the username information targeted by the authentication request passes service authentication. The security of the service authentication process can thereby be improved.
Brief description of the drawings
Fig. 1 is a schematic diagram of the structure of the service authentication system proposed in embodiment one of the invention;
Fig. 2 is a flow chart of the service authentication method proposed in embodiment two of the invention;
Fig. 3 is a schematic diagram of the structure of the network-side service authentication apparatus proposed in embodiment two of the invention;
Fig. 4 is a schematic diagram of the structure of the terminal-side service authentication apparatus proposed in embodiment two of the invention.
Specific embodiments
To address the low security of the service authentication methods in the prior art, the embodiments of the invention propose a technical solution in which the authentication random number contained in the authentication request sent by the service application server is received, the authentication vector used for authentication when the terminal accesses the mobile communication network is obtained, and the service authentication response request sent by the terminal is used to determine whether the username information targeted by the authentication request passes service authentication. This can improve the security of service authentication.
The main principle, specific embodiments and achievable benefits of the technical solution of the embodiments of the invention are described below with reference to the drawings.
Embodiment one
Embodiment one of the invention proposes a service authentication system which, as shown in Fig. 1, includes a terminal side and a network side. The terminal side is provided with a terminal containing a SIM/USIM card; the network side is provided with a service authentication server and a service application server, between which a secure transmission channel is provided for communication.
The service application server is used to send an authentication request for username information, where the authentication request contains an authentication random number that the service application server generated at random according to a preset algorithm and sent to the service authentication server and the client respectively when it received a service request containing the username information from the client.
The service authentication server is used to receive the authentication request; to obtain, according to a stored correspondence between the username information and the user identity identifier information of the terminal containing the SIM/USIM card, the user identity identifier information corresponding to the username information targeted by the authentication request; to obtain the authentication vector of that user identity identifier information, the authentication vector being the vector used for access authentication when the terminal accesses the mobile communication network; to send authentication response information to the terminal; to receive the service authentication response request sent by the terminal; and to determine, according to the authentication response request, the authentication vector and the authentication random number, whether the username information targeted by the authentication request passes service authentication.
Specifically, the service authentication response request contains the terminal-side expected authentication value, which the terminal calculates from the received authentication response information and the authentication random number. The service authentication server is specifically used to determine the network-side expected authentication value, computed from the authentication random number and the obtained authentication vector, and to compare it with the terminal-side expected authentication value contained in the service authentication response request; from the result of matching the obtained terminal-side expected authentication value against the determined network-side expected authentication value, it determines whether the username information targeted by the authentication request passes service authentication.
Specifically, the service authentication server determines whether the received terminal-side expected authentication value equals the network-side expected authentication value. If they are equal, it determines that the username information targeted by the authentication request passes service authentication and sends an authentication success message to the service application server; otherwise, it determines that the username information targeted by the authentication request does not pass service authentication and sends a service authentication failure message to the service application server.
The terminal is used to obtain the authentication response value contained in the received authentication response information, to receive the authentication random number, and to send, according to the received authentication random number and the obtained authentication response value, a service authentication response request to the service authentication server, where the service authentication response request contains the username information and the user identity identifier information of the terminal containing the SIM/USIM card.
Specifically, after receiving the authentication response, the terminal displays an interface requesting input of the authentication random number.
In a specific implementation, the service client may be installed in a first terminal that does not contain a SIM/USIM card, or in a second terminal that does contain a SIM/USIM card.
Embodiment one is described in detail taking the case where the client is installed on the first terminal as an example. The terminal side includes the first terminal, on which the service client is installed, and the second terminal; the network side includes the service application server and the service authentication server.
The first terminal is used to receive the authentication request that the end user sends, with the username information, when accessing the Internet of Things to use a service, and to send that authentication request to the service application server.
Specifically, the first terminal may be, but is not limited to, a personal computer (PC) used by the end user, or a terminal device such as an instrument or meter that can communicate with the service platform. Preferably, and for the purposes of this description, the first terminal is a PC.
Specifically, the username information may be, but is not limited to, a form containing only a username, or a form containing a username/password. Preferably, to ensure the security of service authentication, the username information in embodiment one takes the username/password form.
The service application server is used to generate, according to the authentication request for username information received from the first terminal, an authentication random number at random according to a preset algorithm, and to send it to the first terminal and the service authentication server respectively.
The service application server is located on the service platform side, and the service platform may be set up by a service provider; for example, it may be a network service platform for medical or financial services set up by the service provider.
The service authentication server is used to receive the authentication request; to obtain, according to a stored correspondence between the username information and the user identity identifier information of the terminal containing the SIM/USIM card, the user identity identifier information corresponding to the username information targeted by the authentication request; to obtain the authentication vector of that user identity identifier information, the authentication vector being the vector used for access authentication when the terminal accesses the mobile communication network; to send authentication response information to the terminal; to receive the service authentication response request sent by the terminal; and to determine, according to the authentication response request, the authentication vector and the authentication random number, whether the username information targeted by the authentication request passes service authentication.
The service authentication server is located on the network side. It may be, but is not limited to, an independent device in the mobile communication system, or it may be integrated into any network element device included in the mobile communication system; for example, it may be integrated into the Home Subscriber Server (HSS) network element device.
The service authentication server may obtain the authentication vector of the second terminal directly or indirectly from the HSS network element device. Specifically, the form of the obtained authentication vector is identical to the form of the authentication vector used for authentication when the second terminal containing the SIM or USIM card accesses the mobile communication network.
Specifically, the first terminal may connect to and communicate with the service platform over the internet, the second terminal may connect to the mobile communication system over a wireless network, and a secure transmission channel may be set up between the service platform and the mobile communication system for transmitting data; for example, a dedicated transmission channel may be set up to carry data between the service platform and the mobile communication system.
The second terminal is used to obtain the authentication response value contained in the received authentication response information, to receive the authentication random number, and to send, according to the received authentication random number and the obtained authentication response value, a service authentication response request to the service authentication server, where the service authentication response request contains the username information and the user identity identifier information of the terminal containing the SIM/USIM card.
Specifically, after receiving the authentication response, the second terminal displays to the end user an interface requesting input of the authentication random number, prompting the end user to enter the authentication random number received on the first terminal.
Specifically, the first terminal is used to receive the username/password entered by the end user and to send that username/password to the service application server;
The service application server is further used to compare the received username/password with the username/password it stores, and to generate the authentication random number when the comparison result is identical.
Embodiment two
Based on the system architecture shown in Fig. 1, embodiment two of the invention also proposes a service authentication method.
In a specific implementation, the service client may be installed in a first terminal that does not contain a SIM/USIM card, or in a second terminal that does contain one. Embodiment two is described in detail taking the case where the client is installed on the first terminal as an example, that is, the first terminal and the second terminal are two independent terminals and the first terminal may be a PC. As shown in Fig. 2, the specific processing flow is as follows:
Step 201: the end user accesses the service platform using the first terminal; the first terminal receives the access request for username information entered by the end user and sends the received access request to the service application server.
In the technical solution of embodiment two, the description takes the first terminal as a PC and the username information as a username/password. The PC communicates with the service application server over the internet; the end user enters the username/password on the PC, and the PC sends the received username/password to the service application server.
In a specific implementation, for example in the financial industry, a financial service provider sets up a financial service application server, and end users can communicate with it over the internet to carry out service operations such as transfers and electronic payments. In the prior art the end user generally logs in to the financial service system directly with a username/password. The username/password may be set in advance when the end user activates the service; the service platform side stores the correspondence between the username/password and the corresponding service (for example in the service application server), and also stores the correspondence between the username information and the user identity identifier information of the second terminal containing the SIM/USIM card.
Step 202: the service application server receives the access request sent by the first terminal and compares the username information contained in the received request with the username information it stores.
Specifically, the service application server receives the username/password sent by the PC and compares it with the username/password it stores; if the comparison result is identical, it can determine that preliminary authentication passes. For example, in the financial industry, the end user enters a username/password on the PC, which is sent over the internet to the service application server to request processing of a certain customized service. Based on the received username/password, the service the end user has customized, and the correspondence between services and usernames/passwords it stores, the service application server determines whether the received username/password is correct. If it is correct, it determines that the end user has completed primary authentication and establishes a primary secure channel, over which the service application server and the PC can transmit data. Otherwise, any subsequent operation can be refused.
Step 203: when the comparison result is identical, the service application server sends an authentication request for the username information to the service authentication server.
The authentication request contains an authentication random number that the service application server generated at random according to a preset algorithm, and sent, when it received the service request containing the username information from the client. Specifically, the authentication random number is sent to the first terminal and the service authentication server respectively.
After the username/password has been verified, the service application server generates an authentication random number (denoted RAND1, for example) at random according to a preset algorithm, shows it to the end user via the PC over the primary secure channel that has been established, and sends the generated RAND1 to the service authentication server over the secure transmission channel set up between the service application server and the service authentication server. In a specific implementation in the financial industry, a dedicated data transmission channel may be set up between the service application server and the service authentication server. After username/password authentication, the service application server sends an authentication request containing the randomly generated RAND1 to the PC over the primary secure channel, and sends the randomly generated RAND1 to the service authentication server over the dedicated data transmission channel.
Step 204, service authentication server after authentication random number is received, according to storage username information and comprising The corresponding relation of the User Identity information of the second terminal of SIM/USIM cards, obtains the targeted user of the certification request The corresponding User Identity information of name information, and obtain the Ciphering Key of the User Identity information.
Wherein it is possible to the user identity of second terminal is obtained in HSS network element equipment by directly or indirectly mode Ciphering Key corresponding to identification information.Service authentication server is obtaining the User Identity of authentication random number and second terminal After information, Ciphering Key corresponding with the User Identity information of second terminal is obtained in HSS network element equipment.For example wrap When access network authentication is carried out, Ciphering Key can be three-dimensional matrice form to terminal containing SIM, included in syndrome vector AV and recognized Card random number(RAND2), authentication values (AUTN), expect response (XKES), i.e. AV=(RAND2, AUTN, XRES).
Step 205: after obtaining the authentication vector of the user identity information, authentication response information is sent to the second terminal.
The service authentication server sends the authentication response information to the second terminal according to the obtained authentication vector. The authentication response information can contain the authentication random number (RAND2) and the authentication token (AUTN), i.e. AV1 = (RAND2, AUTN).
Step 206: the second terminal receives the authentication response information and obtains the authentication response value contained in it.
The authentication response information is sent by the network side to the terminal according to the obtained authentication vector, and the authentication vector is the vector used for access authentication when the terminal accesses the mobile communication network.
After the second terminal receives AV1 = (RAND2, AUTN), the SIM or USIM card installed in it performs the authentication processing and obtains the authentication response value RES. In UMTS AKA the USIM verifies the AUTN (its message authentication code and sequence number) before it returns RES, so a tampered or replayed AV1 is rejected on the card rather than producing a usable response.
Step 207: after obtaining the authentication response, the second terminal displays to the terminal user an interface requesting input of the authentication random number, instructing the terminal user to enter the authentication random number in that interface.
Step 208: the terminal user enters the authentication random number learned from the first terminal into the specified interface of the second terminal.
Since the service application server, after generating the authentication random number RAND1, sends it to both the first terminal and the service authentication server, the terminal user can read RAND1 on the first terminal and enter it in the prompt interface on the second terminal.
Step 209: according to the received authentication random number and the obtained authentication response value, a service authentication response request is sent to the network side.
The second terminal determines the terminal-side expected authentication value from the received authentication random number and the obtained authentication response value, and sends to the network side a service authentication response request containing that terminal-side expected authentication value, the username information and the user identity information of the terminal containing the SIM/USIM card.
In a specific implementation, the second terminal computes the terminal-side expected authentication value from the received RAND1 and the obtained RES using the same computation that the network side uses for its expected authentication value. For example, the second terminal can perform a cryptographic operation on RES and RAND1 to obtain the terminal-side expected authentication value Auth.
Step 210: the service authentication server receives the service authentication response request sent by the second terminal and, according to that request, the authentication vector and the authentication random number, determines whether the username information targeted by the authentication request passes service authentication.
In a specific implementation, the service authentication response request contains the terminal-side expected authentication value, which the terminal computed from the received authentication response information and the authentication random number. The service authentication server determines the network-side expected authentication value, computed from the authentication random number and the obtained authentication vector, and the terminal-side expected authentication value contained in the service authentication response request, and determines from whether the two match whether the username information targeted by the authentication request passes service authentication.
It should be noted that the way of determining whether the username information targeted by the authentication request passes service authentication is not limited to the method described above; other ways can also be used. The embodiment of the present invention only gives one preferred implementation here.
Specifically, it is determined whether the received terminal-side expected authentication value equals the network-side expected authentication value. If they are equal, the username information targeted by the authentication request is determined to pass service authentication, and an authentication success message is sent to the service application server; otherwise the username information is determined not to pass service authentication, and a service authentication failure message is sent to the service application server.
In a specific implementation, the service authentication server can compute the network-side expected authentication value from the obtained authentication vector and the authentication random number: from the obtained authentication vector AV and the authentication random number RAND1, the network-side expected authentication value is computed according to the preset algorithm. Preferably, with the obtained authentication vector AV = (RAND2, AUTN, XRES), a cryptographic operation is performed on the XRES contained in AV and the received RAND1 to obtain the network-side expected authentication value XAuth, and XAuth is stored. Because the comparison in step 210 decides the outcome, XAuth should be compared in constant time and used only once, so that a captured Auth cannot be replayed.
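The exchange of steps 203 to 210, including the card-side AUTN check of step 206 and the XAuth comparison of step 210, as an added Python model that is not part of the patent and not China Mobile's code. All names, the IMSI, the key K and the passwords are constructed for the example. HMAC-SHA256 stands in for the USIM/HSS functions f1, f2 and f5 of 3GPP AKA and for the patent's unspecified "preset algorithm" that combines RES or XRES with RAND1; these are assumptions, not the operator's actual algorithms.

```python
"""Model of the two-channel service authentication flow (steps 203 to 210)."""
import hashlib
import hmac
import secrets

# Assumption: HMAC-SHA256 stands in for the USIM/HSS functions f1 (MAC), f2 (RES) and
# f5 (AK) of 3GPP AKA, and for the unspecified "preset algorithm" that combines RES/XRES
# with RAND1. Real deployments use the operator's Milenage or TUAK configuration.
def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

def f1(k, rand, sqn, amf): return _prf(k, b"f1", rand, sqn, amf)[:8]   # MAC inside AUTN
def f2(k, rand): return _prf(k, b"f2", rand)[:8]                       # RES / XRES
def f5(k, rand): return _prf(k, b"f5", rand)[:6]                       # anonymity key AK
def xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))

class HSS:
    """Holds the long-term key K and the sequence counter SQN of each subscriber (IMSI)."""
    def __init__(self, subscribers): self.subs = {imsi: [k, 0] for imsi, k in subscribers.items()}

    def authentication_vector(self, imsi):
        """Return AV = (RAND2, AUTN, XRES); AUTN = (SQN xor AK) || AMF || MAC."""
        k, _ = self.subs[imsi]
        self.subs[imsi][1] += 1
        sqn, amf = self.subs[imsi][1].to_bytes(6, "big"), b"\x80\x00"
        rand2 = secrets.token_bytes(16)
        autn = xor(sqn, f5(k, rand2)) + amf + f1(k, rand2, sqn, amf)
        return rand2, autn, f2(k, rand2)

class USIM:
    """The card in the second terminal: same K as the HSS, plus the highest SQN accepted so far."""
    def __init__(self, k: bytes): self.k, self.sqn = k, 0

    def authenticate(self, rand2: bytes, autn: bytes):
        """Step 206: check the MAC and SQN freshness of AUTN; return RES, or None on failure."""
        sqn = xor(autn[:6], f5(self.k, rand2))
        amf, mac = autn[6:8], autn[8:]
        if not hmac.compare_digest(mac, f1(self.k, rand2, sqn, amf)):
            return None                       # AUTN was not produced with our K: reject
        if int.from_bytes(sqn, "big") <= self.sqn:
            return None                       # replayed authentication vector: reject
        self.sqn = int.from_bytes(sqn, "big")
        return f2(self.k, rand2)

def bind(res_or_xres: bytes, rand1: bytes) -> bytes:
    """Preset algorithm (assumption): Auth = PRF(RES, RAND1) on the card side, XAuth = PRF(XRES, RAND1)."""
    return _prf(res_or_xres, b"bind", rand1)

class ServiceAuthenticationServer:
    def __init__(self, hss, username_to_imsi):
        self.hss, self.username_to_imsi, self.pending = hss, username_to_imsi, {}

    def authentication_request(self, username: str, rand1: bytes):
        """Steps 204 and 205: map username to IMSI, fetch AV, store XAuth, return AV1 = (RAND2, AUTN)."""
        imsi = self.username_to_imsi[username]
        rand2, autn, xres = self.hss.authentication_vector(imsi)
        self.pending[(username, imsi)] = bind(xres, rand1)
        return imsi, (rand2, autn)

    def business_authentication_response(self, username: str, imsi: str, auth: bytes) -> bool:
        """Step 210: compare the terminal-side Auth with the stored XAuth, once only, in constant time."""
        xauth = self.pending.pop((username, imsi), None)
        return xauth is not None and hmac.compare_digest(auth, xauth)

class ServiceApplicationServer:
    def __init__(self, passwords): self.passwords = passwords   # demo only: real systems store hashes

    def service_request(self, username: str, password: bytes):
        """Step 203: on a correct password, generate RAND1 for the PC and the authentication server."""
        if not hmac.compare_digest(self.passwords.get(username, b""), password):
            return None
        return secrets.token_bytes(4)         # 8 hex digits are short enough to type on the phone

def run_flow(app, auth_server, username, password, usim, mistype_rand1=False) -> bool:
    """End to end: PC login, RAND1 over both channels, AKA on the card, RAND1 typed in, Auth checked."""
    rand1 = app.service_request(username, password)
    if rand1 is None:
        return False
    imsi, (rand2, autn) = auth_server.authentication_request(username, rand1)  # dedicated channel
    res = usim.authenticate(rand2, autn)                                          # step 206
    if res is None:
        return False
    typed = xor(rand1, b"\x01\x00\x00\x00") if mistype_rand1 else rand1          # step 208
    return auth_server.business_authentication_response(username, imsi, bind(res, typed))

def build_demo():
    """Constructed subscriber data for the example; nothing here comes from a real network."""
    k_alice = bytes.fromhex("00112233445566778899aabbccddeeff")
    hss = HSS({"460001234567890": k_alice})
    auth_server = ServiceAuthenticationServer(hss, {"alice": "460001234567890"})
    return ServiceApplicationServer({"alice": b"correct horse"}), auth_server, USIM(k_alice)

if __name__ == "__main__":
    app, auth_server, usim = build_demo()
    print("legitimate user:", run_flow(app, auth_server, "alice", b"correct horse", usim))
    print("stolen password, attacker's own SIM:",
          run_flow(app, auth_server, "alice", b"correct horse", USIM(bytes(16))))
```

The model shows the property the patent claims: an attacker holding only the username/password fails at the card, because a SIM with a different K rejects AUTN and never produces RES, and a user who mistypes RAND1 fails at the server comparison. Two details the patent leaves to the implementer are made explicit here: the stored XAuth is removed on first use, so a captured Auth cannot be replayed, and entries in `pending` should additionally expire after a short timeout, which the model omits.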
Correspondingly, the embodiment of the present invention also proposes a service authentication apparatus located on the network side, which, as shown in Fig. 3, includes:
a receiving module 301, for receiving the authentication request for username information sent by the service application server, wherein the authentication request contains an authentication random number that the service application server randomly generated according to a preset algorithm and sent to the service authentication server when it received a service request containing the username information from the client;
an obtaining module 302, for obtaining, from the stored correspondence between username information and the user identity information of the terminal containing the SIM/USIM (subscriber identity module/universal subscriber identity module) card, the user identity information corresponding to the username information targeted by the authentication request, and for obtaining the authentication vector of that user identity information, wherein the authentication vector is the vector used for access authentication when the terminal accesses the mobile communication network;
a sending module 303, for sending authentication response information to the terminal;
the receiving module 301 being further used for receiving the service authentication response request sent by the terminal;
a determining module 304, for determining, according to the service authentication response request, the authentication vector and the authentication random number, whether the username information targeted by the authentication request passes service authentication.
Specifically, the service authentication response request contains the terminal-side expected authentication value, which the terminal computed from the received authentication response information and the authentication random number. The determining module 304 is specifically used for determining the network-side expected authentication value, computed from the authentication random number and the obtained authentication vector, and the terminal-side expected authentication value contained in the service authentication response request, and for determining from whether the two match whether the username information targeted by the authentication request passes service authentication.
Specifically, the determining module 304 is used for determining whether the received terminal-side expected authentication value equals the network-side expected authentication value; if so, it determines that the username information targeted by the authentication request passes service authentication and sends an authentication success message to the service application server; otherwise, it determines that the username information does not pass service authentication and sends a service authentication failure message to the service application server.
Correspondingly, the embodiment of the present invention also proposes a service authentication apparatus located on the terminal side, which, as shown in Fig. 4, includes:
an obtaining module 401, for obtaining the authentication response value contained in the received authentication response information, wherein the authentication response information is sent by the network side, according to the obtained authentication vector, to the terminal containing the SIM/USIM card, and the authentication vector is the vector used for access authentication when the terminal accesses the mobile communication network;
a receiving module 402, for receiving the authentication random number sent by the service application server, wherein the authentication random number is randomly generated according to a preset algorithm and sent by the service application server when it receives a service request containing the username information from the client;
a sending module 403, for sending a service authentication response request to the network side according to the received authentication random number and the obtained authentication response value, wherein the service authentication response request contains the username information and the user identity information of the terminal containing the SIM/USIM card, and the network side determines from the service authentication response request whether the username information targeted by the request passes service authentication.
Preferably, the apparatus further includes:
a determining module, for determining the terminal-side expected authentication value, which the terminal computes from the received authentication random number and the obtained authentication response value.
The sending module is specifically used for sending to the network side a service authentication response request containing the terminal-side expected authentication value; the network side then determines whether the username information targeted by the service authentication response request passes service authentication from whether the received terminal-side expected authentication value matches the network-side expected authentication value it has determined.
The apparatus further includes:
a display module, for displaying the interface requesting input of the authentication random number.
With the technical solution proposed by the embodiments of the present invention, the username/password authentication of the prior art is combined with the authentication vector that the terminal containing the SIM/USIM card generates when accessing the communication network and with the authentication random number generated by the service application server, and service authentication is completed jointly by all of them. Service authentication therefore includes identity authentication of the terminal user based on information in the terminal containing the SIM/USIM card, which improves the security of service authentication and effectively prevents an attacker who has obtained the username/password from harming the service system. Moreover, the solution removes the restriction that the user must perform service authentication on the terminal containing the SIM/USIM card itself, and throughout service authentication the terminal user actively participates, which prevents an attacker from completing authentication by legitimate means without the terminal user's knowledge and thereby harming the system.
Those skilled in the art will understand that the embodiments of the present invention can be provided as a method, an apparatus (device) or a computer program product. Therefore, the present invention can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present invention can take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, apparatus (device) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions can also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these changes and modifications of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.

Claims (16)

1. A service authentication method, characterized in that it comprises:
a service authentication server receiving, over an established secure transmission channel, an authentication request for username information sent by a service application server, wherein the authentication request contains an authentication random number, which the service application server randomly generated according to a preset algorithm and sent when it received a service request containing the username information from a first terminal;
obtaining, from a stored correspondence between the username information and the user identity information of a second terminal containing a SIM/USIM (subscriber identity module/universal subscriber identity module) card, the user identity information corresponding to the username information targeted by the authentication request; and
obtaining the authentication vector of the user identity information and sending authentication response information to the second terminal, wherein the authentication vector is the vector used for access authentication when the second terminal accesses the mobile communication network;
receiving a service authentication response request sent by the second terminal, and determining, according to the service authentication response request, the authentication vector and the authentication random number, whether the username information targeted by the authentication request passes service authentication, wherein the service authentication response request contains a terminal-side expected authentication value that the second terminal computed from the received authentication response information and the authentication random number.
2. The method of claim 1, characterized in that
determining, according to the service authentication response request, the authentication vector and the authentication random number, whether the username information targeted by the authentication request passes service authentication comprises:
the service authentication server determining the network-side expected authentication value and the terminal-side expected authentication value contained in the service authentication response request, wherein the network-side expected authentication value is determined from the authentication random number and the obtained authentication vector;
determining, from whether the obtained terminal-side expected authentication value matches the determined network-side expected authentication value, whether the username information targeted by the authentication request passes service authentication.
3. The method of claim 2, characterized in that determining, from whether the obtained terminal-side expected authentication value matches the determined network-side expected authentication value, whether the username information targeted by the authentication request passes service authentication comprises:
determining whether the received terminal-side expected authentication value equals the network-side expected authentication value; if so, determining that the username information targeted by the authentication request passes service authentication and sending an authentication success message to the service application server; otherwise, determining that the username information targeted by the authentication request does not pass service authentication and sending a service authentication failure message to the service application server.
4. A service authentication method, characterized in that it comprises:
a second terminal containing a SIM/USIM card obtaining the authentication response value contained in received authentication response information, wherein the authentication response information is sent by the network side to the second terminal according to an obtained authentication vector, and the authentication vector is the vector used for access authentication when the second terminal accesses the mobile communication network;
receiving an authentication random number entered by the terminal user, wherein the terminal user obtained the authentication random number from a first terminal, and the authentication random number was randomly generated according to a preset algorithm and sent over an established secure transmission channel by a service application server when it received a service request containing username information from the first terminal;
sending a service authentication response request to the network side according to the received authentication random number and the obtained authentication response value, wherein the service authentication response request contains the username information and the user identity information of the second terminal containing the SIM/USIM card, and the network side determines from the service authentication response request whether the username information targeted by the service authentication response request passes service authentication.
5. The method of claim 4, characterized in that sending a service authentication response request to the network side according to the received authentication random number and the obtained authentication response value comprises:
determining a terminal-side expected authentication value, which the second terminal computes from the authentication random number and the obtained authentication response value;
sending to the network side a service authentication response request containing the terminal-side expected authentication value, wherein the network side determines whether the username information targeted by the service authentication response request passes service authentication from whether the terminal-side expected authentication value received in the service authentication response request matches the network-side expected authentication value it has determined.
6. The method of claim 4, characterized in that, after obtaining the authentication response value and before receiving the authentication random number entered by the terminal user, the method further comprises:
displaying an interface requesting input of the authentication random number.
7. A service authentication apparatus, characterized in that it comprises:
a receiving module, for receiving, over an established secure transmission channel, an authentication request for username information sent by a service application server, wherein the authentication request contains an authentication random number that the service application server randomly generated according to a preset algorithm and sent to the service authentication server when it received a service request containing the username information from a first terminal;
an obtaining module, for obtaining, from a stored correspondence between the username information and the user identity information of a second terminal containing a SIM/USIM card, the user identity information corresponding to the username information targeted by the authentication request, and for obtaining the authentication vector of the user identity information, wherein the authentication vector is the vector used for access authentication when the second terminal accesses the mobile communication network;
a sending module, for sending authentication response information to the second terminal;
the receiving module being further used for receiving the service authentication response request sent by the second terminal;
a determining module, for determining, according to the service authentication response request, the authentication vector and the authentication random number, whether the username information targeted by the authentication request passes service authentication, wherein the service authentication response request contains a terminal-side expected authentication value that the second terminal computed from the received authentication response information and the authentication random number.
8. The apparatus of claim 7, characterized in that
the determining module is specifically used for determining the network-side expected authentication value and the terminal-side expected authentication value contained in the service authentication response request, wherein the network-side expected authentication value is determined from the authentication random number and the obtained authentication vector, and for determining, from whether the obtained terminal-side expected authentication value matches the determined network-side expected authentication value, whether the username information targeted by the authentication request passes service authentication.
9. The apparatus of claim 8, characterized in that the determining module is specifically used for determining whether the received terminal-side expected authentication value equals the network-side expected authentication value; if so, determining that the username information targeted by the authentication request passes service authentication and sending an authentication success message to the service application server; otherwise, determining that the username information targeted by the authentication request does not pass service authentication and sending a service authentication failure message to the service application server.
10. A service authentication apparatus, characterized in that it comprises:
an obtaining module, for obtaining the authentication response value contained in received authentication response information, wherein the authentication response information is sent by the network side, according to an obtained authentication vector, to a second terminal containing a SIM/USIM card, and the authentication vector is the vector used for access authentication when the second terminal accesses the mobile communication network;
a receiving module, for receiving an authentication random number entered by the terminal user, wherein the terminal user obtained the authentication random number from a first terminal, and the authentication random number was randomly generated according to a preset algorithm and sent over an established secure transmission channel by a service application server when it received a service request containing username information from the first terminal;
a sending module, for sending a service authentication response request to the network side according to the received authentication random number and the obtained authentication response value, wherein the service authentication response request contains the username information and the user identity information of the second terminal containing the SIM/USIM card, and the network side determines from the service authentication response request whether the username information targeted by the service authentication response request passes service authentication.
11. The apparatus of claim 10, characterized in that the apparatus further comprises:
a determining module, for determining a terminal-side expected authentication value, which the second terminal computes from the authentication random number and the obtained authentication response value;
the sending module being specifically used for sending to the network side a service authentication response request containing the terminal-side expected authentication value, wherein the network side determines whether the username information targeted by the service authentication response request passes service authentication from whether the terminal-side expected authentication value received in the service authentication response request matches the network-side expected authentication value it has determined.
12. The apparatus of claim 10, characterized in that the apparatus further comprises:
a display module, for displaying an interface requesting input of the authentication random number after the obtaining module has obtained the authentication response value and before the receiving module receives the authentication random number entered by the terminal user.
13. A service authentication system, characterized in that it comprises a first terminal, a second terminal containing a SIM/USIM card, a service authentication server and a service application server, wherein a secure transmission channel is provided between the service authentication server and the service application server for communication;
the service application server is used for sending an authentication request for username information, wherein the authentication request contains an authentication random number that the service application server randomly generated according to a preset algorithm when it received a service request containing the username information from the first terminal, and sent over the established secure transmission channel to the service authentication server and to the first terminal respectively;
the service authentication server is used for receiving the authentication request; obtaining, from a stored correspondence between the username information and the user identity information of the terminal containing the SIM/USIM card, the user identity information corresponding to the username information targeted by the authentication request; obtaining the authentication vector of the user identity information, wherein the authentication vector is the vector used for access authentication when the second terminal accesses the mobile communication network; sending authentication response information to the second terminal; receiving the service authentication response request sent by the second terminal; and determining, according to the service authentication response request, the authentication vector and the authentication random number, whether the username information targeted by the authentication request passes service authentication, wherein the service authentication response request contains a terminal-side expected authentication value that the terminal computed from the received authentication response information and the authentication random number;
the second terminal is used for obtaining the authentication response value contained in the received authentication response information, receiving the authentication random number entered by the terminal user, and sending a service authentication response request to the service authentication server according to the authentication random number and the obtained authentication response value, wherein the service authentication response request contains the username information and the user identity information of the second terminal containing the SIM/USIM card.
14. The system of claim 13, characterized in that
the service authentication server is specifically used for determining the network-side expected authentication value and the terminal-side expected authentication value contained in the service authentication response request, wherein the network-side expected authentication value is determined from the authentication random number and the obtained authentication vector, and for determining, from whether the obtained terminal-side expected authentication value matches the determined network-side expected authentication value, whether the username information targeted by the authentication request passes service authentication.
15. The system of claim 14, characterized in that the service authentication server is specifically used for determining whether the received terminal-side expected authentication value equals the network-side expected authentication value; if so, determining that the username information targeted by the authentication request passes service authentication and sending an authentication success message to the service application server; otherwise, determining that the username information targeted by the authentication request does not pass service authentication and sending a service authentication failure message to the service application server.
16. systems as claimed in claim 13, it is characterised in that the second terminal, specifically for being responded in access authentication After value, the interface of displaying request input authentication random number.
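As an added illustration, not code from the patent or its assignee, the following Python models the exchange of claims 13 to 16 on constructed sample data: the random number generated by the service application server, the username-to-identity mapping held by the service authentication server, the authentication response value delivered to the SIM/USIM terminal, the value that terminal derives from the random number the user types in, and the server-side comparison that decides the result. The authentication vector is stood in for by an HMAC over a fresh challenge under a per-subscriber key, and the claims' unspecified "preset algorithm" for the expected authentication value is taken to be HMAC-SHA256; both, like every name and value below, are assumptions.

```python
import hashlib, hmac, secrets
# Constructed sample data: the username -> user identity (SIM/USIM terminal) mapping
# stored at the service authentication server, and a per-subscriber key standing in
# for the material behind the network authentication vector (assumption).
USER_TO_IDENTITY = {"alice": "IMSI-460000000000001"}
SUBSCRIBER_KEY = {"IMSI-460000000000001": b"\x11" * 16}

def get_auth_vector(identity):
    # Stand-in for the access authentication vector: a fresh challenge and its response RES.
    challenge = secrets.token_bytes(16)
    res = hmac.new(SUBSCRIBER_KEY[identity], challenge, hashlib.sha256).digest()
    return {"challenge": challenge, "res": res}

def expectation_value(auth_response_value, auth_random):
    # The claims leave the 'preset algorithm' unspecified; HMAC-SHA256 is assumed here.
    return hmac.new(auth_response_value, auth_random.encode(), hashlib.sha256).hexdigest()

class ServiceAuthServer:
    def __init__(self):
        self.pending = {}  # username -> (authentication random number, vector)
    def on_certification_request(self, username, auth_random):
        # Claim 13: map the username to the identity and fetch that identity's vector.
        identity = USER_TO_IDENTITY[username]
        av = get_auth_vector(identity)
        self.pending[username] = (auth_random, av)
        # Authentication response message delivered to the second terminal.
        return {"identity": identity, "auth_response_value": av["res"]}

    def on_business_auth_response(self, username, identity, terminal_expected):
        # One response per request: the pending entry is consumed whatever the outcome.
        auth_random, av = self.pending.pop(username, (None, None))
        if av is None or USER_TO_IDENTITY.get(username) != identity:
            return "business authentication failed"
        # Claims 14-15: derive the network-side value and compare in constant time.
        network_expected = expectation_value(av["res"], auth_random)
        if hmac.compare_digest(network_expected, terminal_expected):
            return "certification success"
        return "business authentication failed"

def second_terminal(auth_response_value, typed_random):
    # Claim 16: the user types the random number shown on the first terminal.
    return expectation_value(auth_response_value, typed_random)

def run_flow(username, typed_random=None):
    # Whole exchange; typed_random overrides what the user types at the second terminal.
    auth_random = f"{secrets.randbelow(10**6):06d}"  # generated by the service app server
    bas = ServiceAuthServer()
    msg = bas.on_certification_request(username, auth_random)
    value = second_terminal(msg["auth_response_value"], typed_random or auth_random)
    return bas.on_business_auth_response(username, msg["identity"], value)
```

A mistyped random number, a response carrying a different identity than the one the username maps to, or a response for which no request is pending all end in a failure message to the service application server.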

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210581317.XA CN103905400B (en) 2012-12-27 2012-12-27 A kind of service authentication method, apparatus and system

Publications (2)

Publication Number Publication Date
CN103905400A CN103905400A (en) 2014-07-02
CN103905400B true CN103905400B (en) 2017-06-23

Family

ID=50996555

Country Status (1)

Country Link
CN (1) CN103905400B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant