CN103999401B - Methods, systems and devices for promoting client-based authentication - Google Patents


Info

Publication number: CN103999401B
Authority: CN (China)
Prior art keywords: service provider, user, client platform, manager, proof
Legal status: Expired - Fee Related
Application number: CN201180075603.2A
Other languages: Chinese (zh)
Other versions: CN103999401A
Inventors: C·P·卡西尔, V·费加德, J·马丁, A·拉扬, N·M·德什潘德, R·佩尔曼
Current assignee: Intel Corp
Original assignee: Intel Corp
Application filed by Intel Corp
Priority claimed from PCT/US2011/061359 (WO2013058781A1)
Publication of CN103999401A
Application granted
Publication of CN103999401B
Current legal status: Expired - Fee Related


Abstract

The invention discloses methods, systems and devices for promoting client-based authentication. An illustrative method includes: associating a certificate authority with a client platform in an isolated execution environment; associating a user identity with the certificate authority; generating a first key pair associated with a first service provider; generating a proof based on a first authorization sequence of the client platform; signing the proof using a part of the key pair; and sending the signed proof to the first service provider to authorize communication between the client platform and the first service provider.

Description

Methods, systems and devices for promoting client-based authentication
Cross-reference to related applications
This application claims the benefit of U.S. Provisional Patent Application No. 61/548,570, filed October 18, 2011, which is incorporated herein by reference in its entirety.
Technical field
The disclosure relates generally to network security and, more particularly, to methods, systems and devices for promoting client-based authentication.
Background
In recent years, the number of places in which a user's identity is stored for online services has grown continuously. Each user may interact with multiple online service providers (such as bank websites, library websites, streaming movie portals, social network portals and web-based e-mail services), each of which generally requires at least one form of authentication. A typical form of authentication is a user name and a corresponding password, which are generally managed and stored by the respective service provider. The user name and password are intended to let the service provider confirm that the visitor corresponds to an identity, such as the identity associated with an account (e.g., a bank account, a library account, a movie streaming account, a social network portal account or a web e-mail account).
In many cases, users find managing multiple different user name and/or password combinations tedious and/or burdensome. As a result, many users apply the same user name and/or password to each of multiple online service providers. In addition, the user names and passwords that users select and/or generate are generally weak and/or susceptible to, for example, dictionary attacks.
Brief description of the drawings
Fig. 1 is a schematic diagram of an example authentication system, constructed in accordance with the teachings of this disclosure, for promoting client-based authentication.
Fig. 2 is a schematic diagram of an example implementation of the example trusted identity manager of Fig. 1 for promoting client-based authentication.
Figs. 3, 4A, 4B, 5 and 6 are flowcharts representing example machine-readable instructions that may be executed to implement the example client-based authentication system of Fig. 1 and/or the trusted identity manager of Fig. 1 and/or Fig. 2.
Fig. 7 illustrates an example processor platform that may execute the instructions of Figs. 3, 4A, 4B, 5 and/or 6 to implement any or all of the example methods, systems and/or devices disclosed herein.
Detailed description
Methods, systems, devices and articles of manufacture are disclosed that include: associating a certificate authority with a client platform in an isolated execution environment; associating a user identity with the certificate authority; generating a first key pair associated with a first service provider; generating a proof based on a first authorization sequence of the client platform; signing the proof using a part of the key pair; and sending the signed proof to the first service provider to authorize communication between the client platform and the first service provider.
Using a unique user name and password combination for each service provider minimizes the amount and/or degree of damage a hacker can cause when one service provider's system is compromised. For example, a compromised service provider system may have stored user names and passwords in the clear; if the user uses the same user name/password combination at one or more other websites, the user's security at those other services is placed at risk of further attack. Moreover, even when a user employs multiple different combinations of user name and password, those combinations are relatively easy for an attacker/hacker to guess from readily available information about the user (such as first name, middle initial, surname, telephone number, etc.). In other words, despite service providers' rules and/or recommendations, users seldom create secure random passwords. Further, a user who employs multiple different user name and password combinations may find remembering them tedious and/or impractical. In that case, the user may rely on one or more "cheat-sheets" which, once lost or stolen, expose the user to substantial risk of identity theft, bank theft, impersonation and the like.
In most cases, authentication occurs at the start of a session between a user and a service provider. If an authenticated session receives no input for a threshold period of time, the service provider may automatically terminate the session for inactivity. Auto-timeout attempts to protect a user who inadvertently forgets to log out of an active session, preventing others from viewing and/or interacting with the user's account. Although a relatively short timeout period minimizes the risk of others interacting with the user's account, such a short timeout can be very annoying to a user who is still beside the machine in use (such as a PC, laptop computer, tablet PC, phone, etc.). Moreover, a short timeout still cannot protect a user who has logged into the service provider's website on a machine and then walked away from it.
The methods, apparatus, systems and/or articles of manufacture disclosed herein extend the identity manager from trusted client hardware to facilitate, in part, local authentication of the client user, detection of the client user's presence and continuous passive re-authentication. In addition, when the client user leaves, the methods, apparatus, systems and/or articles disclosed herein invoke active session protection, thereby eliminating dependence on predetermined and/or customized timeout periods managed by, for example, the service provider.
In the example illustrated in Fig. 1, an example client-based authentication (CBA) system 100 includes a client platform 102 communicatively coupled, via one or more networks 108, to an authentication device pool 104 containing any number of authentication devices 104a-n and to service providers 106. The example client platform 102 may include any type of client computing device, including but not limited to a personal computer (PC) (e.g., desktop, laptop or notebook computer), a server/workstation, a personal digital assistant (PDA), a phone (e.g., a smartphone) and/or a tablet computing device (e.g., a tablet PC). The example authentication device pool 104 may include any number of authentication devices 104a-n, which may operate as built-in components of the example client platform 102 and/or be communicatively coupled to the example client platform 102 via one or more communication paths, including but not limited to Universal Serial Bus (USB), FireWire (IEEE 1394), parallel port, serial port (e.g., RS-232), General Purpose Interface Bus (GPIB, IEEE 488), Bluetooth, LAN connection and/or Wi-Fi (IEEE 802.11x). The example authentication devices 104a-n may include but are not limited to fingerprint readers, cameras (e.g., webcams), smart card readers, keyboards, motion sensors and/or biometric sensing devices.
A user of a computing platform typically performs one or more operations by connecting to a service provider via a network (such as the Internet). Traditionally, service providers 106 manage one or more authentication services and/or processes using user name and corresponding password authentication, which is relatively inexpensive to deploy and maintain. However, such service-provider-managed authorization schemes can lead to theft and/or compromise of user credentials by adversaries, especially when users become complacent and use identical and/or similar user name and password combinations at multiple different service providers. Once one service provider is attacked, the attacker may also use the user name and password combination to obtain access to other service providers (such as bank websites/portals and/or e-mail websites/portals). Moreover, even if the user has used different user name and password combinations as credentials for accessing service providers, the service provider may still have no indication that the entity holding the credentials is legitimately associated with the corresponding service provider account. In other words, the accessing entity may be an adversary who has stolen the user name and password combination.
To reduce and/or even eliminate situations in which credentials are misused when accessing one or more service providers 106, the example client platform 102 of Fig. 1 includes a trusted identity manager (TIM) 110 (a certificate authority) located in a secure container 112. The example secure container 112 of Fig. 1 includes one or more secure applications 114 which, when executed, allow one or more transactions to proceed in a trusted manner, as described in detail below. The example secure container 112 provides an isolated execution environment (IEE), a root of trust established with service providers, data sealing, a random number generator for generating strong encryption keys and for the nonces used to sign attestations and to encrypt sealed data, the establishment of trusted paths to one or more applications and/or authentication devices 104a-n, and/or a real-time clock for minimizing replay attacks involving stale messages. In some examples, the secure container 112 may be implemented in a manner consistent with International Publication No. WO2010/057065A2, entitled "Method and Apparatus to Provide Secure Application Execution", filed November 14, 2009. In other examples, the TIM 110 may be implemented on a smart card, for example a smart card comprising tamper-resistant data storage, authentication code and/or an isolated processor.
The IEE generated by the example secure container 112 of Fig. 1 protects the TIM 110 and the secure applications 114 from software and hardware adversaries, for example from attempts to intercept communications along a bus of the example client platform 102. The IEE generated by the example secure container 112 prevents hardware and/or software outside the secure container 112 from successfully reading, altering and/or deleting the contents of the secure container 112. To allow the TIM 110 to perform attestation, the secure container 112 establishes a root of trust on the client platform 102, and that root of trust can cryptographically measure the TIM 110 and/or the secure applications 114 on behalf of a requesting service provider 106. In some examples, the secure container 112 signs the attestation over the measurement with a root-of-trust private key that never leaves the root of trust, and the service provider 106 can verify the signature using the corresponding public key, thereby determining whether the measurement and/or assertion has the expected value.
The data sealing provided by the example secure container 112 of Fig. 1 protects data when it is stored outside the secure container 112. Sealing performed by the example secure container 112 may use only a key that is stored and used inside the hardware security component, and/or may use a measurement of system state (such as the state of the client platform 102 at encryption time) to encrypt the data. In some examples, decryption is performed only when the same system state measurement is collected at decryption time. If data previously sealed by the example secure container 112 has been corrupted, decryption is prevented unless the original platform key used during encryption is available.
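The sealing behaviour described above, where the key is bound to a platform key that never leaves the hardware and to a measurement of system state, can be shown with a small Go program. This is an added illustration and not code from the patent or from Intel; the platform key, the measurements and the KDF (a SHA-256 hash over the platform key and the measurement, standing in for whatever the secure container's hardware would do) are all constructed assumptions. The measurement is also bound as AEAD associated data, so a sealed blob only opens when the same measurement is presented and the blob is intact.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed stand-in for the primary platform key, which in the patent's
// design is stored and used only inside the hardware security component.
var platformKey = sha256.Sum256([]byte("constructed-platform-root-key"))

// sealKey derives the data-encryption key from the platform key and the
// system-state measurement, so only the same measured state re-derives it.
// (Assumption: a hash-based KDF; real hardware would use its own mechanism.)
func sealKey(measurement []byte) []byte {
	h := sha256.New()
	h.Write(platformKey[:])
	h.Write([]byte("seal-v1"))
	h.Write(measurement)
	return h.Sum(nil)
}

// Seal encrypts plaintext with AES-256-GCM under a key bound to measurement
// and returns nonce || ciphertext. The measurement is also authenticated as
// associated data, so substituting it is detected at unseal time.
func Seal(measurement, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(sealKey(measurement))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, measurement)...), nil
}

// Unseal reverses Seal. It returns an error, and no plaintext, when the
// measurement differs from the one used at sealing time or the blob is damaged.
func Unseal(measurement, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(sealKey(measurement))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, measurement)
	if err != nil {
		return nil, errors.New("unseal refused: platform state changed or blob corrupted")
	}
	return pt, nil
}

func main() {
	// Constructed measurements of the TIM and secure container contents.
	good := sha256.Sum256([]byte("measurement: unmodified TIM + secure applications"))
	bad := sha256.Sum256([]byte("measurement: modified TIM"))

	blob, err := Seal(good[:], []byte("TIM login credential record"))
	if err != nil {
		panic(err)
	}
	pt, err := Unseal(good[:], blob)
	fmt.Printf("same state: %q err=%v\n", pt, err)
	_, err = Unseal(bad[:], blob)
	fmt.Printf("changed state: err=%v\n", err)
}
```

The refusal on a changed measurement is what the patent calls "decryption is prevented": the secret is never released to a platform whose measured state differs from the one that sealed it.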
In operation, the example TIM 110 of Fig. 1 allows an authorized user of the client platform 102 to obtain authorization to use the client platform 102 and its one or more services, authenticates the user at one or more service providers 106 without entering and/or disclosing common credentials, and monitors the user's presence so that, when the user leaves the vicinity of the client platform 102, the TIM pre-empts the service provider's timeout and/or activates a forced logout between the client platform 102 and the service provider 106. The example TIM 110 in part allows the client platform 102 to establish secure channels to one or more service providers 106, eliminates the disclosure of user credentials, and manages one or more sessions through presence monitoring. Presence monitoring may be performed periodically, aperiodically, on a schedule and/or manually. As explained in more detail below, presence monitoring may include facial recognition techniques performed, for example, once every ten seconds. In some examples, monitoring of the user may occur substantially continuously.
In the example illustrated in Fig. 2, the TIM 110 is shown in further detail and includes a session manager 202, which is communicatively coupled to service providers 106 via the network 108 and a browser plug-in 204. The example TIM 110 of Fig. 2 also includes an authentication manager 206, a presence manager 208, an authentication provider 210, a presence provider 212 and an assertion provider 214. The example TIM 110 of Fig. 2 further includes an object facial recognition (OFR) module 216, a passphrase module 218, a Security Assertion Markup Language (SAML) module 220, an OpenID module 222 and a TIM database 224. As described in detail below, the example TIM 110 authorizes users to use the TIM 110, activates an initial attestation process for a user newly connecting to a service provider 106, activates a passive attestation process for an ongoing session at a service provider 106, establishes a trusted relationship between the TIM 110 and the service provider 106, facilitates unique profile instructions for each user and/or service provider relationship, and monitors service provider sessions to ensure security.
Before a user interacts with the example TIM 110, the TIM 110 is unassigned, unauthorized and/or not associated with any user of the example client platform 102. Before the example TIM 110 can send assertions to one or more service providers 106 on the user's behalf, the example TIM 110 is associated with a user identity via the example authentication manager 206. A user identity may be established in many ways, including but not limited to obtaining a certificate issued by a third party, and generating a private/public key pair using a random number generator and the time of day as input. For example, some jurisdictions have a Department of Motor Vehicles (DMV) that issues electronic driver's licenses. Such a license is an example of a security credential that the example TIM 110 binds to the user. In the illustrated example, only the third-party issuer (i.e., the DMV) can place the certificate on the example TIM 110, and the credential can be verified using a public key published by the third party. For maximum security, the third-party issuer may require that the credential be physically brought to the third-party issuer (e.g., the DMV) for initial association, where the credential can be applied to the TIM 110. The third-party certificate is associated with the combination of the TIM 110 and the user identity information and is stored in the example TIM database 224.
In addition, the example authentication manager 206 may require the creation of TIM login credentials: during the association with the third-party certificate at the issuing entity's location (e.g., the DMV), the user enters a separate user name and password combination as the TIM login credentials. The TIM login credentials are stored in the example TIM database 224 which, owing to the example secure container 112, cannot be reached by outside read and/or write attempts. In the illustrated example, although the TIM login credentials are used to authorize the user to the TIM 110, they are not used for authentication to service providers 106. The TIM login credentials never leave the example TIM 110, which minimizes the chance of their discovery by a hacker.
In some examples, when creating the TIM login credentials, the authentication manager 206 may invoke one or more devices (e.g., keyboard, webcam, smart card reader, etc.) from the authentication provider 210. Any number of TIM login credential combinations may be established for authentication. For example, a service provider 106 associated with a relatively insensitive service (e.g., a library website) may allow full use of its website and/or portal after a minimal authentication process (e.g., a webcam image match). In other examples, a service provider 106 associated with a sensitive service (e.g., a bank website) may allow only browsing of financial data when the user's authentication to the TIM 110 was limited to a webcam image match, but allow financial transactions when the authentication included two or more different and/or alternative authentication means (e.g., the combination of a webcam image and a password).
After the example TIM 110 has been associated with a user of the client platform 102, the example TIM 110 of Fig. 2 invokes two-stage authentication of the user during a session with one or more service providers 106. The first stage is initial authentication, in which the client platform 102 is locked. The second stage is passive re-authentication, in which the client platform 102 has already been unlocked by authentication but requires one or more indications of the user's presence to maintain the unlocked state; without them, the user is prevented from accessing one or more resources of the client platform 102. A user profile, which may be stored in the example TIM database 224, may be used to determine the security level during initial authentication and/or passive re-authentication. In some examples, initial authentication requires a relatively high security level, calling for a combination of credentials (e.g., webcam image plus fingerprint scan plus password, or RFID tag detection plus webcam image face recognition). In other examples, passive re-authentication requires a relatively lower degree of security (compared with that required for initial authentication), for example occasionally capturing a webcam image of the user at the client platform 102. Passive re-authentication may be performed periodically, aperiodically, on a schedule and/or manually. The frequency and/or degree of authentication may be determined by the user profile, the service provider's requirements and/or a combination thereof.
After the example TIM 110 of Fig. 2 has authenticated the user at the client platform 102, the example TIM 110 contacts the service provider 106 via one or more provisional protocols during the first client connection. In other words, each party, the example TIM 110 and the service provider 106, must verify that the other is trustworthy. In operation, the example session manager 202 determines whether the TIM 110 and the service provider 106 already have an existing relationship with each other. If not, the example TIM 110 generates a shared name to be used when asserting user authentication to the service provider 106. The example service provider 106 may associate the shared name with the account related to the user. In some examples, the service provider 106 may perform an out-of-band assessment of the example TIM 110 based on a cryptographic hash to determine whether the TIM 110 is legitimate. In other examples, the service provider 106 may verify the root of trust associated with the example secure container 112 so that the service provider 106 can verify one or more attestations received from the example TIM 110.
In response to a user's request for a resource from a service provider 106, the example TIM 110 of Fig. 2 sends an HTTP request including a tag that indicates the TIM 110 and/or the strength of the authentication, facilitated by the TIM 110, that allowed the user to access the example client platform 102. When the TIM 110 receives a corresponding request for authentication from the service provider 106, the TIM 110 verifies and/or decides whether to generate a public/private key pair based on one or more profile instructions associated with the user and stored, for example, in the example TIM database 224. In some examples, the session manager 202 of the TIM 110 activates one or more prompts (e.g., a clickable dialog box) on the client platform 102 requesting permission to issue and/or directly send an attestation. In some examples, the profile allows automatic authorization of the authentication process. Automatic authorization may be based, for example, on the service provider 106 with which the user is attempting to interact.
The example authentication manager 206 of the TIM 110 of Fig. 2 generates and/or provides the shared name to the service provider 106. The example shared name may be an alphanumeric string and/or a public key generated by the example authentication manager 206 for the service provider 106. Where the example TIM 110 operates and/or interacts with other service providers 106, the example authentication manager 206 may generate a unique private/public key pair for each respective service provider 106. To prove that the example TIM 110 has not been modified and is running in the IEE, the example authentication manager 206 generates a self-attestation. As described above, the attestation uses the root of trust of the example secure container 112, which the example TIM 110 can cryptographically measure and sign using its private key, a key that never leaves the TIM 110 and/or the secure container 112. The corresponding public key, however, is provided outside the TIM 110 so that the service provider 106 has the opportunity to verify anything signed by the TIM 110.
If the service provider 106 already has a pre-existing account for the user, one or more out-of-band confirmation processes may associate the user account with the shared name. Out-of-band confirmation may be performed, for example, by sending a text message containing a (e.g., randomly generated) code to a phone associated with the user, by sending an e-mail containing a code to an e-mail account associated with the user, and so on. On the other hand, if the user has no pre-existing account at the service provider 106, one or more out-of-band account creation processes may be performed. In either case, the shared name and the public key are associated with the user so that attestations subsequently sent by the TIM 110 can be recognized by the receiving service provider 106.
The example TIM 110 sends a signed attestation to the service provider 106 to assert the shared name and authentication information for the user. The authentication information may include but is not limited to timestamp information, attestation expiry information, and information about the TIM 110 authentication method(s) used to allow the user to access the client platform 102 (e.g., facial recognition, facial recognition plus fingerprint scan, facial recognition plus fingerprint scan plus password, etc.). The shared name and authorization information, signed with the private key that the example TIM 110 generated for the TIM/SP pairing, are sent to the service provider 106 and can be verified by the service provider 106 using the public key. Although the TIM 110 attests to the method it used to authenticate the user, the example TIM 110 of Fig. 2 does not send the user credentials that allowed the user initial access to the client platform 102. Thus, by withholding user credentials during TIM attestation, storage of those credentials at remote providers is eliminated. This also prevents an adversary from obtaining the user credentials and asserting them independently, since the credentials are never presented to anyone but the TIM 110.
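The exchange described in the preceding paragraphs (a per-service-provider key pair whose public key serves as the shared name, a signed attestation carrying timestamp, expiry and authentication method but no user credentials, and provider-side verification) can be demonstrated with a small Go program. This is an added example, not code from the patent or from Intel. The message format (JSON), the Ed25519 signature scheme, the field names and the freshness window are all assumptions made here; the patent only specifies what the attestation carries, not its encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Attestation is the signed assertion the TIM sends to one service provider.
// It names the shared name and the authentication method and carries freshness
// data; it deliberately has no field for the user's own credentials.
type Attestation struct {
	SharedName string `json:"shared_name"` // hex of the per-provider public key
	AuthMethod string `json:"auth_method"` // e.g. "face+fingerprint"
	IssuedAt   int64  `json:"issued_at"`   // unix seconds, from the secure clock
	ExpiresAt  int64  `json:"expires_at"`  // unix seconds
}

// TIM holds one key pair per service provider. Private keys never leave it.
type TIM struct {
	keys map[string]ed25519.PrivateKey
}

func NewTIM() *TIM { return &TIM{keys: map[string]ed25519.PrivateKey{}} }

// Enroll generates a fresh key pair for a provider and returns the public key,
// which the provider stores against the user's account as the shared name.
func (t *TIM) Enroll(provider string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t.keys[provider] = priv
	return pub, nil
}

// Attest builds and signs an attestation for the provider with that
// provider's private key. It returns the encoded message and its signature.
func (t *TIM) Attest(provider, authMethod string, now time.Time, ttl time.Duration) ([]byte, []byte, error) {
	priv, ok := t.keys[provider]
	if !ok {
		return nil, nil, errors.New("no key pair enrolled for provider")
	}
	a := Attestation{
		SharedName: hex.EncodeToString(priv.Public().(ed25519.PublicKey)),
		AuthMethod: authMethod,
		IssuedAt:   now.Unix(),
		ExpiresAt:  now.Add(ttl).Unix(),
	}
	msg, err := json.Marshal(a)
	if err != nil {
		return nil, nil, err
	}
	return msg, ed25519.Sign(priv, msg), nil
}

// Verify is the service-provider side: check the signature with the enrolled
// public key, confirm the shared name matches that key, and reject attestations
// that are expired or dated in the future (stale or replayed messages).
func Verify(pub ed25519.PublicKey, msg, sig []byte, now time.Time, maxSkew time.Duration) (*Attestation, error) {
	if !ed25519.Verify(pub, msg, sig) {
		return nil, errors.New("signature does not verify under enrolled key")
	}
	var a Attestation
	if err := json.Unmarshal(msg, &a); err != nil {
		return nil, err
	}
	if a.SharedName != hex.EncodeToString(pub) {
		return nil, errors.New("shared name does not match enrolled key")
	}
	if now.Unix() > a.ExpiresAt {
		return nil, errors.New("attestation expired")
	}
	if a.IssuedAt > now.Add(maxSkew).Unix() {
		return nil, errors.New("attestation issued in the future")
	}
	return &a, nil
}

func main() {
	tim := NewTIM()
	bankKey, _ := tim.Enroll("bank") // out-of-band account association happens here
	now := time.Now()
	msg, sig, _ := tim.Attest("bank", "face+fingerprint", now, 30*time.Second)
	a, err := Verify(bankKey, msg, sig, now, 10*time.Second)
	fmt.Printf("accepted=%v method=%q err=%v\n", err == nil, a.AuthMethod, err)
	_, err = Verify(bankKey, msg, sig, now.Add(time.Minute), 10*time.Second)
	fmt.Printf("one minute later: err=%v\n", err)
}
```

Because each provider gets its own key pair, a provider that is compromised learns nothing that would let it impersonate the user elsewhere, and the attestation never carries the password, fingerprint or face data that unlocked the platform.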
Example service providers 106 may use different protocols. To allow communication with different service providers 106 that use different protocols, the example TIM 110 includes the OpenID module 222 and the SAML module 220. In general, OpenID is an open standard defining a user-centric and/or decentralized authentication framework, and SAML is an open standard for exchanging authentication and/or authorization data between one or more security domains. Using open standards benefits the TIM 110 and/or the service providers 106 because it provides a common, predefined communication language that every connection can use.
During an ongoing session between the user at the client platform 102 and a service provider 106, the example presence manager 208 interfaces with one or more presence providers 212 to determine whether the authenticated user is still present (e.g., near the client platform 102). The example presence provider 212 of Fig. 2 queries one or more of the authentication devices 104a-n for authentication and/or re-authentication events, for example via one or more modules (e.g., the example OFR module 216, the example passphrase module 218, etc.). Authentication and/or re-authentication events may include messages from the modules and/or the authentication devices 104a-n, such as a message indicating that the user's presence has been detected via a webcam or fingerprint scanner and/or a message indicating that the user's presence has been lost or is absent.
The example session manager 202 manages one or more user policies. For example, in response to a message from the example authentication manager 206 and/or the example presence manager 208 that the user has been authenticated, the example session manager 202 queries the example TIM database 224 for the instructions associated with the profile related to the user. The resulting actions and/or permissions may be governed by one or more profile instructions stored in the example TIM database 224 (e.g., the degree of security required by a particular service provider 106). For example, if the profile associated with the user dictates that automatic login to an e-mail service provider should occur, the example session manager 202 suppresses the permission dialog that would otherwise prompt the user before the TIM 110 is invoked to send a signed attestation to the e-mail service provider. In some examples, if the example presence manager 208 receives and/or generates a message indicating that presence has been lost, the profile may dictate that the TIM 110 lock, preventing others from using the client platform 102 while the user is away. In addition, the profile may dictate that the TIM 110 send an exit message to one or more service providers 106 with which a session was previously active.
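The policy behaviour described for the session manager above, together with the per-provider security levels (browse versus transact) and the presence-loss handling from the earlier paragraphs on two-stage authentication, is illustrated by the following Go program. It is an added example and not code from the patent or from Intel; the profile fields, the factor names, the "browse"/"transact" action names and the way exit messages are recorded rather than sent over the network are all assumptions made for this illustration.

```go
package main

import "fmt"

// Factor is one authentication signal the authentication manager has verified.
// The names are constructed for this example.
type Factor string

const (
	FactorFace        Factor = "webcam-face"
	FactorFingerprint Factor = "fingerprint"
	FactorPassword    Factor = "password"
)

// Profile is the per-service-provider instruction set kept in the TIM database.
type Profile struct {
	Provider        string
	AutoLogin       bool // send the signed attestation without a permission dialog
	BrowseFactors   int  // distinct factors required to browse
	TransactFactors int  // distinct factors required to transact
	LockOnAbsence   bool // send an exit message when the user's presence is lost
}

// SessionManager tracks verified factors, active provider sessions and lock state.
type SessionManager struct {
	profiles map[string]Profile
	factors  map[Factor]bool
	active   map[string]bool
	Locked   bool
	Logouts  []string // providers that were sent an exit message
	Prompts  []string // providers for which a permission dialog was shown
}

func NewSessionManager(profiles ...Profile) *SessionManager {
	m := &SessionManager{profiles: map[string]Profile{}, factors: map[Factor]bool{}, active: map[string]bool{}, Locked: true}
	for _, p := range profiles {
		m.profiles[p.Provider] = p
	}
	return m
}

// Authenticate records factors verified by the authentication manager (initial
// authentication or passive re-authentication) and unlocks the platform.
func (m *SessionManager) Authenticate(fs ...Factor) {
	for _, f := range fs {
		m.factors[f] = true
	}
	m.Locked = false
}

// Login opens a session with the provider if enough factors are present,
// showing the permission prompt unless the profile allows automatic login.
func (m *SessionManager) Login(provider string) bool {
	p, ok := m.profiles[provider]
	if !ok || m.Locked || len(m.factors) < p.BrowseFactors {
		return false
	}
	if !p.AutoLogin {
		m.Prompts = append(m.Prompts, provider)
	}
	m.active[provider] = true
	return true
}

// Allowed decides whether "browse" or "transact" is permitted right now.
func (m *SessionManager) Allowed(provider, action string) bool {
	p, ok := m.profiles[provider]
	if !ok || m.Locked || !m.active[provider] {
		return false
	}
	switch action {
	case "browse":
		return len(m.factors) >= p.BrowseFactors
	case "transact":
		return len(m.factors) >= p.TransactFactors
	}
	return false
}

// OnPresence is driven by the presence manager. Loss of presence locks the
// platform, forgets verified factors and sends exit messages to providers whose
// profile asks for it, without waiting for the provider's own idle timeout.
func (m *SessionManager) OnPresence(present bool) {
	if present {
		return
	}
	m.Locked = true
	m.factors = map[Factor]bool{}
	for provider := range m.active {
		if m.profiles[provider].LockOnAbsence {
			m.Logouts = append(m.Logouts, provider)
			delete(m.active, provider)
		}
	}
}

func main() {
	m := NewSessionManager(
		Profile{Provider: "bank", BrowseFactors: 1, TransactFactors: 2, LockOnAbsence: true},
		Profile{Provider: "library", AutoLogin: true, BrowseFactors: 1, TransactFactors: 1},
	)
	m.Authenticate(FactorFace)
	m.Login("bank")
	fmt.Println("bank transact with one factor:", m.Allowed("bank", "transact"))
	m.Authenticate(FactorPassword)
	fmt.Println("bank transact with two factors:", m.Allowed("bank", "transact"))
	m.OnPresence(false)
	fmt.Println("locked:", m.Locked, "exit messages sent to:", m.Logouts)
}
```

Two points follow the patent's design: the bank's session is ended by the TIM the moment presence is lost rather than by the bank's inactivity timer, and a returning user must re-present factors (here, a face match) before even the surviving library session becomes usable again.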
Although exemplified with implementation example CBA systems 100 and example T IM110 exemplary approach in Fig. 1 and Fig. 2, It is that one or more in part shown in Fig. 1 and Fig. 2, processing and/or equipment can be merged, divide, reconfiguring Put, omit, removing and/or being implemented with other any-modes.In addition, exemplary CBA systems 100 in Fig. 1 and Fig. 2, exemplary Client platform 102, illustrative authentication equipment pond 104, illustrative authentication equipment 104a-n, example T IM110, exemplary meeting Talk about manager 202, illustrative authentication manager 206, exemplary presence manager 208, illustrative authentication provider 210, example Provider 212 be present, exemplary assert provider 214, exemplary OFR modules 216, exemplary cryptographic phrase module 218, show in property Example property SAML modules 220, exemplary open ID modules 222 and/or example T IM databases 224 can be by one or more Individual circuit, programmable processor, application specific integrated circuit (ASIC), programmable logic device (PLD) and/or field programmable logic are set Standby (FPLD) etc. is realized.When any part in the device or system claims for reading this patent includes pure software and/or consolidates During part implementation, exemplary CBA systems 100, exemplary client platform 102, illustrative authentication equipment in Fig. 1 and Fig. 
2 Pond 104, illustrative authentication equipment 104a-n, example T IM110, exemplary session manager 202, illustrative authentication manager 206th, exemplary presence manager 208, illustrative authentication provider 210, it is exemplary provider 212 be present, exemplary assert carries For device 214, exemplary OFR modules 216, exemplary cryptographic module 218, exemplary SAML modules 220, exemplary open ID modules At least one in 222 and/or example T IM databases 224 is briefly defined to include herein to store the software and/or solid The tangible computer-readable medium (memory, DVD, CD etc.) of part.In addition, the exemplary CBA systems in Fig. 1 and Fig. 2 100 and/or example T IM110 beyond part illustrated in Fig. 1 and Fig. 2, processing and equipment can also comprising one or Person more parts, processing and/or equipment, or part, processing and equipment illustrated in Fig. 1 and Fig. 2 are replaced, and/or can With including multiple or all of more than one part, processing and the equipment in illustrated part, processing and equipment.
Fig. 3, Fig. 4A, Fig. 4B, Fig. 5 and/or Fig. 6 are flow diagrams representative of example machine readable instructions for implementing the CBA system 100 of Fig. 1 and/or the example TIM 110 of Fig. 1 and/or Fig. 2. In these examples, the machine readable instructions comprise a program for execution by a processor, such as the processor P105 shown in the example computer P100 discussed below in connection with Fig. 7. The program may be embodied in software stored on a tangible computer-readable medium such as a CD-ROM, a floppy disk, a hard disk drive, a digital versatile disc (DVD), or a memory associated with the processor P105, but the entire program and/or parts thereof could alternatively be executed by a device other than the processor P105 and/or embodied in firmware or dedicated hardware. Further, although the example processes are described with reference to the flow charts illustrated in Fig. 3, Fig. 4A, Fig. 4B, Fig. 5 and/or Fig. 6, many other methods of implementing the example CBA system 100 and/or the example TIM 110 may alternatively be used. For example, the order of execution of the blocks may be changed, and/or some of the blocks described herein may be changed, eliminated, or combined.
As mentioned above, the example processes of Fig. 3, Fig. 4A, Fig. 4B, Fig. 5 and/or Fig. 6 may be implemented using coded instructions (e.g., computer-readable instructions) stored on a tangible computer-readable medium such as a hard disk drive, a flash memory, a ROM, a CD, a DVD, a cache, a RAM and/or any other storage medium in which information is stored for any duration (e.g., for extended time periods, permanently, briefly, for temporarily buffering, and/or for caching of the information). As used herein, the term "tangible computer-readable medium" is expressly defined to include any type of computer-readable memory. Additionally or alternatively, the example processes of Fig. 3, Fig. 4A, Fig. 4B, Fig. 5 and/or Fig. 6 may be implemented using coded instructions (e.g., computer-readable instructions) stored on a non-transitory computer-readable medium such as a hard disk drive, a flash memory, a ROM, a CD, a DVD, a cache, a RAM and/or any other storage medium in which information is stored for any duration (e.g., for extended time periods, permanently, briefly, for temporarily buffering, and/or for caching of the information). As used herein, the term "non-transitory computer-readable medium" is expressly defined to include any type of computer-readable medium.
The program 300 of Fig. 3 begins at block 302, where the example session manager 202 determines whether a TIM 110 has been established, assigned, authorized and/or otherwise associated with the client platform 102 and/or a user of the client platform 102. If not (block 302), the example authentication manager 206 associates a user identity with the TIM 110 (block 304). As described above, the user identity may be associated with the TIM 110 by way of a credential issued by a third party (e.g., an electronic driver's license issued by a DMV), or the user identity may be generated in conjunction with a private/public key pair of the user. The user may provide and/or select, via the TIM 110, one or more credentials to be associated with the user in order to obtain access to the client platform 102 (block 306), and in the illustrated example the credentials are stored in the example TIM database 224 and never leave the TIM 110 (block 308).
When the example session manager 202 determines that a TIM 110 has already been initialized for the client platform 102 (block 302), the session manager 202 determines whether the client platform 102 is currently locked (block 310). The client platform 102 may become locked, for example, when the client platform 102 is initially powered on, when the user logs out of an account, or when the user walks away from the client platform 102. In some examples, if the client platform 102 is in a locked state, accessing the client platform 102 requires a relatively high level of security authentication, the security level required to unlock being governed by one or more profiles. If the client platform 102 is locked (block 310), the example session manager 202 invokes the example authentication manager 206 to invoke an initial attestation process (block 312). Block 312 is described in further detail below in connection with Fig. 5. If the example session manager 202 determines that the client platform 102 is currently not locked (block 310), the session manager 202 invokes the example presence manager 208 to invoke a passive re-authentication process (block 314). Block 314 is described in further detail below in connection with Fig. 6. The example program 300 of Fig. 3 then returns to block 302.
The program 400 of Fig. 4A and Fig. 4B begins at block 402, where the example session manager 202 determines whether a request to communicate with a service provider 106 has been issued. If not (block 402), the example session manager 202 waits for a request to be issued. Otherwise, the session manager 202 queries the example TIM database 224 to determine whether a relationship exists and/or has been established between the TIM 110 and the requested service provider 106. If no relationship has been established between the example TIM 110 and the service provider 106 (block 404), the example authentication manager 206 sends an initial credential-request message to the service provider (block 406). After an acknowledgement is received from the service provider 106, the authentication manager 206 sends a TIM certificate to the service provider 106 (block 408). Control then returns to block 402. The example service provider 106 may perform one or more out-of-band evaluations of the TIM certificate to verify its authenticity and/or identity. For example, the service provider 106 may perform a hash of the TIM 110 and/or may verify a root of trust associated with the example secure container 112.
Referring back to block 404, if a relationship exists and/or has been established between the TIM 110 and the requested service provider 106 (block 404), the example TIM 110 sends an HTTP request to the service provider 106 carrying one or more tags indicating that the user on the client platform 102 has been authenticated in a secure manner using the TIM 110 (block 410). The example authentication manager 206 waits for an authorization request from the service provider 106 (block 412) and, when the authorization request is received, determines whether the TIM 110 is authorized to proceed with creating and sending attestation information to the service provider 106 (block 414, see Fig. 4B). As described above, the user of the client platform 102 retains full control over whether information is sent from the client platform 102. Such control and/or instructions may be stored in the TIM database 224, which may also include instructions specific to particular service providers 106.
In response to obtaining permission to proceed with sending attestation information from the example TIM 110 to the example service provider 106 (block 414), the example session manager 202 determines whether the service provider 106 has a previously created shared name associated with the user (block 416). If not, the authentication manager 206 generates an authentication provider 210 profile associated with the service provider 106 and generates a new public/private key pair (block 418). The authentication manager 206 generates an additional and separate authentication provider 210 profile for each unique service provider 106 with which the user interacts, each such profile having its own unique public/private key pair and associated shared name. The example authentication manager 206 generates a recommended shared name for the user and sends it to the example service provider 106 (block 420).
To prove that the example TIM 110 has not been modified and is running within the example secure container 112, the authentication manager 206 generates a self-attestation of the TIM 110 (block 422) and sends the self-attestation to the service provider 106 (block 424). The self-attestation may include a cryptographic measurement of the TIM 110 and/or signature information produced with the private key of the TIM 110 and/or the private key of the secure container 112. After the example TIM 110 has been verified by the service provider 106, the example session manager 202 determines whether the user has an established account with the service provider 106 (block 426). If not, the session manager 202 facilitates communication with the service provider 106 to configure a new account at the service provider 106 (e.g., a new bank account, a new library account, a new e-mail account, etc.) (block 428). If the user already has an existing account and/or an established relationship with the service provider 106 (block 424), one or more out-of-band confirmation messages may be exchanged via the session manager 202 to prove the user's ownership of the existing account credentials (block 430). To reduce and/or eliminate the possibility of a hacker compromising the user's account in the future, the example authentication manager 206 sends to the example service provider 106 one or more binding instructions that include the public key and the previously established shared name (block 432). The example binding instructions sent by the authentication manager 206 instruct the service provider to bind the account to the public key and the shared name and, in some examples, request that the service provider 106 delete the old and/or originally used access credentials. In some examples, the old and/or originally used access credentials are not deleted; instead, a credential restriction instruction is sent from the authentication provider 210 to the example service provider 106 so that use of the old and/or originally used access credentials permits only a limited amount and/or a limited type of account access (e.g., permitting account browsing but prohibiting account cash transfers, etc.).
After the example TIM 110 has been associated with the user, the example TIM 110 has been associated with the service provider 106, and the user has been authenticated with the service provider 106 via the TIM 110, one or more attestations may occur between the user and the service provider 106 (block 312). In the example illustrated in Fig. 5, the example session manager 202 determines whether a profile is associated with the user (block 502). If not (block 502), a default profile is generated for the user (block 504). The default profile may reflect a conservative tolerance setting that requires explicit user interaction before any one or more attestations are sent to any service provider 106 with which the user interacts. On the other hand, if, after querying the example TIM database 224, the example session manager 202 determines that the user has an associated profile (block 502), the session manager 202 retrieves the associated profile instructions (block 506).
In general, each user associated with each client platform 102 may set one or more policies/profiles via the TIM 110 to tailor one or more security levels and/or the user experience. In some examples, a policy may allow the user's authorization information to be attested automatically to a particular service provider 106, so that the default behaviour does not require explicit user confirmation. As described above, an automatic attestation policy may be associated with one or more service providers 106 having minimal impact on the user's financial security (e.g., service providers 106 related to a library and/or a music streaming service). In other examples, the policy/profile may specify which shared name should be attested when interacting with a particular service provider 106. For example, if the user has created one or more different accounts with the same service provider 106, the user may set different policies for which shared name should be attested manually, which should be attested automatically, and which security level is required for attestation (e.g., facial recognition, facial recognition plus a passphrase, etc.). In still other examples, the profile may specify a duration of user absence before passive re-authentication fails. Further, when re-authentication fails because, for example, the user has walked away from the client platform 102, the profile may instruct the service provider to close the account and may lock the client platform 102.
Based on the profile instructions associated with the user (block 506) or the default profile instructions (block 504), the example authentication provider 210 is invoked by the authentication manager 206 to prepare attestation content (block 508). The example authentication provider 210 queries one or more of the authentication devices 104a-n for authentication events from the user. Any combination of a single authentication device and/or multiple authentication devices may be used when preparing the attestation information to be sent to the service provider 106. The one or more invoked authentication devices obtain the authorization sequence that was performed on the example client platform 102 to gain access to and/or functionality of the example client platform 102. The example authentication provider 210 may support object facial recognition (OFR) via the example OFR module 216. The example OFR module 216 receives video from a webcam and identifies faces (e.g., human faces) using one or more facial recognition algorithms. When the OFR module 216 identifies a face, the corresponding authentication provider 210 is invoked to query the TIM database 224 for a match. Based on the query result, the OFR module 216 may return an identity-confirmed message or an identity-unknown message. In some examples, the authentication provider 210 may invoke the example passphrase module 218 to prompt the user to enter one or more passphrases. The example passphrase module 218 receives the passphrase, forwards it to the corresponding example authentication provider 210, and compares the passphrase with the authorized passphrase stored in the example TIM database 224. When the passphrase is correct and/or the passphrase is associated with the previously identified face, the authentication manager 206 unlocks the client platform 102.
As described above, one or more authorization types produce an authorization sequence that may be forwarded to one or more example service providers. In some examples, the access granted by the service provider 106 depends on the security level used at the client platform 102 when the user was authorized to access it. For example, an authorization sequence consisting of a single authentication device (e.g., a webcam) may grant the user only limited functionality when interacting with the service provider 106 (e.g., permitting review of account income and expenses but prohibiting transfers). On the other hand, an authorization sequence comprising multiple authentication devices reflects a higher level of user authentication at the client platform 102 and may obtain greater privileges from the service provider 106.
The manner in which the user was authenticated to the TIM 110 (e.g., whether facial recognition was used, whether a combination of authentication devices was used, etc.) is packaged into the attestation message (block 508), and the message is signed with the TIM 110 private key that is unique to that service provider 106 (block 510). The signed attestation content is sent to the service provider 106 to authenticate the user with the example service provider 106 (block 512); the attestation content does not include an easily intercepted and/or insecure plaintext username/password combination.
The example session manager 202 queries the TIM database 224 to determine whether the account access level at the service provider 106 is sufficient (block 514). For example, one or more profiles associated with the user, the client platform 102 and/or the TIM 110 may anticipate one or more levels of account access allowed by a particular service provider, such as browse-only access as opposed to browse-and-transfer access (e.g., in a banking context). When one or more service providers 106 require a client authentication level higher than the client authorization initially performed, account access may be restricted. For example, initial and/or prior authentication to the client platform 102 may have been performed by facial recognition only, and the service provider of interest may require a combination of authentication devices before a higher level of account privilege is granted. In the illustrated example, the example authentication manager 206 invokes one or more additional authentication devices 104 (block 516), authenticates the user via the one or more authentication devices, and stores the new authorization sequence information in the example TIM database 224 (block 518).
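The per-provider key pair (block 418), the packaged and signed authorization sequence (blocks 508-512) and the access-level decision (block 514) as one round trip, written as an added example in Go that is not part of the patent: the TIM signs the attestation with the private key unique to that service provider, and the service provider checks it against the public key it bound to the shared name (block 432). Ed25519, the JSON encoding, the device names and the one-device/two-device access rule are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Attestation is the content prepared at block 508: the shared name bound to
// the account and the authorization sequence (which devices confirmed the user).
type Attestation struct {
	SharedName string   `json:"shared_name"`
	Devices    []string `json:"devices"` // constructed names, e.g. "webcam-ofr", "passphrase"
}

type SignedAttestation struct {
	Payload   []byte
	Signature []byte
}

// TIM keeps one key pair per service provider (block 418); Ed25519 is assumed.
type TIM struct {
	keys map[string]ed25519.PrivateKey // service provider id -> private key
}

func NewTIM() *TIM { return &TIM{keys: map[string]ed25519.PrivateKey{}} }

// Enroll creates the key pair and returns the public key for the binding instruction (block 432).
func (t *TIM) Enroll(spID string) (ed25519.PublicKey, error) {
	if _, ok := t.keys[spID]; ok {
		return nil, errors.New("key pair already exists for " + spID)
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t.keys[spID] = priv
	return pub, nil
}

// Attest packages the authorization sequence and signs it with the key unique to spID (blocks 508-510).
func (t *TIM) Attest(spID string, a Attestation) (SignedAttestation, error) {
	priv, ok := t.keys[spID]
	if !ok {
		return SignedAttestation{}, errors.New("no key pair for " + spID)
	}
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAttestation{}, err
	}
	return SignedAttestation{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// AccessLevel is the account access rank the service provider grants (block 514).
type AccessLevel int

const (
	AccessDenied AccessLevel = iota
	AccessBrowse             // one device: review the account only
	AccessFull               // two or more devices: transfers permitted
)

// ServiceProvider stores, per shared name, the public key bound to the account.
type ServiceProvider struct {
	boundKeys map[string]ed25519.PublicKey
}

func NewServiceProvider() *ServiceProvider { return &ServiceProvider{boundKeys: map[string]ed25519.PublicKey{}} }
func (sp *ServiceProvider) Bind(sharedName string, pub ed25519.PublicKey) { sp.boundKeys[sharedName] = pub }

// Verify checks the signature with the key bound to the shared name and maps the
// authorization sequence to an access level (the device-count rule is this example's).
func (sp *ServiceProvider) Verify(sa SignedAttestation) (AccessLevel, error) {
	var a Attestation
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return AccessDenied, err
	}
	pub, ok := sp.boundKeys[a.SharedName]
	if !ok || !ed25519.Verify(pub, sa.Payload, sa.Signature) {
		return AccessDenied, errors.New("unknown shared name or signature does not verify")
	}
	switch n := len(a.Devices); {
	case n >= 2:
		return AccessFull, nil
	case n == 1:
		return AccessBrowse, nil
	}
	return AccessDenied, errors.New("empty authorization sequence")
}

func main() {
	tim, sp := NewTIM(), NewServiceProvider()
	pub, _ := tim.Enroll("bank")
	sp.Bind("alice-bank", pub)
	sa, _ := tim.Attest("bank", Attestation{SharedName: "alice-bank", Devices: []string{"webcam-ofr"}})
	lvl, err := sp.Verify(sa)
	fmt.Println(lvl, err) // 1 <nil>
}
```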
In the example illustrated in Fig. 6, the program 314 for monitoring presence activity begins at block 602, where the session manager 202 determines whether the user has an associated profile. If not (block 602), a default profile may be used (block 604). Otherwise, the example session manager 202 retrieves the profile information from the example TIM database 224 (block 606). The example session manager 202 then determines whether the client platform 102 is in a presence mode (block 608). If not, the client platform 102 is assumed to be currently locked (block 608). As described above, the client platform 102 may be locked after it is initially powered on from an off state, or may be locked in response to the user walking away. On the other hand, if the user is currently engaged in one or more sessions with one or more service providers 106, the example TIM 110 operates in the presence mode, in which it verifies the presence of the user on a scheduled, periodic, aperiodic and/or manual basis.
When the example client platform 102 is not in the presence mode (block 608) (e.g., it is in a locked state), control proceeds to block 508 of Fig. 5 to prepare attestation content and unlock the client platform 102. On the other hand, when the example client platform 102 is in the presence mode (block 608), the example session manager 202 determines whether a keep-alive message should be sent from the TIM 110 to the service provider 106 (block 610). To counter denial of service (DoS) attacks directed at the example TIM 110, keep-alive messages may be sent periodically, aperiodically, on a schedule and/or manually. For example, if a DoS attack prevents the TIM 110 from sending keep-alive messages, the service provider 106, as the intended recipient, may conservatively terminate one or more sessions.
If the session manager 202 determines that no keep-alive message needs to be sent (e.g., based on a timer threshold) (block 610), the example process 600 waits. Otherwise, the example presence manager 208 invokes one or more presence providers 212 and the corresponding authentication devices 104a-n and, in some examples, prompts the user for additional input (block 612) to prepare the keep-alive message. The example presence manager 208 interfaces with the one or more presence providers 212 to determine whether the authenticated user is still present (block 614), and may query one or more system devices for passive re-authentication events. In some examples, the OFR module 216 is invoked to capture an image and compare it with one or more known images of the profile stored in the example TIM database 224. The one or more known images may include different profile angles of each authenticated user of the client platform 102, such as a frontal image, a side image and/or one or more intermediate viewing angles in between.
If the presence manager 208 determines that presence is not confirmed (block 614), the example session manager 202 invokes the authentication manager 206 to generate a lock process based on the profile instructions retrieved from the example TIM database 224 (block 616). The example presence manager 208 may generate a not-present message in response to the absence of one or more presence indications from the authentication devices for a threshold time period. The not-present message may indicate that one or more authentication devices 104 are dormant. The lock process may include locking the client platform 102 itself, or may include a lock request message directed to one or more service providers 106 previously engaged in an active session. If, however, presence is confirmed within the threshold time period (block 614), the example presence manager 208 generates a keep-alive and/or presence message (block 618) and sends it to the service provider 106 (block 620). After the keep-alive message is sent (block 620), the example presence manager 208 may monitor for one or more acknowledgement messages from each service provider 106 as confirmation that the keep-alive message was successfully received (block 622). If no acknowledgement is received (e.g., within a threshold time period), it may be assumed that the service provider 106 is under a DoS attack, and the example presence manager 208 may lock the client (block 616). On the other hand, after an acknowledgement is received (block 622), control advances to block 608.
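The presence-mode loop of Fig. 6 (blocks 608-622) as a small state machine, written as an added example in Go that is not part of the patent: each pass decides whether a keep-alive is due, whether presence lapsed beyond the threshold, or whether a missing acknowledgement should be treated as a DoS, either of the last two triggering the lock process and lock requests to the active service providers. The thresholds, field names and service provider identifiers are constructed for this example.

```go
package main

import (
	"fmt"
	"time"
)

// Action is what one pass of the Fig. 6 loop asks the caller to do.
type Action int

const (
	ActionWait           Action = iota // block 610: no keep-alive due yet
	ActionSendKeepAlive                // blocks 618-620: presence confirmed, keep-alive goes out
	ActionLockAbsent                   // block 616: no presence indication within the threshold
	ActionLockNoAck                    // block 616: keep-alive unacknowledged, assume DoS
	ActionUnlockRequired               // block 608: not in presence mode, go to block 508 of Fig. 5
)

// Profile holds the thresholds the retrieved profile (blocks 604/606) supplies.
// Field names and values are constructed for this example.
type Profile struct {
	KeepAliveInterval time.Duration // how often a keep-alive is due (block 610)
	AbsenceThreshold  time.Duration // presence must be seen at least this often (block 614)
	AckTimeout        time.Duration // acknowledgement must arrive within this (block 622)
}

// Monitor is the presence manager's state for one client platform.
type Monitor struct {
	profile      Profile
	inPresence   bool      // true while the user holds one or more sessions
	lastPresence time.Time // last presence indication from an authentication device
	lastSent     time.Time // last keep-alive sent (zero until the first one)
	lastAck      time.Time // last acknowledgement received (zero until the first one)
	sessions     []string  // service providers with an active session
	lockRequests []string  // service providers sent a lock request at block 616
}

// NewMonitor starts in presence mode with the user just authenticated at now.
func NewMonitor(p Profile, now time.Time, sessions []string) *Monitor {
	return &Monitor{profile: p, inPresence: true, lastPresence: now, sessions: sessions}
}

// Step runs one pass of the loop. present reports whether a presence provider saw
// the user since the last call; acked whether a keep-alive acknowledgement arrived.
func (m *Monitor) Step(now time.Time, present, acked bool) Action {
	if !m.inPresence {
		return ActionUnlockRequired
	}
	if present {
		m.lastPresence = now
	}
	if acked {
		m.lastAck = now
	}
	// Block 614: presence not confirmed within the threshold -> lock process.
	if now.Sub(m.lastPresence) >= m.profile.AbsenceThreshold {
		return m.lock(ActionLockAbsent)
	}
	// Block 622: a keep-alive is outstanding and its acknowledgement is overdue -> assume DoS.
	if m.lastSent.After(m.lastAck) && now.Sub(m.lastSent) >= m.profile.AckTimeout {
		return m.lock(ActionLockNoAck)
	}
	// Block 610: is a keep-alive due according to the timer threshold?
	if now.Sub(m.lastSent) >= m.profile.KeepAliveInterval {
		m.lastSent = now
		return ActionSendKeepAlive
	}
	return ActionWait
}

// lock leaves presence mode and records a lock request for every active session.
func (m *Monitor) lock(reason Action) Action {
	m.inPresence = false
	m.lockRequests = append(m.lockRequests, m.sessions...)
	return reason
}

// LockRequests lists the service providers that were sent a lock request.
func (m *Monitor) LockRequests() []string { return m.lockRequests }

func main() {
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	p := Profile{KeepAliveInterval: 10 * time.Second, AbsenceThreshold: 30 * time.Second, AckTimeout: 5 * time.Second}
	m := NewMonitor(p, t0, []string{"bank"})
	fmt.Println(m.Step(t0, true, false))                     // 1: keep-alive sent
	fmt.Println(m.Step(t0.Add(16*time.Second), true, false)) // 3: no acknowledgement, lock
	fmt.Println(m.LockRequests())                            // [bank]
}
```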
Fig. 7 is a block diagram of an example processing platform P100 capable of executing the instructions of Fig. 3, Fig. 4A, Fig. 4B, Fig. 5 and Fig. 6 to implement the CBA system 100 of Fig. 1 and/or the example TIM 110 of Fig. 1 and/or Fig. 2. The processing platform P100 can be, for example, a server, a personal computer, a tablet computer, a mobile phone, or any other type of computing device.
The processor platform P100 of the instant example includes a processor P105. For example, the processor P105 can be implemented by one or more microprocessors. Of course, processors from other families are also appropriate.
The processor P105 is in communication with a main memory including a volatile memory P115 and a non-volatile memory P120 via a bus P125. The volatile memory P115 may be implemented by Synchronous Dynamic Random Access Memory (SDRAM), Dynamic Random Access Memory (DRAM), RAMBUS Dynamic Random Access Memory (RDRAM) and/or any other type of random access memory device. The non-volatile memory P120 may be implemented by flash memory and/or any other desired type of memory device. Access to the main memory P115, P120 is typically controlled by a memory controller.
The processor platform P100 also includes an interface circuit P130. The interface circuit P130 may be implemented by any type of past, present or future interface standard, such as an Ethernet interface, a universal serial bus (USB) and/or a PCI express interface.
One or more input devices P135 are connected to the interface circuit P130. The input devices P135 permit a user to enter data and commands into the processor P105. The input devices can be implemented by, for example, a keyboard, a mouse, a touchscreen, a track pad, a trackball, a pointing stick, a camera, a fingerprint scanner, a biometric sensor and/or a voice recognition system.
One or more output devices P140 are also connected to the interface circuit P130. The output devices P140 can be implemented, for example, by display devices (e.g., a liquid crystal display and/or a cathode ray tube (CRT) display). The interface circuit P130 thus typically includes a graphics driver card.
The interface circuit P130 also includes a communication device (e.g., a modem or a network interface card) to facilitate the exchange of data with external computers via a network (e.g., an Ethernet connection, a digital subscriber line (DSL), a telephone line, a coaxial cable, a cellular telephone system, etc.).
The processor platform P100 also includes one or more mass storage devices P150 for storing software and data. Examples of such mass storage devices P150 include floppy disk drives, hard drive disks, compact disk drives and digital versatile disk (DVD) drives.
The coded instructions of Fig. 3, Fig. 4A, Fig. 4B, Fig. 5 and Fig. 6 may be stored in the mass storage device P150, in the volatile memory P110, in the non-volatile memory P112, and/or on a removable storage medium such as a CD or a DVD.
From the foregoing, it will be appreciated that the example methods, apparatus, systems and/or articles of manufacture disclosed herein allow a user of a client platform to establish a secure position that reduces reliance on security measures provisioned by service providers, and allows service providers to trust requests arriving from network services. Further, the example methods, apparatus, systems and/or articles of manufacture disclosed herein eliminate the proliferation of redundant user-selected username/password combinations across the user's preferred service providers. In the event that one of the user's service providers is attacked, compromised and/or cracked, the example methods, apparatus, systems and/or articles of manufacture disclosed herein do not rely on a username/password combination stored at the service provider for authentication, thereby limiting the security risk to the user's other service providers and/or accounts.
Example methods, apparatus and articles of manufacture to facilitate client-based authentication are disclosed herein. Some disclosed example methods include associating an identity authorizer with a client platform in an isolated execution environment; associating a user identity with the identity authorizer; generating a first key pair associated with a first service provider; generating an attestation based on a first authorization sequence of the client platform; and signing the attestation using a portion of the key pair and sending the signed attestation to the first service provider to authorize communication between the client platform and the first service provider. Additionally, example methods include identifying first access rights associated with the first service provider in response to sending the signed attestation. In some examples, the method includes invoking at least one authentication device to generate a second authorization sequence, wherein the second authorization sequence obtains second access rights associated with the first service provider. In other examples, the user identity comprises a third-party certificate, and in still other examples the method includes generating a second key pair in response to receiving a request to communicate with a second service provider. Other methods include sending the signed attestation based on a profile, wherein the profile authorizes automatic sending of the signed attestation for the first service provider and invokes a second authorization sequence for a second service provider.
Example apparatus to facilitate client-based authentication include an identity manager to associate a user with a client platform; an authentication provider to generate a first key pair associated with a first service provider; and an authentication manager to generate an attestation based on a first authorization sequence of the client platform and to sign the attestation using a portion of the key pair to authorize communication between the client platform and the first service provider. Other example apparatus include a presence provider to invoke an authentication device associated with the client platform, and a presence manager to generate a presence message in response to a presence indication from the authentication device within a threshold time period. Additional example apparatus include a presence manager to generate a not-present message in response to an indication that the authentication device detected no presence for a threshold time period, and a session manager to provide an exit message to the first service provider when the authentication device is dormant for a threshold time period. In other examples, the apparatus includes a presence manager to monitor the user on at least one of a periodic, aperiodic, scheduled and manual basis, wherein periodic monitoring is substantially continuous.
Some disclosed example articles of manufacture store machine readable instructions which, when executed, cause a machine to associate an identity authorizer with a client platform in an isolated execution environment; associate a user identity with the identity authorizer; generate a first key pair associated with a first service provider; generate an attestation based on a first authorization sequence of the client platform; and sign the attestation using a portion of the key pair and send the signed attestation to the first service provider to authorize communication between the client platform and the first service provider. Other example articles of manufacture cause the machine to identify first access rights associated with the first service provider in response to sending the signed attestation. Other example articles of manufacture cause the machine to invoke at least one authentication device to generate a second authorization sequence. In other examples, the articles of manufacture cause the machine to generate a second key pair after receiving a request to communicate with a second service provider. Additionally, example articles of manufacture cause the machine to send the signed attestation based on a profile. Other example articles of manufacture cause the machine to authorize automatic sending of the signed attestation for the first service provider and to invoke a second authorization sequence for a second service provider, and still other example articles of manufacture cause the machine to request a dialog permission input based on the profile.
Although certain example methods, apparatus and articles of manufacture have been described herein, the scope of coverage of this patent is not limited thereto. On the contrary, this patent covers all methods, apparatus and articles of manufacture fairly falling within the scope of the claims of this patent.

Claims (23)

1. A method of authorizing client platform communication, the method comprising:
associating an identity authorizer with a client platform in an isolated execution environment;
associating a user identity with the identity authorizer;
generating, with the identity authorizer, a first key pair associated with a first service provider;
generating, with the identity authorizer, an attestation based on a first authorization sequence performed by two or more invoked authentication devices on the client platform, wherein a manner in which the user was authenticated to the identity authorizer is packaged into the attestation;
signing, with the identity authorizer, the attestation using a portion of the key pair; and
sending, with the identity authorizer, the signed attestation to the first service provider to authorize communication between the client platform and the first service provider.
2. The method of claim 1, further comprising: identifying first access rights associated with the first service provider in response to sending the signed attestation.
3. The method of claim 2, further comprising: invoking at least one authentication device to generate a second authorization sequence.
4. The method of claim 3, wherein the second authorization sequence obtains second access rights associated with the first service provider.
5. The method of claim 1, wherein the user identity comprises a third-party certificate.
6. according to the method for claim 1, methods described is further comprising the steps of:Carried in response to receiving with second service For the request of business's communication, the second key pair is generated.
7. according to the method for claim 1, this method is further comprising the steps of:After the signature being sent based on configuration file Proof.
8. according to the method for claim 7, wherein, the configuration file authorizes automatic for the first service provider The proof after the signature is sent, and the second authorization sequence is called for second service provider.
9. An apparatus for authorizing client platform communication, the apparatus comprising:
an identity manager, the identity manager associating a user with a client platform;
a certification provider, the certification provider generating a first key pair associated with a first service provider; and
a certificate manager, the certificate manager being configured to:
generate a proof based on a first authorization sequence performed by two or more invoked authenticating devices on the client platform, wherein the manner in which the user authenticated to the certificate authority is encapsulated in the proof; and
sign the proof using a part of the key pair to authorize communication between the client platform and the first service provider.
10. The apparatus of claim 9, further comprising: a presence provider, the presence provider invoking an authenticating device associated with the client platform.
11. The apparatus of claim 10, further comprising: a presence manager, the presence manager generating a presence message in response to a presence indication from the authenticating device within a threshold time period.
12. The apparatus of claim 10, further comprising: a presence manager, the presence manager generating an absence message in response to the absence of a presence indication from the authenticating device for a threshold time period.
13. The apparatus of claim 10, further comprising: a session manager, the session manager providing a logout message to the first service provider when the authenticating device has been dormant for a threshold time period.
14. The apparatus of claim 10, further comprising: a presence manager, the presence manager monitoring the user in at least one of a periodic, aperiodic, scheduled or manual manner.
15. The apparatus of claim 14, wherein the periodic monitoring is substantially continuous.
16. A system for authorizing client platform communication, the system comprising:
means for associating a certificate authority with a client platform in an isolated execution environment;
means for associating a user identity with the certificate authority;
means for generating a first key pair associated with a first service provider;
means for generating a proof based on a first authorization sequence performed by two or more invoked authenticating devices on the client platform, wherein the manner in which the user authenticated to the certificate authority is encapsulated in the proof;
means for signing the proof using a part of the key pair; and
means for sending the signed proof to the first service provider to authorize communication between the client platform and the first service provider.
17. The system of claim 16, further comprising: means for identifying, in response to sending the signed proof, first access rights associated with the first service provider.
18. The system of claim 17, further comprising: means for invoking at least one authenticating device to generate a second authorization sequence.
19. The system of claim 16, further comprising: means for generating a second key pair in response to receiving a request to communicate with a second service provider.
20. The system of claim 16, further comprising: means for sending the signed proof based on a configuration file.
21. The system of claim 20, further comprising: means for authorizing automatic sending of the signed proof for the first service provider, and for invoking a second authorization sequence for a second service provider.
22. The system of claim 20, further comprising: means for requesting session permission input based on the configuration file.
23. A computer-readable storage medium having instructions stored thereon which, when executed by a computer, cause the computer to perform the method of any one of claims 1-8.
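The exchange that claims 1 to 9 describe (a certificate authority in an isolated execution environment holding one key pair per service provider, a proof generated only after an authorization sequence of two or more authenticating devices, signed with the private half of that key pair and verified by the service provider) as an added Go example; this is not the patent's own code, and the JSON proof layout, the Ed25519 signature and the provider-issued challenge nonce are assumptions the patent does not specify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Proof is the signed attestation; Factors lists the authenticating devices that ran.
type Proof struct {
	User     string   `json:"user"`
	Provider string   `json:"provider"`
	Factors  []string `json:"factors"`
	Nonce    string   `json:"nonce"` // assumed: a fresh challenge issued by the provider
}

// Binding is the authority's per-provider state; priv never leaves the isolated environment.
type Binding struct {
	User, Provider string
	priv           ed25519.PrivateKey
}

// Enroll generates the provider-specific key pair; the public half goes to the provider.
func Enroll(user, provider string) (*Binding, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Binding{User: user, Provider: provider, priv: priv}, pub, nil
}

// Attest requires two or more authenticating devices, then signs the proof with priv.
func (b *Binding) Attest(nonce string, factors []string) (msg, sig []byte, err error) {
	if len(factors) < 2 {
		return nil, nil, errors.New("authorization sequence needs two or more authenticating devices")
	}
	msg, _ = json.Marshal(Proof{User: b.User, Provider: b.Provider, Factors: factors, Nonce: nonce})
	return msg, ed25519.Sign(b.priv, msg), nil
}

// Verify (provider side): valid signature, bound to this provider and challenge, multi-device.
func Verify(pub ed25519.PublicKey, provider, nonce string, msg, sig []byte) (p Proof, err error) {
	if !ed25519.Verify(pub, msg, sig) || json.Unmarshal(msg, &p) != nil ||
		p.Provider != provider || p.Nonce != nonce || len(p.Factors) < 2 {
		return Proof{}, errors.New("proof rejected: bad signature or not bound to this provider and session")
	}
	return p, nil
}
```

Because the nonce and provider name are inside the signed proof, a proof captured for one provider or one session is rejected by any other, and a proof over a single device is never produced.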
CN201180075603.2A 2011-10-18 2011-11-18 For promoting the methods, systems and devices of client-based certification Expired - Fee Related CN103999401B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201161548570P 2011-10-18 2011-10-18
US61/548,570 2011-10-18
PCT/US2011/061359 WO2013058781A1 (en) 2011-10-18 2011-11-18 Methods, systems and apparatus to facilitate client-based authentication

Publications (2)

Publication Number Publication Date
CN103999401A CN103999401A (en) 2014-08-20
CN103999401B true CN103999401B (en) 2018-02-09

Similar Documents

Publication Publication Date Title
US20200404019A1 (en) Mutual authentication security system with detection and mitigation of active man-in-the-middle browser attacks, phishing, and malware and other security improvements
EP1625690B1 (en) Method and apparatus for authentication of users and web sites
JP6648110B2 (en) System and method for authenticating a client to a device
CN109417549A (en) The method and apparatus of information proof is provided using centralization or distributed ledger
US20050177750A1 (en) System and method for authentication of users and communications received from computer systems
AU2005283167B8 (en) Method and apparatus for authentication of users and communications received from computer systems
US11159321B2 (en) Digital notarization using a biometric identification service
JP2011502311A (en) Account transaction management using dynamic account numbers
EP3579595B1 (en) Improved system and method for internet access age-verification
US20170104748A1 (en) System and method for managing network access with a certificate having soft expiration
US20090025066A1 (en) Systems and methods for first and second party authentication
CN103929310A (en) Mobile phone client side password unified authentication method and system
CN103999401B (en) For promoting the methods, systems and devices of client-based certification
US20200204377A1 (en) Digital notarization station that uses a biometric identification service
Chen et al. A trusted biometric system
TWI778319B (en) Method for cross-platform authorizing access to resources and authorization system thereof
Ahmad et al. Enhancing the Authentication Mechanism of Social Media Websites using Face Detection
Schaffer Ontology for authentication
CN103999401A (en) Methods, systems and apparatus to facilitate client-based authentication
Arun et al. Authentication and Identity Validation Blockchain Application
JP2023507568A (en) System and method for protection against malicious program code injection
CN117455489A (en) Transaction authorization method, device, equipment and storage medium
Williams Online Business Security Technologies
Milovanovic et al. Implementing Authentication in an E-Procurement System
Song et al. Building an independent integrated authentication service

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20180209

Termination date: 20191118