CN104038486B - System and method for realizing user login identification based on identification type codes - Google Patents

System and method for realizing user login identification based on identification type codes

Publication number: CN104038486B
Authority: CN (China)
Application number: CN201410244543.8A
Other versions: CN104038486A
Original language: Chinese (zh)
Inventors: 龙毅宏, 唐志红
Current assignee: Wuhan University of Technology (WUT)
Original assignee: Wuhan University of Technology (WUT)
Prior art keywords: user, account, web information, information system, browser
Legal status: Active

Application filed by Wuhan University of Technology (WUT)
Priority to CN201410244543.8A
Publication of CN104038486A
Application granted
Publication of CN104038486B
Abstract

The invention relates to a system and method for realizing user login authentication based on identification type codes (identity-typed cryptography). In the system, a cipher identifier of the user that is unrelated to the Web information system account serves as the authentication data of the account and is stored in the user account data of the Web information system; when the user logs in to the Web information system, the system verifies that the user possesses the currently valid identity private key of the cipher identifier of the user account, and thereby determines that the user is the account owner. If the Web information system originally logs users in with an account name and a password or passcode, a security gateway or plug-in that handles the login, after authenticating the user's login account, fills the user's cipher identifier into the login request in place of the account password or passcode, so that the user is logged in to the Web information system. In the system and method, the user's identity-typed private key is used only in place of the account password or passcode, to prove that the user possesses the secret private data of the account; it does not serve as an identity credential for logging in to the system.

Description

A system and method for realizing user login authentication based on identity-typed cryptography
Technical field
The invention belongs to the field of information security, and in particular relates to a system and method for realizing user login authentication based on identity-typed cryptography.
Background art
When a user accesses a Web information system that is protected and access-restricted (including various application systems and security systems), a login operation (Logon or Login) is usually required. The purpose of the login operation is to confirm that the user is a legitimate user of the Web information system, that is, to perform user authentication (User Authentication). In fact, for many Web information systems it does not matter whether the user's identity information is genuine or who the user is; more precisely, the purpose of the login operation is to confirm that the user is the owner of a registered account of the Web information system, that is, to perform account authentication (Account Authentication).
Current Web information systems generally use account name + password or passcode (the account name is also called the user name) as the security means of user or account authentication when a user logs in (Logon or Login) to the Web information system. The account name + password or passcode scheme is simple and easy for the user to operate, but its insecurity is well known. PKI (Public Key Infrastructure), although secure, when used through digital certificates (Digital Certificate) for user or account authentication in Web information systems has poor-usability problems such as inconvenient user operation, difficult recovery of lost user private keys, and troublesome certificate renewal (which usually requires manual operation); it also requires controls or plug-ins to be developed for the relevant browsers, which causes a heavy technical development workload and poor applicability: first, because different controls or plug-ins must be developed for different Web browsers, and browsers are numerous today, developing controls or plug-ins for all browsers, including browsers running in various environments, is a very heavy workload; second, because some browsers support controls or plug-ins only to a very limited extent, or not at all. Further, when PKI digital certificates are to be introduced into a deployed system that uses account name + password or passcode, the existing system must be modified; therefore, so far, PKI digital certificates have not been widely applied.
Identity Based Cryptography (IBC) is a public-key cryptographic technique that has recently attracted wide attention. It overcomes the shortcomings of PKI digital certificates in terms of usability. Its main technical feature is that a unique identifier of the user (such as an e-mail address) constitutes the user's public key (strictly speaking, the public key is a unique identifier of the user plus a set of public parameters), which can be used for data encryption or signature verification; at the same time an identifier has a private key, which is used for data decryption or digital signature (the IBC public key and private key used for data encryption are not necessarily the same as the IBC public key and private key used for digital signature); the private key is generated by a special key service system called the private key generator. IBC is equally applicable to user or account authentication when a user logs in to a Web information system, but directly applying IBC to user or account authentication in a Web information system still has the following problems:
1) When IBC is used for user or account authentication in a Web information system, the usual scheme is to use the user's account name in the Web information system as the user's IBC identifier. The shortcomings of this scheme are: first, a user has different account names in different Web information systems and therefore needs to obtain different IBC key pairs; second, when a user obtains from the key service system the private key corresponding to a non-electronic-communication identifier (an e-mail address, mobile phone number or the like that is an electronic communication address or terminal identifier is called an electronic communication identifier), it is cumbersome and difficult for the key service system to verify that the user is the genuine owner of the identifier (for electronic communication identifiers such as an e-mail address or mobile phone number, this is easier to accomplish);
2) When IBC is used in a Web information system, a cryptographic module must be called on the user side to carry out the IBC cryptographic operations; therefore, as with digital certificates, current schemes typically use browser controls and plug-ins on the user side to call the cryptographic module for IBC cryptographic operations, which has the same problems as digital certificates in Web information system user login;
3) At present there are a large number of deployed systems using account name + password or passcode; directly deploying an IBC-based user or account authentication scheme in such systems requires modifying the Web information system.
The purpose of the present invention is precisely to apply identity-typed cryptography (Identity-Typed Cryptography) to user or account authentication at Web information system login, while avoiding the use of browser plug-ins and ActiveX controls and maintaining compatibility with deployed systems.
The identity-typed cryptography of the present invention includes the aforementioned Identity-Based Cryptography and the identity-based elliptic curve technique (see the applicant's patent application "An identity-based elliptic curve cryptosystem", application number: 20131052098.5).
The identity-typed cryptography of the present invention, whether IBC or identity-based elliptic curve cryptography, has the following common features:
1) One identifier corresponds to one identity public key and one identity private key of the user (the identity public key and private key used for data encryption are not necessarily the same as the identity public key and private key used for digital signature);
2) In actual key generation and cryptographic operations, it is not the identifier itself that is used for key generation and cryptographic operations, but an extended identifier formed by adding other specified information to the identifier;
3) According to the patented technique in "An identity-typed cryptosystem and method for automatically updating and recovering private keys" (application number: 201410058689.3), the private key can be recovered automatically, and the currently valid identity public key and identity private key of an identifier can be updated automatically.
The usual specified information added to an identifier is time-period information, for example "identifier || time period", where "||" denotes string concatenation. The time-period information specifies that the public key and private key corresponding to the extended identifier are valid and usable only within the specified time period. The public key and private key corresponding to the extended identifier whose time period covers the current moment are called the currently valid identity public key and identity private key of the identifier.
Summary of the invention
An object of the present invention is to provide a system and method for realizing user login authentication based on identity-typed cryptography, which applies identity-typed cryptography to user or account authentication at Web information system login while avoiding browser plug-ins and ActiveX controls and maintaining compatibility with deployed systems.
To achieve these objects, the technical solution adopted by the present invention is:
A system for realizing user login authentication based on identity-typed cryptography, comprising:
Web information system: a system developed on Web technology that provides information or application services to users. An identifier of the user (such as an e-mail address or mobile phone number), or the hash value of an identifier of the user, is stored in the user account data of the Web information system as the authentication data (Authentication Data) of the user's account in the Web information system (if the account authentication data of the Web information system was originally a password or passcode, the user identifier or the hash value of the user identifier is stored as the password or passcode in the original password or passcode storage location in the user account data of the Web information system); correspondingly, the user identifier stored in the user account data as the authentication data of the user account, or the user identifier whose hash value is stored in the user account data as the authentication data of the user account, is called the cipher identifier of the user account, or the cipher identifier of the user account for short; the cipher identifier of the user account is entered by the user when registering the account with the Web information system, or is obtained by other means and set by an account management system or tool (how the account management system or tool obtains the user's cipher identifier is a problem outside the present invention);
Browser: the client the user uses to access the Web information system; during user login the browser, through the background processing program, uses the identity private key of the cipher identifier of the user's login account to digitally sign the random string returned by the Web information system, or to decrypt the encrypted random string data returned by the Web information system, and to carry out other cryptographic pre-computations (the identity public key and private key used for data encryption are not necessarily the same as the identity public key and private key used for digital signature);
Background processing program: a program running in the background on the user-side computing device; during user login it calls the cryptographic module to digitally sign the random string returned by the Web information system, or to decrypt the encrypted random string data returned by the Web information system, and to carry out other cryptographic computations;
Cryptographic module: a user-side software component, or combined software and hardware component, that implements identity-typed cryptography and carries out cryptographic operations;
When the user uses the browser to access the Web information system and submits the account name to log in to the account, the Web information system completes the authentication that the user is the owner of the login account by verifying that the user possesses the identity private key of the cipher identifier, in the following digital signature mode or data encryption mode:
Digital signature mode: the Web information system returns the cipher identifier of the user's login account and a generated random string to the user-side browser; the browser, through the background processing program, calls the cryptographic module to sign the returned random string with the identity private key of the cipher identifier of the user's login account, and then submits the signed data of the random string to the Web information system; the Web information system verifies the validity of the signed data of the random string submitted by the user-side browser, using the random string that was returned to the browser and the identity public key of the cipher identifier of the user's login account, thereby confirming that the user is the owner of the cipher identifier and hence the owner of the login account;
Data encryption mode: the Web information system returns to the user-side browser a randomly generated string encrypted with the identity public key of the cipher identifier of the user's login account; the browser, through the background processing program, calls the cryptographic module to decrypt the returned encrypted random string with the identity private key of the cipher identifier of the user's login account, and then completes the user login authentication operation either by directly returning the decrypted random string or by using the decrypted random string in an HMAC (Hashed Message Authentication Code) digital signature mode (if the correct decrypted random string is returned, or a correct HMAC digital signature is produced with the decrypted random string, this shows that the user possesses the identity private key that correctly decrypts the encrypted random string, so the user can be determined to be the owner of the cipher identifier and hence the owner of the login account);
If the Web information system the user logs in to originally authenticates the account owner by account name + password or passcode and keeps its original authentication method unchanged, and the system component that implements user login authentication based on identity-typed cryptography is a security gateway placed in front of the Web information system, or a security plug-in inserted into the request and response transmission channel of the Web information system, then the cipher identifier of the user account, or the hash value of the cipher identifier of the user account, is stored as the password or passcode in the original password or passcode storage location in the user account data of the Web information system; after the security gateway or security plug-in has used the cipher identifier of the user account to complete the authentication that the user is the account owner, it submits the user's account name and the cipher identifier of the account to the Web information system as a login request, in place of the user's account name and password or passcode, to complete the login operation, or it submits the user's account name and the hash value of the cipher identifier of the account, in place of the user's account name and password or passcode, as a login request to the Web information system to complete the login operation; the former corresponds to the case where the account authentication data kept in the user account data of the Web information system is the cipher identifier of the user account, and the latter to the case where the account authentication data kept in the user account data of the Web information system is the hash value of the cipher identifier of the user account; in either case, the Web information system itself carries out the account authentication of the user login in its usual manner of verifying the account name and password or passcode.
If a cipher identifier of the user is stored in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with a browser, the Web information system, the user, the user-side browser and the background processing program complete the user login authentication in the following data encryption mode:
Step i: the Web information system, through the browser, requires the user to enter the account name;
Step ii: the user enters the account name and submits it to the Web information system through the browser;
Step iii: after receiving the account name submitted by the user-side browser, the Web information system uses the received account name to obtain the cipher identifier of the user account by querying, in the user account data, the authentication data of the user account corresponding to the account name; it then encrypts the Web information system name and a generated random string with the currently valid identity public key of the obtained cipher identifier, and returns the encrypted Web information system name and random string to the user-side browser;
Step iv: after receiving the data returned by the Web information system, the user-side browser submits the received encrypted Web information system name and random string to the local background processing program of the user side through a network communication mechanism, and then prompts the user to enter the random password or passcode displayed on the computing terminal into the password or passcode input box of the browser;
Step v: after receiving the encrypted Web information system name and random string submitted by the browser, the local background processing program of the user side calls the cryptographic module to decrypt the encrypted Web information system name and random string returned by the Web information system with the currently valid identity private key of the cipher identifier of the user account, and then displays the decrypted Web information system name and random string to the user through a human-machine interface on the computing terminal, as a one-time random password or passcode for logging in to the Web information system;
Step vi: the user enters the random string displayed by the background processing program as the one-time random password or passcode into the password or passcode input box of the browser, and the browser submits the random string entered by the user to the Web information system as the account password or passcode;
Step vii: after receiving the random string submitted by the user-side browser as the account password or passcode, the Web information system compares the received random string with the plaintext of the random string returned to the browser (in step iii); if they match, it confirms that the user is the owner of the user account corresponding to the submitted account name and allows the user to log in, otherwise it refuses.
If a cipher identifier of the user is stored in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with a browser, the Web information system, the user, the user-side browser and the background processing program can also complete the user login authentication in the following data encryption mode:
Step 1: the Web information system, through the browser, requires the user to enter the account name;
Step 2: the user enters the account name and submits it to the Web information system through the browser;
Step 3: after receiving the account name submitted by the browser, the Web information system uses the received account name to obtain the cipher identifier of the user account by querying, in the user account data, the authentication data of the user account corresponding to the account name; it then encrypts a randomly generated string with the currently valid identity public key of the obtained cipher identifier, and returns the encrypted random string to the user-side browser;
Step 4: after receiving the data returned by the Web information system, the user-side browser submits the received encrypted random string to the background processing program through a network communication mechanism and requests decryption of the encrypted random string;
Step 5: after receiving the request from the user-side browser to decrypt the encrypted random string, the background processing program calls the cryptographic module to decrypt the encrypted random string with the currently valid identity private key of the cipher identifier of the user account, and then returns the decrypted random string to the user-side browser;
Step 6: after receiving the decrypted random string returned by the background processing program, the user-side browser completes the user login authentication operation either by directly returning the decrypted random string or by using the decrypted random string in the HMAC digital signature mode.
If the hash value of a cipher identifier of the user is stored in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with a browser, the Web information system, the user, the user-side browser and the background processing program complete the user login authentication in the following data encryption mode:
Step 1: the Web information system, through the browser, requires the user to enter the account name and the authentication data;
Step 2: the user enters the account name and the cipher identifier of the account through the browser, the cipher identifier of the account being entered as the authentication data, and then submits the entered account name and the cipher identifier serving as the account authentication data to the Web information system through the browser;
Step 3: after receiving the data submitted by the browser, the Web information system computes the hash value of the received cipher identifier and compares the computed hash value with the hash value of the cipher identifier of the user account corresponding to the submitted account name, as kept in the user account data of the Web information system; if they match, it encrypts a randomly generated string with the currently valid identity public key of the cipher identifier submitted by the user and returns the encrypted random string to the user-side browser; otherwise it returns an error;
Step 4: if the data returned by the Web information system indicates an error, the user-side browser reports the error; otherwise the user-side browser submits the received encrypted random string to the background processing program through a network communication mechanism and requests decryption of the encrypted random string;
Step 5: after receiving the request from the user-side browser to decrypt the encrypted random string, the background processing program calls the cryptographic module to decrypt the encrypted random string with the currently valid identity private key of the cipher identifier of the user account, and then returns the decrypted random string to the user-side browser;
Step 6: after receiving the decrypted random string returned by the background processing program, the user-side browser completes the user login authentication operation either by directly returning the decrypted random string or by using the decrypted random string in the HMAC digital signature mode.
If a cipher identifier of the user is stored in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with a browser, the Web information system, the user, the user-side browser and the background processing program complete the user login authentication in the following digital signature mode:
Step 1: the Web information system, through the browser, requires the user to enter the account name;
Step 2: the user enters the account name and submits it to the Web information system through the browser;
Step 3: after receiving the account name submitted by the browser, the Web information system uses the received account name to obtain the cipher identifier of the user account by querying, in the user account data, the authentication data of the user account corresponding to the account name; it then returns the obtained cipher identifier and a randomly generated string to the user-side browser;
Step 4: after receiving the data returned by the Web information system, the user-side browser submits the received cipher identifier and random string to the background processing program through a network communication mechanism and requests a digital signature over the returned random string;
Step 5: after receiving the request from the user-side browser to sign the returned random string, the background processing program calls the cryptographic module to digitally sign the random string with the currently valid identity private key of the cipher identifier of the user account, and then returns the signed data to the user-side browser (the signed data need not include the random string itself again);
Step 6: after receiving the signed data of the random string returned by the background processing program, the user-side browser submits the signed data to the Web information system;
Step 7: after receiving the signed data of the random string submitted by the browser, the Web information system verifies the validity of the signature in the signed data submitted by the browser, using the random string that was returned to the browser and the currently valid identity public key of the cipher identifier of the user account; if verification passes, it confirms that the user is the owner of the user account corresponding to the submitted account name and allows the user to log in, otherwise it refuses.
If the hash value of a cipher identifier of the user is stored in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system with a browser, the Web information system, the user, the user-side browser and the background processing program complete the user login authentication in the following digital signature mode:
Step 1: the Web information system, through the browser, requires the user to enter the account name and the authentication data;
Step 2: the user enters the account name and the cipher identifier of the account through the browser, the cipher identifier of the account being entered as the authentication data, and then submits the entered account name and the cipher identifier serving as the account authentication data to the Web information system through the browser;
Step 3: after receiving the data submitted by the browser, the Web information system computes the hash value of the received cipher identifier and compares the computed hash value with the hash value of the cipher identifier of the user account corresponding to the submitted account name, as kept in the user account data of the Web information system; if they match, it returns the cipher identifier submitted by the user together with a generated random string to the user-side browser; otherwise it returns an error;
Step 4: if the data returned by the Web information system indicates an error, the user-side browser reports the error; otherwise the user-side browser submits the received cipher identifier and random string to the background processing program through a network communication mechanism and requests a digital signature over the returned random string;
Step 5: after receiving the request from the user-side browser to sign the returned random string, the background processing program calls the cryptographic module to digitally sign the random string with the currently valid identity private key of the cipher identifier of the user account, and then returns the signed data to the user-side browser (the signed data need not include the random string itself again);
Step 6: after receiving the signed data of the random string returned by the background processing program, the user-side browser submits the signed data to the Web information system;
Step 7: after receiving the signed data of the random string submitted by the browser, the Web information system verifies the validity of the signature in the signed data submitted by the browser, using the random string that was returned to the browser and the currently valid identity public key of the cipher identifier of the user account; if verification passes, it confirms that the user is the owner of the user account corresponding to the submitted account name and allows the user to log in, otherwise it refuses.
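The digital signature mode of the two step sequences above (and of the "Digital signature mode" paragraph in the summary), both with the cipher identifier stored in plain form and with only its hash stored, as an added example that is not part of the patent or of any implementation of it. It is written in Go and substitutes ed25519 for the identity-typed signature scheme; the private key generator, the Web information system, the background processing program and the time-period extended identifier are all constructed here, and the UTC calendar month as the time period, the account "alice" and the cipher identifier alice@example.com are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"time"
)

// ExtendedID is the time-period-qualified identifier "id||period" that selects the
// currently valid key pair; the period is the UTC calendar month (assumption here).
func ExtendedID(cipherID string, at time.Time) string {
	return cipherID + "||" + at.UTC().Format("2006-01")
}

// KeyGenerator stands in for the private key generator. In a real identity-type
// scheme the server computes the public key from the extended identifier and public
// parameters; ed25519 cannot, so keys are derived from a master secret (assumption).
type KeyGenerator struct{ Master []byte }

func (k *KeyGenerator) PrivateKey(extID string) ed25519.PrivateKey {
	m := hmac.New(sha256.New, k.Master)
	m.Write([]byte(extID))
	return ed25519.NewKeyFromSeed(m.Sum(nil)) // HMAC-SHA256 gives the 32-byte seed
}

func SHA256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

type pendingLogin struct{ cipherID string; nonce []byte }

// Server is the Web information system; authData maps an account name to the cipher
// identifier, or to its SHA-256 hex when storesHash is set (the two storage variants).
type Server struct {
	authData   map[string]string
	storesHash bool
	pending    map[string]pendingLogin
	pkg        *KeyGenerator
	now        func() time.Time
}

func NewServer(auth map[string]string, hashed bool, pkg *KeyGenerator, now func() time.Time) *Server {
	return &Server{authData: auth, storesHash: hashed, pending: map[string]pendingLogin{}, pkg: pkg, now: now}
}

// Challenge is step 3 of both variants: with hashed storage the submitted cipher
// identifier is hash-checked first; with plain storage it is ignored and the stored
// identifier is returned to the browser together with the fresh random string.
func (s *Server) Challenge(account, submittedID string) (string, []byte, error) {
	stored, ok := s.authData[account]
	if !ok {
		return "", nil, errors.New("unknown account")
	}
	cipherID := stored
	if s.storesHash {
		if subtle.ConstantTimeCompare([]byte(SHA256Hex(submittedID)), []byte(stored)) != 1 {
			return "", nil, errors.New("authentication data mismatch")
		}
		cipherID = submittedID
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	s.pending[account] = pendingLogin{cipherID, nonce} // one outstanding challenge per account
	return cipherID, nonce, nil
}

// Verify is step 7: check the signature over the nonce issued to this account with the
// currently valid identity public key. The nonce is consumed either way, so a captured
// signature cannot be replayed and a new login attempt must obtain a new challenge.
func (s *Server) Verify(account string, sig []byte) bool {
	p, ok := s.pending[account]
	if !ok {
		return false
	}
	delete(s.pending, account)
	pub := s.pkg.PrivateKey(ExtendedID(p.cipherID, s.now())).Public().(ed25519.PublicKey)
	return ed25519.Verify(pub, p.nonce, sig)
}

// BackgroundProgram is the user-side program that has the crypto module sign the random
// string with the identity private key (steps 4 and 5); Login runs the whole exchange.
type BackgroundProgram struct{ Priv ed25519.PrivateKey }

func (b *BackgroundProgram) Sign(nonce []byte) []byte { return ed25519.Sign(b.Priv, nonce) }

func Login(s *Server, bp *BackgroundProgram, account, submittedID string) bool {
	_, nonce, err := s.Challenge(account, submittedID)
	if err != nil {
		return false
	}
	return s.Verify(account, bp.Sign(nonce))
}
```

In a real identity-typed scheme the server would compute the verification key from the extended identifier and the public parameters instead of asking the key generator, which is the property that lets the patent avoid certificates.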
If the cipher identifier of the user account is entered by the user when registering the account with the Web information system, then after receiving the user's account registration information the Web information system first verifies, in the same digital signature mode or data encryption mode as used for user login authentication, that the user possesses the private key of the cipher identifier entered at registration, thereby confirming that the user is the owner of the entered cipher identifier; after the verification and authentication pass, it completes the user account registration and stores the registration information, otherwise it returns an error.
If the identity-typed cryptography adopted by the system for realizing user login authentication based on identity-typed cryptography is IBC (Identity-Based Cryptography), and multiple different sets of public parameters for IBC cryptographic operations are supported, then the Web information system determines the public parameter set used for cryptographic operations with the cipher identifier of the user account as follows:
If, when logging in to the Web information system through the browser, the user enters and submits the account name together with the cipher identifier as the authentication data, then before submitting the cipher identifier the browser first requests the background processing program, through the network communication mechanism, to return the indication information (such as a parameter set identifier or version number) of the public parameter set used for cryptographic operations with the cipher identifier; after receiving the request, the background processing program calls the cryptographic module to query the indication information of the public parameter set used for cryptographic operations with the cipher identifier, and returns the indication information obtained by the query to the browser; after receiving the indication information of the public parameter set returned by the background processing program, the browser submits it to the Web information system together with the cipher identifier; the Web information system determines the public parameter set used for cryptographic operations with the cipher identifier of the user account from the public parameter indication information submitted in the login request;
Otherwise, if the Web information system keeps in the user account data the indication information of the public parameter set used for cryptographic operations with the cipher identifier of the user account, then before carrying out cryptographic operations with the cipher identifier of the user account, the Web information system first determines the public parameter set used for the cryptographic operations from the indication information of the public parameters kept with the cipher identifier in the user account data;
Otherwise, before carrying out cryptographic operations with the cipher identifier of the user account, the Web information system first returns the cipher identifier of the user account to the user-side browser and requests the indication information of the public parameter set used for cryptographic operations with the cipher identifier; after receiving the cipher identifier and request returned by the Web information system, the user-side browser submits the received cipher identifier to the local background processing program of the user side through the network communication mechanism and requests the indication information of the public parameter set used for cryptographic operations with the cipher identifier; the background processing program calls the cryptographic module to query and obtain the indication information of the public parameter set used for cryptographic operations with the cipher identifier of the user account, and returns the indication information obtained by the query to the user-side browser; the browser returns the indication information of the public parameter set used for cryptographic operations with the obtained cipher identifier to the Web information system; the Web information system determines the public parameter set used for cryptographic operations with the cipher identifier from the returned indication information of the public parameter set;
Further, if spooler calls crypto module to use Web information system the number of cipher mark encryption Find that Web information system has used incorrect open parameter group according to being decrypted in processing procedure, then spooler leads to Crossing browser carries out the instruction of the open parameter group used by crypto-operation to the cipher mark of Web information system update user account Information.
If Web information system preserves the cipher mark or close of user account names and user account also in user account data The digital signature (by Web information system signature) of the data (data after merging such as word string) after the hashed value merging of code mark, With prevent check account user data in user account names and account cipher mark or cipher mark hashed value it is unwarranted Change, then Web information system is submitted to user is being received during account's discriminating is carried out to User logs in by browser Account name after, the numeral of the data after first merging to the hashed value of the cipher mark or cipher mark of account name and user account User account names that signature is preserved in being verified to determine Web information systematic account data and the cipher mark of user account or Whether the hashed value of cipher mark is changed, if being changed, stops login account and differentiates to process and return mistake;Otherwise, The account's discriminating for continuing User logs in is processed;After the hashed value of the cipher mark or cipher mark of account name and user account merges The digital signature method that adopted of digital signature of data include digital signature of symmetric key based on HMAC and based on non-right Claim the digital signature of key cryptographic algorithm (such as RSA, ECC, IBC).
Can be seen based on the above content of the invention, the User logs in authentication schemes that system of the invention is adopted have following excellent Point or feature:
If 1) mark for using is electronic communication identify (such as E-mail address, phone number), the life of tagged keys Into, recover, updating will be convenient;Especially, if further carrying out automatically updating for tagged keys, the renewal behaviour of tagged keys Make without the need for user's manual intervention, bring great convenience to user;
2) browser is not adopted, therefore is not limited by browser type and species, not by user side computing device yet Operation platform is limited;
3) in the present invention ID and tagged keys are used not as the identity documents of user, but as Gao An The account of full strength differentiates that private data is used, and different Web information systems can use the close of same cipher mark Account when key carries out User logs in differentiates, without the need for using different tagged keys for different Web information systems;
4) the solution of the present invention can perform well in it is having disposed, itself entered using account name+password or password originally The Web information system that row login account differentiates, can in the case where Web information system is not changed by external security gateway or The mode of built-in security plug-in unit is implemented in the Web information system that login account discriminating is carried out using account name+password or password Secure log scheme of the present invention.
Description of the drawings
Fig. 1 is the system structure diagram of the present invention.
Specific embodiment
The invention is further described below with reference to the accompanying drawings and embodiments.
Implementation first involves the embodiment of the identity-based cryptographic technique of the present invention, for which two schemes may be selected: IBC cryptographic techniques or identity-based elliptic curve cryptography, of which the IBC scheme is the simplest.
With IBC cryptographic techniques, the identity public key and private key are simply the IBC public key and private key, and the public key is the identifier itself. In this case one can also implement the IBE crypto module and data encryption/decryption method of the patent application "IBE encryption apparatus and data encryption/decryption method" (application number 20131043846.2) (although the crypto module in that application is called an IBE crypto module, the relevant technical scheme applies to IBC), together with the automatic identity-key update scheme of the patent application "Identification type cryptographic system and method for automatically updating and recovering private key" (application number 201410058689.3), and implement an IBC key service system (including an IBC private key generator) for generating and recovering IBC private keys. For the technical implementation of IBC itself, see the IEEE international standard IEEE Std 1363.3-2013: IEEE Standard for Identity-Based Cryptographic Techniques using Pairings, 22 August 2013. In the IBC embodiment, if IBC encryption supports cryptographic operations with multiple different IBC public parameter sets, the different public parameter sets can be indicated by different identifiers or version numbers.
With identity-based elliptic curve cryptography, one implements the cryptographic system of the patent application "Elliptic curve cryptosystem based on identifier" (application number 20131052098.5), including its key service system and user-side crypto module; here the identity public key and private key are the elliptic curve public key and private key generated from the identifier. Further, the automatic identity-key update scheme of the patent application "Identification type cryptographic system and method for automatically updating and recovering private key" (application number 201410058689.3) can also be implemented. With identity-based elliptic curve cryptography there are two ways for the Web information system to obtain the currently valid identity public key of a cipher mark: one is to obtain it from the key service system and cache it; the other is to obtain it from the local key store of the user-side crypto module and submit it to the Web information system through the browser; the latter requires the identity public key to be signed by the key service system to ensure security (the X.509 format need not be used).
Whether IBC cryptographic techniques or identity-based elliptic curve cryptography is used, one scheme for completing the authentication of the user as the owner of the account or cipher mark from the decrypted random string by means of an HMAC data signature is as follows (other schemes may also be used): the user-side spooler merges the current time with the decrypted random string, then the crypto module generates a hash value of the merged data with a hashing algorithm (such as SHA-1), and the browser sends the current time together with the generated hash value to the Web information system; after receiving the data submitted by the browser, the Web information system first checks whether the difference between the time in the submitted data and the current time is within the prescribed time range; if so, it merges the time in the submitted data with the random string it previously returned to the client, generates a hash value of the merged data with the same hashing algorithm, and compares the hash value submitted by the user-side browser with the hash value it computed itself; if they agree, the user is proven to possess the currently valid identity private key of the cipher mark and is thereby confirmed to be the owner of the login account.
The spooler can be developed as a background process program running on the user-side computing device: on the one hand, this program receives requests, submitted in HTTP request form, to sign a random string or to decrypt an encrypted random string, and returns the result in HTTP response form; on the other hand, it calls the crypto module to sign the random string or decrypt the encrypted random string and to obtain the indication information of the public parameter set used for cryptographic operations with the cipher mark; further, the spooler pops up a human-machine interaction interface to show the user the one-time random password or passcode for logging in to the Web information system.
Corresponding to the spooler's way of receiving, via HTTP request and response, requests to sign a random string or decrypt an encrypted random string and returning the result, the user-side browser either submits the request to the spooler by an automatic HTTP POST and submits the result returned by the spooler to the Web information system by an automatic HTTP POST, or interacts with the spooler by Ajax and submits the result returned by the spooler to the Web information system.
If the Web information system also stores the digital signature over the account name and the cipher mark or its hash value, that signature data can be stored separately or together with the cipher mark or its hash value as the account's authentication data; if it is stored together with the cipher mark or its hash value as the account's authentication data, then in the implementation the account authentication data used in the user login operation includes the digital signature data obtained from the user account data. The Web information system uses a dedicated public key pair or a dedicated random string for this digital signature (public-key signature or HMAC signature).
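The HMAC variant of the account-record signature described here and in the earlier paragraph on detecting unauthorized modification of the account name and cipher-mark hash, as an added Python example that is not part of the patent. The server key, the length-prefixed merge encoding, the record layout and the function names are assumptions.

```python
import hashlib
import hmac

# Added example (not the patent's code): protects the stored pairing of
# account name and cipher-mark hash with an HMAC made by the Web information
# system, and gates login on verifying it.


def cipher_mark_hash(cipher_mark: str) -> bytes:
    """Hash of the user's identifier as stored in the account data."""
    return hashlib.sha256(cipher_mark.encode("utf-8")).digest()


def _merge(account_name: str, mark_hash: bytes) -> bytes:
    # Assumed encoding: length-prefix each field instead of plain concatenation,
    # so that two different (name, hash) pairs can never merge to the same bytes.
    name = account_name.encode("utf-8")
    return (len(name).to_bytes(2, "big") + name
            + len(mark_hash).to_bytes(2, "big") + mark_hash)


def make_account_record(server_key: bytes, account_name: str, cipher_mark: str) -> dict:
    """Build the stored record: account name, cipher-mark hash, and the signature over both."""
    mark_hash = cipher_mark_hash(cipher_mark)
    tag = hmac.new(server_key, _merge(account_name, mark_hash), hashlib.sha256).hexdigest()
    return {"account_name": account_name,
            "cipher_mark_hash": mark_hash.hex(),
            "record_sig": tag}


def verify_account_record(server_key: bytes, record: dict) -> bool:
    """Recompute the HMAC over the stored fields and compare in constant time."""
    mark_hash = bytes.fromhex(record["cipher_mark_hash"])
    expected = hmac.new(server_key, _merge(record["account_name"], mark_hash),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["record_sig"])


def begin_login(server_key: bytes, store: dict, account_name: str):
    """First step of login authentication: refuse to proceed if the record was altered.

    Returns the stored cipher-mark hash to continue with, or None to signal an error.
    """
    record = store.get(account_name)
    if record is None or not verify_account_record(server_key, record):
        return None
    return record["cipher_mark_hash"]
```

A record whose cipher-mark hash has been swapped for another identifier fails the check even though the account name is unchanged, which is the modification the signature exists to catch.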
To further strengthen the security of user login authentication, one of the following schemes can be used:
Scheme one: Before the spooler signs the returned random string or decrypts the returned encrypted random string with the identity private key of the cipher mark of the user account, it first pops up a human-machine interface to inform the user that a login is in progress and ask whether to continue;
Scheme two: A trusted Web information system is issued a digitally signed secure site token; when the user logs in to the Web information system, this secure site token is returned to the user-side browser together with the random string (encrypted or unencrypted) and submitted by the browser to the spooler; before the spooler calls the crypto module to sign the returned random string or decrypt the returned encrypted random string with the identity private key of the cipher mark of the user account, it first checks whether there is a trusted secure site token (signature valid and trusted); if there is no secure site token or the token's digital signature is untrusted, it pops up a human-machine interaction interface warning the user of the risk; if there is a trusted secure site token, it informs the user that the system to be accessed is trusted, shows the address of the website to be accessed, and asks the user whether to continue;
Scheme three: Before returning the random string or encrypted random string to the user-side browser, the Web information system first digitally signs the returned data with public-key cryptography, then returns the data; before the spooler calls the crypto module to sign the returned random string or decrypt the returned encrypted random string, it first verifies the digital signature of the data returned by the Web information system; if the returned data has no digital signature or the signature is untrusted, it pops up a human-machine interaction interface warning the user of the risk; if there is a digital signature and it is trusted, it informs the user that the system to be accessed is trusted and shows the address of the website to be accessed;
Scheme four: When the user-side browser sends the random string or encrypted random string returned by the Web information system to the spooler, it also sends the host address (host DNS domain name) of the Web information system the user is logging in to; before calling the crypto module to sign the returned random string or decrypt the returned encrypted random string with the identity private key of the cipher mark of the user account, the spooler first shows the user, through a human-machine interaction interface, the host address of the Web information system the browser is about to access and asks whether to continue; if the user chooses to continue, it signs the returned random string or decrypts the returned encrypted random string, then calls the crypto module to encrypt, with the public key of the Web information system, the login authentication data (the signed random string, or the decrypted random string returned directly, or the HMAC signature made with the decrypted random string), and returns the encrypted data to the browser, which submits it to the Web information system; after receiving the encrypted data returned by the browser, the Web information system first decrypts it with its own private key, then performs the further login authentication processing on the decrypted data; the public key of the Web information system may be an IBC public key of the Web information system (for example using the host address of the Web information system as the public key) or a public key issued by a trusted key service system (such as a CA certificate system) (for example an RSA or ECC public key issued in a digital certificate).
In addition to the above schemes, the Web information system can also improve system security by means of a server certificate and an SSL (Secure Socket Layer) secure transmission channel.
If the Web information system originally authenticates the account owner by account name plus password or passcode, and the system component that implements the technical scheme of the present invention for login account authentication is a security gateway placed in front of the Web information system, then the security gateway can be developed on the basis of a Web reverse proxy server (for example with Apache); if the system component implementing the technical scheme is a security plug-in built into the Web information system, then the security plug-in can be developed on the basis of a filter (such as ISAPI or a Servlet Filter) or other plug-in technology.
Other specific technical implementations not described here are well known to those skilled in the relevant art and need no explanation.

Claims (10)

1. A system for realizing user login authentication based on identity-based cryptography, the system comprising:
Web information system: a system developed with Web technology that provides information or application services to users; an identifier of the user, or the hash value of an identifier of the user, is stored in the user account data of the Web information system as the authentication data of the user's account in the Web information system; correspondingly, the user identifier stored in the user account data as the authentication data of the user account, or the user identifier whose hash value is stored in the user account data as the authentication data of the user account, is called the cipher mark corresponding to the user account, or the cipher mark of the user account for short; the cipher mark of the user account is entered by the user when registering the account with the Web information system, or is obtained and set by other means through an account management system or tool;
Browser: the client used by the user to access the Web information system; during user login the browser, through the spooler, digitally signs the random string returned by the Web information system with the identity private key of the cipher mark of the user's login account, or decrypts the encrypted random string data returned by the Web information system;
Spooler: a program running in the background of the user-side computing device; during user login it calls the crypto module to digitally sign the random string returned by the Web information system or to decrypt the encrypted random string data returned by the Web information system;
Crypto module: a user-side software component, or combined software and hardware component, that implements identity-based cryptographic techniques and performs cryptographic operations;
When a user accesses the Web information system with the browser and submits an account name to log in to an account, the Web information system completes the authentication of the user as the owner of the login account, by verifying that the user possesses the identity private key of the cipher mark, through the following digital signature mode or data encryption mode:
Digital signature mode: the Web information system returns the cipher mark of the user's login account and a generated random string to the user-side browser; the browser, through the spooler, calls the crypto module to sign the returned random string with the identity private key of the cipher mark of the user's login account, then submits the signed data of the random string to the Web information system; the Web information system uses the random string it returned to the browser and the identity public key of the cipher mark of the user's login account to verify the validity of the signed data of the random string submitted by the user-side browser, thereby confirming that the user is the owner of the cipher mark and hence the owner of the login account;
Data encryption mode: the Web information system returns to the user-side browser a randomly generated string encrypted with the identity public key of the cipher mark of the user's login account; the browser, through the spooler, calls the crypto module to decrypt the returned encrypted random string with the identity private key of the cipher mark of the user's login account, then completes the user login authentication operation either by returning the decrypted random string directly or by an HMAC digital signature made with the decrypted random string;
If the Web information system originally authenticates the account owner by account name plus password or passcode and keeps its original authentication method unchanged, and the system component of the Web information system that implements user login authentication based on identity-based cryptography is a security gateway placed in front of the Web information system or a security plug-in inserted into the request-response transmission channel of the Web information system, then the cipher mark of the user account or its hash value is stored as the password or passcode in the original password or passcode storage location of the user account data of the Web information system; after the security gateway or security plug-in has used the cipher mark of the user account to authenticate the user as the account owner, it submits to the Web information system, in the form of a login request, the user's account name together with the cipher mark of the account in place of the user's password or passcode, thereby completing the login, or submits the user's account name together with the hash value of the cipher mark of the account in place of the password or passcode in the form of a login request, thereby completing the login; the former corresponds to the case where the account authentication data stored in the user account data of the Web information system is the cipher mark of the user account, the latter to the case where it is the hash value of the cipher mark of the user account; in either case the Web information system itself performs account authentication of the user login by verifying the account name and password or passcode.
2. A user login authentication method using the system for realizing user login authentication based on identity-based cryptography of claim 1, characterized in that: if a cipher mark of the user is stored as the authentication data of the user account in the user account data of the Web information system, then when the user logs in to the Web information system with the browser, the Web information system, the user, the user-side browser and the spooler complete the user login authentication processing through the following data encryption mode:
Step I: the Web information system requires the user, through the browser, to enter the account name;
Step II: the user enters the account name and submits it to the Web information system through the browser;
Step III: after receiving the account name submitted by the user-side browser, the Web information system uses the received account name to obtain the cipher mark of the user account by looking up the authentication data of the corresponding user account in the user account data, then encrypts the name of the Web information system and a generated random string with the currently valid identity public key of the obtained cipher mark, and returns the encrypted Web information system name and random string to the user-side browser;
Step IV: after receiving the data returned by the Web information system, the user-side browser submits the received encrypted Web information system name and random string to the local spooler through the network communication mechanism, then prompts the user to enter the random password or passcode shown on the computing terminal into the browser's password or passcode input box;
Step V: after receiving the encrypted Web information system name and random string submitted by the browser, the local spooler calls the crypto module to decrypt them with the currently valid identity private key of the cipher mark of the user account, then shows the decrypted Web information system name and random string to the user through a human-machine interface on the computing terminal as the one-time random password or passcode for logging in to the Web information system;
Step VI: the user enters the random string shown by the spooler, as the one-time random password or passcode, into the browser's password or passcode input box, and the browser submits the random string entered by the user as the account password or passcode to the Web information system;
Step VII: after receiving the random string submitted as the account password or passcode by the user-side browser, the Web information system compares it with the plaintext of the random string it returned to the browser; if they agree, it confirms that the user is the owner of the user account corresponding to the submitted account name and allows the login, otherwise it refuses.
3. A user login authentication method using the system for realizing user login authentication based on identity-based cryptography of claim 1, characterized in that: if a cipher mark of the user is stored as the authentication data of the user account in the user account data of the Web information system, then when the user logs in to the Web information system with the browser, the Web information system, the user, the user-side browser and the spooler complete the user login authentication processing through the following data encryption mode:
Step 1: the Web information system requires the user, through the browser, to enter the account name;
Step 2: the user enters the account name and submits it to the Web information system through the browser;
Step 3: after receiving the account name submitted by the browser, the Web information system uses the received account name to obtain the cipher mark of the user account by looking up the authentication data of the corresponding user account in the user account data, then encrypts a generated random string with the currently valid identity public key of the obtained cipher mark, and returns the encrypted random string to the user-side browser;
Step 4: after receiving the data returned by the Web information system, the user-side browser submits the received encrypted random string to the spooler through the network communication mode and requests decryption of the encrypted random string;
Step 5: after receiving the decryption request submitted by the user-side browser, the spooler calls the crypto module to decrypt the encrypted random string with the currently valid identity private key of the cipher mark of the user account, then returns the decrypted random string to the user-side browser;
Step 6: after receiving the decrypted random string returned by the spooler, the user-side browser completes the user login authentication operation either by returning the decrypted random string directly or by an HMAC digital signature made with the decrypted random string.
4. A user login authentication method using the system for realizing user login authentication based on identity-based cryptography of claim 1, characterized in that: if the hash value of a cipher mark of the user is stored as the authentication data of the user account in the user account data of the Web information system, then when the user logs in to the Web information system with the browser, the Web information system, the user, the user-side browser and the spooler complete the user login authentication processing through the following data encryption mode:
Step 1: the Web information system requires the user, through the browser, to enter the account name and authentication data;
Step 2: the user enters the account name and the cipher mark of the account through the browser, the cipher mark of the account being entered as the authentication data, and the browser then submits the entered account name and the cipher mark, as the account authentication data, to the Web information system;
Step 3: after receiving the data submitted by the browser, the Web information system computes the hash value of the received cipher mark and compares it with the hash value of the cipher mark of the user account corresponding to the account name submitted by the user, as stored in the user account data of the Web information system; if they agree, it encrypts a generated random string with the currently valid identity public key of the cipher mark submitted by the user and returns the encrypted random string to the user-side browser; otherwise it returns an error;
Step 4: if the data returned by the Web information system indicates an error, the user-side browser reports the error; otherwise the user-side browser submits the received encrypted random string to the spooler through the network communication mode and requests decryption of the encrypted random string;
Step 5: after receiving the decryption request submitted by the user-side browser, the spooler calls the crypto module to decrypt the encrypted random string with the currently valid identity private key of the cipher mark of the user account, then returns the decrypted random string to the user-side browser;
Step 6: after receiving the decrypted random string returned by the spooler, the user-side browser completes the user login authentication operation either by returning the decrypted random string directly or by an HMAC digital signature made with the decrypted random string.
5. A user login discrimination method using the system for user login discrimination based on identification-type cryptography according to claim 1, characterized in that: if a cipher mark of the user is stored in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system using a browser, the Web information system, the user, the user-side browser and the background processing program complete the user login discrimination by the following digital signature mode:
First step: The Web information system requires, through the browser, that the user input an account name;
Second step: The user inputs the account name through the browser, and the browser submits the entered account name to the Web information system;
Third step: After receiving the account name submitted by the browser, the Web information system uses the received account name to query the user account data for the authentication data of the corresponding user account, thereby obtaining the cipher mark of the user account, and then returns the obtained cipher mark together with a randomly generated word string to the user-side browser;
Fourth step: After receiving the data returned by the Web information system, the user-side browser submits the received cipher mark and random word string to the background processing program by a network communication mechanism, requesting a digital signature on the returned random word string;
Fifth step: After receiving the request from the user-side browser to digitally sign the returned random word string, the background processing program calls the crypto module to digitally sign the random word string using the currently valid identity private key of the cipher mark of the user account, and then returns the signed data to the user-side browser;
Sixth step: After receiving the signed data for the random word string returned by the background processing program, the user-side browser submits the signed data to the Web information system;
Seventh step: After receiving the signed data for the random word string submitted by the browser, the Web information system verifies the validity of the signature on the signed data submitted by the browser, using the random word string it returned to the browser and the currently valid identity public key of the cipher mark of the user account; if the verification passes, it confirms that the user is the owner of the user account corresponding to the submitted account name and allows the user to log in; otherwise it refuses.
6. A user login discrimination method using the system for user login discrimination based on identification-type cryptography according to claim 1, characterized in that: if the hashed value of a cipher mark of the user is stored in the user account data of the Web information system as the authentication data of the user account, then when the user logs in to the Web information system using a browser, the Web information system, the user, the user-side browser and the background processing program complete the user login discrimination by the following digital signature mode:
Step 1: The Web information system requires, through the browser, that the user input an account name and authentication data;
Step 2: The user inputs the account name and the cipher mark of the account through the browser, the cipher mark of the account being entered as the authentication data; the browser then submits the entered account name, with the cipher mark as the authentication data of the account, to the Web information system;
Step 3: After receiving the data submitted by the browser, the Web information system calculates the hashed value of the received cipher mark and compares it with the hashed value of the cipher mark of the user account corresponding to the submitted account name, as stored in the user account data of the Web information system; if they are consistent, it returns the cipher mark submitted by the user together with a randomly generated word string to the user-side browser; otherwise it returns an error;
Step 4: If the data returned by the Web information system indicates an error, the user-side browser prompts the error; otherwise, the user-side browser submits the received cipher mark and random word string to the background processing program by a network communication mechanism, requesting a digital signature on the returned random word string;
Step 5: After receiving the request from the user-side browser to digitally sign the returned random word string, the background processing program calls the crypto module to digitally sign the random word string using the currently valid identity private key of the cipher mark of the user account, and then returns the signed data to the user-side browser;
Step 6: After receiving the signed data for the random word string returned by the background processing program, the user-side browser submits the signed data to the Web information system;
Step 7: After receiving the signed data for the random word string submitted by the browser, the Web information system verifies the validity of the signature on the signed data submitted by the browser, using the random word string it returned to the browser and the currently valid identity public key of the cipher mark of the user account; if the verification passes, it confirms that the user is the owner of the user account corresponding to the submitted account name and allows the user to log in; otherwise it refuses.
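The digital signature mode of claims 5 and 6, played out in Go as an added illustration that is not part of the patent: the Web information system stores only the hash of the cipher mark (claim 6), hands out a single-use random word string, and grants the login only if that string is signed by the key currently valid for the cipher mark. Ed25519 keys and an in-memory lookup table are assumptions standing in for the identification-type (IBC) key derivation, which the standard library does not provide; account names and cipher marks are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// IdentityKeyService answers "which public key is currently valid for this
// cipher mark". Assumption: a stand-in for the IBC key infrastructure, which
// would derive the key from the mark and the public parameter group instead.
type IdentityKeyService map[string]ed25519.PublicKey

// Enroll creates the key pair for a cipher mark and publishes its public key;
// the private key goes to the user-side background processing program only.
func (s IdentityKeyService) Enroll(mark string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s[mark] = pub
	return priv, nil
}

// WebSystem models the Web information system of claim 6: account data holds
// only SHA-256(cipher mark), never the mark's private key.
type WebSystem struct {
	markHash map[string][32]byte // account name -> hash of cipher mark
	pending  map[string][]byte   // account name -> outstanding random word string
	keys     IdentityKeyService
}

func NewWebSystem(keys IdentityKeyService) *WebSystem {
	return &WebSystem{map[string][32]byte{}, map[string][]byte{}, keys}
}

func (w *WebSystem) Register(name, mark string) { w.markHash[name] = sha256.Sum256([]byte(mark)) }

// BeginLogin is step 3: compare hashes in constant time, then issue a fresh
// random word string that the browser forwards to the background program.
func (w *WebSystem) BeginLogin(name, mark string) ([]byte, error) {
	stored, ok := w.markHash[name]
	h := sha256.Sum256([]byte(mark))
	if !ok || subtle.ConstantTimeCompare(h[:], stored[:]) != 1 {
		return nil, errors.New("account name and cipher mark do not match")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	w.pending[name] = nonce
	return nonce, nil
}

// SignChallenge is step 5 at the user side: only the holder of the identity
// private key can produce this signature.
func SignChallenge(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// FinishLogin is step 7: verify with the key currently valid for the mark.
// The challenge is consumed first, so a captured signature cannot be replayed.
func (w *WebSystem) FinishLogin(name, mark string, sig []byte) error {
	nonce, ok := w.pending[name]
	delete(w.pending, name)
	pub, known := w.keys[mark]
	if !ok || !known || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("login refused: random word string not validly signed")
	}
	return nil
}
```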
7. The system for user login discrimination based on identification-type cryptography according to claim 1, characterized in that: if the cipher mark of the user account is entered by the user when registering the account with the Web information system, then after receiving the user's account registration information, the Web information system first verifies, in the same way as in the account discrimination at user login (by the digital signature mode or the data encryption mode), that the user possesses the private key of the cipher mark entered at registration, thereby confirming that the user is the owner of the entered cipher mark; after the verification passes, it completes the user account registration and saves the registration information; otherwise it returns an error.
8. The system for user login discrimination based on identification-type cryptography according to claim 1, characterized in that: if the identification-type cryptographic technique adopted by the system is an IBC cryptographic technique and supports multiple different groups of public parameters for IBC crypto-operations, then the Web information system determines as follows the public parameter group to be used for crypto-operations with the cipher mark of the user account:
If, when logging in to the Web information system through the browser, the user enters and submits both the account name and the cipher mark as authentication data, then before submitting the cipher mark the browser first requests, by a network communication mechanism, that the background processing program return the indication information of the public parameter group used for crypto-operations with the cipher mark; after receiving the request, the background processing program calls the crypto module to query the indication information of the public parameter group used for crypto-operations with the cipher mark, and returns the indication information obtained by the query to the browser; after receiving the indication information of the public parameter group returned by the background processing program, the browser submits it to the Web information system together with the cipher mark; the Web information system then determines, from the indication information of the public parameter group submitted in the login request, the public parameter group to be used for crypto-operations with the cipher mark of the user account;
Otherwise, if the Web information system stores in the user account data the indication information of the public parameter group used for crypto-operations with the cipher mark of the user account, then before performing crypto-operations with the cipher mark of the user account the Web information system first determines the public parameter group to be used from the indication information of the public parameter group stored for the cipher mark in the user account data;
Otherwise, before performing crypto-operations with the cipher mark of the user account, the Web information system first returns the cipher mark of the user account to the user-side browser and requests the indication information of the public parameter group used for crypto-operations with the cipher mark; after receiving the cipher mark and the request returned by the Web information system, the user-side browser submits the received cipher mark, by a network communication mechanism, to the local background processing program at the user side and requests the indication information of the public parameter group used for crypto-operations with the cipher mark; the background processing program calls the crypto module to query the indication information of the public parameter group used for crypto-operations with the cipher mark of the user account, and returns the indication information obtained by the query to the user-side browser; the browser returns the indication information of the public parameter group for the obtained cipher mark to the Web information system; the Web information system determines the public parameter group to be used for crypto-operations with the cipher mark from the returned indication information;
Further, if the background processing program, when calling the crypto module to decrypt data that the Web information system encrypted with the cipher mark, finds that the Web information system has used an incorrect public parameter group, the background processing program updates, through the browser, the Web information system's indication information of the public parameter group used for crypto-operations with the cipher mark of the user account.
9. The system for user login discrimination based on identification-type cryptography according to claim 1, characterized in that: if the Web information system also stores in the user account data a digital signature over the merged data of the user account name and the cipher mark, or the hashed value of the cipher mark, of the user account, in order to prevent unauthorized modification of the user account name and of the cipher mark or hashed value of the cipher mark in the user account data, then, during the account discrimination at user login, after receiving the account name submitted by the browser, the Web information system first verifies the digital signature over the merged data of the account name and the cipher mark or hashed value of the cipher mark of the user account, to determine whether the user account name and the cipher mark or hashed value of the cipher mark stored in the account data of the Web information system have been modified; if they have been modified, it stops the login account discrimination and returns an error; otherwise it continues the account discrimination of the user login; the digital signature methods adopted for the digital signature over the merged data of the account name and the cipher mark or hashed value of the cipher mark include a symmetric-key digital signature based on HMAC and a digital signature based on an asymmetric-key cryptographic algorithm.
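The account-data seal of claim 9 in its HMAC (symmetric-key) variant, as an added example rather than the patent's own code: the seal binds the account name to the hash of the cipher mark, so that substituting a different hash, or attaching the hash to a different name, is detected before login discrimination starts. The record layout, the key and the account values are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

// AccountRecord is the user account data of claim 9: the account name, the
// hash of the cipher mark and a seal over both. Assumption: an illustrative
// layout, not the patent's own storage format.
type AccountRecord struct {
	Name     string
	MarkHash [32]byte
	Seal     []byte // HMAC-SHA256 over Name || MarkHash
}

// sealInput length-prefixes the name so that a (name, hash) pair cannot be
// re-split into a different pair that serialises to the same bytes.
func sealInput(name string, markHash [32]byte) []byte {
	buf := make([]byte, 4, 4+len(name)+32)
	binary.BigEndian.PutUint32(buf, uint32(len(name)))
	buf = append(buf, name...)
	return append(buf, markHash[:]...)
}

// NewAccountRecord computes the symmetric-key (HMAC) digital signature that
// the Web information system stores alongside the account data.
func NewAccountRecord(key []byte, name, cipherMark string) AccountRecord {
	h := sha256.Sum256([]byte(cipherMark))
	mac := hmac.New(sha256.New, key)
	mac.Write(sealInput(name, h))
	return AccountRecord{Name: name, MarkHash: h, Seal: mac.Sum(nil)}
}

// CheckRecord is the verification claim 9 places before login discrimination:
// it reports whether name and mark hash are still the pair that was sealed.
func CheckRecord(key []byte, r AccountRecord) bool {
	mac := hmac.New(sha256.New, key)
	mac.Write(sealInput(r.Name, r.MarkHash))
	return hmac.Equal(mac.Sum(nil), r.Seal)
}
```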
10. The user login discrimination method of the system for user login discrimination based on identification-type cryptography according to any one of claims 3-6, characterized in that: the user login discrimination method improves the security of the user login discrimination by one of the following schemes:
Scheme one: Before signing the random word string returned by the Web information system, or decrypting the returned encrypted random word string, with the identity private key of the cipher mark of the user account, the background processing program first pops up a human-machine interactive interface prompting the user that a login process is in progress and asking the user whether to continue;
Scheme two: A trusted Web information system has been issued a digitally signed secure site token; when the user logs in to the Web information system, this secure site token is returned to the user-side browser together with the random word string and is submitted by the browser to the background processing program; before calling the crypto module to sign the returned random word string, or to decrypt the returned encrypted random word string, with the identity private key of the cipher mark of the user account, the background processing program first checks whether a trusted secure site token is present; if there is no secure site token, or the digital signature of the secure site token is not trusted, it pops up a human-machine interactive interface prompting the user of the risk; if a trusted secure site token is present, it prompts the user that the system to be accessed is trusted, shows the address of the website the user is about to access, and asks the user whether to continue;
Scheme three: Before returning the random word string or the encrypted random word string to the user-side browser, the Web information system first digitally signs the returned data using public-key cryptography, and then returns the data; before calling the crypto module to sign the returned random word string or to decrypt the returned encrypted random word string, the background processing program first verifies the digital signature on the data returned by the Web information system; if the returned data carries no digital signature or the signature is not trusted, it pops up a human-machine interactive interface prompting the user of the risk; if the data carries a digital signature and the signature is trusted, it prompts the user that the system to be accessed is trusted and shows the address of the website the user is about to access;
Scheme four: When submitting the random word string or the encrypted random word string returned by the Web information system to the background processing program, the user-side browser also submits the host address of the Web information system the user is logging in to; before calling the crypto module to sign the returned random word string, or to decrypt the returned encrypted random word string, with the identity private key of the cipher mark of the user account, the background processing program first shows the user, through a human-machine interactive interface, the host address of the Web information system the current browser is about to access and asks the user whether to continue; if the user chooses to continue, it signs the returned random word string or decrypts the returned encrypted random word string, then calls the crypto module to encrypt, with the public key of the Web information system, the login discrimination data (the signed random word string, or the decrypted random word string returned directly, or the HMAC signature computed with the decrypted random word string), and then returns the encrypted data to the browser, which submits it to the Web information system; after receiving the encrypted data returned by the browser, the Web information system first decrypts the received encrypted data with the private key of the Web information system, and then performs further login discrimination processing on the decrypted data; the public key of the Web information system includes the IBC public key of the Web information system or a public key issued by a trusted key service system.
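Scheme three as seen from the background processing program, added here as an illustration and not the patent's code: the Web information system signs the random word string it returns, and the background program verifies that signature against the site keys it trusts before it touches the identity private key at all. As an assumption borrowed from scheme four, the signed data also carries the site's host address so the program can display it to the user; Ed25519 stands in for the site's IBC or key-service-issued public key, and the confirm callback models the "continue?" prompt.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// TrustedSites maps a Web information system's host address to the public key
// the background processing program trusts for it. Assumption: a stand-in for
// the site's IBC public key or a key issued by a trusted key service system.
type TrustedSites map[string]ed25519.PublicKey

// SignedChallenge is what the Web information system returns in scheme three:
// the random word string plus its signature. Assumption: the host address is
// part of the signed data so that the background program can show it.
type SignedChallenge struct {
	Host  string
	Nonce []byte
	Sig   []byte
}

// challengeBytes is the byte string both sides sign and verify.
func challengeBytes(host string, nonce []byte) []byte {
	return append([]byte(host+"\x00"), nonce...)
}

// IssueChallenge is the Web information system side: sign, then return.
func IssueChallenge(host string, sitePriv ed25519.PrivateKey) (SignedChallenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return SignedChallenge{}, err
	}
	sig := ed25519.Sign(sitePriv, challengeBytes(host, nonce))
	return SignedChallenge{Host: host, Nonce: nonce, Sig: sig}, nil
}

// ErrUntrustedSite is the case where the user is warned of risk instead of
// being shown the address and asked whether to continue.
var ErrUntrustedSite = errors.New("returned data not signed by a trusted Web information system")

// BackgroundSign is the background program's check before it uses the identity
// private key: verify the site's signature, show the host, then sign the
// random word string. confirm returns the user's answer from the interface.
func BackgroundSign(trusted TrustedSites, userPriv ed25519.PrivateKey, c SignedChallenge, confirm func(host string) bool) ([]byte, error) {
	pub, ok := trusted[c.Host]
	if !ok || !ed25519.Verify(pub, challengeBytes(c.Host, c.Nonce), c.Sig) {
		return nil, ErrUntrustedSite
	}
	if !confirm(c.Host) {
		return nil, errors.New("user declined to continue the login")
	}
	return ed25519.Sign(userPriv, c.Nonce), nil
}
```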
CN201410244543.8A 2014-06-04 2014-06-04 System and method for realizing user login identification based on identification type codes Active CN104038486B (en)

Publications (2)

Publication Number Publication Date
CN104038486A CN104038486A (en) 2014-09-10
CN104038486B true CN104038486B (en) 2017-05-10
