CN104378210B - Identity authentication method across trust domains - Google Patents

Identity authentication method across trust domains

Info

Publication number: CN104378210B
Authority: CN (China)
Prior art keywords: token, identity, authentication, application, certificate
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201410690822.7A
Other languages: Chinese (zh)
Other versions: CN104378210A (en)
Inventors: 方鸣睿, 汪仕兵, 杨宇, 秦凯, 刘小华, 邢朝阳, 原蓓蓓, 吴荣政
Current assignee: CHENGDU WESTONE INFORMATION SAFETY TECHNOLOGY Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: CHENGDU WESTONE INFORMATION SAFETY TECHNOLOGY Co Ltd
Priority date: 2014-11-26 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2014-11-26
Publication date: 2018-01-26
Events: application filed by CHENGDU WESTONE INFORMATION SAFETY TECHNOLOGY Co Ltd; priority to CN201410690822.7A; publication of CN104378210A; application granted; publication of CN104378210B; legal status Active (current); anticipated expiration.

Abstract

The invention discloses an identity authentication method across trust domains, comprising an identity authentication service module and an authentication terminal module. The identity authentication service module provides an identity token issuing service and an identity token verification service. The issuing service accepts identity token applications, encapsulates identity tokens and issues them. The verification service verifies identity tokens on the basis of a challenge, returns the user's application-system information on the basis of a legitimate token, and excludes disabled users from identity token verification by synchronising with LDAP or a CRL. The authentication terminal module comprises an identity token application module and a client cryptographic module; the identity token application module is responsible for applying for and maintaining identity tokens, and the client cryptographic module provides the client certificate and cryptographic operations. The invention achieves authentication once with network-wide access, and solves the trust problem that currently exists.

Description

Identity authentication method across trust domains
Technical field
The present invention relates to the field of identity authentication technology in information networks, and in particular to an identity authentication method across trust domains which, by means of an authentication token, enables access within a trust domain or across trust domains.
Background technology
Currently, in large networked environments such as government and commercial networks, different networks frequently use different trust systems, such as different CAs and different business systems. When sub-networks visit each other, the security mechanism requires repeated authentication in each sub-network, which creates a large information barrier and makes information sharing and interaction between the sub-networks inconvenient.
The content of the invention
In order to overcome the above shortcomings of the prior art, the invention provides an identity authentication method across trust domains that achieves authentication once with network-wide access and solves the trust problem that currently exists.
The technical solution adopted by the invention to solve the technical problem is an identity authentication method across trust domains comprising an identity authentication service module and an authentication terminal module;
The identity authentication service module provides an identity token issuing service and a verification service; the identity token issuing service accepts identity token applications, encapsulates identity tokens and issues them; the identity token verification service verifies identity tokens on the basis of a challenge, returns the user's application-system information on the basis of a legitimate token, and excludes disabled users from identity token verification by synchronising with LDAP or a CRL;
The authentication terminal module comprises an identity token application module and a client cryptographic module; the identity token application module is responsible for applying for and maintaining identity tokens; the client cryptographic module provides the client certificate and cryptographic operations.
Compared with the prior art, the positive effects of the invention are as follows. With PKI technology as its core and the identity token as the carrier, the invention achieves domain authentication and application-system single sign-on on the Windows and Linux platforms. It has the following advantages:
1) It solves the problem of user identity roaming across systems and departments;
2) It solves the problem of authenticating users across certificate domains;
3) It provides trusted transmission capability;
4) It solves the authentication problem of large collaborative application systems;
5) It standardises the identity authentication mode of application systems and simplifies the development of application-system authentication;
6) It achieves single sign-on between multiple application systems;
7) The carrier of the identity token, the Authentication Client, supports the Windows and Linux platforms;
8) The identity token is cross-platform, cross-language and extensible.
Brief description of the drawings
Embodiments of the present invention will be described with reference to the accompanying drawings, in which:
Fig. 1 is the flow chart of an application system authenticating a user.
Embodiments
The present invention is based on:
1. PKI digital signature technology, which signs the identity token, guarantees its validity and provides the basis for cross-domain authentication.
2. The XML language specification, which encapsulates the identity token and makes it cross-platform, cross-language and extensible.
3. WebService technology, which provides the cross-platform, cross-language identity token verification service.
4. OpenID technology, which standardises the identity authentication protocol.
5. COM technology, through which the token interface is called on the Windows platform.
6. FireFox plug-in technology, through which the token interface is called on the Linux platform.
An identity authentication method across trust domains comprises: the identity token issuing service and token verification service of the authentication server; the identity token application module of the Windows Authentication Client and the Windows token COM interface; the identity token application module of the Linux Authentication Client and the Linux Firefox token plug-in; and the client cryptographic module. Wherein:
Identity token: analogous to a resident identity card, it contains personal information (encryption and signing certificates, etc.), issuer information, the issuer's seal (signature) and the validity period. The identity token is encapsulated in XML, which gives it advanced properties such as being cross-platform, cross-language and extensible.
Identity token issuing service: accepts identity token applications, encapsulates tokens and issues them.
Identity token verification service: verifies identity tokens on the basis of a challenge and returns the user's application-system information on the basis of a legitimate token; it can also exclude disabled users from identity token verification by synchronising with LDAP or a CRL.
Identity token application module: supports the Windows and Linux platforms; applies for identity tokens, maintains them and checks the token's validity period in real time, ensuring that the identity token remains usable.
Windows token COM interface: provides the COM interface for token calls on the Windows platform, so that Windows applications in any language can conveniently call the token.
Linux Firefox token plug-in: provides the interface for token calls on the Linux platform, so that Linux applications can conveniently call it.
Client cryptographic module: provides the client certificate and cryptographic operations such as signing and signature verification.
The invention performs identity authentication on the basis of X.509 v3 digital certificates. A digital certificate is a statement issued by a CA that proves the unique correspondence between the certificate subject (the "certificate applicant" becomes the "certificate subject" once the certificate is issued) and the public key contained in the certificate. The certificate contains the name of the applicant and related information, the applicant's public key, the digital signature of the issuing CA and the certificate's validity period, among other content. Authentication by digital certificate avoids the security risks of traditional authentication by user name and password.
The authentication module takes PKI as its technical foundation and certificate verification as its basis of trust. After a user authenticates on one authentication server, that server issues the user a credential related to PKI technology and the certificate. With this credential the user can obtain the trust of other authentication facilities that support the authentication protocol standard of the invention, so that after logging in at one portal the user can roam without restriction into other trust domains.
The authentication module provides a secondary development interface for various application systems. An application system adapted according to the interface specification can use the identity authentication service provided by the authentication module.
Once an application system uses the identity authentication service, users no longer need to authenticate separately in each application system. A user need only pass authentication on the authentication server; an application program can then identify the user and obtain user information through the identity authentication service.
The authentication module can create account mapping relationships for users for each application system. An application system can rely on the user's proof of identity and its own application identifier to obtain the user's account information in its own system from the authentication service. This function can be used to retain the existing user information of an existing application system when it is adapted.
The identity authentication system based on the cross-trust-domain authentication mechanism uses a C/S architecture, and authentication client software needs to be deployed on terminal computers. The authentication client software serves as the UI program that interacts with the user and drives the security encryption device (USBKey). The user carries out PKI and certificate verification with the authentication server through the authentication client software; after authentication passes, the authentication server issues the client an identity token (the token contains the user's identity information, certificate information and related information about the authentication server and its certificate, and is signed with the authentication server's private key). With this token the user can prove his or her identity in different authentication domains.
The authentication module also defines a complete set of interface specifications and application-system development specifications. An application system developed to the specification can rely on the identity authentication service to implement authentication for its own system. Different application systems share the same identity authentication service; the authentication module can provide unified user identity information and authentication status to application systems, simplifying the user's authentication operations and achieving single sign-on.
The authentication module provides authentication services to application systems in two forms: SOA mode and OpenID mode. SOA mode supports all operating systems and all software development languages, but does not support unified login and unified management through a unified portal; OpenID mode supports only Web applications, but allows unified login and unified management through a unified portal.
SOA mode
In SOA mode the authentication module provides a WebService in the authentication service, and the terminal provides the user with a COM control or a FireFox plug-in. The flow by which an application system authenticates a user is shown in Fig. 1 and comprises the following steps:
Step 1: The Authentication Client logs in to the authentication server and is authenticated;
Step 2: After a successful login, the authentication server issues a token to the Authentication Client; the token contains the user's identity information, certificate information and related information about the authentication server and its certificate, and is signed with the authentication server's private key.
Step 3: The application client (such as the IE browser) requests access to the application server;
Step 4: The application server generates a random number R with its own program and issues a random-number challenge to the application client;
Step 5: The application client calls the Authentication Client interface to sign the random number R generated by the application server, and obtains the token issued by the authentication server to the Authentication Client in step 2;
Step 6: The Authentication Client submits the token issued by the authentication server in step 2 and the signature value Sign(R) of the random number R to the application client (IE browser);
Step 7: The application client submits the signature value Sign(R) of the random number R and the token to the application server;
Step 8: The application server submits the random number R, the random-number signature value Sign(R) and the token to the authentication server through the webservice API interface for verification;
Step 9: Using the preset root certificate chain file, the authentication server verifies the validity of the certificate of the authentication server identified in the token as its issuer, and decides, according to the administrator's authorisation, whether it should trust tokens issued by that authentication server. If these conditions are met, the authentication server extracts that authentication server's public key from the certificate, verifies the validity of the token, extracts the user's public key from the token, verifies the information from step 8 and produces the authentication result. The authentication result includes whether authentication succeeded, the user's identity information and the authentication server's signature; the authentication server returns the authentication result to the application server through the webservice.
The application server checks the authentication result returned by the authentication server; if verification in step 9 passed, the application server extracts the user information from the authentication result and uses it in its own business flow.
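The SOA-mode exchange above (steps 2 and 4 to 9), as an added example that is not part of the patent: a Go program in which the authentication server of domain A issues an XML-encapsulated, signed token, and the authentication server of domain B verifies that token together with the client's Sign(R) over B's challenge. The token element names, the ECDSA P-256 keys, and an administrator-maintained list of trusted issuer keys standing in for the preset root-certificate chain file are assumptions of this example, not details given by the patent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// IdentityToken is the step 2 token in XML. Element names are this example's assumption; the
// content (user identity and certificate key, issuing server key, validity) follows the patent.
type IdentityToken struct {
	User      string    `xml:"User"`
	UserKey   string    `xml:"UserPublicKey"`   // base64 DER public key from the user's certificate
	IssuerKey string    `xml:"IssuerPublicKey"` // base64 DER public key of the issuing server
	NotAfter  time.Time `xml:"NotAfter"`
}

type SignedToken struct{ Body, Sig []byte } // XML body plus the issuing server's signature over it
// AuthServer issues tokens for its own domain and verifies tokens from other domains. Trusted lists
// issuer keys the administrator authorised, standing in for the preset root-certificate chain file.
type AuthServer struct {
	Key     *ecdsa.PrivateKey
	Trusted map[string]bool
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func der(pub *ecdsa.PublicKey) string { return base64.StdEncoding.EncodeToString(must(x509.MarshalPKIXPublicKey(pub))) }
func NewAuthServer() *AuthServer { return &AuthServer{Key: newKey(), Trusted: map[string]bool{}} }

func sign(priv *ecdsa.PrivateKey, msg []byte) []byte { // client cryptographic module: ECDSA over SHA-256
	h := sha256.Sum256(msg)
	return must(ecdsa.SignASN1(rand.Reader, priv, h[:]))
}

func verifySig(b64Pub string, msg, sig []byte) bool {
	raw, err := base64.StdEncoding.DecodeString(b64Pub)
	if err != nil {
		return false
	}
	pub, err := x509.ParsePKIXPublicKey(raw)
	if ec, ok := pub.(*ecdsa.PublicKey); ok && err == nil {
		h := sha256.Sum256(msg)
		return ecdsa.VerifyASN1(ec, h[:], sig)
	}
	return false
}

// TrustIssuer records the administrator's decision to accept tokens signed by another domain's server.
func (a *AuthServer) TrustIssuer(pub *ecdsa.PublicKey) { a.Trusted[der(pub)] = true }
// Issue is step 2: after the client's PKI login, encapsulate identity and keys in XML and sign it.
func (a *AuthServer) Issue(user string, userPub *ecdsa.PublicKey, ttl time.Duration) SignedToken {
	body := must(xml.Marshal(IdentityToken{User: user, UserKey: der(userPub),
		IssuerKey: der(&a.Key.PublicKey), NotAfter: time.Now().Add(ttl)}))
	return SignedToken{Body: body, Sig: sign(a.Key, body)}
}

// Verify is step 9: trusted issuer, intact and unexpired token, and Sign(R) made by the token's user key.
func (a *AuthServer) Verify(st SignedToken, R, sigR []byte) (string, error) {
	var tok IdentityToken
	switch {
	case xml.Unmarshal(st.Body, &tok) != nil:
		return "", errors.New("malformed token")
	case !a.Trusted[tok.IssuerKey]:
		return "", errors.New("issuer not authorised by administrator")
	case !verifySig(tok.IssuerKey, st.Body, st.Sig):
		return "", errors.New("token signature invalid")
	case time.Now().After(tok.NotAfter):
		return "", errors.New("token expired")
	case !verifySig(tok.UserKey, R, sigR):
		return "", errors.New("challenge signature does not match the token holder")
	}
	return tok.User, nil
}

func main() {
	a, b, alice := NewAuthServer(), NewAuthServer(), newKey() // domains A and B, and alice's key pair
	b.TrustIssuer(&a.Key.PublicKey)                           // B's administrator authorises tokens issued by A
	tok := a.Issue("alice", &alice.PublicKey, time.Hour)      // step 2: alice logs in at A and receives a token
	R := make([]byte, 16)                                     // step 4: random challenge from an application server in B
	must(rand.Read(R))
	fmt.Println(b.Verify(tok, R, sign(alice, R))) // steps 5 to 9: B checks Sign(R) and the token; prints "alice <nil>"
}
```

The example omits the LDAP/CRL synchronisation that the patent uses to exclude disabled users; in a deployment that check would sit between the issuer check and the challenge check.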
OpenID mode
The OpenID-based authentication mode requires an authentication plug-in to be deployed on the application server. The OpenID authentication mode can rely on the SOA authentication mode; its solution is as follows:
1) When the application system starts, it calls the authentication plug-in to authenticate with the authentication server and negotiate a communication key;
2) The user opens the IE browser and accesses the application server;
3) The application server detects that the user is not authenticated and redirects the user's request to the authentication service of the authentication server;
4) The authentication page of the authentication server opens the authentication client by calling the COM control;
5) The user inserts the USBKey into the authentication client and triggers authentication between it and the authentication server;
6) After the authentication client passes authentication, it obtains a token from the authentication server;
7) The authentication page identifies the user with the SOA-mode authentication flow and obtains the user's identity information from the authentication service;
8) According to the OpenID protocol specification, the authentication page produces a ticket for the user information using the key negotiated with the application server plug-in;
9) The authentication page places the ticket in the browser session and redirects back to the application server;
10) The application server obtains the ticket from the session and verifies its validity using the communication key shared with the authentication server;
11) If the ticket is valid, the application server obtains the user information from the ticket and starts its own business flow.
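Steps 8, 10 and 11 of the OpenID mode, as an added example (not code from the patent): the authentication page produces the ticket for the user information under the key negotiated with the application server plug-in, and the plug-in verifies it before releasing the user information. The ticket layout (JSON body plus HMAC-SHA256 tag), the expiry field and the way the negotiated key is represented are assumptions of this example; the patent specifies none of them.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Ticket is what the authentication page issues in step 8 once the SOA flow has identified the
// user: the user information plus an expiry. This layout is an assumption of the example; the
// patent only says the ticket covers the user information and is checked with the negotiated key.
type Ticket struct {
	User    string    `json:"user"`
	Expires time.Time `json:"exp"`
}

// negotiateKey stands in for step 1, where the plug-in and the authentication server
// authenticate each other and agree a communication key; here one random key is simply shared.
func negotiateKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func tag(key, body []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return m.Sum(nil)
}

// IssueTicket is step 8: encode the ticket and append an HMAC-SHA256 under the negotiated key,
// in a URL-safe form that can be carried in the browser session (step 9).
func IssueTicket(key []byte, user string, ttl time.Duration) (string, error) {
	body, err := json.Marshal(Ticket{User: user, Expires: time.Now().Add(ttl)})
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(body) + "." + enc.EncodeToString(tag(key, body)), nil
}

// VerifyTicket is step 10 in the application server plug-in: recompute the HMAC with its copy of
// the key, compare in constant time, then check expiry; the user information is released only then.
func VerifyTicket(key []byte, ticket string) (string, error) {
	b64Body, b64Tag, ok := strings.Cut(ticket, ".")
	enc := base64.RawURLEncoding
	body, err1 := enc.DecodeString(b64Body)
	mac, err2 := enc.DecodeString(b64Tag)
	if !ok || err1 != nil || err2 != nil || !hmac.Equal(mac, tag(key, body)) {
		return "", errors.New("ticket authentication failed")
	}
	var t Ticket
	if err := json.Unmarshal(body, &t); err != nil {
		return "", err
	}
	if time.Now().After(t.Expires) {
		return "", errors.New("ticket expired")
	}
	return t.User, nil
}

func main() {
	key := negotiateKey() // step 1: shared by the authentication page and the application server plug-in
	ticket, err := IssueTicket(key, "alice", 5*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Println(VerifyTicket(key, ticket)) // step 11: prints "alice <nil>"
}
```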

Claims (4)

1. An identity authentication method across trust domains, comprising an identity authentication service module and an authentication terminal module, characterised in that:
The identity authentication service module provides an identity token issuing service and a verification service; the identity token issuing service accepts identity token applications, encapsulates identity tokens and issues them; the identity token verification service verifies identity tokens on the basis of a challenge, returns the user's application-system information on the basis of a legitimate token, and excludes disabled users from identity token verification by synchronising with LDAP or a CRL;
The identity authentication service module provides authentication services to application systems in SOA mode, with the following specific steps:
Step 1: The Authentication Client logs in to the authentication server and is authenticated;
Step 2: After a successful login, the authentication server issues a token to the Authentication Client; the token contains the user's identity information, certificate information and related information about the authentication server and its certificate, and is signed with the authentication server's private key;
Step 3: The application client requests access to the application server;
Step 4: The application server generates a random number R with its own program and issues a random-number challenge to the application client;
Step 5: The application client calls the Authentication Client interface to sign the random number R generated by the application server, and obtains the token issued by the authentication server to the Authentication Client in step 2;
Step 6: The Authentication Client submits the token issued by the authentication server in step 2 and the signature value Sign(R) of the random number R to the application client;
Step 7: The application client submits the signature value Sign(R) of the random number R and the token to the application server;
Step 8: The application server submits the random number R, the random-number signature value Sign(R) and the token to the authentication server through the webservice API interface for verification;
Step 9: Using the preset root certificate chain file, the authentication server verifies the validity of the certificate of the authentication server identified in the token as its issuer, and decides according to the administrator's authorisation whether to trust tokens issued by that authentication server; if trusted, the authentication server extracts that authentication server's public key from the certificate, verifies the validity of the token, then extracts the user's public key from the token, verifies the information from step 8, produces the authentication result and returns it to the application server through the webservice; the application server checks the authentication result: if verification in step 9 passed, the application server extracts the user information from the authentication result and uses it in its own business flow;
The authentication terminal module comprises an identity token application module and a client cryptographic module; the identity token application module is responsible for applying for and maintaining identity tokens; the client cryptographic module provides the client certificate and cryptographic operations.
2. The identity authentication method across trust domains according to claim 1, characterised in that the identity token application module comprises an identity token application module based on the Windows Authentication Client and an identity token application module based on the Linux Authentication Client.
3. The identity authentication method across trust domains according to claim 1, characterised in that the identity token is encapsulated in XML.
4. The identity authentication method across trust domains according to claim 1, characterised in that the identity authentication service module provides authentication services to application systems in OpenID mode, with the following specific steps:
1) When the application system starts, it calls the authentication plug-in to authenticate with the authentication server and negotiate a communication key;
2) The user opens the IE browser and accesses the application server;
3) When the application server detects that the user is not authenticated, it redirects the user's request to the authentication service of the authentication server;
4) The authentication page of the authentication server opens the authentication client by calling the COM control;
5) The user inserts the USBKey into the authentication client and triggers authentication between it and the authentication server;
6) After the authentication client passes authentication, it obtains a token from the authentication server;
7) The authentication page identifies the user with the SOA-mode authentication flow and obtains the user's identity information from the authentication service;
8) According to the OpenID protocol specification, the authentication page produces a ticket for the user information using the key negotiated with the application server plug-in;
9) The authentication page places the ticket in the browser session and redirects back to the application server;
10) The application server obtains the ticket from the session and verifies its validity using the communication key shared with the authentication server;
11) If the ticket is valid, the application server obtains the user information from the ticket and starts its own business flow.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410690822.7A CN104378210B (en) 2014-11-26 2014-11-26 Identity authentication method across trust domains

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410690822.7A CN104378210B (en) 2014-11-26 2014-11-26 Identity authentication method across trust domains

Publications (2)

Publication Number Publication Date
CN104378210A CN104378210A (en) 2015-02-25
CN104378210B true CN104378210B (en) 2018-01-26

Family

ID=52556891

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410690822.7A Active CN104378210B (en) 2014-11-26 2014-11-26 Identity authentication method across trust domains

Country Status (1)

Country Link
CN (1) CN104378210B (en)

Families Citing this family (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105791259B (en) * 2015-10-26 2018-11-16 北京中金国盛认证有限公司 A kind of method of personal information protection
CN108476216B (en) * 2016-03-31 2021-01-22 甲骨文国际公司 System and method for integrating a transactional middleware platform with a centralized access manager for single sign-on in an enterprise-class computing environment
CN105978855B (en) * 2016-04-18 2018-11-23 南开大学 Personal information safety protection system and method under a kind of system of real name
GB2553376A (en) * 2016-09-06 2018-03-07 Trustonic Ltd Future constraints for hierarchical chain of trust
US10382441B2 (en) * 2016-10-13 2019-08-13 Honeywell International Inc. Cross security layer secure communication
CN107454077B (en) * 2017-08-01 2020-05-19 北京迪曼森科技有限公司 Single sign-on method based on IKI identification authentication
US10505916B2 (en) * 2017-10-19 2019-12-10 T-Mobile Usa, Inc. Authentication token with client key
CN107995185A (en) * 2017-11-28 2018-05-04 北京信安世纪科技有限公司 A kind of authentication method and device
CN107800725B (en) * 2017-12-11 2023-08-29 公安部第一研究所 Remote online management device and method for digital certificates
CN108574576B (en) * 2018-04-26 2021-05-28 中科边缘智慧信息科技(苏州)有限公司 Cross-cloud-boundary authentication method based on Kerberos system
CN109150862B (en) * 2018-08-03 2021-06-08 福建天泉教育科技有限公司 Method and server for realizing token roaming
CN109688098B (en) * 2018-09-07 2022-05-20 平安科技(深圳)有限公司 Method, device and equipment for secure communication of data and computer readable storage medium
CN109388937B (en) * 2018-11-05 2022-07-12 用友网络科技股份有限公司 Single sign-on method and sign-on system for multi-factor identity authentication
CN109274694A (en) * 2018-11-14 2019-01-25 天津市国瑞数码安全系统股份有限公司 A kind of general cross-domain authentication method based on mark
CN109347857A (en) * 2018-11-14 2019-02-15 天津市国瑞数码安全系统股份有限公司 A kind of general inter-network authentication method based on mark
CN111865598B (en) * 2019-04-28 2022-05-10 华为技术有限公司 Identity verification method and related device for network function service
CN111464535A (en) * 2020-03-31 2020-07-28 中国电子科技集团公司第三十研究所 Cross-domain trust transfer method based on block chain
CN111541658A (en) * 2020-04-14 2020-08-14 许艺明 PCIE prevents hot wall
CN113420282B (en) * 2021-06-12 2022-03-01 济南浪潮数据技术有限公司 Cross-site single sign-on method and device
CN113626840A (en) * 2021-07-23 2021-11-09 曙光信息产业(北京)有限公司 Interface authentication method and device, computer equipment and storage medium
CN114363015B (en) * 2021-12-17 2024-03-15 上海大智慧申久信息技术有限公司 Customer identity authentication method and system under multi-account system
CN114900344A (en) * 2022-04-26 2022-08-12 四川智能建造科技股份有限公司 Identity authentication method, system, terminal and computer readable storage medium
CN116049802B (en) * 2023-03-31 2023-07-18 深圳竹云科技股份有限公司 Application single sign-on method, system, computer equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101242272A (en) * 2008-03-11 2008-08-13 南京邮电大学 Realization method for cross-grid secure platform based on mobile agent, assertion
CN101534192A (en) * 2008-03-14 2009-09-16 西门子公司 System used for providing cross-domain token and method thereof
CN103701823A (en) * 2013-12-31 2014-04-02 曙光云计算技术有限公司 Single-point logging in method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140189827A1 (en) * 2012-12-27 2014-07-03 Motorola Solutions, Inc. System and method for scoping a user identity assertion to collaborative devices

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research and Implementation of a PKI-Based Identity Authentication System; 杨宇; China Master's Theses Full-text Database, Information Science and Technology; 2009-11-15 (No. 11); full text *

Also Published As

Publication number Publication date
CN104378210A (en) 2015-02-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant