CN104468074A - Method and equipment for authentication between applications - Google Patents

Method and equipment for authentication between applications

Info

Publication number: CN104468074A
Authority: CN (China)
Prior art keywords: application program; KDC; session key; certificate server; ticket
Legal status: Pending
Application number: CN201310428372.XA
Other languages: Chinese (zh)
Inventors: 翟永恒, 陈自力, 杨飞, 曹华俊
Current assignees: Beijing Samsung Telecom R&D Center; Beijing Samsung Telecommunications Technology Research Co Ltd; Samsung Electronics Co Ltd
Original assignees: Beijing Samsung Telecommunications Technology Research Co Ltd; Samsung Electronics Co Ltd
Application filed by Beijing Samsung Telecommunications Technology Research Co Ltd and Samsung Electronics Co Ltd; priority to CN201310428372.XA; published as CN104468074A.
Abstract

Provided is a method for authentication between applications, comprising the following steps: sending information of an application and an authentication request of an authentication server to a key distribution center KDC; receiving a session key and a ticket generated by the KDC; decrypting the session key according to a public key PUB_KEY1, generating an authenticator and sending the authenticator and the ticket to the authentication server; and receiving an authentication result of the application sent by the authentication server. The embodiment of the invention further provides a key distribution center and a client. According to the scheme provided by the invention, when an application is authenticated, a key used for encryption in the process of transmission is a short-term key, so that the possibility that the key might be maliciously monitored and intercepted is reduced; and through the introduction of the KDC, the client and the server can adopt different encryption algorithms for encryption, thus effectively enhancing the security of the authentication process. Through the KDC, whether a client to be verified is trusted or not can be verified, and whether a server is trusted or not can be verified, so that the hidden security problems existing in the application authentication process in the prior art are solved.

Description

Method and apparatus for authentication between applications
Technical field
The present invention relates to the field of application programs and, specifically, to a method and apparatus for authentication between applications.
Background
At present, on the Android platform, authentication between Android applications is usually based on a server-client mechanism: the server is an application authentication server (App Auth Server), the client is an Android application (Android app), and server and client authenticate each other by sharing one public/private key pair. Specifically, the network side generates the key pair; the private key is kept at the server, and the client can obtain the public key through a REST API. When a client (an Android application) first registers with the server, the server computes a hash value over the client's APK binary package, generates a signature over that hash value with a symmetric encryption algorithm, and stores it in the server-side database. When mutual-trust access is initiated between clients (Android applications), the Android application has to be authenticated. When a client wishes to authenticate another client (another Android application), the requesting client sends the information of the client to be verified to the server; the server returns the signed hash value of that client; the requesting client verifies the signature with the public key it obtained earlier, and once verification passes, authentication of the client to be verified is complete.
The above prior-art authentication method has one or more of the following defects:
1. The public/private key pair maintained by the client and the server is a long-term key (Long-term Key) that never changes, and such an unchanging long-term key must also be transmitted over the network, which is a potential safety hazard. The reason is simple: once a packet encrypted with the unchanging long-term key has been captured by a hostile network monitor, the original data can in principle be recovered given enough time.
2. Client and server must use the same algorithm for encryption, and keeping the algorithm secret is itself a security risk.
3. Repeated authentication requests between client and server follow exactly the same flow as a single request, which makes them easy to monitor or intercept on a hostile network.
4. The above verification flow can only verify whether the client to be verified is trustworthy; it cannot verify whether the server is trustworthy.
For these reasons an effective authentication mechanism is needed to overcome the shortcomings of authentication between applications.
Summary of the invention
The object of the present invention is to solve at least one of the above technical defects, in particular by introducing a KDC (Key Distribution Center) and using a short-term key (Short-term Key) together with a timestamp (Timestamp) to solve one or more of the problems noted above, while simplifying the integration of the application-authentication function externally and strengthening the extensibility of its internal implementation.
In one aspect, an embodiment of the present invention proposes a method for authentication between applications, comprising the following steps:
sending the information of the application and a verification request for the authentication server to the KDC;
receiving the session key (Session Key) and the ticket (Ticket) generated by the KDC;
decrypting the Session Key according to the public key PUB_KEY1, generating an authenticator (Authenticator), and sending the Authenticator and the Ticket to the authentication server;
receiving the authentication result for the application sent by the authentication server.
In another aspect, an embodiment of the present invention proposes a KDC, comprising a receiving module, an encryption module and a sending module:
the receiving module receives the information of the application and the verification request for the authentication server;
the encryption module encrypts the information of the application and generates the Session Key and the Ticket;
the sending module sends the Session Key and the Ticket.
In a further aspect, an embodiment of the present invention proposes a client, comprising a receiving module, a decryption module, an encryption module and a sending module:
the receiving module receives the Session Key and the Ticket generated by the KDC, and receives the authentication result for the application sent by the authentication server;
the decryption module decrypts the Session Key according to the public key PUB_KEY1;
the encryption module generates the Authenticator;
the sending module sends the information of the application and the verification request for the authentication server to the KDC, and sends the Authenticator and the Ticket to the authentication server.
With the above scheme, the key used for encryption during transmission while an application is authenticated is valid only for a short time, which reduces the chance of it being maliciously monitored and intercepted; in addition, by introducing the KDC, client and server can use different encryption algorithms, which effectively strengthens the security of the authentication process. By introducing the KDC, not only can the trustworthiness of the client to be verified be checked, the trustworthiness of the server can be checked at the same time, solving the potential safety hazard in prior-art application authentication. Moreover, the scheme changes the existing system very little, does not affect system compatibility, and is simple and efficient to implement.
Additional aspects and advantages of the present invention will be set out in part in the following description; they will become apparent from the description or be learned by practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of the embodiments with reference to the drawings, in which:
Fig. 1 is a flowchart of the method for authentication between applications according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the processing flow of the KDC;
Fig. 3 is a schematic diagram of the processing flow of the client;
Fig. 4 is a schematic diagram of the decryption flow in verification by the authentication server;
Fig. 5 is a schematic diagram of the verification flow in verification by the authentication server;
Fig. 6 is a schematic structural diagram of the authentication system.
Detailed description
Embodiments of the present invention are described in detail below; examples of the embodiments are shown in the drawings, where the same or similar reference signs denote the same or similar elements, or elements with the same or similar functions, throughout. The embodiments described below with reference to the drawings are exemplary and serve only to explain the present invention; they are not to be construed as limiting it.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "the" and "said" used herein may also include the plural. It should be further understood that the word "comprises" used in this specification means that the stated features, integers, steps, operations, elements and/or components are present, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. When an element is said to be "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intermediate elements may be present. "Connected" or "coupled" as used herein may include wireless connection or coupling. The term "and/or" used herein includes any and all combinations of one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by one of ordinary skill in the art to which the present invention belongs. Terms such as those defined in general dictionaries should be understood to have a meaning consistent with their meaning in the context of the prior art and, unless defined as herein, are not to be interpreted in an idealized or overly formal sense.
Those skilled in the art will understand that "terminal" and "terminal equipment" as used herein include both devices with only a wireless signal receiver and no transmit capability and devices with receive and transmit hardware capable of two-way communication over a bidirectional link. Such devices may include: cellular or other communication devices with or without a multi-line display; personal communications system (PCS) devices that may combine voice and data processing, fax and/or data communication capability; PDAs (Personal Digital Assistants) that may include a radio-frequency receiver, pager, Internet/intranet access, web browser, notepad, calendar and/or a global positioning system (GPS) receiver; and/or conventional laptop and/or palmtop computers or other devices including a radio-frequency receiver. The "terminal" or "terminal equipment" used here may be portable, transportable, installed in a vehicle (air, sea and/or land), or adapted and/or configured to operate locally and/or in distributed form at any other location on earth and/or in space. The "terminal" or "terminal equipment" may also be a communication terminal, an access terminal or a music/video playback terminal, for example a PDA, MID and/or a mobile phone with music/video playback functions, or equipment such as a smart TV or a set-top box.
In the following description, some of the embodiments proposed by the present invention are described for the Android technology platform. It should be understood that the technical scheme disclosed by the present invention is equally applicable to other technology platforms. The scheme for authentication between applications proposed here is a general one; describing it for the Android platform serves only to explain the present invention better and is not to be interpreted as limiting it.
To achieve the object of the present invention, the method for authentication between applications proposed here introduces a KDC and uses a short-term Session Key and a Timestamp to solve one or more of the problems noted above.
An embodiment of the present invention proposes a method for authentication between applications, comprising the following steps:
sending the information of the application and a verification request for the authentication server to the KDC;
receiving the Session Key and the Ticket generated by the KDC;
decrypting the Session Key according to the public key PUB_KEY1, generating the Authenticator, and sending the Authenticator and the Ticket to the authentication server;
receiving the authentication result for the application sent by the authentication server.
To make the present invention easier to follow, the terms it uses are briefly explained as follows:
KDC: Key Distribution Center, a third party that manages the authentication between client and server;
Session Key: a short-term key with a short life cycle, generally valid for one request or one transaction cycle; the Session Key is encrypted in transit and must be decrypted by the recipient before it can be used;
Ticket: a special tag generated by the KDC at the time of use and forwarded by the client to the server for identification; the Ticket contains, for example, the information of the application to be authenticated, the Session Key and an HMAC signature; the Ticket is encrypted in transit and must be decrypted by the recipient. HMAC is a keyed Hash-based Message Authentication Code: an HMAC computation feeds a key and a message into a hash algorithm (for example MD5 or SHA1) and produces a message digest as output; that output is the HMAC signature;
Authenticator: a special authentication code that contains, for example, the information of the application to be authenticated and a Timestamp of the current time; it is encrypted with the Session Key in transit and must be decrypted by the recipient.
With the technical scheme disclosed here, as with the existing mechanism, the client (the application) must first register with the application's authentication server. The difference is that the KDC now also takes part: through the KDC, the authentication server obtains the public key of a key pair shared between it and the KDC, generates the HMAC signature of the corresponding application's APK package, and stores it in the authentication server's local database.
Specifically, two key pairs can be used in the present invention:
A. a key pair shared between the client and the KDC: the client keeps the public key and the KDC keeps the private key; for convenience of description, the client's public key is called PUB_KEY1 and the KDC's corresponding private key PRI_KEY1;
B. a key pair shared between the authentication server and the KDC: the authentication server keeps the public key and the KDC keeps the private key; for convenience, the authentication server's public key is called PUB_KEY2 and the KDC's corresponding private key PRI_KEY2.
As shown in Fig. 1, the flowchart of the method for authentication between applications according to an embodiment of the present invention comprises the following steps:
S110: send the information of the application and a verification request for the authentication server to the KDC;
S120: receive the Session Key and the Ticket generated by the KDC;
S130: decrypt the Session Key according to the public key PUB_KEY1, generate the Authenticator, and send the Authenticator and the Ticket to the authentication server;
S140: receive the authentication result for the application sent by the authentication server.
The above embodiment essentially covers the basic flow of the present invention. For example, when a master application (Master App) initiates a request call to a slave application (Slave App), the slave application performs steps S110 to S120, requesting and receiving from the KDC a Session Key and a Ticket with a short life cycle, and then performs step S130, forwarding the Ticket directly to the application authentication server, which authenticates the Ticket. Verification of the slave application by the corresponding master application follows the same flow.
With this scheme, when an application is authenticated, the key used for encryption during transmission is valid only for a short time, reducing the chance of malicious monitoring and interception; in addition, by introducing the KDC, client and server can encrypt with different algorithms, which effectively strengthens the security of the authentication process. By introducing the KDC, not only the trustworthiness of the client to be verified but also that of the server can be checked, solving the potential safety hazard of prior-art application authentication.
The above steps are further described below in conjunction with specific embodiments of the present invention.
S110: send the information of the application and a verification request for the authentication server to the KDC.
In step S110, the information of the application sent to the KDC comprises:
the name of the application, the version of the application and the APK binary package of the application.
For an Android application acting as the client, it is, for example, the master application (Master App) that sends the name, version and APK binary package of the slave application (Slave App) to the KDC.
As an embodiment of the present invention, the first Android application (Android Application) may be either the master application (Master App) or the slave application (Slave App), and the second Android application may likewise be either the master or the slave application; this does not affect the implementation of the present invention. For example, the master application requests a call to a slave application and may need to use the result value returned by the slave application; the slave application is an auxiliary application called on request by the master application, and it returns the corresponding result value to the master application.
In step S110, the first Android application requests a call to the second Android application; the second Android application sends the received name, version and APK binary package of the first Android application, together with the request to be verified by the application authentication server (App Auth Server), to the KDC. This can be understood as: "I am a certain application on the platform, and I need a Session Key to request verification by the authentication server."
An important role has to be introduced here: the KDC. Throughout the application authentication flow, the KDC acts as a third party trusted jointly by client and server, and the authentication process is carried out cooperatively by these three parties.
S120: receive the Session Key and the Ticket generated by the KDC.
As an embodiment of the present invention, generation of the Session Key by the KDC comprises:
the KDC generates the Session Key and encrypts it with the private key PRI_KEY1.
As an embodiment of the present invention, generation of the Ticket by the KDC comprises:
the KDC produces the copy of the Session Key for the authentication server, encrypted with the private key PRI_KEY2;
the KDC computes an HMAC signature over the APK binary package of the application with the HMAC Key;
the KDC encrypts the information of the application, the signature of the application's APK binary package and the Session Key with the private key PRI_KEY2, generating the Ticket.
That is, in step S120, when the KDC receives the name, version and APK binary package of the application, it performs a series of operations to generate the short-lived Session Key and the encapsulated Ticket, and returns them to the Android application that made the request.
To describe this stage in more detail, the processing flow of the KDC shown in Fig. 2 comprises the following steps:
S210: receive the information sent by the application.
In step S210, the received information comprises the information of the application and the verification request for the authentication server. That is, an application sends the KDC a request: "I am a certain application on the platform; I need a Session Key to request verification by the authentication server", and the data sent with the request include the name, version and APK binary package of the application.
S220: generate the Session Key and encrypt it.
In step S220, having received the request, the KDC generates a short-lived Session Key. To ensure that this Session Key is known only to the requesting application and to the authentication server it wishes to access, the KDC generates two copies (files) of the Session Key, one for the application and one for the authentication server, and symmetrically encrypts each copy with the corresponding private key of the application and of the authentication server respectively. The Session Key file for the authentication server additionally carries, encrypted together with the Session Key, some information about the application: the application's name, version, the HMAC signature of its APK binary package and the APK binary package itself.
S230: generate the Ticket and encrypt it.
Next, to produce the HMAC signature of the application's APK binary package, the KDC takes the HMAC Key shared between the KDC and the authentication server, computes a digest over the APK binary package and encrypts it to produce the signature. The Session Key for the authentication server, the name and version of the APK, the HMAC signature of the APK binary package and the APK binary package are then encrypted together with the private key agreed with the authentication server; the encrypted package is called the Ticket.
S240: transmit the Session Key and the Ticket.
As an embodiment of the present invention, the KDC could send these two files, the encrypted Session Key and the Ticket, to the application and to the authentication server respectively. Doing so may raise two problems. First, the authentication server may face many different applications, each with a different Session Key; it would then have to maintain a list of Session Keys for all applications, which may be inefficient and cumbersome. Second, network transmission is unstable: the application may receive its encrypted Session Key quickly and send it to the authentication server as proof of identity while the authentication server has not yet received its own copy, so the application cannot be authenticated.
Therefore, as a preferred embodiment, the present invention can adopt another mechanism: the KDC sends the encrypted Session Key together with the Ticket to the application, and the application then forwards the Ticket to the authentication server. The detailed process is given later.
At this point, after steps S210 to S240, the client, i.e. the second application, has received the Session Key and the Ticket generated by the KDC.
S130: decrypt the Session Key according to the public key PUB_KEY1, generate the Authenticator, and send the Authenticator and the Ticket to the authentication server.
As an embodiment of the present invention, generating the Authenticator comprises:
encrypting the information of the application and the Timestamp with the Session Key to generate the Authenticator.
The second application receives the encrypted Session Key and Ticket returned by the KDC; in effect it obtains two pieces of information: a Session Key encrypted with the private key PRI_KEY1 agreed between itself and the KDC, and a Ticket encrypted with the private key PRI_KEY2 agreed between the authentication server and the KDC. The Ticket contains the Session Key, the name of the first application's APK binary package, the version of the first application, the first application's APK binary package and the HMAC signature of that package. The second application decrypts the Session Key encrypted by the KDC with the public key PUB_KEY1 and so obtains the Session Key; it then creates the Authenticator (which contains the information of the first application and the Timestamp) and encrypts it with the Session Key. The second application then sends the Authenticator together with the Ticket obtained from the KDC to the authentication server.
To describe this stage in more detail, the processing flow of the client shown in Fig. 3 comprises the following steps:
S310: receive the Session Key and the Ticket sent by the KDC.
After the request has been sent to the KDC, in step S310 the client, i.e. the second application, receives the encrypted Session Key returned by the KDC and the Ticket that is to be forwarded to the authentication server.
S320: obtain the Session Key.
Next, in step S320, the second application decrypts the encrypted Session Key with the public key PUB_KEY1 agreed between itself and the KDC and obtains the Session Key.
S330: generate the Authenticator.
Having obtained the Session Key, the second application encapsulates the name, version and binary package of the first application (the one to be verified) together with a freshly generated Timestamp and encrypts them with this Session Key to produce the Authenticator.
A Timestamp is involved here because, without it, there would probably be a serious security hole. The following unsafe situation could arise: a packet sent by the client is captured by a hostile network listener, which then presents the packet as its own credential (Credential) to impersonate the client; in that case it could still pass the authentication server's checks successfully.
To solve this problem, the present invention proposes that the application add a Timestamp of the current time to the Authenticator. Before the authentication server compares the application information in the Authenticator with that in the Ticket, it first extracts the Timestamp from the Authenticator and compares it with the current time; if the deviation between them exceeds an acceptable time range (for example 5 minutes), the application server directly refuses the client's authentication request. If authentication is to continue, the client must obtain a new Ticket from the KDC and repeat this Timestamp verification flow until it passes. The authentication server can implement this policy by maintaining a list that records, for every client that has authenticated within the acceptable time range, the client's information and the time of its authentication request. In practice the acceptable time range is a value configured in a configuration file, for example 5, 10 or 30 minutes.
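The four steps S110 to S140, with the KDC flow of Fig. 2 and the client flow of Fig. 3, as an added runnable model. This is example code written for this page, not code from the patent or from Samsung, and it makes the following labelled assumptions: the key pairs PRI_KEY1/PUB_KEY1 and PRI_KEY2/PUB_KEY2 are modelled as symmetric keys shared with the KDC, because step S220 describes the KDC applying symmetric encryption with them and a key that is genuinely public could not keep the Session Key confidential; "encrypted in transit" is a toy encrypt-then-MAC construction built from HMAC-SHA256 that stands in for a real AEAD such as AES-GCM; HMAC uses SHA-256 rather than the MD5 or SHA1 the glossary mentions; the Ticket carries a digest of the APK rather than the APK binary itself; and the JSON layout, the 5-minute window and the names KDC, AuthServer, make_authenticator and demo are choices made here. The authentication server applies the Timestamp deviation check of S330 and compares the Ticket's APK HMAC with the signature it stored at registration; demo runs a valid exchange, the same packet replayed after the window, a Ticket altered in transit, and a repackaged APK.

```python
import hashlib
import hmac
import json
import secrets
import time

WINDOW_SECONDS = 300  # acceptable Timestamp deviation; the text's example configuration is 5 minutes


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a toy stream cipher standing in for a real AEAD."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag. Models 'encrypted in transit'."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def apk_digest(apk):
    return hashlib.sha256(apk).hexdigest()


class KDC:
    """Trusted third party; key names follow the text, modelled as symmetric keys (assumption)."""

    def __init__(self):
        self.key1 = secrets.token_bytes(32)      # PRI_KEY1 / PUB_KEY1: shared with the client
        self.key2 = secrets.token_bytes(32)      # PRI_KEY2 / PUB_KEY2: shared with the auth server
        self.hmac_key = secrets.token_bytes(32)  # "HMAC Key" shared with the auth server

    def issue(self, name, version, apk):
        """S210-S240: one short-lived Session Key, wrapped for the client and again inside the Ticket."""
        session_key = secrets.token_bytes(32)
        for_client = seal(self.key1, json.dumps({"session_key": session_key.hex()}).encode())
        ticket = seal(self.key2, json.dumps({
            "session_key": session_key.hex(), "name": name, "version": version,
            "apk": apk_digest(apk),  # the text puts the APK binary itself here; a digest is carried instead
            "apk_hmac": hmac.new(self.hmac_key, apk, hashlib.sha256).hexdigest(),
        }).encode())
        return for_client, ticket  # both go to the client, which forwards the Ticket (preferred S240 variant)


def make_authenticator(key1, for_client, name, version, apk, timestamp):
    """S320-S330: recover the Session Key, then seal the application information plus Timestamp with it."""
    session_key = bytes.fromhex(json.loads(unseal(key1, for_client))["session_key"])
    body = {"name": name, "version": version, "apk": apk_digest(apk), "timestamp": timestamp}
    return seal(session_key, json.dumps(body).encode())


class AuthServer:
    def __init__(self, key2, hmac_key):
        self.key2, self.hmac_key = key2, hmac_key
        self.registered = {}  # (name, version) -> HMAC signature of the APK stored at registration

    def register(self, name, version, apk):
        self.registered[(name, version)] = hmac.new(self.hmac_key, apk, hashlib.sha256).hexdigest()

    def verify(self, authenticator, ticket, now):
        """Fig. 4/5: open the Ticket with the server's key, the Authenticator with the Session Key, compare."""
        try:
            t = json.loads(unseal(self.key2, ticket))
            a = json.loads(unseal(bytes.fromhex(t["session_key"]), authenticator))
        except ValueError:
            return "rejected: cannot decrypt"
        if abs(now - a["timestamp"]) > WINDOW_SECONDS:
            return "rejected: stale timestamp"
        if (a["name"], a["version"], a["apk"]) != (t["name"], t["version"], t["apk"]):
            return "rejected: authenticator does not match ticket"
        expected = self.registered.get((t["name"], t["version"]))
        if expected is None or not hmac.compare_digest(expected, t["apk_hmac"]):
            return "rejected: APK signature does not match registration"
        return "ok"


def demo():
    """Runs the exchange on a constructed stand-in APK (not a real package); returns the four verdicts."""
    kdc = KDC()
    server = AuthServer(kdc.key2, kdc.hmac_key)
    apk = b"PK\x03\x04 constructed stand-in for the Slave App APK"
    server.register("SlaveApp", "1.0", apk)
    now = int(time.time())
    for_client, ticket = kdc.issue("SlaveApp", "1.0", apk)                        # S110 / S120
    auth = make_authenticator(kdc.key1, for_client, "SlaveApp", "1.0", apk, now)  # S130
    good = server.verify(auth, ticket, now)                                       # S140
    replayed = server.verify(auth, ticket, now + 600)                 # captured packet replayed 10 min later
    tampered = server.verify(auth, ticket[:-1] + bytes([ticket[-1] ^ 1]), now)  # Ticket altered in transit
    fake_apk = apk + b" repackaged"                                   # APK differs from the registered one
    fc2, t2 = kdc.issue("SlaveApp", "1.0", fake_apk)
    repackaged = server.verify(make_authenticator(kdc.key1, fc2, "SlaveApp", "1.0", fake_apk, now), t2, now)
    return good, replayed, tampered, repackaged


if __name__ == "__main__":
    print(demo())
```

Note that the authentication server never sees the KDC's client key: it learns the Session Key only by opening the Ticket with its own KDC key, and the Authenticator can only have been produced by a party that recovered the same Session Key from the client-side blob, which is what binds the two messages together.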
When an application program is to certificate server request authentication time, pass to Authenticator and Ticket of certificate server encapsulation, wherein, Ticket is according to Session Key, the title of APK binary system bag, version, the HMAC signature of APK binary system bag and APK binary system bag is added together the hash value of a MD5 of production, and numerical value is that the overall situation uniquely can not repeat.Certificate server can take out Timestamp from the Authenticator that this application program encapsulates:
1) When the application program sends the Ticket and Authenticator to the authentication server to request verification, and the authentication server finds no request record for this Ticket (for example, Ticket value 4219299820e8812e172724541d826c5f) in the list it maintains, the authentication server takes the time in the Authenticator's Timestamp (for example 2013.9.13 13:00:13) and the time range configured in the configuration file (for example 5 minutes), calculates that the request authentication range for the Ticket (value 4219299820e8812e172724541d826c5f) is 2013.9.13 13:00:13 to 2013.9.13 13:05:13, and inserts a request record for the current time (for example, the current time is 2013.9.13 13:00:44) into the list, as follows:
Client name; Client version; Request authentication time; Time range; Ticket
Android App1; 1.0; 2013.9.13 13:00:44; 2013.9.13 13:00:13-2013.9.13 13:05:13; 4219299820e8812e172724541d826c5f
The subsequent authentication flow then continues.
2) If a record for this Ticket (value 4219299820e8812e172724541d826c5f) already exists in the list, and the Timestamp in the Authenticator falls within the range (2013.9.13 13:00:13-2013.9.13 13:05:13):
For example, the state of the list is now:
Client name; Client version; Request authentication time; Time range; Ticket
Android App1; 1.0; 2013.9.13 13:00:44; 2013.9.13 13:00:13-2013.9.13 13:05:13; 4219299820e8812e172724541d826c5f
Android App1; 1.0; 2013.9.13 13:01:13; 2013.9.13 13:00:13-2013.9.13 13:05:13; 4219299820e8812e172724541d826c5f
Android App1; 1.0; 2013.9.13 13:04:13; 2013.9.13 13:00:13-2013.9.13 13:05:13; 4219299820e8812e172724541d826c5f
The authentication server takes the most recent request authentication time from the list above, namely 2013.9.13 13:04:13, and only when this Timestamp is later than 2013.9.13 13:04:13 does the authentication server enter the subsequent authentication flow.
For example: if this Timestamp is 2013.9.13 13:04:23, which is later than 2013.9.13 13:04:13, the Timestamp check passes, and the newest authentication request record is appended to the list, after which the list reads:
Client name; Client version; Request authentication time; Time range; Ticket
Android App1; 1.0; 2013.9.13 13:00:44; 2013.9.13 13:00:13-2013.9.13 13:05:13; 4219299820e8812e172724541d826c5f
Android App1; 1.0; 2013.9.13 13:01:13; 2013.9.13 13:00:13-2013.9.13 13:05:13; 4219299820e8812e172724541d826c5f
Android App1; 1.0; 2013.9.13 13:04:13; 2013.9.13 13:00:13-2013.9.13 13:05:13; 4219299820e8812e172724541d826c5f
Android App1; 1.0; 2013.9.13 13:04:23; 2013.9.13 13:00:13-2013.9.13 13:05:13; 4219299820e8812e172724541d826c5f
3) If a record for this Ticket (value 4219299820e8812e172724541d826c5f) exists in the list and this Timestamp falls within the range (2013.9.13 13:00:13-2013.9.13 13:05:13), but this Timestamp is earlier than the most recent record in the list (2013.9.13 13:04:13), for example the time in the Timestamp is 2013.9.13 13:03:23, which is earlier than 2013.9.13 13:04:13, then the authentication server refuses the authentication request of this client. If authentication needs to continue, the client must obtain a new Ticket from the KDC and repeat this Timestamp verification flow until it passes.
4) If this Timestamp does not fall within the range (2013.9.13 13:00:13-2013.9.13 13:05:13), the authentication server refuses the authentication request of this client; if authentication needs to continue, the client must obtain a new Ticket from the KDC and repeat this Timestamp verification flow until it passes.
For example: the Timestamp in the Authenticator of the current request is 2013.9.13 14:00:13, which does not fall within the range (2013.9.13 13:00:13-2013.9.13 13:05:13). The server refuses the authentication request of this client. The client obtains a Ticket again (the newly produced value is 9c1356f1b68012c2594aeead75c139c4). When the application program again sends the Ticket and Authenticator to the authentication server to request verification, and the authentication server finds no request record for this Ticket (for example, the Ticket value is now 9c1356f1b68012c2594aeead75c139c4) in the list it maintains, the authentication server takes the time in the Authenticator's Timestamp (for example 2013.9.13 14:02:13) and the time range configured in the configuration file (5 minutes), calculates that the request authentication range for the Ticket (value 4219299820e8812e172724541d826c5f) is 2013.9.13 14:02:13 to 2013.9.13 14:07:13, and inserts a request record for the current time (for example, the current time is 2013.9.13 14:02:44) into the list, which then reads:
Client name; Client version; Request authentication time; Time range; Ticket
Android App1; 1.0; 2013.9.13 13:00:13; 2013.9.13 13:00:13-2013.9.13 13:05:13; 4219299820e8812e172724541d826c5f
Android App1; 1.0; 2013.9.13 13:01:13; 2013.9.13 13:00:13-2013.9.13 13:05:13; 4219299820e8812e172724541d826c5f
Android App1; 1.0; 2013.9.13 13:04:13; 2013.9.13 13:00:13-2013.9.13 13:05:13; 4219299820e8812e172724541d826c5f
Android App1; 1.0; 2013.9.13 13:04:23; 2013.9.13 13:00:13-2013.9.13 13:05:13; 4219299820e8812e172724541d826c5f
Android App1; 1.0; 2013.9.13 14:02:44; 2013.9.13 14:02:13-2013.9.13 14:07:13; 9c1356f1b68012c2594aeead75c139c4
In addition, as an embodiment of the invention, another advantage of introducing the Timestamp is that it provides two-way authentication: not only can the authentication server authenticate the application program, the application program can also authenticate the authentication server.
The detailed process is as follows: if the application program also needs to authenticate the authentication server it accesses, it sets a flag in the credential (Credential) it sends to the authentication server indicating whether such authentication is required. After the authentication server has successfully authenticated the application program, it extracts the Timestamp from the Authenticator and encrypts it with the Session Key; after the application program receives it and decrypts it with the Session Key, if it confirms that the Timestamp is exactly identical to the value it originally sent, the application program considers the authentication server to have passed authentication.
S340: sending the Ticket and Authenticator.
In step S340, the second application program sends the Ticket obtained earlier together with the encapsulated, encrypted Authenticator to the authentication server.
Thus, after steps S310 to S340 have been executed, the client, namely the second application program, has initiated authentication with the authentication server.
S140: receiving the authentication result of the application program sent by the authentication server.
As an embodiment of the invention, receiving the authentication result of the application program sent by the authentication server comprises:
the authentication server decrypts the ticket Ticket according to the public key PUB_KEY2 and obtains from it the information of the application program and the session key Session Key;
the authentication server decrypts the authenticator Authenticator according to the session key Session Key and obtains from it the information of the application program and the timestamp Timestamp;
the timestamp Timestamp is compared with the current time, and when the two are within the predetermined time, the timestamp verification passes;
after the timestamp verification passes, the application program information obtained from the Ticket and from the Authenticator is compared, and when the application program information in both is identical, the authentication server compares whether its locally stored HMAC signature is identical to the HMAC signature in the Ticket;
when the HMAC signatures are identical, the authentication server verifies, using the HMAC Key and the APK binary package of the application program, whether the HMAC signature obtained from the Ticket is correct;
when the HMAC signature obtained from the Ticket is correct, the authentication server sends the information that the authentication of the application program has passed.
Specifically, after the authentication server receives the Ticket and Authenticator, it verifies the application program according to the data in both, in two stages: a decryption stage and a verification stage.
Decryption stage: the authentication server first decrypts the Ticket according to the public key PUB_KEY2 agreed with the KDC, obtaining the short-lived Session Key and some information about the application program, namely its name, version, binary package and the HMAC signature of the binary package; secondly, the authentication server decrypts the Authenticator according to the Session Key just obtained, obtaining the name, version and binary package of the application program and the Timestamp.
Verification stage: first the timestamp is verified, and it is judged whether the application program information in the Ticket and in the Authenticator is identical (name, version and binary package); secondly, the HMAC signature generated when the application program registered earlier is taken from the database according to the application program's name and version, and it is judged whether it is identical to the HMAC signature in the Ticket; finally, if they are identical, the HMAC Key agreed between the authentication server and the KDC and the binary package of the application program are used to verify whether this signature is correct.
To describe the detailed process of these two stages more fully, a specific flow chart is shown in Figure 4, which is a schematic flow chart of the decryption performed by the authentication server, comprising the following steps:
S410: the authentication server receives the Ticket and Authenticator.
In step S410, the authentication server receives the Ticket forwarded by the second application program (i.e. the client) and the encapsulated, encrypted Authenticator.
S420: the authentication server decrypts the Ticket.
The authentication server decrypts the Ticket according to the public key PUB_KEY2 agreed between it and the KDC, thereby obtaining the Session Key and the information of the first application program, which comprises the name, version, binary package and HMAC signature of the application program.
S430: the authentication server decrypts the Authenticator.
Finally, the authentication server decrypts the Authenticator according to the Session Key obtained by the previous decryption, obtaining the name, version and binary package of the first application program and the timestamp Timestamp.
Thus, after steps S410 to S430 have been executed, the authentication server has obtained the relevant information about the application program that needs verification, namely the first application program, and can then carry out the related authentication.
As shown in Figure 5, which is a schematic flow chart of the verification performed by the authentication server, the following steps are comprised:
S510: the authentication server performs Timestamp verification.
In step S510, the authentication server verifies the timestamp Timestamp. As described where the Timestamp was introduced above, this Timestamp is compared with the current time; if it lies within the configured acceptable time range, verification passes, otherwise verification fails.
S520: the authentication server compares the information of the application program to be authenticated.
After the Timestamp verification has passed, the authentication server compares and judges whether the information of the application program (namely the first application program) in the Ticket and in the Authenticator is identical, comprising the name, version and binary package of the application program.
S530: the authentication server compares the HMAC signature.
The authentication server looks up in the database, according to the name and version of the first application program, the HMAC signature generated when it registered with the authentication server earlier, and compares whether it is identical to the HMAC signature in the Ticket.
S540: the authentication server checks the HMAC signature.
When the result of the HMAC signature comparison in S530 is that they are identical, the authentication server verifies, using the HMAC Key agreed with the KDC and the binary package of the first application program, whether the HMAC signature in the Ticket is correct.
Thus, after steps S510 to S540 have been executed, the authentication server has established whether the first application program has passed authentication. When the HMAC signature obtained from the Ticket is correct, the authentication server sends to the second application program the information that the first application program has passed authentication.
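The authentication-server checks described above, namely the request-record list with its four cases and steps S510 to S540, as an added Python example that is not part of the patent. It assumes the Ticket and Authenticator have already been decrypted (the PUB_KEY2 and Session Key layers are omitted), that the HMAC is HMAC-SHA256, and that the Ticket value is an MD5 over name, version, signature and APK bytes in that order; all key, APK and time values are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed sample values (assumptions, not from the patent).
HMAC_KEY = b"hmac-key-agreed-between-kdc-and-server"   # HMAC Key shared by KDC and server
WINDOW = timedelta(minutes=5)                           # acceptable time range from the config file
APK_APP1 = b"\x50\x4b\x03\x04 constructed APK bytes for App1 1.0"


def hmac_sign(apk: bytes, key: bytes = HMAC_KEY) -> str:
    """HMAC signature the KDC places in the Ticket (HMAC-SHA256 is an assumption)."""
    return hmac.new(key, apk, hashlib.sha256).hexdigest()


def ticket_id(ticket: dict) -> str:
    """Globally unique Ticket value: MD5 over name, version, signature and APK
    as the description states (the concatenation order is an assumption)."""
    h = hashlib.md5()
    for part in (ticket["name"].encode(), ticket["version"].encode(),
                 ticket["hmac"].encode(), ticket["apk"]):
        h.update(part)
    return h.hexdigest()


class AuthenticationServer:
    def __init__(self, registry: dict, now: datetime):
        self.registry = registry   # (name, version) -> HMAC signature stored at registration
        self.records = []          # the list the server maintains: one dict per accepted request
        self.now = now             # clock, settable so the example is deterministic

    def check_timestamp(self, tid: str, name: str, version: str, ts: datetime) -> bool:
        """S510: clock-deviation check, then the four cases of the request-record list."""
        if abs(self.now - ts) > WINDOW:                 # deviation from current time too large
            return False
        seen = [r for r in self.records if r["ticket"] == tid]
        if not seen:                                    # case 1: first request with this Ticket
            window = (ts, ts + WINDOW)
        else:
            window = seen[-1]["window"]
            if not (window[0] <= ts <= window[1]):      # case 4: outside the Ticket's time range
                return False
            if ts <= seen[-1]["time"]:                  # case 3: not later than the newest record
                return False
            # case 2: inside the range and later than the last record, so it is accepted
        self.records.append({"name": name, "version": version, "time": ts,
                             "window": window, "ticket": tid})
        return True

    def verify(self, ticket: dict, auth: dict) -> str:
        """S510-S540 on decrypted Ticket/Authenticator contents; 'ok' or the failing step."""
        tid = ticket_id(ticket)
        if not self.check_timestamp(tid, auth["name"], auth["version"], auth["timestamp"]):
            return "S510 timestamp rejected"
        # S520: name, version and binary package must agree between Ticket and Authenticator
        for field in ("name", "version", "apk"):
            if ticket[field] != auth[field]:
                return "S520 application info mismatch"
        # S530: signature in the Ticket must equal the one stored at registration
        registered = self.registry.get((ticket["name"], ticket["version"]))
        if registered is None or not hmac.compare_digest(registered, ticket["hmac"]):
            return "S530 HMAC signature differs from registered"
        # S540: recompute the HMAC over the binary package with the shared HMAC Key
        if not hmac.compare_digest(hmac_sign(ticket["apk"]), ticket["hmac"]):
            return "S540 HMAC signature invalid"
        return "ok"


def make_ticket(name: str, version: str, apk: bytes) -> dict:
    """Decrypted Ticket contents as the KDC would build them (Session Key omitted)."""
    return {"name": name, "version": version, "apk": apk, "hmac": hmac_sign(apk)}


def make_authenticator(name: str, version: str, apk: bytes, ts: datetime) -> dict:
    """Decrypted Authenticator contents: application info plus Timestamp."""
    return {"name": name, "version": version, "apk": apk, "timestamp": ts}


def run_scenario() -> list:
    """Replays the timeline of the description; returns the outcome of each request."""
    def t(h, m, s):
        return datetime(2013, 9, 13, h, m, s)
    server = AuthenticationServer({("App1", "1.0"): hmac_sign(APK_APP1)}, now=t(13, 0, 44))
    ticket = make_ticket("App1", "1.0", APK_APP1)
    outcomes = []
    for ts, now in [(t(13, 0, 13), t(13, 0, 44)),   # case 1: new Ticket, window 13:00:13-13:05:13
                    (t(13, 4, 23), t(13, 4, 30)),   # case 2: inside window, later than last record
                    (t(13, 3, 23), t(13, 4, 40)),   # case 3: inside window but earlier than last
                    (t(14, 0, 13), t(14, 0, 20))]:  # case 4: outside window, new Ticket needed
        server.now = now
        outcomes.append(server.verify(ticket, make_authenticator("App1", "1.0", APK_APP1, ts)))
    # A modified binary package with the original signature passes S530 but fails S540.
    bad = dict(ticket, apk=APK_APP1 + b"x")
    server.now = t(14, 1, 0)
    outcomes.append(server.verify(bad, make_authenticator("App1", "1.0", bad["apk"], t(14, 1, 0))))
    return outcomes
```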
As an embodiment of the invention, the method further comprises:
When the application program needs to be authenticated again within the predetermined time since the last authentication, the client (namely the second application program) sends the locally cached Session Key and authenticator Authenticator directly to the authentication server for authentication. This saves the whole process of the client requesting the KDC, thereby simplifying the flow of the second authentication request and improving system performance and operating efficiency.
With the above method proposed by the present invention, when an application program is authenticated, the key used for encryption during transmission is a short-lived key, which reduces the possibility of it being maliciously monitored and intercepted; in addition, by introducing the key distribution center KDC, the client and the server can use different encryption algorithms, which effectively enhances the security of the authentication process. By introducing the KDC, not only can it be verified whether the client to be verified is trustworthy, it can also be verified whether the server side is trustworthy, which solves the potential safety hazards existing in the application authentication process in the prior art. In addition, the above method simplifies the external coordination work required to implement application authentication, while strengthening the internal extensibility of the implementation of the application authentication process, for example strengthening the extensibility inside the KDC and the authentication server.
Correspondingly, the embodiment of the present invention also proposes a KDC and a client, as shown in Figure 6, which is a schematic structural diagram of the authentication system.
Specifically, the KDC 100 comprises a receiving module 110, an encryption module 120 and a sending module 130.
The receiving module 110 is used to receive the information of the application program and the authentication request for the authentication server;
the encryption module 120 is used to encrypt the information of the application program and to generate the session key Session Key and the ticket Ticket;
the sending module 130 is used to send the session key Session Key and the ticket Ticket.
As an embodiment of the KDC 100, the receiving module 110 is further used to receive the name of the application program, the version of the application program and the APK binary package of the application program.
As an embodiment of the KDC 100, the encryption module 120 is further used to generate a session key Session Key by means of the private key PRI_KEY1.
As an embodiment of the KDC 100, the encryption module 120 is used to generate the ticket Ticket, which further comprises:
the encryption module 120 is further used to generate a session key Session Key by means of the private key PRI_KEY2;
the encryption module 120 is further used to perform an HMAC signature on the APK binary package of the application program with the HMAC Key;
the encryption module 120 is further used to encrypt, with the private key PRI_KEY2, the information of the application program, the signature of the APK binary package of the application program and the session key Session Key, generating the ticket Ticket.
Specifically, the client 200 comprises a receiving module 210, a decryption module 220, an encryption module 230 and a sending module 240.
The receiving module 210 is used to receive the session key Session Key and the ticket Ticket generated by the KDC, and to receive the authentication result of the application program sent by the authentication server;
the decryption module 220 is used to decrypt the Session Key according to the public key PUB_KEY1;
the encryption module 230 is used to generate the authenticator Authenticator;
the sending module 240 is used to send the information of the application program and the authentication request for the authentication server to the KDC, and to send the authenticator Authenticator and the ticket Ticket to the authentication server.
As an embodiment of the above client 200, the sending module 240 is further used to send the name of the application program, the version of the application program and the APK binary package of the application program.
As an embodiment of the above client 200, the encryption module 230 is further used to encrypt the information of the application program and the timestamp Timestamp according to the session key Session Key, generating the authenticator Authenticator.
In practice, the KDC 100 is embodied as a specific server in the network that provides service to the client and the authentication server, and the client 200 is embodied as an application program installed on a terminal or terminal device.
With the above equipment proposed by the present invention, when an application program is authenticated, the key used for encryption during transmission is a short-lived key, which reduces the possibility of it being maliciously monitored and intercepted; in addition, by introducing the key distribution center KDC, the client and the server can use different encryption algorithms, which effectively enhances the security of the authentication process. By introducing the KDC, not only can it be verified whether the client to be verified is trustworthy, it can also be verified whether the server side is trustworthy, which solves the potential safety hazards existing in the application authentication process in the prior art. In addition, the above equipment simplifies the external coordination work required to implement application authentication, while strengthening the internal extensibility of the implementation of the application authentication process, for example strengthening the extensibility inside the KDC and the authentication server.
Those skilled in the art will appreciate that the present invention may relate to equipment for performing one or more of the operations described in this application. Such equipment may be specially designed and manufactured for the required purpose, or may comprise known devices in a general-purpose computer that is selectively activated or reconfigured by a program stored within it. Such a computer program may be stored in a computer-readable storage medium of the equipment (for example, a computer), or in any type of medium suitable for storing electronic instructions and coupled to a bus, including but not limited to disks (including floppy disks, hard disks, optical disks, CD-ROMs and magneto-optical disks), random access memory (RAM) of any type, read-only memory (ROM), electrically programmable ROM, electrically erasable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, magnetic cards or optical cards. A computer-readable storage medium includes any mechanism for storing or transmitting information in a form readable by equipment (for example, a computer). For example, computer-readable storage media include random access memory (RAM), read-only memory (ROM), magnetic disk storage media, optical storage media, flash memory devices, and signals propagated in electrical, optical, acoustic or other form (such as carrier waves, infrared signals, digital signals).
Those skilled in the art will appreciate that each block in these structure diagrams and/or block diagrams and/or flow diagrams, and combinations of blocks in them, can be implemented by computer program instructions. These computer program instructions may be supplied to the processor of a general-purpose computer, special-purpose computer or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus create means for implementing the functions specified in the block or blocks of the structure diagrams and/or block diagrams and/or flow diagrams.
Those skilled in the art will appreciate that the various operations, methods, steps in the flows, measures and schemes discussed in the present invention can be replaced, changed, combined or deleted. Furthermore, other steps, measures and schemes in the various operations, methods and flows discussed in the present invention can also be replaced, changed, rearranged, decomposed, combined or deleted. Furthermore, steps, measures and schemes in the prior art that are among the operations, methods, flows, measures and schemes disclosed in the present invention can also be replaced, changed, rearranged, decomposed, combined or deleted.
The above are only some embodiments of the present invention. It should be pointed out that those skilled in the art can make further improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be considered within the scope of protection of the present invention.

Claims (15)

1. A method for authentication between application programs, characterized in that it comprises the following steps:
sending the information of an application program and an authentication request for an authentication server to a key distribution center KDC;
receiving the session key Session Key and the ticket Ticket generated by the KDC;
decrypting the Session Key according to the public key PUB_KEY1, generating an authenticator Authenticator, and sending the authenticator Authenticator and the ticket Ticket to the authentication server;
receiving the authentication result of the application program sent by the authentication server.
2. The method for authentication between application programs according to claim 1, characterized in that the information of the application program sent to the KDC comprises:
the name of the application program, the version of the application program and the APK binary package of the application program.
3. The method for authentication between application programs according to claim 2 or 1, characterized in that the session key Session Key generated by the KDC comprises:
the KDC generating a session key Session Key by means of the private key PRI_KEY1.
4. The method for authentication between application programs according to claim 2 or 1, characterized in that the ticket Ticket generated by the KDC comprises:
the KDC generating a session key Session Key by means of the private key PRI_KEY2;
the KDC performing an HMAC signature on the APK binary package of the application program with the HMAC Key;
the KDC encrypting, with the private key PRI_KEY2, the information of the application program, the signature of the APK binary package of the application program and the session key Session Key, generating the ticket Ticket.
5. The method for authentication between application programs according to claim 1, characterized in that generating the authenticator Authenticator comprises:
encrypting the information of the application program and the timestamp Timestamp according to the session key Session Key, generating the authenticator Authenticator.
6. The method for authentication between application programs according to claim 1 or 5, characterized in that receiving the authentication result of the application program sent by the authentication server comprises:
the authentication server decrypting the ticket Ticket according to the public key PUB_KEY2 and obtaining from it the information of the application program and the session key Session Key;
the authentication server decrypting the authenticator Authenticator according to the session key Session Key and obtaining from it the information of the application program and the timestamp Timestamp;
comparing the timestamp Timestamp with the current time, the timestamp verification passing when the two are within the predetermined time;
after the timestamp verification passes, comparing the application program information obtained from the ticket Ticket and from the authenticator Authenticator, and when the application program information in both is identical, comparing whether the HMAC signature stored locally at the authentication server is identical to the HMAC signature in the ticket Ticket;
when the HMAC signatures are identical, the authentication server verifying, using the HMAC Key and the APK binary package of the application program, whether the HMAC signature obtained from the ticket Ticket is correct;
when the HMAC signature obtained from the ticket Ticket is correct, the authentication server sending the information that the authentication of the application program has passed.
7. The method for authentication between application programs according to claim 5, characterized in that it further comprises:
indicating to the authentication server that the authentication server needs to be authenticated; wherein authenticating the authentication server comprises:
receiving the timestamp Timestamp fed back by the authentication server, and when the Timestamp fed back by the authentication server is identical to the Timestamp sent in the authenticator Authenticator, the authentication of the authentication server passes.
8. The method for authentication between application programs according to claim 1, characterized in that it further comprises:
when the application program needs to be authenticated again within the predetermined time since the last authentication, sending the locally cached Session Key and authenticator Authenticator directly to the authentication server for authentication.
9. A key distribution center KDC, characterized in that it comprises a receiving module, an encryption module and a sending module,
the receiving module being used to receive the information of an application program and an authentication request for an authentication server;
the encryption module being used to encrypt the information of the application program and to generate the session key Session Key and the ticket Ticket;
the sending module being used to send the session key Session Key and the ticket Ticket.
10. The KDC according to claim 9, characterized in that the receiving module is further used to receive the name of the application program, the version of the application program and the APK binary package of the application program.
11. The KDC according to claim 9 or 10, characterized in that the encryption module is further used to generate a session key Session Key by means of the private key PRI_KEY1.
12. The KDC according to claim 9 or 10, characterized in that the encryption module is used to generate the ticket Ticket, which further comprises:
the encryption module being further used to generate a session key Session Key by means of the private key PRI_KEY2;
the encryption module being further used to perform an HMAC signature on the APK binary package of the application program with the HMAC Key;
the encryption module being further used to encrypt, with the private key PRI_KEY2, the information of the application program, the signature of the APK binary package of the application program and the session key Session Key, generating the ticket Ticket.
13. A client, characterized in that it comprises a receiving module, a decryption module, an encryption module and a sending module,
the receiving module being used to receive the session key Session Key and the ticket Ticket generated by the KDC, and to receive the authentication result of the application program sent by the authentication server;
the decryption module being used to decrypt the Session Key according to the public key PUB_KEY1;
the encryption module being used to generate the authenticator Authenticator;
the sending module being used to send the information of the application program and the authentication request for the authentication server to the KDC, and to send the authenticator Authenticator and the ticket Ticket to the authentication server.
14. The client according to claim 13, characterized in that the sending module is further used to send the name of the application program, the version of the application program and the APK binary package of the application program.
15. The client according to claim 13, characterized in that the encryption module is further used to encrypt the information of the application program and the timestamp Timestamp according to the session key Session Key, generating the authenticator Authenticator.
CN201310428372.XA 2013-09-18 2013-09-18 Method and equipment for authentication between applications Pending CN104468074A (en)
Publications (1)

Publication Number Publication Date
CN104468074A true CN104468074A (en) 2015-03-25

Family

ID=52913510

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310428372.XA Pending CN104468074A (en) 2013-09-18 2013-09-18 Method and equipment for authentication between applications

Country Status (1)

Country Link
CN (1) CN104468074A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106548062A (en) * 2015-09-18 2017-03-29 三星电子株式会社 Server and user terminal
CN108509787A (en) * 2018-03-14 2018-09-07 深圳市中易通安全芯科技有限公司 A kind of program authentication method
CN109587107A (en) * 2017-09-28 2019-04-05 通用汽车环球科技运作有限责任公司 Method and apparatus for application authentication
CN112565236A (en) * 2020-11-30 2021-03-26 广州酷狗计算机科技有限公司 Information authentication method, device, computer equipment and storage medium
WO2022042746A1 (en) * 2020-08-31 2022-03-03 北京书生网络技术有限公司 Key management method and apparatus

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020146132A1 (en) * 2001-04-05 2002-10-10 General Instrument Corporation System for seamlessly updating service keys with automatic recovery
WO2003028330A2 (en) * 2001-09-26 2003-04-03 General Instrument Corporation Unique on-line provisioning of user terminals allowing user authentication
CN1611031A (en) * 2001-10-05 2005-04-27 通用仪表公司 Method and system for providing client privacy when requesting content from a public server
CN1640092A (en) * 2002-02-04 2005-07-13 通用仪器公司 System and method for providing key management protocol with client verification of authorization
US20060224891A1 (en) * 2005-04-01 2006-10-05 Microsoft Corporation Scheme for sub-realms within an authentication protocol
CN101051898A (en) * 2006-04-05 2007-10-10 华为技术有限公司 Certifying method and its device for radio network end-to-end communication
US20080083026A1 (en) * 2006-10-02 2008-04-03 Bea Systems, Inc. Kerberos Protocol Security Provider for a Java Based Application Server
JP2008108137A (en) * 2006-10-26 2008-05-08 Ricoh Co Ltd Spoofing prevention method, image processor, spoofing prevention program and recording medium
CN101286842A (en) * 2008-05-26 2008-10-15 西安西电捷通无线网络通信有限公司 Method for distributing key using public key cryptographic technique and on-line updating of the public key
US20090119504A1 (en) * 2005-08-10 2009-05-07 Riverbed Technology, Inc. Intercepting and split-terminating authenticated communication connections
CN101449257A (en) * 2006-05-26 2009-06-03 微软公司 Policy driven, credential delegation for single sign on and secure access to network resources
US20090150989A1 (en) * 2007-12-07 2009-06-11 Pistolstar, Inc. User authentication
CN101499113A (en) * 2008-01-28 2009-08-05 联想(北京)有限公司 Security dispatching indication system, method and auxiliary display equipment
CN101946536A (en) * 2008-02-15 2011-01-12 艾利森电话股份有限公司 Application specific master key selection in evolved networks
CN102457482A (en) * 2010-10-19 2012-05-16 成都市华为赛门铁克科技有限公司 Authentication method, apparatus and system thereof

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106548062A (en) * 2015-09-18 2017-03-29 三星电子株式会社 Server and user terminal
CN106548062B (en) * 2015-09-18 2022-05-24 三星电子株式会社 Server and user terminal
CN109587107A (en) * 2017-09-28 2019-04-05 通用汽车环球科技运作有限责任公司 Method and apparatus for application authentication
CN108509787A (en) * 2018-03-14 2018-09-07 深圳市中易通安全芯科技有限公司 A kind of program authentication method
CN108509787B (en) * 2018-03-14 2022-06-10 深圳市中易通安全芯科技有限公司 Program authentication method
WO2022042746A1 (en) * 2020-08-31 2022-03-03 北京书生网络技术有限公司 Key management method and apparatus
CN112565236A (en) * 2020-11-30 2021-03-26 广州酷狗计算机科技有限公司 Information authentication method, device, computer equipment and storage medium

Similar Documents

Publication Publication Date Title
CN112003889B (en) Distributed cross-link system and cross-link information interaction and system access control method
US11722314B2 (en) Digital transaction signing for multiple client devices using secured encrypted private keys
JP5432999B2 (en) Encryption key distribution system
CN109559122A (en) Block chain data transmission method and block chain data transmission system
CN112150147A (en) Data security storage system based on block chain
US20030026433A1 (en) Method and apparatus for cryptographic key establishment using an identity based symmetric keying technique
CN110852745B (en) Block chain distributed dynamic network key automatic updating method
CN113067699B (en) Data sharing method and device based on quantum key and computer equipment
CN112491550B (en) Mobile terminal equipment credibility authentication method and system based on Internet of vehicles
CN111080299B (en) Anti-repudiation method for transaction information, client and server
CN113190860B (en) Block chain sensor data authentication method and system based on ring signature
CN104468074A (en) Method and equipment for authentication between applications
JP2001177513A (en) Authenticating method in communication system, center equipment, and recording medium with authentication program recorded thereon
Su et al. Blockchain-based internet of vehicles privacy protection system
CN116506854A (en) Encryption communication system and method for Beidou short message
CN111934888B (en) Safety communication system of improved software defined network
CN100499453C (en) Method of the authentication at client end
CN113709734A (en) Unmanned aerial vehicle distributed identity authentication method based on block chain
KR102321405B1 (en) System and method for providing security service using blockchain and biometric information
CN110839067A (en) Information providing method and device
CN112217797B (en) Intelligent gateway Internet of things control system and method applying block chain technology
CN112035820B (en) Data analysis method used in Kerberos encryption environment
CN114866244A (en) Controllable anonymous authentication method, system and device based on ciphertext block chaining encryption
Wu et al. Security design of OTA upgrade for intelligent connected vehicle
CN112583605B (en) Block chain-based secret-free authentication method, system, terminal and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
AD01 Patent right deemed abandoned

Effective date of abandoning: 20181109