CN104579662A - Identity authentication method and system for mobile terminal based on WPKI and timestamp - Google Patents


Info

Publication number: CN104579662A
Application number: CN201310496089.0A
Authority: CN (China)
Prior art keywords: wpki, timestamp, user terminal, application service, service end
Prior art date:
Legal status: Granted (Google Patents notes that the legal status, the assignee list and the priority date it shows are assumptions, not legal conclusions)
Other languages: Chinese (zh)
Other versions: CN104579662B (en)
Inventors: 耿方, 林文辉, 郭向国, 林凉, 杜悦琨
Current Assignee: Aisino Corp
Original Assignee: Aisino Corp
Priority date:
Filing date:
Publication date:
Application filed by Aisino Corp
Priority to CN201310496089.0A
Publication of CN104579662A
Application granted
Publication of CN104579662B
Legal status: Active
Anticipated expiration


Abstract

Embodiments of the invention provide an identity authentication method and system for a mobile terminal based on WPKI (Wireless Public Key Infrastructure) and a timestamp. The method mainly comprises: a user terminal obtains a timestamp from a Time Stamping Authority (TSA) system and establishes a secure data channel with an application server using WPKI; the application server receives the timestamp sent by the user terminal over the secure data channel and verifies the timestamp through the TSA system; after the timestamp passes verification, data is transmitted between the application server and the user terminal over the secure data channel. In these embodiments the mobile smart terminal communicates with the application server using WPKI, and an SSL communication protocol based on the ECC (elliptic curve cryptography) algorithm secures the whole link; by using a trusted third party's time-stamping service, replay of messages and other attacks on the key exchange protocol are resisted, so that effective identity authentication of the mobile terminal is achieved and the data security of the mobile terminal's wireless services is ensured.

Description

Mobile terminal identity authentication method and system based on WPKI and a timestamp
Technical field
The present invention relates to the field of media communications, and in particular to a mobile terminal identity authentication method and system based on WPKI (Wireless Public Key Infrastructure) and a timestamp.
Background technology
Mobile smart terminals currently fall into three main classes: Google's Android phones, Apple's iPhone, and Microsoft's Windows Phone. Android is a mobile operating system based on the Linux kernel and announced by Google; it was developed by Google in its early days and later by the Open Handset Alliance. The platform consists of an operating system, middleware, a user interface and application software, and was the first truly open and complete mobile software stack built for mobile terminals.
WPKI carries the PKI (Public Key Infrastructure) security technology of wired networks into the wireless network environment as a key and certificate management platform that follows established standards. WPKI manages the public keys and digital certificates used in the mobile network environment and thereby establishes a secure wireless network environment. As an optimized extension of PKI technology into wireless networks, WPKI uses compressed, optimized X.509 digital certificates together with ECC (elliptic curve cryptography). User identity is authenticated through a trusted third-party CA (certificate authority), which makes secure transmission of information possible.
At present there is no effective method of authenticating a mobile terminal, and the wireless services of mobile terminals suffer from data security problems. On the server side that provides the data, external interfaces almost all use the HTTP (Hypertext Transfer Protocol) protocol, with little use of encryption or signatures, which leaves large security risks. In the financial sector, even for core external interfaces, the most the application server does for security is to use 1024-bit RSA, and the RSA algorithm itself is currently facing serious security threats.
Developing a method of effectively authenticating a mobile terminal is therefore a problem that urgently needs to be solved.
Summary of the invention
Embodiments of the present invention provide a mobile terminal identity authentication method and system based on WPKI and a timestamp, in order to authenticate a mobile terminal effectively.
The invention provides the following scheme:
A mobile terminal identity authentication method based on WPKI and a timestamp, comprising:
a user terminal obtains a timestamp from a Time Stamping Authority (TSA) system, and the user terminal establishes a secure data channel with an application server using WPKI;
the application server receives the timestamp sent by the user terminal over the secure data channel, and the application server verifies the timestamp through the TSA system;
after the timestamp passes verification, data is transmitted between the application server and the user terminal over the secure data channel.
The user terminal obtaining a timestamp from the TSA system comprises:
the TSA system receives a connection request sent by the user terminal that carries the user's WPKI digital certificate; the TSA system obtains the WPKI digital certificate carried in the connection request and sends a certificate verification request carrying the WPKI digital certificate to an Online Certificate Status Protocol (OCSP) server;
after receiving the certificate verification request, the OCSP server obtains the unique identifier, validity period and extension fields of the WPKI digital certificate, and verifies whether the validity period of the WPKI certificate has expired, whether the WPKI certificate was issued by the designated certificate authority (CA), and whether the unique identifier and extension fields of the WPKI certificate are valid;
after all checks of the WPKI digital certificate pass, the OCSP server sends a verification-passed notification to the TSA system, and an SSL (Secure Sockets Layer) secure data channel for transmitting data is established between the TSA system and the user terminal using the WPKI certificate;
the user terminal generates a digest value of the data to be uploaded using a digest algorithm and transmits the digest value to the TSA system over the SSL secure data channel in accordance with the timestamp request specification; the TSA system stamps the digest value sent by the user terminal with a timestamp, signs it with the TSA's digital certificate, and returns the signed timestamp information to the user terminal.
The user terminal establishing a secure data channel with the application server using WPKI comprises:
the application server receives a connection request sent by the user terminal that carries the user's WPKI digital certificate; the application server obtains the WPKI digital certificate carried in the connection request and sends a certificate verification request carrying the WPKI digital certificate to the OCSP server;
after receiving the certificate verification request, the OCSP server obtains the unique identifier, validity period and extension fields of the WPKI digital certificate, and verifies whether the validity period of the WPKI certificate has expired, whether the WPKI certificate was issued by the designated CA, and whether the unique identifier and extension fields of the WPKI certificate are valid;
after all checks of the WPKI digital certificate pass, the OCSP server sends a verification-passed notification to the application server; after receiving the verification-passed notification, the application server establishes an SSL secure channel for transmitting data with the user terminal using the WPKI certificate.
The application server verifying the timestamp through the TSA system comprises:
the application server obtains the digital certificate of the TSA system that signed the timestamp and sends a certificate verification request carrying the digital certificate of the TSA system to the OCSP server, and the OCSP server verifies the digital certificate of the TSA system;
after all checks of the digital certificate of the TSA system pass, the OCSP server sends a verification-passed notification to the application server, and the application server sends the timestamp information to the TSA system;
the TSA system verifies the timestamp information sent by the application server; this verification includes whether the timestamp was issued by this TSA and whether the signature on the timestamp information verifies; after all checks of the timestamp information pass, the TSA system sends a timestamp-verification-passed notification to the application server, and if any check of the timestamp information fails it sends a timestamp-verification-failed notification to the application server.
After the timestamp passes verification, transmitting data between the application server and the user terminal over the secure data channel comprises:
after receiving the timestamp-verification-passed notification returned by the TSA system, the application server judges that the identity authentication of the user terminal has passed and accepts the connection request of the user terminal, and the user terminal and the application server communicate over the SSL secure data channel.
After receiving the timestamp-verification-failed notification returned by the TSA system, the application server judges that the identity authentication of the user terminal has failed and refuses the connection request of the user terminal.
A mobile terminal identity authentication system based on WPKI and a timestamp, comprising a user terminal, an application server and a TSA system:
the user terminal is configured to obtain a timestamp from the TSA system and to establish a secure data channel with the application server using WPKI;
the application server is configured to receive the timestamp sent by the user terminal over the secure data channel and to verify the timestamp through the TSA system, and, after the timestamp passes verification, to transmit data with the user terminal over the secure data channel;
the TSA system is configured to send a timestamp to the user terminal and to verify the timestamp sent by the application server.
The system further comprises an OCSP server:
the TSA system is specifically configured to receive a connection request sent by the user terminal that carries the user's WPKI digital certificate, obtain the WPKI digital certificate carried in the connection request, and send a certificate verification request carrying the WPKI digital certificate to the OCSP server;
the OCSP server is configured, after receiving the certificate verification request, to obtain the unique identifier, validity period and extension fields of the WPKI digital certificate, to verify whether the validity period of the WPKI certificate has expired, whether the WPKI certificate was issued by the designated CA, and whether the unique identifier and extension fields of the WPKI certificate are valid, and, after all checks of the WPKI digital certificate pass, to send a verification-passed notification to the TSA system;
the user terminal is specifically configured to generate a digest value of the data to be uploaded using a digest algorithm and to transmit the digest value to the TSA system over the SSL secure data channel in accordance with the timestamp request specification;
the TSA system is further configured, after receiving the verification-passed notification, to establish with the user terminal an SSL secure data channel for transmitting data using the WPKI certificate, to stamp the digest value sent by the user terminal with a timestamp, to sign it with the TSA's digital certificate, and to return the signed timestamp information to the user terminal.
The application server is specifically configured to receive a connection request sent by the user terminal that carries the user's WPKI digital certificate, obtain the WPKI digital certificate carried in the connection request, and send a certificate verification request carrying the WPKI digital certificate to the OCSP server;
the OCSP server is configured, after receiving the certificate verification request, to obtain the unique identifier, validity period and extension fields of the WPKI digital certificate, to verify whether the validity period of the WPKI certificate has expired, whether the WPKI certificate was issued by the designated CA, and whether the unique identifier and extension fields of the WPKI certificate are valid, and, after all checks of the WPKI digital certificate pass, to send a verification-passed notification to the application server;
the application server is configured, after receiving the verification-passed notification, to establish an SSL secure channel for transmitting data with the user terminal using the WPKI certificate.
The application server is specifically configured to obtain the digital certificate of the TSA system that signed the timestamp, to send a certificate verification request carrying the digital certificate of the TSA system to the OCSP server, and, after receiving the verification-passed notification sent by the OCSP server, to send the timestamp information to the TSA system;
the OCSP server is specifically configured to verify the digital certificate of the TSA system and, after all checks of the digital certificate of the TSA system pass, to send a verification-passed notification to the application server;
the TSA system is specifically configured to verify the signed timestamp information sent by the application server, this verification including whether the timestamp was issued by this TSA and whether the signature on the timestamp information verifies, and, after all checks of the timestamp information pass, to send a timestamp-verification-passed notification to the application server, or, if any check of the timestamp information fails, to send a timestamp-verification-failed notification to the application server.
The application server is specifically configured, after receiving the timestamp-verification-passed notification returned by the TSA system, to judge that the identity authentication of the user terminal has passed, to accept the connection request of the user terminal, and to communicate with the user terminal over the SSL secure data channel;
and, after receiving the timestamp-verification-failed notification returned by the TSA system, to judge that the identity authentication of the user terminal has failed and to refuse the connection request of the user terminal.
As can be seen from the technical scheme provided by the embodiments above, the mobile smart terminal communicates with the application server using WPKI technology, and an SSL communication protocol based on the ECC algorithm secures the whole link. By using a trusted third party's time-stamping service, the user's mobile smart terminal obtains a timestamp carrying an ECC signature and sends it; the application server verifies the user's call data by calling the timestamp server interface and keeps a record of it, which prevents replay of messages and resists various attacks on the key exchange protocol. Effective identity authentication of the mobile terminal is thereby achieved, ensuring the data security of the mobile terminal's wireless services.
Accompanying drawing explanation
To illustrate the technical scheme of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the implementation principle of the mobile terminal identity authentication method based on WPKI and a timestamp provided by embodiment one of the present invention;
Fig. 2 is a detailed processing flow chart of the mobile terminal identity authentication method based on WPKI and a timestamp provided by embodiment one of the present invention;
Fig. 3 is a structural diagram of the mobile terminal identity authentication system based on WPKI and a timestamp provided by embodiment two of the present invention; in the figure: user terminal 310, application server 320, TSA system 330 and OCSP server 340.
Embodiment
To facilitate understanding of the embodiments of the present invention, several specific embodiments are explained further below with reference to the drawings; the embodiments do not limit the invention.
Embodiment one
In this embodiment of the present invention, the user terminal obtains a timestamp from the TSA system and establishes a secure data channel with the application server using WPKI. The application server receives the timestamp sent by the user terminal over the secure data channel and verifies the timestamp through the TSA system; after the timestamp passes verification, data is transmitted between the application server and the user terminal over the secure data channel.
The implementation principle of the mobile terminal identity authentication method based on WPKI and a timestamp provided by this embodiment is shown in Fig. 1, and its detailed processing flow, shown in Fig. 2, comprises the following steps:
Step S210. A timestamp is an electronic credential with legal effect, issued by an authoritative and trusted TSA (Time Stamp Authority) using time from the national time service center, that proves an electronic message (electronic file) existed, complete and verifiable, at a given point in time. No organization, the TSA itself included, can modify the time, which guarantees its authority. Timestamps are mainly used to make electronic files tamper-evident and non-repudiable after the fact and to establish the exact time at which an electronic file was produced; they are now widely used in e-commerce, electronic government documents, intellectual property, healthcare and similar fields to secure the legal effect of electronic data files.
Through the mobile smart terminal (the user terminal), the user sends the TSA system a connection request carrying the user's WPKI digital certificate; the certificate carries the certificate DN (Distinguished Name, the unique identifier), the validity period, extension fields and similar content.
Step S220. The TSA system obtains the user terminal's WPKI digital certificate carried in the connection request and sends a verification request for the user terminal's WPKI digital certificate to the OCSP (Online Certificate Status Protocol) server.
Step S230. The main function of the OCSP server is to accept certificate status requests from clients, parse the request according to the protocol standard, look up the status of the issued certificate in the system database by the certificate serial number obtained from parsing, encapsulate the certificate status response according to the interface specification, and return it to the client. The system service listens on a specific port and accepts the certificate requests that clients send, typically over an unsecured connection. After the request is parsed, the client information is passed with the request to a back-end dispatcher and submitted to the service modules. When a user attempts to access a server, the server sends an OCSP request for certificate status information and receives a response of "good", "revoked" or "unknown" (the statuses defined by the OCSP standard; the "valid" and "expired" answers sometimes attributed to OCSP are really the result of the separate validity-period check described below). The protocol defines the communication syntax between the server and client applications; whether a certificate is past its validity period is decided by the verifier from the certificate's own dates, not by the OCSP responder.
After receiving the verification request, the OCSP server obtains the WPKI digital certificate carried in it and verifies the certificate: whether its validity period has expired, whether the WPKI certificate was issued by the designated CA, and whether its unique identifier and extension fields are valid.
If all checks of the WPKI digital certificate pass, the OCSP server sends a verification-passed notification to the TSA system; if any check fails, it sends a verification-failed notification to the TSA system.
Step S240. After receiving the verification-passed notification, the TSA system uses the WPKI certificate to establish with the user terminal an SSL (Secure Sockets Layer) secure data channel for transmitting data, based on the ECC (elliptic curve cryptography) algorithm.
If the TSA system receives a verification-failed notification, it refuses the connection request of the user terminal.
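The certificate checks of steps S230 and S240, which the application server repeats in steps S290 and S2100, as an added example in Go; this is not code from the patent or from Aisino. It assumes P-256 ECC certificates, a checker that holds the designated CA and a constructed revocation set in place of a real OCSP responder's status database, and it returns one verdict per certificate; ServerTLSConfig shows where such a check is hooked into the SSL/TLS handshake so that a client whose certificate is expired, revoked, issued by another CA or not marked for client authentication never gets a channel. Names such as Checker, Scenario and the user-* common names are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Status is the checker's verdict; "unknown" covers "not issued by the designated CA"
// and "not a client-authentication certificate" alike.
type Status string

const StatusGood, StatusExpired, StatusRevoked, StatusUnknown Status = "good", "expired", "revoked", "unknown"

// Checker stands in for the OCSP server of steps S230/S290; Revoked (decimal serial
// numbers) is a constructed stand-in for the responder's certificate status database.
type Checker struct {
	Roots   *x509.CertPool
	Revoked map[string]bool
}

// Check: validity period, chain to the designated CA, client-auth extension, revocation.
func (c *Checker) Check(leaf *x509.Certificate, now time.Time) Status {
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return StatusExpired
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: c.Roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return StatusUnknown
	}
	if c.Revoked[leaf.SerialNumber.String()] {
		return StatusRevoked
	}
	return StatusGood
}

// ServerTLSConfig hooks the check into the handshake of step S2100: a client certificate
// is required and the connection is refused unless the verdict is "good" (P-256 assumed).
func ServerTLSConfig(c *Checker, serverCert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert}, ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs: c.Roots, CurvePreferences: []tls.CurveID{tls.CurveP256},
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(raw[0])
			if err != nil {
				return err
			}
			if st := c.Check(leaf, time.Now()); st != StatusGood {
				return errors.New("client certificate rejected: " + string(st))
			}
			return nil
		},
	}
}

// issue generates a P-256 key and a certificate signed by parent; parent == nil yields a
// self-signed CA. All inputs are constructed, so failures simply panic.
func issue(serial int64, cn string, notAfter time.Time, eku x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-48 * time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// Scenario builds a designated CA, a rogue CA and one client certificate per outcome.
func Scenario() map[string]Status {
	now := time.Now()
	ca, caKey := issue(1, "Designated WPKI CA", now.Add(24*time.Hour), 0, nil, nil)
	rogue, rogueKey := issue(1, "Rogue CA", now.Add(24*time.Hour), 0, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	chk := &Checker{Roots: roots, Revoked: map[string]bool{"12": true}}
	good, _ := issue(10, "user-alice", now.Add(time.Hour), x509.ExtKeyUsageClientAuth, ca, caKey)
	expired, _ := issue(11, "user-bob", now.Add(-time.Minute), x509.ExtKeyUsageClientAuth, ca, caKey)
	revoked, _ := issue(12, "user-carol", now.Add(time.Hour), x509.ExtKeyUsageClientAuth, ca, caKey)
	foreign, _ := issue(13, "user-dave", now.Add(time.Hour), x509.ExtKeyUsageClientAuth, rogue, rogueKey)
	serverOnly, _ := issue(14, "user-eve", now.Add(time.Hour), x509.ExtKeyUsageServerAuth, ca, caKey)
	return map[string]Status{"good": chk.Check(good, now), "expired": chk.Check(expired, now),
		"revoked": chk.Check(revoked, now), "foreign-ca": chk.Check(foreign, now),
		"server-auth-only": chk.Check(serverOnly, now)}
}

func main() { fmt.Println(Scenario()) }
```

Check is deliberately ordered as the page lists the checks: the validity period is decided from the certificate's own dates before any chain or status lookup, and revocation is consulted last, once the certificate is known to come from the designated CA, so that a rogue issuer cannot influence the answer by reusing a serial number. In a deployment the Revoked map would be replaced by a query to the actual OCSP responder, and the checker's result would also be cached with the responder's nextUpdate time.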
Step S250. Once the SSL secure data channel is established, the user terminal generates a digest value of the data to be uploaded using a digest algorithm and transmits the digest value to the TSA system over the SSL secure data channel in accordance with the timestamp request specification.
Step S260. The TSA system stamps the digest value sent by the user terminal with a timestamp, signs it with the TSA's digital certificate, and returns the signed timestamp information to the user terminal.
Step S270. Through the user terminal, the user sends the application server a connection request carrying the user's WPKI digital certificate; the certificate carries the certificate DN, the validity period, extension fields and similar content.
Step S280. After receiving the connection request, the application server obtains the user terminal's WPKI digital certificate carried in it and sends a verification request for the user terminal's WPKI digital certificate to the OCSP server.
Step S290. After receiving the verification request, the OCSP server obtains the WPKI digital certificate carried in it and verifies the certificate: whether its validity period has expired, whether the WPKI certificate was issued by the designated CA, and whether its unique identifier and extension fields are valid.
If all checks of the WPKI digital certificate pass, the OCSP server sends a verification-passed notification to the application server; if any check fails, it sends a verification-failed notification to the application server.
Step S2100. After receiving the verification-passed notification, the application server uses the WPKI certificate to establish with the user terminal an SSL secure data channel for transmitting data.
If the application server receives a verification-failed notification, it refuses the connection request of the user terminal.
Step S2110. The user terminal sends the timestamp information returned by the TSA, together with the data to be transmitted, to the application server over the SSL secure data channel.
Step S2120. After receiving the timestamp information sent by the user terminal, the application server obtains the digital certificate of the TSA that signed the timestamp. The application server calls the OCSP server to verify the validity of the TSA's digital certificate; the OCSP server verifies whether the TSA's digital certificate was issued by the designated CA and whether the unique identifier and extension fields of the TSA's digital certificate are valid.
Step S2130. If all checks of the TSA's digital certificate pass, the OCSP server sends a verification-passed notification to the application server; if any check fails, it sends a verification-failed notification to the application server.
Step S2140. If the application server receives a verification-failed notification from the OCSP server, it treats the signature on the timestamp as illegitimate and refuses the connection request of the user terminal. If it receives a verification-passed notification from the OCSP server, it treats the signature on the timestamp as legitimate and sends the signed timestamp information to the TSA, which verifies the user's timestamp information.
Step S2150. The TSA verifies the signed timestamp information sent by the application server; the verification includes whether the timestamp was issued by this TSA and whether the signature on the timestamp information verifies.
If all checks of the timestamp information pass, the TSA sends a timestamp-verification-passed notification to the application server; if any check fails, it sends a timestamp-verification-failed notification to the application server.
Step S2160. After receiving the timestamp-verification-passed notification returned by the TSA system, the application server judges that the identity authentication of the user terminal has passed and accepts the connection request of the user terminal, and the user terminal and the application server can communicate over the SSL secure data channel.
After receiving the timestamp-verification-failed notification returned by the TSA system, the application server judges that the identity authentication of the user terminal has failed and refuses the connection request of the user terminal.
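The timestamp half of the procedure, steps S250 to S260 on the TSA side and steps S2110 to S2160 on the application server side, as an added example in Go; this is not code from the patent or from Aisino. The token layout (digest, generation time, serial number, ECDSA signature) is an assumption standing in for an RFC 3161 TimeStampToken, the clock and payloads are constructed, and the acceptance window and replay cache in AppServer are the practitioner's reading of the page's statement that the server "keeps a record" to prevent replay, which the page does not otherwise specify. Names such as TSA, AppServer, Issue and Authenticate are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Token is the signed timestamp information of step S260. A real TSA returns an RFC 3161
// TimeStampToken; this fixed-width encoding is an assumption made for the example.
type Token struct {
	Digest  [32]byte // SHA-256 of the data the terminal will upload (step S250)
	GenTime int64    // Unix seconds at which the TSA stamped the digest
	Serial  uint64   // unique per token; what the application server records against replay
	Sig     []byte   // ASN.1 ECDSA signature over SHA-256(Digest || GenTime || Serial)
}

// tbs is the hash the TSA signs and every verifier recomputes.
func (t Token) tbs() []byte {
	var b [48]byte
	copy(b[:32], t.Digest[:])
	binary.BigEndian.PutUint64(b[32:40], uint64(t.GenTime))
	binary.BigEndian.PutUint64(b[40:48], t.Serial)
	h := sha256.Sum256(b[:])
	return h[:]
}

// TSA stamps digests (S260) and answers the application server's question of S2150:
// was this token issued here, and does its signature verify?
type TSA struct {
	key    *ecdsa.PrivateKey
	issued uint64
	Clock  func() time.Time
}

func NewTSA(clock func() time.Time) *TSA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) } // constructed setup; nothing to recover here
	return &TSA{key: key, Clock: clock}
}

func (a *TSA) Issue(digest [32]byte) Token {
	a.issued++
	t := Token{Digest: digest, GenTime: a.Clock().Unix(), Serial: a.issued}
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, t.tbs())
	if err != nil { panic(err) }
	t.Sig = sig
	return t
}

func (a *TSA) Verify(t Token) bool {
	return t.Serial != 0 && t.Serial <= a.issued && ecdsa.VerifyASN1(&a.key.PublicKey, t.tbs(), t.Sig)
}

// AppServer performs steps S2110 to S2160 once the client's TLS channel is up; the
// acceptance window (MaxAge) and the replay cache (seen) are the additions described above.
type AppServer struct {
	tsa    *TSA
	MaxAge time.Duration
	seen   map[uint64]bool
}

// Authenticate returns "" when the connection is accepted, otherwise the refusal reason.
func (s *AppServer) Authenticate(payload []byte, t Token, now time.Time) string {
	if sha256.Sum256(payload) != t.Digest {
		return "digest does not match payload"
	}
	if !s.tsa.Verify(t) {
		return "timestamp not issued by TSA or signature invalid"
	}
	if age := now.Sub(time.Unix(t.GenTime, 0)); age < -time.Minute || age > s.MaxAge {
		return "timestamp outside acceptance window"
	}
	if s.seen[t.Serial] {
		return "timestamp already used (replay)"
	}
	s.seen[t.Serial] = true
	return ""
}

// Demo runs the flow against a fixed clock and constructed payloads.
func Demo() map[string]string {
	base := time.Date(2013, 10, 21, 9, 0, 0, 0, time.UTC)
	tsa := NewTSA(func() time.Time { return base })
	srv := &AppServer{tsa: tsa, MaxAge: 5 * time.Minute, seen: map[uint64]bool{}}
	payload := []byte(`{"op":"transfer","amount":100}`)
	tok := tsa.Issue(sha256.Sum256(payload))
	altered := tok // same signature, time field changed after signing
	altered.GenTime += 3600
	late := tsa.Issue(sha256.Sum256(payload))
	out := map[string]string{}
	out["first use"] = srv.Authenticate(payload, tok, base.Add(10*time.Second))
	out["replay"] = srv.Authenticate(payload, tok, base.Add(20*time.Second))
	out["tampered"] = srv.Authenticate([]byte(`{"op":"transfer","amount":9999}`), tok, base.Add(30*time.Second))
	out["altered"] = srv.Authenticate(payload, altered, base.Add(time.Hour))
	out["late"] = srv.Authenticate(payload, late, base.Add(time.Hour))
	return out
}

func main() { fmt.Println(Demo()) }
```

Two points the page leaves open are visible in Authenticate. First, the page has the application server send the token back to the TSA for verification; once OCSP has validated the TSA's certificate (step S2130), the server holds the TSA's public key and can verify the signature locally exactly as TSA.Verify does, which removes a round trip and a dependency on the TSA being reachable at authentication time. Second, the token binds only the digest, the time and a serial number, not the client certificate presented on the SSL channel, so a token captured from one session is rejected only by the replay cache and the acceptance window; including the client's certificate identifier in the digested data would tie the token to the identity the channel authenticated.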
Embodiment two
This embodiment offers the mobile terminal authentication system of a kind based on WPKI and timestamp, its concrete structure as shown in Figure 3, comprising: user terminal, application service end, Time Stamping Authority system and OCSP server.
Described user terminal, for from Time Stamping Authority system acquisition time stamp, adopts WPKI WPKI and application service end to set up safe data channel;
Described application service end, for receiving the described timestamp that described user terminal is sent by described safe data channel, described application service end is verified described timestamp by described Time Stamping Authority system; After being verified of described timestamp, and described safe data channel between described user terminal, is utilized to carry out transfer of data;
Described Time Stamping Authority system, for described user terminal transmitting time stamp, verifies the timestamp that described application service end sends over.
Specifically, the TSA system receives a connection request sent by the user terminal that carries the user's WPKI digital certificate, extracts the WPKI digital certificate from the request, and sends a certificate verification request carrying that certificate to the OCSP server.
The OCSP server, after receiving the certificate verification request, reads the unique identifier (serial number), validity period and extension fields of the WPKI digital certificate and checks whether the validity period has expired, whether the certificate was issued by the designated certification authority (CA), and whether its unique identifier and extension fields are valid. Only after every check on the WPKI digital certificate has passed does it send a verification-passed notice to the TSA system.
The user terminal computes a digest value of the data to be uploaded with a digest (hash) algorithm and transmits the digest value to the TSA system over the SSL secure data channel, following the timestamp request specification.
Further, after receiving the verification-passed notice, the TSA system establishes with the user terminal an SSL secure data channel, based on the WPKI certificate, for data transfer. It attaches a timestamp to the digest value sent by the user terminal, signs the result with the TSA system's own digital certificate (that is, with the private key matching that certificate), and returns the signed timestamp information to the user terminal.
Further, the application server receives a connection request sent by the user terminal that carries the user's WPKI digital certificate, extracts the WPKI digital certificate from the request, and sends a certificate verification request carrying that certificate to the OCSP server.
The OCSP server, after receiving the certificate verification request, reads the unique identifier, validity period and extension fields of the WPKI digital certificate and checks whether the validity period has expired, whether the certificate was issued by the designated CA, and whether its unique identifier and extension fields are valid. Only after every check on the WPKI digital certificate has passed does it send a verification-passed notice to the application server.
After receiving the verification-passed notice, the application server establishes, based on the WPKI certificate, a Secure Sockets Layer (SSL) secure channel with the user terminal for data transfer.
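The certificate checks the text assigns to the OCSP server in the two paragraphs above (validity period, issuance by the designated CA, unique identifier and extension fields), worked through in Go against a constructed toy PKI. This is an added example and not code from the patent or its assignee: it performs those checks locally with the standard crypto/x509 package rather than speaking the OCSP wire protocol, and the revocation lookup (a map of revoked serial numbers standing in for the responder's revocation database) is an assumption of the example, added because answering that question is what an OCSP responder exists for. All certificate names, serials and function names are invented for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueCert creates a certificate with a fresh ECDSA P-256 key. With parent == nil it is
// self-signed (the toy CA); otherwise parent/parentKey sign it. Constructed for this example.
func issueCert(cn string, serial int64, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// checkWPKICert applies the checks the text gives the OCSP server: validity period, issuance
// by the designated CA, a sane unique identifier (serial) and acceptable extensions. The
// revocation lookup is an assumption added here; the text does not list it separately.
func checkWPKICert(leaf, designatedCA *x509.Certificate, now time.Time, revoked map[string]bool) error {
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return fmt.Errorf("outside validity period %s..%s", leaf.NotBefore.UTC(), leaf.NotAfter.UTC())
	}
	roots := x509.NewCertPool()
	roots.AddCert(designatedCA) // only the designated CA is trusted
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil { // chain, signature and issuer name checks
		return fmt.Errorf("not issued by designated CA: %w", err)
	}
	if leaf.SerialNumber == nil || leaf.SerialNumber.Sign() <= 0 {
		return errors.New("invalid serial number")
	}
	if len(leaf.UnhandledCriticalExtensions) > 0 {
		return errors.New("unsupported critical extension")
	}
	if revoked[leaf.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	return nil
}

// runScenarios runs the checker over a constructed PKI: a good user certificate, an expired
// one, one from a CA other than the designated CA, and a revoked one.
func runScenarios() (valid, expired, foreign, revoked error) {
	start := time.Date(2013, 10, 21, 0, 0, 0, 0, time.UTC)
	end := start.AddDate(10, 0, 0)
	now := time.Date(2014, 6, 1, 0, 0, 0, 0, time.UTC)
	ca, caKey, _ := issueCert("WPKI Test CA", 1, start, end, true, nil, nil)
	otherCA, otherKey, _ := issueCert("Some Other CA", 1, start, end, true, nil, nil)
	good, _, _ := issueCert("user-001", 2, start, end, false, ca, caKey)
	old, _, _ := issueCert("user-002", 3, start, start.AddDate(0, 1, 0), false, ca, caKey)
	alien, _, _ := issueCert("user-003", 4, start, end, false, otherCA, otherKey)
	gone, _, _ := issueCert("user-004", 5, start, end, false, ca, caKey)
	revokedSerials := map[string]bool{gone.SerialNumber.String(): true}
	valid = checkWPKICert(good, ca, now, revokedSerials)
	expired = checkWPKICert(old, ca, now, revokedSerials)
	foreign = checkWPKICert(alien, ca, now, revokedSerials)
	revoked = checkWPKICert(gone, ca, now, revokedSerials)
	return
}

func main() {
	valid, expired, foreign, revoked := runScenarios()
	fmt.Println("good:", valid, "\nexpired:", expired, "\nforeign CA:", foreign, "\nrevoked:", revoked)
}
```

runScenarios returns nil for the genuine user certificate and a non-nil error for the other three. Note that "issued by the designated CA" is settled by leaf.Verify against a pool holding only that CA, not by comparing issuer names, since an attacker can put any issuer name into a self-made certificate; only the signature check binds the certificate to the CA's key.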
Further, to verify the timestamp, the application server obtains the digital certificate of the TSA system that signed the timestamp, sends a certificate verification request carrying that certificate to the OCSP server, and, after receiving the OCSP server's verification-passed notice, sends the timestamp information to the TSA system.
The OCSP server verifies the digital certificate of the TSA system and, only after every check on that certificate has passed, sends a verification-passed notice to the application server.
The TSA system verifies the signed timestamp information forwarded by the application server. The verification covers whether the timestamp was issued by this TSA and whether the signature on the timestamp information verifies. If every check on the timestamp information passes, the TSA system sends the application server a timestamp-verification-passed notice; if any check fails, it sends a timestamp-verification-failed notice.
When the application server receives the timestamp-verification-passed notice returned by the TSA system, it judges that the identity authentication of the user terminal has passed, accepts the user terminal's connection request, and communicates with the user terminal over the SSL secure data channel.
When the application server receives the timestamp-verification-failed notice returned by the TSA system, it judges that the identity authentication of the user terminal has failed and refuses the user terminal's connection request.
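The timestamp steps above, from the digest sent to the TSA, through the TSA stamping and signing it with an ECC key, to the application server calling the TSA to verify the token and filing a record that blocks replay, worked through in Go. This is an added example and not the patent's own code: the token layout, the serial-number test for "issued by this TSA", the freshness window and every name in it are assumptions of the example. The OCSP check of the TSA certificate from the earlier step is left out here; the application server simply trusts the TSA key it was configured with. The upload payload is constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

// Token is the "timestamp information" the TSA returns: the client's digest, the TSA's time,
// a TSA-assigned serial and an ECDSA (ECC) signature over those three fields. This layout is
// an assumption of the example; the text fixes no wire format.
type Token struct {
	Digest [32]byte
	Time   int64  // Unix seconds, set by the TSA, never by the client
	Serial uint64 // unique per token, so a verifier can record what it has accepted
	Sig    []byte // ASN.1 DER ECDSA signature
}

// signedBytes is the exact value the TSA signs and every verifier recomputes.
func signedBytes(tok *Token) []byte {
	var buf [48]byte
	copy(buf[:32], tok.Digest[:])
	binary.BigEndian.PutUint64(buf[32:40], uint64(tok.Time))
	binary.BigEndian.PutUint64(buf[40:48], tok.Serial)
	h := sha256.Sum256(buf[:])
	return h[:]
}

// TSA is a toy time stamping authority holding a fresh P-256 key and an issuance counter.
type TSA struct {
	key    *ecdsa.PrivateKey
	serial uint64
}

func NewTSA() (*TSA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &TSA{key: key}, err
}

// Stamp attaches the TSA's current time to a client digest and signs the result.
func (t *TSA) Stamp(digest [32]byte) (*Token, error) {
	t.serial++
	tok := &Token{Digest: digest, Time: time.Now().Unix(), Serial: t.serial}
	sig, err := ecdsa.SignASN1(rand.Reader, t.key, signedBytes(tok))
	tok.Sig = sig
	return tok, err
}

// Verify is the TSA-side check from the text: the token was issued by this TSA (serial in
// range) and its signature verifies under the TSA's key.
func (t *TSA) Verify(tok *Token) error {
	if tok.Serial == 0 || tok.Serial > t.serial || !ecdsa.VerifyASN1(&t.key.PublicKey, signedBytes(tok), tok.Sig) {
		return errors.New("token not issued by this TSA or signature invalid")
	}
	return nil
}

// AppServer keeps the filed record of accepted tokens that the text relies on against
// replay. The freshness window maxAge is an added assumption; the text gives none.
type AppServer struct {
	tsa      *TSA
	maxAge   time.Duration
	accepted map[uint64]bool
}

// Authenticate is the application server's decision on one connection request.
func (s *AppServer) Authenticate(data []byte, tok *Token) error {
	if sha256.Sum256(data) != tok.Digest {
		return errors.New("token digest does not match the uploaded data")
	}
	if err := s.tsa.Verify(tok); err != nil { // the TSA interface call from the text
		return err
	}
	if age := time.Since(time.Unix(tok.Time, 0)); age < -s.maxAge || age > s.maxAge {
		return errors.New("timestamp outside freshness window")
	}
	if s.accepted[tok.Serial] {
		return errors.New("replay: token already accepted")
	}
	s.accepted[tok.Serial] = true // file the record before honoring the request
	return nil
}

// runExchange walks the flow with constructed upload data, then tries a replay, a token
// edited after signing, and a token from a TSA the server does not trust.
func runExchange() (first, replay, tampered, forged error) {
	tsa, _ := NewTSA()
	srv := &AppServer{tsa: tsa, maxAge: 5 * time.Minute, accepted: map[uint64]bool{}}
	data := []byte(`{"op":"query-balance","account":"constructed-sample"}`)
	tok, _ := tsa.Stamp(sha256.Sum256(data)) // terminal sends the digest, gets a token back
	first = srv.Authenticate(data, tok)
	replay = srv.Authenticate(data, tok)
	edited := *tok
	edited.Time += 60 // attacker moves the stamped time; the signature no longer matches
	tampered = srv.Authenticate(data, &edited)
	rogue, _ := NewTSA()
	rtok, _ := rogue.Stamp(sha256.Sum256(data))
	forged = srv.Authenticate(data, rtok)
	return
}
```

runExchange returns nil for the genuine first use and a non-nil error for the replay, the edited token and the token from the untrusted TSA. The accepted map is the "filed record" the text mentions; in a real deployment it has to be persisted and shared by every application server instance, or a token refused by one node could still be replayed against another.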
The detailed process by which the system of this embodiment performs identity authentication based on WPKI and a timestamp is similar to that of the preceding method embodiment and is not repeated here.
In summary, in the embodiment of the invention the mobile smart terminal communicates with the application server using WPKI technology, and an SSL communication protocol based on the ECC algorithm secures the whole link. By using the timestamp service of a trusted third party, the user's mobile smart terminal obtains timestamp signature information produced with the ECC algorithm and sends it along; the application server verifies the user's call data by calling the timestamp server interface and files a record at the same time. This prevents replay of messages and resists the various attacks on the group key exchange protocol, so that effective identity authentication of the mobile terminal is achieved and the data security of the mobile terminal's wireless services is ensured. Note that the timestamp itself carries no per-session nonce: the replay protection rests on the application server's filed record of timestamps it has already accepted, so that record must be consulted before a timestamp is honored.
In the embodiment, the application server calls the OCSP system to verify the legitimacy of the Time Stamping Authority, and can also verify the legitimacy of the user's certificate, which authenticates the user's identity more rigorously.
The embodiment records the calls made by the user's mobile smart terminal, using third-party trusted timestamps as credible electronic evidence, which provides a basis for subsequent business audits, security inspections and information tracing; together with strict certificate-based identity verification and an encrypted communication link, this further improves the security of the information entering and leaving the server's key interfaces.
Those of ordinary skill in the art will appreciate that the accompanying drawing is a schematic diagram of one embodiment, and that the modules or flows in the drawing are not necessarily required to implement the present invention.
From the above description of the embodiments, those skilled in the art will clearly understand that the present invention can be implemented by software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, can be embodied in the form of a software product stored on a storage medium such as ROM/RAM, a magnetic disk or an optical disc, including a number of instructions that cause a computer device (a personal computer, a server, a network device, etc.) to perform the methods described in the embodiments of the present invention or in parts of them.
The embodiments in this specification are described progressively; identical or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, because the system embodiment is substantially similar to the method embodiment, it is described more briefly, and the relevant parts may be found in the description of the method embodiment. The system and its embodiment described above are only illustrative: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The above is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be defined by the claims.

Claims (10)

1. A mobile terminal identity authentication method based on WPKI and a timestamp, characterized in that it comprises:
a user terminal obtaining a timestamp from a Time Stamping Authority (TSA) system, and the user terminal establishing a secure data channel with an application server using wireless public key infrastructure (WPKI);
the application server receiving the timestamp sent by the user terminal over the secure data channel, and the application server verifying the timestamp through the TSA system;
after the timestamp has been verified, the application server and the user terminal transferring data over the secure data channel.
2. The mobile terminal identity authentication method based on WPKI and a timestamp according to claim 1, characterized in that the user terminal obtaining a timestamp from the TSA system comprises:
the TSA system receiving a connection request sent by the user terminal that carries the user's WPKI digital certificate, the TSA system extracting the WPKI digital certificate from the connection request, and sending a certificate verification request carrying the WPKI digital certificate to an Online Certificate Status Protocol (OCSP) server;
after receiving the certificate verification request, the OCSP server obtaining the unique identifier, validity period and extension fields of the WPKI digital certificate, and the OCSP server verifying whether the validity period of the WPKI certificate has expired, whether the WPKI certificate was issued by the designated certification authority (CA), and whether the unique identifier and extension fields of the WPKI certificate are valid;
after every check on the WPKI digital certificate has passed, the OCSP server sending a verification-passed notice to the TSA system, and the TSA system and the user terminal establishing between them, based on the WPKI certificate, a Secure Sockets Layer (SSL) secure data channel for data transfer;
the user terminal generating a digest value of the data to be uploaded with a digest algorithm and transmitting the digest value to the TSA system over the SSL secure data channel in accordance with the timestamp request specification; the TSA system attaching a timestamp to the digest value sent by the user terminal, signing it with the digital certificate of the TSA system, and returning the signed timestamp information to the user terminal.
3. The mobile terminal identity authentication method based on WPKI and a timestamp according to claim 2, characterized in that the user terminal establishing a secure data channel with the application server using WPKI comprises:
the application server receiving a connection request sent by the user terminal that carries the user's WPKI digital certificate, the application server extracting the WPKI digital certificate from the connection request, and sending a certificate verification request carrying the WPKI digital certificate to the OCSP server;
after receiving the certificate verification request, the OCSP server obtaining the unique identifier, validity period and extension fields of the WPKI digital certificate, and the OCSP server verifying whether the validity period of the WPKI certificate has expired, whether the WPKI certificate was issued by the designated CA, and whether the unique identifier and extension fields of the WPKI certificate are valid;
after every check on the WPKI digital certificate has passed, the OCSP server sending a verification-passed notice to the application server, and after receiving the verification-passed notice, the application server establishing, based on the WPKI certificate, an SSL secure channel with the user terminal for data transfer.
4. The mobile terminal identity authentication method based on WPKI and a timestamp according to claim 2, characterized in that the application server verifying the timestamp through the TSA system comprises:
the application server obtaining the digital certificate of the TSA system that signed the timestamp and sending a certificate verification request carrying the digital certificate of the TSA system to the OCSP server, and the OCSP server verifying the digital certificate of the TSA system;
after every check on the digital certificate of the TSA system has passed, the OCSP server sending a verification-passed notice to the application server, and the application server sending the timestamp information to the TSA system;
the TSA system verifying the timestamp information sent by the application server, the verification comprising whether the timestamp was issued by this TSA and whether the signature on the timestamp information verifies; after every check on the timestamp information has passed, the TSA system sending a timestamp-verification-passed notice to the application server; if not every check on the timestamp information passes, sending a timestamp-verification-failed notice to the application server.
5. The mobile terminal identity authentication method based on WPKI and a timestamp according to any one of claims 1 to 4, characterized in that, after the timestamp has been verified, the application server and the user terminal transferring data over the secure data channel comprises:
after receiving the timestamp-verification-passed notice returned by the TSA system, the application server judging that the identity authentication of the user terminal has passed, accepting the connection request of the user terminal, and the user terminal and the application server communicating over the SSL secure data channel;
after receiving the timestamp-verification-failed notice returned by the TSA system, the application server judging that the identity authentication of the user terminal has not passed and refusing the connection request of the user terminal.
6. A mobile terminal identity authentication system based on WPKI and a timestamp, characterized in that it comprises a user terminal, an application server and a Time Stamping Authority (TSA) system, wherein:
the user terminal is configured to obtain a timestamp from the TSA system and to establish a secure data channel with the application server using wireless public key infrastructure (WPKI);
the application server is configured to receive the timestamp sent by the user terminal over the secure data channel and to verify the timestamp through the TSA system, and, after the timestamp has been verified, to transfer data with the user terminal over the secure data channel;
the TSA system is configured to issue timestamps to the user terminal and to verify the timestamps sent to it by the application server.
7. The mobile terminal identity authentication system based on WPKI and a timestamp according to claim 6, characterized in that the system further comprises an OCSP server, wherein:
the TSA system is specifically configured to receive a connection request sent by the user terminal that carries the user's WPKI digital certificate, to extract the WPKI digital certificate from the connection request, and to send a certificate verification request carrying the WPKI digital certificate to the OCSP server;
the OCSP server is configured, after receiving the certificate verification request, to obtain the unique identifier, validity period and extension fields of the WPKI digital certificate, to verify whether the validity period of the WPKI certificate has expired, whether the WPKI certificate was issued by the designated certification authority (CA), and whether the unique identifier and extension fields of the WPKI certificate are valid, and, after every check on the WPKI digital certificate has passed, to send a verification-passed notice to the TSA system;
the user terminal is specifically configured to generate a digest value of the data to be uploaded with a digest algorithm and to transmit the digest value to the TSA system over the SSL secure data channel in accordance with the timestamp request specification;
the TSA system is configured, after receiving the verification-passed notice, to establish with the user terminal, based on the WPKI certificate, an SSL secure data channel for data transfer, to attach a timestamp to the digest value sent by the user terminal, to sign it with the digital certificate of the TSA system, and to return the signed timestamp information to the user terminal.
8. The mobile terminal identity authentication system based on WPKI and a timestamp according to claim 7, characterized in that:
the application server is specifically configured to receive a connection request sent by the user terminal that carries the user's WPKI digital certificate, to extract the WPKI digital certificate from the connection request, and to send a certificate verification request carrying the WPKI digital certificate to the OCSP server;
the OCSP server is configured, after receiving the certificate verification request, to obtain the unique identifier, validity period and extension fields of the WPKI digital certificate, to verify whether the validity period of the WPKI certificate has expired, whether the WPKI certificate was issued by the designated CA, and whether the unique identifier and extension fields of the WPKI certificate are valid, and, after every check on the WPKI digital certificate has passed, to send a verification-passed notice to the application server;
the application server is configured, after receiving the verification-passed notice, to establish, based on the WPKI certificate, a Secure Sockets Layer (SSL) secure channel with the user terminal for data transfer.
9. The mobile terminal identity authentication system based on WPKI and a timestamp according to claim 7, characterized in that:
the application server is specifically configured to obtain the digital certificate of the TSA system that signed the timestamp, to send a certificate verification request carrying the digital certificate of the TSA system to the OCSP server, and, after receiving the verification-passed notice sent by the OCSP server, to send the timestamp information to the TSA system;
the OCSP server is specifically configured to verify the digital certificate of the TSA system and, after every check on the digital certificate of the TSA system has passed, to send a verification-passed notice to the application server;
the TSA system is specifically configured to verify the signed timestamp information sent by the application server, the verification comprising whether the timestamp was issued by this TSA and whether the signature on the timestamp information verifies, and, after every check on the timestamp information has passed, to send a timestamp-verification-passed notice to the application server, or, if not every check on the timestamp information passes, to send a timestamp-verification-failed notice to the application server.
10. The mobile terminal identity authentication system based on WPKI and a timestamp according to any one of claims 6 to 9, characterized in that:
the application server is specifically configured, after receiving the timestamp-verification-passed notice returned by the TSA system, to judge that the identity authentication of the user terminal has passed, to accept the connection request of the user terminal, and to communicate with the user terminal over the SSL secure data channel;
and, after receiving the timestamp-verification-failed notice returned by the TSA system, to judge that the identity authentication of the user terminal has not passed and to refuse the connection request of the user terminal.
Application CN201310496089.0A, priority date and filing date 2013-10-21: "Mobile terminal authentication method and system based on WPKI and timestamp". Legal status: Active.

Publications (2)

CN104579662A (application), published 2015-04-29
CN104579662B (granted patent), published 2018-11-13

Family ID 53094946; country: CN (CN104579662B).

Patent Citations (6)

* Cited by examiner, † Cited by third party

CN1539216A * (priority 2001-08-03, published 2004-10-20), Nokia Corporation (诺基亚有限公司): System and method for managing network service access and enrollment
CN1615632A * (priority 2002-01-12, published 2005-05-11), Intel Corporation (英特尔公司): Mechanism for supporting wired and wireless methods for client and server side authentication
US20080250247A1 * (priority 2007-02-13, published 2008-10-09), Airbus France: Authentication method for an electronic document and verification method of a document thus authenticated
CN101083530A * (priority 2007-07-13, published 2007-12-05), Beijing University of Technology (北京工业大学): Method for realizing intra-mobile entity authentication and key negotiation using short messages
US20130132718A1 * (priority 2009-04-28, published 2013-05-23), Sunil C. Agrawal: System and method for long-term digital signature verification utilizing lightweight digital signatures
CN101969427A * (priority 2010-08-24, published 2011-02-09), Jilin University (吉林大学): Set of core equipment for realizing a gas station online payment system based on WPKI (Wireless Public Key Infrastructure)

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party

Yu Yong (余勇) et al., "Design of a Timestamp System for the Electric Power Industry" (电力时间戳系统的设计), Electric Power Information Technology (电力信息化) *
Li Hao (李昊) et al., "Research on Certificate Revocation Methods" (证书撤销方法研究), Computer and Information Technology (计算机与信息技术) *
Li Fuxiang (李福祥) et al., "A Mobile Payment Protocol Based on Digital Certificates" (基于数字证书的移动支付协议), Computer Science (计算机科学) *
Ai Feng (艾风) et al., "Notes on OCSP Application Modes" (关于OCSP应用模式的标记), Computer Engineering (计算机工程) *
Han Wei (韩玮) et al., "A Digital Time Authentication Scheme Based on PKI" (基于PKI体系的数字时间认证方案), Chinese Journal of Computers (计算机学报) *

Cited By (11)

* Cited by examiner, † Cited by third party

CN105653940A * (priority 2015-07-14, published 2016-06-08), Harbin Antiy Technology Co., Ltd. (哈尔滨安天科技股份有限公司): Method and system for analyzing attacker source based on PE files
CN105653940B * (priority 2015-07-14, published 2019-02-26), Harbin Antiy Technology Co., Ltd.: Method and system for analyzing attacker source based on PE files
CN107623673A * (priority 2016-07-14, published 2018-01-23), GM Global Technology Operations LLC (通用汽车环球科技运作有限责任公司): Securely establishing a time value in a connected device
WO2019047927A1 * (priority 2017-09-07, published 2019-03-14), China Iwncomm Co., Ltd. (西安西电捷通无线网络通信股份有限公司): Digital credential management method and device
US11323433B2 (priority 2017-09-07, published 2022-05-03), China Iwncomm Co., Ltd.: Digital credential management method and device
CN109347897A * (priority 2018-08-16, published 2019-02-15), Zhu Xiaojun (朱小军): Centrally architected bionic data transmission system
CN109492371A * (priority 2018-10-26, published 2019-03-19), China United Network Communications Group Co., Ltd. (中国联合网络通信集团有限公司): Method and device for over-the-air (空发) issuance of digital certificates
CN111274031A * (priority 2020-01-16, published 2020-06-12), State Grid Corporation of China, Information and Communication Branch (国家电网有限公司信息通信分公司): Method and device for dynamic migration authentication of end-cloud cooperative edge services
CN111274031B * (priority 2020-01-16, published 2023-07-25), same assignee: Method and device for dynamic migration authentication of end-cloud cooperative edge services
CN112395620A * (priority 2020-11-19, published 2021-02-23), Sichuan Taifu Ground Beidou Technology Co., Ltd. (四川泰富地面北斗科技股份有限公司): Trusted timestamp implementation method based on trusted time
CN112395620B * (priority 2020-11-19, published 2024-01-30), same assignee: Trusted timestamp implementation method based on trusted time

Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (the request for substantive examination entered into force)
GR01: Patent grant