CN104702580A - Multi-communication-channel authentication authorization platform system and method - Google Patents


Info

Publication number: CN104702580A
Authority: CN (China)
Prior art keywords: token, authentication, authorization terminal, software, code
Legal status: Granted
Application number: CN201310665028.2A
Other languages: Chinese (zh)
Other versions: CN104702580B (en)
Inventors: 程伟强, 梁达光
Current assignee: Singapore i-Sprint Technology Co.,Ltd.
Original assignee: BEIJING ANXUNBEN SCIENCE & TECHNOLOGY Co Ltd
Application filed by BEIJING ANXUNBEN SCIENCE & TECHNOLOGY Co Ltd
Priority application: CN201310665028.2A; related application TW103122183A (published as TW201524177A)
Publication: CN104702580A; application granted and published as CN104702580B
Current legal status: Active

Classifications

All classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/08 Network architectures or network communication protocols for network security, for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols: the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; hash functions; pseudorandom sequence generators
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols: including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos

Abstract

The invention discloses a multi-communication-channel authentication authorization platform system and method. The system comprises a token generating server STPM, a registration server TIM, an authentication server TAM and an authorization terminal TAD. The token generating server STPM generates a token combination and provides it to the registration server; the registration server feeds the token combination back to the authorization terminal and to the authentication server; and the authentication server performs authentication and authorization when it receives an authorization authentication request from the authorization terminal. The multi-communication-channel authentication authorization platform system is secure, convenient, easy to operate and low in cost, and prevents various malicious attacks during network authentication and authorization.

Description

Multi-communication-channel authentication authorization platform system and method
Technical field
The present invention relates to the technical field of network security, and in particular to a multi-communication-channel authentication authorization platform system and method.
Background art
In a digital authentication and authorization process, a program generates electronic data which the user reads through an access channel such as the user's computer, a telephone, IVR (Interactive Voice Response) or an information station (kiosk); only after the user's identity information has passed authentication and authorization may these access channels be used to obtain the generated electronic data. For electronic data of higher confidentiality, the authentication and authorization process may require the user's electronic transaction to carry a digital signature, to guarantee the authenticity and reliability of the transaction. For example, in a signing-based solution a single device platform, such as the user's computer or a kiosk, submits the request to the authentication and authorization platform and performs the signing.
Other secure authentication and authorization signing solutions use a separate device to produce the first authentication code. For example, the user connects to an authentication and authorization platform over the network and starts a request; in the response process the platform program sends information back to the user's computer over the network connection. After receiving the information, the user enters part of the required information into the signing device (a device not connected to the server or the computer) to produce an electronic signature; the user then enters the electronic signature into the computer and submits it to the authentication and authorization platform, completing the signing process.
For other manual or telephone-based authentication and authorization processes, an electronic signature cannot be realised with the conventional methods described above.
Traditional authentication and authorization solutions, including electronic signature solutions, have the following shortcomings:
1) For manual authentication and authorization over the counter, by written instruction or by telephone, electronic authentication and authorization solutions, including signing-device solutions, cannot be used.
2) A single device platform that both submits the request to an authentication and authorization platform and produces the signature is easily attacked by malware and by man-in-the-middle (MitM) phishing, and fraud can be committed by modifying data.
3) A non-networked signing device provides a more secure authentication and authorization solution, but it supports only a single service provider and generally requires the user to enter important data into the client manually. This process is error-prone; the amount of data that can be signed is limited, and the data that can be signed may also be restricted. In addition, the whole life cycle of such a signing device (manufacture, purchase, distribution and revocation) is relatively costly. Moreover, if authentication and authorization involves one or more authentication and authorization platforms, the process becomes complicated and takes more time.
Summary of the invention
Accordingly, to remedy the defects and deficiencies of the prior art, it is necessary to provide a multi-communication-channel authentication authorization platform system and method that is secure, convenient, easy to operate and low in cost, and that effectively prevents various malicious attacks during the network authentication and authorization process.
To achieve the object of the invention, a multi-communication-channel authentication authorization platform system is provided, comprising a token generation server STPM, a registration server TIM, an authentication server TAM and an authorization terminal TAD;
wherein:
the token generation server is configured, when the registration server sends it a registration request, to generate a token combination and supply the token combination to the registration server;
the registration server is configured, when it receives a registration request from the user's authorization terminal over one or more access communication channels, to request the token combination from the token generation server according to the registration request; after obtaining the token combination, to associate the token combination with the authorization terminal information; then to feed the token combination, the encryption/decryption software and the authentication code format software back to the user's authorization terminal over the one or more access channels; and at the same time to send the token combination with the corresponding authorization terminal information, the encryption/decryption software and the authentication code format software to the authentication server over another access channel that is different from the one or more access channels;
the authentication server is configured, after obtaining the token combination with the corresponding authorization terminal information, when it receives a request from the authorization terminal to perform authorization authentication, to generate a first password using the token combination and the corresponding authorization terminal information; and, according to the second authentication code sent by the authorization terminal, either to use the encryption/decryption software and the authentication code format software to convert the first password into a first authentication code of the same format as the second authentication code and perform an authentication comparison, or to use the encryption/decryption software and the authentication code format software to parse the second authentication code sent by the authorization terminal, obtain the second password sent by the authorization terminal and compare it with the first password; and to perform authentication and authorization according to the result of the comparison;
the authorization terminal is configured, after receiving the token combination, when authentication and authorization are required, to generate a second password using the token combination and the corresponding authorization terminal information, to use the encryption/decryption software and the authentication code format software to convert the second password into a second authentication code, and to send it to the authentication server for authentication and authorization.
In one embodiment, the authorization terminal information is personalised sound, image or fingerprint data entered by the user through the authorization terminal.
In one embodiment, the authorization terminal information may further comprise a unique device identifier of the authorization terminal.
In one embodiment, the access channel is a network or telephone network, a telephone IVR network using touch tones and/or voice instructions, a message-based system, an e-mail system, a kiosk, or paper sent by image scanning or fax.
In one embodiment, the token combination comprises any combination of one or more of the following data:
A1) a digital certificate containing two key pairs, one for signing and one for encryption;
A2) a data-signing token seed file containing a unique token serial number;
A3) OTP token generation software containing a unique token serial number.
In one embodiment, the authentication server is equipped with a loudspeaker, microphone, camera and/or fingerprint scanner and can read or generate a first authentication code of the corresponding format.
In one embodiment, the first authentication code is a code in one or more of the forms sound code, image code, fingerprint code or QR code.
In one embodiment, the authorization terminal is a handheld device, mobile phone or tablet computer;
the authorization terminal is equipped with a loudspeaker, microphone, camera and/or fingerprint scanner and can read or generate a second authentication code of the corresponding format.
In one embodiment, the second authentication code is a code in one or more of the forms sound code, image code, fingerprint code or QR code.
In one embodiment, the data-signing token seed file containing the unique token serial number uses the authorization terminal information to generate the corresponding first password or second password.
In one embodiment, the token combination with the corresponding authorization terminal information, the encryption/decryption software and the authentication code format software are encrypted with the RSA algorithm or the AES algorithm when the registration server sends them to the authentication server and the authorization terminal.
In one embodiment, the encryption key of the RSA algorithm or AES algorithm is stored in a tamper-resistant device.
In one embodiment, the encryption uses RSA encryption with a private key, and/or further encrypts the token combination using the service provider's public key and AES encryption with a randomly generated activation PIN.
In one embodiment, the registration server is further configured to generate a URL for downloading the token combination, the encryption/decryption software and the authentication code format software, which the user's authorization terminal (TAD) downloads to obtain them.
To achieve the object of the invention, a multi-communication-channel authentication authorization method is also provided, comprising the following steps:
Step S100: when the registration server receives a registration request from the user's authorization terminal over one or more access communication channels, it requests the token combination from the token generation server according to the registration request;
Step S200: after receiving the request from the registration server, the token generation server generates a token combination and returns the token combination to the registration server;
Step S300: after obtaining the token combination, the registration server associates the token combination with the authorization terminal information; it then feeds the token combination, the encryption/decryption software and the authentication code format software back to the user's authorization terminal over the one or more access channels, and at the same time sends the token combination with the corresponding authorization terminal information, the encryption/decryption software and the authentication code format software to the authentication server over another access channel that is different from the one or more access channels;
Step S400: the authorization terminal initiates an authentication authorization request to the authentication server, and the authentication server responds;
Step S500: after the authentication server responds, the authorization terminal generates a second password using the token combination and the corresponding authorization terminal information, uses the encryption/decryption software and the authentication code format software to convert the second password into a second authentication code, and sends it to the authentication server for authentication and authorization;
Step S600: after the authentication server responds, the authentication server generates a first password using the token combination and the corresponding authorization terminal information; then, according to the second authentication code sent by the authorization terminal, it either uses the encryption/decryption software and the authentication code format software to convert the first password into a first authentication code of the same format as the second authentication code and performs an authentication comparison, or uses the encryption/decryption software and the authentication code format software to parse the second authentication code sent by the authorization terminal, obtains the second password sent by the authorization terminal and compares it with the first password; it then performs authentication and authorization according to the result of the comparison.
In one embodiment, the authentication code format software is software that generates a graphic, light code, sound code or speech format.
In one embodiment, step S300 further comprises the following step:
Step S310: after receiving the token combination, the encryption software and the authentication code format software fed back by the registration server, the authorization terminal decrypts the URL information with a preset decryption key and requires the user to enter the token activation password in order to install the security token combination, the encryption software and the format generation software.
In one embodiment, the encryption is as follows:
the AES algorithm or the RSA algorithm is used to encrypt the URL information, the token combination, the encryption software and the format generation software according to a key preset between the token generation server and the authorization terminal.
In one embodiment, step S300 further comprises the following step:
Step S320: after installation of the token combination is complete, the authorization terminal requires the user to enter the dynamic password generated and displayed by the dynamic security token software, and then verifies the dynamic password.
In one embodiment, the authorization terminal information is personalised sound, image or fingerprint data entered by the user through the authorization terminal.
In one embodiment, the authorization terminal information further comprises a unique device identifier of the authorization terminal.
In one embodiment, the access channel is a network or telephone network, a telephone IVR network using touch tones and/or voice instructions, a message-based system, an e-mail system, a kiosk, or paper sent by image scanning or fax.
In one embodiment, the token combination comprises any combination of one or more of the following data:
A1) a digital certificate containing two key pairs, one for signing and one for encryption;
A2) a data-signing token seed file containing a unique token serial number;
A3) OTP token generation software containing a unique token serial number.
In one embodiment, the first authentication code is a code in one or more of the forms sound code, image code, fingerprint code or QR code.
In one embodiment, the second authentication code is a code in one or more of the forms sound code, image code, fingerprint code or QR code.
Beneficial effects of the invention: the multi-communication-channel authentication authorization platform system and method of the invention perform authentication and authorization across multiple communication channels, providing end-to-end protection of the integrity of the authentication and authorization information; verification and comparison of the information can be carried out in a tamper-resistant environment, and transaction signing of data is based on passwords and user verification, which prevents malware, real-time phishing and man-in-the-middle (MitM) phishing attacks. The system and method are secure, convenient, easy to operate and low in cost, and effectively prevent various malicious attacks during the network authentication and authorization process. Furthermore, they support authentication and authorization between multiple service providers over one or more communication channels and across multiple authentication and authorization platforms.
Brief description of the drawings
Fig. 1 is a structural diagram of the multi-communication-channel authentication authorization platform system of an embodiment of the invention;
Fig. 2 is a flow chart of the multi-communication-channel authentication authorization method of an embodiment of the invention.
Detailed description of embodiments
To make the objects, technical solutions and advantages of the multi-communication-channel authentication authorization platform system and method of the invention clear, the system and method are described in further detail below with reference to the drawings and specific embodiments.
An embodiment of the multi-communication-channel authentication authorization platform system of the invention is shown in Figure 1.
As shown in Figure 1, the multi-communication-channel authentication authorization platform system (Authentication and Authorization Platform, AAP) of the embodiment comprises a token generation server (Security Token Provisioning Module, STPM) 100, a registration server (Transaction Initiation Module, TIM) 200, an authentication server (Transaction Authorization Module, TAM) 300 and an authorization terminal (Transaction Authorization Device, TAD) 400.
The token generation server (STPM) 100 is a full-life-cycle processing module: it handles the authentication authorization and the de-authorization of one or more security tokens of the authorization terminal (TAD), and when the registration server sends it a registration request it generates a token combination and supplies the token combination to the registration server.
The registration server (TIM) 200 provides a programmatic interface that supports one or more access communication channels, so that the user can obtain a token combination for authentication and authorization and start the authentication and authorization. When it receives a registration request from the user's authorization terminal (TAD) over one or more access communication channels, it requests the token combination from the token generation server (STPM) according to the registration request; after obtaining the token combination, it associates the token combination with the authorization terminal information; it then feeds the token combination, the encryption/decryption software and the authentication code format software back to the user's authorization terminal (TAD) over the one or more access channels, and at the same time sends the token combination with the corresponding authorization terminal information, the encryption/decryption software and the authentication code format software to the authentication server (TAM) over another access channel that is different from the one or more access channels.
The encryption/decryption software and the authentication code format software are known encryption/decryption software and known authentication code format software preset in the registration server; they are prior art and are therefore not described in detail in the embodiments of the invention.
The authorization terminal information may be personalised sound, image (such as a scanned personal image or signature) or fingerprint data entered by the user through the authorization terminal (TAD); the user can periodically replace this authorization terminal information on the authorization terminal and notify the authentication server through an access channel.
In one embodiment, the authorization terminal information may further comprise the Unique Device Identification Number (UDIN) of the authorization terminal (TAD).
In one embodiment, the unique device identifier is obtained by reading the UUID (Universally Unique Identifier) of the user's authorization terminal (TAD).
The access channels include, but are not limited to, a network or telephone network, a telephone IVR network using touch tones and/or voice instructions, message-based systems (including short message systems), e-mail systems, kiosks, and paper sent by image scanning or fax.
The token combination includes, but is not limited to, any combination of one or more of the following data:
A1) a digital certificate containing two key pairs, one for signing and one for encryption;
A2) a data-signing token seed file containing a unique token serial number;
A3) OTP (One-time Password, dynamic password) token generation software containing a unique token serial number.
The authentication server (TAM) 300 is given its authentication and authorization functions through application programming interfaces (APIs). After obtaining the token combination with the corresponding authorization terminal information, when it receives a request from the authorization terminal to perform authorization authentication, it generates a first password using the token combination and the corresponding authorization terminal information; then, according to the second authentication code sent by the authorization terminal, it either uses the encryption/decryption software and the authentication code format software to convert the first password into a first authentication code of the same format as the second authentication code and performs an authentication comparison, or uses the encryption/decryption software and the authentication code format software to parse the second authentication code sent by the authorization terminal, obtains the second password sent by the authorization terminal and compares it with the first password; it then performs authentication and authorization according to the result of the comparison.
Parsing the second authentication code with the encryption/decryption software and the authentication code format software to obtain the second password is prior art and is therefore not described in detail in the embodiments of the invention.
The authentication server (TAM) 300 is equipped with computer-like functional devices such as a loudspeaker, microphone, camera and fingerprint scanner, and can read or generate a first authentication code of the corresponding format, such as a code in one or more of the forms sound code, image code, fingerprint code or QR code.
The authorization terminal (TAD) 400 is a computing device which, after receiving the token combination, when authentication and authorization are required, generates a second password using the token combination and the corresponding authorization terminal information, uses the encryption/decryption software and the authentication code format software to convert the second password into a second authentication code, and sends it to the authentication server (TAM) for authentication and authorization.
The authorization terminal (TAD) 400 may be, for example, a handheld device, mobile phone, tablet computer or similar device; such devices are equipped with computer-like functional devices such as a loudspeaker, microphone, camera and fingerprint scanner, and can read or generate a second authentication code of the corresponding format, such as a code in one or more of the forms sound code, image code, fingerprint code or QR code.
The data-signing token seed file containing the unique token serial number can use the authorization terminal information to generate the corresponding first password or second password.
In one embodiment, the token combination with the corresponding authorization terminal (TAD) information, the encryption/decryption software and the authentication code format software are encrypted with the RSA algorithm or the AES algorithm when the registration server sends them to the authentication server and the authorization terminal, and the encryption key is stored in a tamper-resistant device (for example a FIPS 140 certified device) to ensure its security.
In one embodiment, the encryption uses RSA encryption with a private key, and/or further encrypts the token combination using a public key and AES encryption with a randomly generated activation PIN; the registration server then generates a URL (Uniform Resource Locator, also called a web address) for downloading the token combination, which the user's authorization terminal (TAD) downloads to obtain it.
In the multi-communication-channel authentication authorization platform system (AAP) of the embodiment, an authorized user uses the token generation server (STPM) to personalise and provision the identity combination for one or more security tokens of the authorization terminal (TAD) the user holds; the authorization terminal (TAD) is associated with the service provider performing authentication and authorization, and the user applies for a security token through the service provider's registration server (TIM).
In one embodiment, authentication and authorization on the multi-communication-channel authentication authorization platform may involve one or more users with different authorization terminals (TADs), and each user's authorization terminal (TAD) must be approved by the token generation server (STPM) before it takes part in the authorization process.
From an access communication channel such as a desktop web browser, telephone, IVR or kiosk, the authorization terminal (TAD) uses that communication channel to submit a security token application request to the registration server (TIM); the registration server forwards the security token application request to the token generation server (STPM) and requests generation of a token combination.
The invention also provides a multi-communication-channel authentication and authorization method which, as shown in Figure 2, comprises the following steps:
Step S100: when the registration server (TIM) receives a registration request from a user's authorization terminal (TAD) over one or more access communication channels, it requests the token package from the token generation server (STPM) according to that registration request.
Step S200: on receiving the registration server's request, the token generation server (STPM) generates a token package and returns it to the registration server.
Step S300: after obtaining the token package, the registration server (TIM) binds it to the authorization terminal information. It then feeds the token package, the encryption/decryption software and the authentication-code format generation software back to the user's authorization terminal (TAD) over the one or more access channels, and at the same time sends the token package with its corresponding authorization terminal information, the encryption/decryption software and the authentication-code format generation software to the authentication server (TAM) over another access channel that is different from those one or more access channels.
Step S400: the authorization terminal (TAD) sends an authentication and authorization request to the authentication server (TAM), and the authentication server (TAM) responds.
Step S500: after the authentication server responds, the authorization terminal uses the token package and the corresponding authorization device information to generate the second password, converts the second password into the second authentication code with the encryption/decryption software and the authentication-code format generation software, and sends it to the authentication server (TAM) for authentication and authorization.
Step S600: after responding, the authentication server uses the token package and the corresponding authorization device information to generate the first password. According to the second authentication code sent by the authorization terminal, it either converts the first password, using the encryption/decryption software and the authentication-code format generation software, into a first authentication code in the same format as the second authentication code and compares the two, or uses that software to parse the second authentication code back into the second password the authorization terminal sent and compares it with the first password; it then grants or refuses authorization according to the result of the comparison.
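The following is an added example, not code from the patent or its applicant, that models steps S100 to S600 end to end with Go's standard library. It assumes, where the patent does not say, that the token package is a random seed plus a unique token serial number (UTSN), that the first and second passwords are an HMAC-SHA256 over seed, UTSN, authorization terminal information and a time step (the patent only speaks of "a known token generating algorithm"), and that the authentication-code format is an 8-symbol tone sequence standing in for the sound, image and light codes the text describes. The names `STPMGenerate`, `TADSecondCode`, `TAMFirstCode` and `TAMVerify` are this example's own.

```go
package main

// Added example (not the patent's or the applicant's code): a minimal model of
// steps S100 to S600. Assumed: HMAC-SHA256 password derivation, an 8-symbol
// "sound code" format, and a time-step counter shared by TAD and TAM.

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// TokenPackage is what the token generation server (STPM) returns in step S200.
type TokenPackage struct {
	UTSN string // unique token serial number
	Seed []byte // token seed file
}

// Binding is the token package bound to authorization terminal information by
// the registration server (TIM) in step S300; TAD and TAM each get a copy,
// delivered over separate channels.
type Binding struct {
	Token        TokenPackage
	TerminalInfo []byte // e.g. UDIN plus a hash of the user's fingerprint sample
}

// STPMGenerate models step S200: a fresh seed file and its unique identifier.
func STPMGenerate(serial string) (TokenPackage, error) {
	seed := make([]byte, 32)
	if _, err := rand.Read(seed); err != nil {
		return TokenPackage{}, err
	}
	return TokenPackage{UTSN: serial, Seed: seed}, nil
}

// derivePassword is run by both sides: the TAD for the second password (S500)
// and the TAM for the first password (S600).
func derivePassword(b Binding, step uint64) []byte {
	mac := hmac.New(sha256.New, b.Token.Seed)
	mac.Write([]byte(b.Token.UTSN))
	mac.Write(b.TerminalInfo)
	var stepBytes [8]byte
	binary.BigEndian.PutUint64(stepBytes[:], step)
	mac.Write(stepBytes[:])
	return mac.Sum(nil)
}

// ToAuthCode models the format generation software: it maps a password to a
// fixed-length "sound code" of tone indices 0-7 (a constructed format).
func ToAuthCode(password []byte, length int) []int {
	code := make([]int, length)
	for i := range code {
		code[i] = int(password[i] & 0x07)
	}
	return code
}

// TADSecondCode is step S500: the second password in authentication-code form.
func TADSecondCode(b Binding, step uint64) []int { return ToAuthCode(derivePassword(b, step), 8) }

// TAMFirstCode is the first branch of step S600: the first password in the same format.
func TAMFirstCode(b Binding, step uint64) []int { return ToAuthCode(derivePassword(b, step), 8) }

func codeBytes(code []int) []byte {
	out := make([]byte, len(code))
	for i, c := range code {
		out[i] = byte(c)
	}
	return out
}

// TAMVerify is the comparison in step S600. It is constant-time and also
// accepts the previous time step so modest clock skew between TAD and TAM does
// not reject a fresh code; anything older is refused.
func TAMVerify(b Binding, step uint64, received []int) bool {
	ok := 0
	for _, s := range []uint64{step, step - 1} {
		if s > step { // step-1 wrapped around at step 0
			continue
		}
		ok |= subtle.ConstantTimeCompare(codeBytes(TAMFirstCode(b, s)), codeBytes(received))
	}
	return ok == 1
}

func main() {
	tok, err := STPMGenerate("UTSN-0001") // S100/S200
	if err != nil {
		panic(err)
	}
	info := []byte("UDIN-42|fingerprint-template-hash") // constructed terminal information
	tad := Binding{Token: tok, TerminalInfo: info}     // copy delivered to the TAD (S300)
	tam := Binding{Token: tok, TerminalInfo: info}     // copy delivered to the TAM over another channel (S300)
	code := TADSecondCode(tad, 1000)                   // S500
	fmt.Println("second authentication code:", code)
	fmt.Println("TAM accepts:", TAMVerify(tam, 1000, code))          // S600: true
	fmt.Println("TAM accepts stale code:", TAMVerify(tam, 1002, code)) // false
}
```

Binding the terminal information into the HMAC is what makes the "first password equals second password" check meaningful: a token package copied to a different terminal, or a code replayed after its time window, no longer matches what the TAM derives.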
The token generation server generates, according to a known token generation algorithm, the seed file contained in the token and a unique identifier for that seed file, adds encrypted data, and assembles them into the token package.
After generating the token package, the token generation server (STPM) returns the following to the registration server (TIM): the token package, the encryption/decryption software and the authentication-code format generation software.
The authentication-code format generation software includes, but is not limited to, software that generates image codes (such as VRcode or barcode), light codes (such as optical frequency), sound codes (such as audio tones) or voice formats. It converts the first password generated by the authentication server (TAM), or the second password generated by the authorization terminal (TAD), into the first or second authentication code in the format specified by the user's authorization device.
After receiving the token package, the encryption software and the authentication-code format generation software fed back by the registration server (TIM), the authorization terminal (TAD) decrypts the URL information with a preset decryption key, asks the user to enter the token activation password (provided in advance by the authentication server), and installs the security token package, the encryption software and the format generation software.
As one embodiment, the URL information, the token package, the encryption software and the format generation software are encrypted with the AES or RSA algorithm using a key pre-shared between the token generation server (STPM) and the authorization terminal (TAD).
As one embodiment, the token activation password of the invention is sent to the authorization terminal (TAD) over a predefined, pre-registered Internet channel (e-mail, SMS, an IVR voice call, etc.).
Once the user has entered the token activation password, the authorization terminal (TAD) downloads the encrypted token package, verifies the integrity of the information in it, decrypts the content, and installs the token package, the encryption software and the format generation software.
As one embodiment, after the installation of the token package is complete, the authorization terminal (TAD) may ask the user to enter the one-time password (OTP) generated and displayed by the security token, and then verify that OTP to confirm that the security token package is working correctly.
The authorization terminal (TAD) performs the device-to-device authentication and authorization from one or more access channels, such as a desktop web browser, telephone IVR or a kiosk; the access channel is connected to the authentication server (TAM) over a communication channel. The access channel has been securely authenticated by the authentication server (TAM) in advance, for example as a secure connection for authentication and authorization established through the signing device.
The authorization terminal (TAD) sends the first authentication code to the authentication server (TAM).
The first authentication code may be an image (such as VRcode or barcode), a light code (such as optical frequency), a sound code (such as an audio tone) or voice data, produced by the format generation software from the encrypted first password.
As one embodiment, the first authentication code that is sent is encrypted with AES (Advanced Encryption Standard, also known as the Rijndael cipher) using a combination of several encryption keys. These keys are encrypted together with the Unique Device Identification Number (UDIN) of the authorization terminal (TAD) and the Unique Token Serial Number (UTSN). The result is then encrypted once more with RSA using the service provider's private key.
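The two-layer protection just described, as an added example that is not code from the patent or its applicant, using Go's standard library. Assumptions beyond the text: the AES-256 key is derived with HMAC-SHA256 from a provider master key combined with the terminal's UDIN and the token's UTSN (key material that, per the text, lives in the security component the provider installs on the TAD and in the TAM's tamper-resistant environment); the authentication code is sealed with AES-GCM with UDIN and UTSN bound as associated data; and the "RSA encryption with the service provider's private key" is modelled as an RSA-PSS signature over the ciphertext, which the TAM verifies before it decrypts. `Seal`, `Open`, `GenerateProviderKey` and the master-key value are this example's own.

```go
package main

// Added example (not the patent's or the applicant's code): AES-GCM under a
// UDIN/UTSN-bound key, then an RSA-PSS signature with the provider's private
// key. The master key here is a constructed placeholder.

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SealedCode is the protected first authentication code as sent to the TAM.
type SealedCode struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output, authentication tag included
	Signature  []byte // RSA-PSS over SHA-256(nonce || ciphertext)
}

// GenerateProviderKey creates the service provider's RSA key pair.
func GenerateProviderKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// deriveKey mixes UDIN and UTSN into the key, so a code sealed for one
// terminal/token pair does not open for another.
func deriveKey(master []byte, udin, utsn string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("auth-code-key|" + udin + "|" + utsn))
	return mac.Sum(nil) // 32 bytes -> AES-256
}

func newGCM(master []byte, udin, utsn string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(master, udin, utsn))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// signedDigest is what the RSA layer covers: the whole AES layer output.
func signedDigest(nonce, ct []byte) []byte {
	h := sha256.New()
	h.Write(nonce)
	h.Write(ct)
	return h.Sum(nil)
}

// Seal runs on the TAD: AES-GCM first, then the provider's RSA-PSS signature.
func Seal(master []byte, udin, utsn string, priv *rsa.PrivateKey, authCode []byte) (SealedCode, error) {
	gcm, err := newGCM(master, udin, utsn)
	if err != nil {
		return SealedCode{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedCode{}, err
	}
	ct := gcm.Seal(nil, nonce, authCode, []byte(udin+"|"+utsn))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, signedDigest(nonce, ct), nil)
	if err != nil {
		return SealedCode{}, err
	}
	return SealedCode{Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open runs on the TAM: check the provider signature, only then decrypt.
func Open(master []byte, udin, utsn string, pub *rsa.PublicKey, sc SealedCode) ([]byte, error) {
	if err := rsa.VerifyPSS(pub, crypto.SHA256, signedDigest(sc.Nonce, sc.Ciphertext), sc.Signature, nil); err != nil {
		return nil, fmt.Errorf("provider signature invalid: %w", err)
	}
	gcm, err := newGCM(master, udin, utsn)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, sc.Nonce, sc.Ciphertext, []byte(udin+"|"+utsn))
	if err != nil {
		return nil, fmt.Errorf("code does not decrypt for this UDIN/UTSN: %w", err)
	}
	return pt, nil
}

func main() {
	priv, err := GenerateProviderKey()
	if err != nil {
		panic(err)
	}
	master := []byte("constructed-provider-master-key") // placeholder; in practice held in the HSM
	sc, err := Seal(master, "UDIN-42", "UTSN-0001", priv, []byte("sound-code:3-1-4-1-5-9"))
	if err != nil {
		panic(err)
	}
	code, err := Open(master, "UDIN-42", "UTSN-0001", &priv.PublicKey, sc)
	fmt.Printf("TAM recovered %q (err=%v)\n", code, err)
	_, err = Open(master, "UDIN-99", "UTSN-0001", &priv.PublicKey, sc)
	fmt.Println("different terminal:", err)
}
```

Verifying the signature before touching the ciphertext means a message that did not come from a provider-signed component is rejected without exercising the decryption path, and binding UDIN and UTSN as associated data gives the TAM an explicit failure when a code is presented for a terminal or token it was not sealed for.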
The encryption is there to keep the process secure; as one embodiment, the encrypted data can be read only by:
1) the holder of the authorization terminal (TAD) that initiated the authentication and authorization;
2) the security component installed in advance on the authorization terminal (TAD) by the service provider.
After the authentication server (TAM) receives the request and confirms the data and the authorization data, it obtains the first authentication code in one of the following ways:
1) scanning the image, QR code or fingerprint data with the format generation software; or
2) reading the sound code or voice with a built-in microphone.
As one embodiment, before authentication and authorization completes, the authentication server (TAM) decrypts the encrypted first authentication code it received and obtains the decrypted first authentication code.
For example, as one embodiment, when verifying data the authorization terminal (TAD) uses fingerprint data to confirm the authentication and authorization and creates the first authentication code for it; the signature is then submitted from the authorization terminal (TAD) to the authentication server (TAM) for authentication and authorization.
As one embodiment, the authorization device (TAD) can check over its securely authenticated communication channel whether it can reach the authentication server (TAM). If the connection fails, it switches to local mode, produces the first authentication code, and delivers it to the authentication server (TAM) over a communication interface (such as USB, Bluetooth or NFC) so that the authentication and authorization can be confirmed.
The authentication server (TAM) performs the verification in a secure, tamper-resistant environment, such as an HSM (Hierarchical Storage Management) environment, so that the first authentication code's confirmation of the authentication and authorization takes effect.
If the first authentication code is valid, the next stage of authentication and authorization is awaited; if it is invalid, the request is refused and authentication and authorization fails.
After completing authentication and authorization, the authentication server (TAM) sends a confirmation response to every authorization terminal (TAD) that requested authentication and authorization.
Once the authentication server (TAM) has verified the authentication and authorization required from all authorization devices, it confirms that authentication and authorization is complete and sends a confirmation response to every authorization terminal (TAD) that requested it.
On receiving the confirmation response, the authorization terminal (TAD) decrypts all related data and displays the information to the user in clear text so that the user can carry out the next operation.
Further, as one embodiment, the authentication server (TAM) keeps all authentication and authorization logs, recording the authentication and authorization history of each user's authorization terminal (TAD).
The multi-communication-channel authentication and authorization platform system (AAP) of the embodiment of the invention generates the signature on a signing device that is independent of the registration server (TIM), and so provides platform-level protection for the authentication and authorization between the authorization terminal (TAD) and the authentication server (TAM). The registration module (TIM) uses whatever network connection is available to the handheld computing device (such as a smartphone or tablet) and delivers data securely to the authorization terminal (TAD) as images, light or sound. This minimizes or eliminates usability and security problems, in particular those of manually entering information into the signing device, and provides strong privacy protection and authentication, because the encrypted and signed transaction data are sent from the registration server (TIM) to the authorization terminal (TAD) in image, light or sound form.
The embodiments above describe only a few implementations of the invention, and although they are described fairly concretely and in detail, they must not be understood as limiting the scope of the patent claims. It should be noted that a person of ordinary skill in the art may make variations and improvements without departing from the inventive concept, and these all fall within the protection scope of the invention. The protection scope of the patent is therefore defined by the appended claims.

Claims (24)

1. A multi-communication-channel authentication and authorization platform system, characterized in that it comprises a token generation server STPM, a registration server TIM, an authentication server TAM and an authorization terminal TAD;
wherein:
the token generation server is configured to generate a token package when the registration server sends it a registration request, and to supply the token package to the registration server;
the registration server is configured, when it receives a registration request from a user's authorization terminal over one or more access communication channels, to request the token package from the token generation server according to that registration request; after obtaining the token package, to bind it to the authorization terminal information; then to feed the token package, the encryption/decryption software and the authentication-code format generation software back to the user's authorization terminal over the one or more access channels; and at the same time to send the token package with its corresponding authorization terminal information, the encryption/decryption software and the authentication-code format generation software to the authentication server over another access channel different from the one or more access channels;
the authentication server is configured, after obtaining the token package and the corresponding authorization terminal information, and on receiving an authorization terminal's request for authentication and authorization, to generate the first password from the token package and the corresponding authorization device information; and, according to the second authentication code sent by the authorization terminal, either to convert the first password, using the encryption/decryption software and the authentication-code format generation software, into a first authentication code in the same format as the second authentication code and compare the two, or to use that software to parse the second authentication code sent by the authorization terminal back into the second password and compare it with the first password, and to perform authentication and authorization according to the result of the comparison;
the authorization terminal is configured, after receiving the token package and when authentication and authorization is required, to generate the second password from the token package and the corresponding authorization device information, to convert the second password into the second authentication code using the encryption/decryption software and the authentication-code format generation software, and to send it to the authentication server for authentication and authorization.
2. The multi-communication-channel authentication and authorization platform system of claim 1, characterized in that the authorization terminal information is personalized sound, image or fingerprint data entered by the user through the authorization terminal.
3. The multi-communication-channel authentication and authorization platform system of claim 2, characterized in that the authorization terminal information may further comprise the unique device identifier of the authorization terminal.
4. The multi-communication-channel authentication and authorization platform system of claim 1, characterized in that the access channel is a network/telephone network, a telephone IVR network using touch tones and/or voice commands, a messaging system, an e-mail system, a kiosk, or paper sent by image scan or fax.
5. The multi-communication-channel authentication and authorization platform system of claim 1, characterized in that the token package comprises any combination of one or more of the following data:
A1) a digital certificate containing two key pairs, one for signing and one for encryption;
A2) a data-signing token seed file containing a unique token serial number;
A3) OTP token generation software containing a unique token serial number.
6. The multi-communication-channel authentication and authorization platform system of claim 1, characterized in that the authentication server is equipped with a loudspeaker, microphone, camera and/or fingerprint scanner and can read or generate the first authentication code in the corresponding format.
7. The multi-communication-channel authentication and authorization platform system of claim 6, characterized in that the first authentication code is a code in one or more of the following formats: sound code, image code, fingerprint code or QR code.
8. The multi-communication-channel authentication and authorization platform system of claim 1, characterized in that the authorization terminal is a handheld device, mobile phone or tablet;
and the authorization terminal is equipped with a loudspeaker, microphone, camera and/or fingerprint scanner and can read or generate the second authentication code in the corresponding format.
9. The multi-communication-channel authentication and authorization platform system of claim 8, characterized in that the second authentication code is a code in one or more of the following formats: sound code, image code, fingerprint code or QR code.
10. The multi-communication-channel authentication and authorization platform system of claim 5, characterized in that the data-signing token seed file containing the unique token serial number uses the authorization terminal information to generate the corresponding first password or second password.
11. The multi-communication-channel authentication and authorization platform system of claim 1, characterized in that the token package, the corresponding authorization terminal information, the encryption/decryption software and the authentication-code format generation software are encrypted with the RSA or AES algorithm when the registration server sends them to the authentication server and to the authorization terminal.
12. The multi-communication-channel authentication and authorization platform system of claim 11, characterized in that the encryption key of the RSA or AES algorithm is stored in a tamper-resistant device.
13. The multi-communication-channel authentication and authorization platform system of claim 12, characterized in that the encryption uses RSA encryption with a private key, and/or uses the service provider's public key together with a randomly generated activation password encrypted under AES to further encrypt the token package.
14. The multi-communication-channel authentication and authorization platform system of claim 13, characterized in that the registration server is further configured to generate a URL for downloading the token package, the encryption/decryption software and the authentication-code format generation software, which the user's authorization terminal downloads.
15. A multi-communication-channel authentication and authorization method, characterized in that it comprises the following steps:
Step S100: when the registration server receives a registration request from a user's authorization terminal over one or more access communication channels, it requests the token package from the token generation server according to that registration request;
Step S200: on receiving the registration server's request, the token generation server generates a token package and returns it to the registration server;
Step S300: after obtaining the token package, the registration server binds it to the authorization terminal information; it then feeds the token package, the encryption/decryption software and the authentication-code format generation software back to the user's authorization terminal over the one or more access channels, and at the same time sends the token package with its corresponding authorization terminal information, the encryption/decryption software and the authentication-code format generation software to the authentication server over another access channel different from the one or more access channels;
Step S400: the authorization terminal sends an authentication and authorization request to the authentication server, and the authentication server responds;
Step S500: after the authentication server responds, the authorization terminal uses the token package and the corresponding authorization device information to generate the second password, converts the second password into the second authentication code with the encryption/decryption software and the authentication-code format generation software, and sends it to the authentication server for authentication and authorization;
Step S600: after responding, the authentication server uses the token package and the corresponding authorization device information to generate the first password; according to the second authentication code sent by the authorization terminal, it either converts the first password, using the encryption/decryption software and the authentication-code format generation software, into a first authentication code in the same format as the second authentication code and compares the two, or uses that software to parse the second authentication code back into the second password the authorization terminal sent and compares it with the first password, and performs authentication and authorization according to the result of the comparison.
16. The multi-communication-channel authentication and authorization method of claim 15, characterized in that the authentication-code format generation software generates image, light-code, sound-code or voice formats.
17. The multi-communication-channel authentication and authorization method of claim 15, characterized in that step S300 further comprises the following step:
Step S310: after receiving the token package, the encryption software and the authentication-code format generation software fed back by the registration server, the authorization terminal decrypts the URL information with a preset decryption key, and asks the user to enter the token activation password and install the security token package, the encryption software and the format generation software.
18. The multi-communication-channel authentication and authorization method of claim 17, characterized in that the encryption is:
using the AES or RSA algorithm, with a key pre-shared between the token generation server and the authorization terminal, to encrypt the URL information, the token package, the encryption software and the format generation software.
19. The multi-communication-channel authentication and authorization method of claim 17, characterized in that step S300 further comprises the following step:
Step S320: after the installation of the token package is complete, the authorization terminal asks the user to enter the one-time password generated and displayed by the dynamic security token software, and then verifies that one-time password.
20. The multi-communication-channel authentication and authorization method of claim 15, characterized in that the authorization terminal information is personalized sound, image or fingerprint data entered by the user through the authorization terminal.
21. The multi-communication-channel authentication and authorization method of claim 20, characterized in that the authorization terminal information may further comprise the unique device identifier of the authorization terminal.
22. The multi-communication-channel authentication and authorization method of claim 15, characterized in that the access channel is a network/telephone network, a telephone IVR network using touch tones and/or voice commands, a messaging system, an e-mail system, a kiosk, or paper sent by image scan or fax.
23. The multi-communication-channel authentication and authorization method of claim 15, characterized in that the token package comprises any combination of one or more of the following data:
A1) a digital certificate containing two key pairs, one for signing and one for encryption;
A2) a data-signing token seed file containing a unique token serial number;
A3) OTP token generation software containing a unique token serial number.
24. The multi-communication-channel authentication and authorization method of claim 15, characterized in that the first authentication code is a code in one or more of the following formats: sound code, image code, fingerprint code or QR code;
and the second authentication code is a code in one or more of the following formats: sound code, image code, fingerprint code or QR code.
CN201310665028.2A 2013-12-10 2013-12-10 Multi-communication-channel authentication authorization platform system and method Active CN104702580B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201310665028.2A CN104702580B (en) 2013-12-10 2013-12-10 Multi-communication-channel authentication authorization platform system and method
TW103122183A TW201524177A (en) 2013-12-10 2014-06-26 Authentication and authorization platform system and method with multiple communication channels

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310665028.2A CN104702580B (en) 2013-12-10 2013-12-10 Multi-communication-channel authentication authorization platform system and method

Publications (2)

Publication Number Publication Date
CN104702580A true CN104702580A (en) 2015-06-10
CN104702580B CN104702580B (en) 2017-12-29

Family

ID=53349352

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310665028.2A Active CN104702580B (en) 2013-12-10 2013-12-10 Multi-communication-channel authentication authorization platform system and method

Country Status (2)

Country Link
CN (1) CN104702580B (en)
TW (1) TW201524177A (en)

Also Published As

Publication number Publication date
TWI520557B (en) 2016-02-01
CN104702580B (en) 2017-12-29
TW201524177A (en) 2015-06-16

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20231031

Address after: Singapore 750D Caishi Road # 08-01ESR Industrial Park @ Caishi

Patentee after: Singapore i-Sprint Technology Co.,Ltd.

Address before: Room 1509, Shougang International Building, No. 60, Xizhimen North Street, Haidian District, Beijing 100082

Patentee before: BEIJING ANXUNBEN SCIENCE & TECHNOLOGY Co.,Ltd.

TR01 Transfer of patent right