CN104702580B - Multi-communication-channel authentication and authorization platform system and method - Google Patents
- Publication number: CN104702580B (application CN201310665028.2A)
- Authority: CN (China)
- Prior art keywords: token, code, software, authorization terminal, authentication
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
Abstract
The invention discloses a multi-communication-channel authentication and authorization platform system and method. The system comprises a token generation server (STPM), a registration server (TIM), an authentication server (TAM) and an authorization terminal (TAD). The token generation server generates a token combination and supplies it to the registration server; the registration server forwards the token combination to the authorization terminal and to the authentication server; when the authentication server receives an authentication and authorization request from the authorization terminal, it performs the authentication and authorization. The scheme is secure, convenient and easy to operate, low in cost, and effectively prevents a variety of malicious attacks during the network authentication and authorization process.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a multi-communication-channel authentication and authorization platform system and method.
Background technology
In the digital certificate authorization process, a program generates electronic data which the user reads through one or more access channels, such as the user's computer, telephone, IVR (Interactive Voice Response) or kiosk. Only after the user's information has been authenticated and authorized can these access channels be used to obtain the generated electronic data. For electronic data of higher confidentiality, the user's electronic transaction may be required to carry a digital signature during authentication and authorization, to ensure the authenticity and reliability of the transaction. For example, in the signature-based solution a single device platform, such as the user's computer or a kiosk, submits the request to the authentication and authorization platform and performs the signing.
Other secure authentication and authorization signature solutions produce a first authentication code on a separate device. For example, the user initiates a request to an authentication and authorization platform over a network connection; in response, the platform program sends information over the network connection back to the user's computer. After receiving the information, the user enters part of the required information into the signing device (a device not connected to the server or computer) to produce an electronic signature; the user then enters the electronic signature into the computer and submits it to the authentication and authorization platform to complete the signing process.
For other authentication and authorization processes that are manual or telephone-based, an electronic signature cannot be produced with the conventional method described above.
Traditional authentication and authorization solutions, including electronic signature solutions, have the following shortcomings:
1) Manual authentication and authorization performed at a counter, by written instruction or by telephone cannot be carried out with an electronic authentication and authorization solution, including a signing-device solution.
2) When a single device platform both submits the request to the authentication and authorization platform and produces the signature, that platform is easily attacked by malware or by man-in-the-middle (MitM) phishing, and the data can be altered to commit fraud.
3) A non-networked signing device, although it offers a more secure authentication and authorization solution, supports only a single service provider and generally requires the user to enter important data manually into the client, a process that is error-prone; the amount of data that can be signed is limited, and the data that can be signed may itself be restricted. Moreover, such signing devices are comparatively expensive across the whole process of manufacture, purchase, distribution and revocation. At the same time, if the authentication and authorization involves one or more further authentication and authorization platforms, the process becomes complicated and takes more time.
The content of the invention
Based on this, in view of the defects and deficiencies of the prior art, it is necessary to provide a multi-communication-channel authentication and authorization platform system and method that is secure, convenient and easy to operate, low in cost, and effectively prevents a variety of malicious attacks during the network authentication and authorization process.
To achieve the object of the invention, a multi-communication-channel authentication and authorization platform system is provided, comprising a token generation server STPM, a registration server TIM, an authentication server TAM and an authorization terminal TAD;
Wherein:
The token generation server is configured to generate a token combination when the registration server sends it a registration request, and to supply the token combination to the registration server;
The registration server is configured, upon receiving a registration request that the user's authorization terminal sends to it over one or more access communication channels, to request the token combination from the token generation server according to the registration request; after obtaining the token combination, to associate the token combination with the authorization terminal information; then to feed the token combination, the encryption/decryption software and the authentication code generation format software back to the user's authorization terminal over the one or more access channels; and at the same time to send the token combination together with the corresponding authorization terminal information, the encryption/decryption software and the authentication code generation format software to the authentication server over another access channel different from the one or more access channels;
The authentication server is configured, after obtaining the token combination and the corresponding authorization terminal information, and upon receiving an authentication and authorization request from the authorization terminal, to generate a first password from the token combination and the corresponding authorization device information; and, according to the second authentication code sent by the authorization terminal, either to use the encryption/decryption software and the authentication code generation format software to convert the first password into a first authentication code of the same format as the second authentication code and compare the two, or to use the encryption/decryption software and the authentication code generation format software to parse the second authentication code sent by the authorization terminal and compare the resulting second password with the first password; authentication and authorization is then performed according to the result of the comparison;
The authorization terminal is configured, after receiving the token combination and when authentication and authorization is required, to generate a second password from the token combination according to the corresponding authorization device information, to convert the second password into a second authentication code using the encryption/decryption software and the authentication code generation format software, and to send the second authentication code to the authentication server for authentication and authorization.
In one embodiment, the authorization terminal information is personalized sound, image or fingerprint data entered by the user through the authorization terminal.
In one embodiment, the authorization terminal information may further include the unique device identification number of the authorization terminal.
In one embodiment, the access channel is a network/telephone network, a telephone IVR network using touch-tone and/or voice commands, a message-based system, an e-mail system, a kiosk, or paper documents sent by image scanning or by fax.
In one embodiment, the token combination includes any combination of one or more of the following data:
A1) a digital certificate containing two key pairs, one for signing and one for encryption;
A2) a data signing token seed file containing a unique token serial number;
A3) OTP token generation software containing a unique token serial number.
In one embodiment, the authentication server is equipped with a loudspeaker, microphone, camera and/or fingerprint scanner and can read or generate a first authentication code of the corresponding format.
In one embodiment, the first authentication code is a code in one or more of the following forms: sound code, image code, fingerprint code or two-dimensional (QR) code.
In one embodiment, the authorization terminal is a handheld device, mobile phone or tablet computer;
The authorization terminal is equipped with a loudspeaker, microphone, camera and/or fingerprint scanner and can read or generate a second authentication code of the corresponding format.
In one embodiment, the second authentication code is a code in one or more of the following forms: sound code, image code, fingerprint code or two-dimensional (QR) code.
In one embodiment, the data signing token seed file containing the unique token serial number generates the corresponding first password or second password using the authorization terminal information.
In one embodiment, the token combination together with the corresponding authorization terminal information, the encryption/decryption software and the authentication code generation format software are encrypted with the RSA algorithm or the AES algorithm when the registration server sends them to the authentication server and the authorization terminal.
In one embodiment, the encryption key of the RSA algorithm or AES algorithm is stored in a tamper-resistant device.
In one embodiment, the encryption is performed using RSA encryption with a private key, and/or, using the service provider's public key, the token combination is further encrypted with a randomly generated activation password under AES encryption.
In one embodiment, the registration server is further configured to generate a URL for downloading the token combination, the encryption/decryption software and the authentication code generation format software, which the user's authorization terminal (TAD) downloads.
To achieve the object of the invention, a multi-communication-channel authentication and authorization method is also provided, comprising the following steps:
Step S100: upon receiving a registration request that the user's authorization terminal sends to it over one or more access communication channels, the registration server requests the token combination from the token generation server according to the registration request;
Step S200: after receiving the request from the registration server, the token generation server generates the token combination and returns it to the registration server;
Step S300: after obtaining the token combination, the registration server associates the token combination with the authorization terminal information; it then feeds the token combination, the encryption/decryption software and the authentication code generation format software back to the user's authorization terminal over the one or more access channels, and at the same time sends the token combination together with the corresponding authorization terminal information, the encryption/decryption software and the authentication code generation format software to the authentication server over another access channel different from the one or more access channels;
Step S400: the authorization terminal initiates an authentication and authorization request to the authentication server, and the authentication server responds;
Step S500: after the authentication server has responded, the authorization terminal generates a second password from the token combination according to the corresponding authorization device information, converts the second password into a second authentication code using the encryption/decryption software and the authentication code generation format software, and sends it to the authentication server for authentication and authorization;
Step S600: after the authentication server has responded, the authentication server generates a first password from the token combination and the corresponding authorization device information; then, according to the second authentication code sent by the authorization terminal, it either converts the first password, using the encryption/decryption software and the authentication code generation format software, into a first authentication code of the same format as the second authentication code and compares the two, or parses the second authentication code sent by the authorization terminal using the encryption/decryption software and the authentication code generation format software and compares the resulting second password with the first password; authentication and authorization is performed according to the result of the comparison.
In one embodiment, the authentication code generation format software generates a graphic, light code, sound code or voice format.
In one embodiment, step S300 further comprises the following step:
Step S310: after receiving the token component, the encryption software and the authentication code generation format software fed back by the registration server, the authorization terminal decrypts the URL information with a preset decryption key and asks the user to enter the token activation password in order to install the security token combination together with the encryption software and the format generation software.
In one embodiment, the encryption is as follows: using the AES algorithm or the RSA algorithm, the URL information, the token component, the encryption software and the format generation software are encrypted with a key pre-agreed between the token generation server and the authorization terminal.
In one embodiment, step S300 further comprises the following step:
Step S320: after installation of the token component is complete, the authorization terminal asks the user to enter the dynamic password generated and displayed by the dynamic security token software, and then verifies that dynamic password.
In one embodiment, the authorization terminal information is personalized sound, image or fingerprint data entered by the user through the authorization terminal.
In one embodiment, the authorization terminal information further includes the unique device identifier of the authorization terminal.
In one embodiment, the access channel is a network/telephone network, a telephone IVR network using touch-tone and/or voice commands, a message-based system, an e-mail system, a kiosk, or paper documents sent by image scanning or by fax.
In one embodiment, the token combination includes any combination of one or more of the following data:
A1) a digital certificate containing two key pairs, one for signing and one for encryption;
A2) a data signing token seed file containing a unique token serial number;
A3) OTP token generation software containing a unique token serial number.
In one embodiment, the first authentication code is a code in one or more of the following forms: sound code, image code, fingerprint code or two-dimensional (QR) code.
In one embodiment, the second authentication code is a code in one or more of the following forms: sound code, image code, fingerprint code or two-dimensional (QR) code.
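The steps S100 to S600 above, together with the post-installation check of step S320, describe one protocol: a seed bound to the terminal is delivered to the terminal over one channel and to the authentication server over another, and each side derives a password from the shared seed plus the device information and compares either the passwords or the codes they are converted into. The following is an added illustration of that flow, not code from the patent or from any product implementing it. It assumes an HOTP-style derivation (HMAC-SHA256 over the token serial, the device's UDIN and an event counter, truncated to eight digits), uses a base32 text code in place of the sound, image or QR formats the patent names, models the token combination as items A2/A3 only (seed plus serial), and leaves out the RSA/AES transport encryption of the packages. All names, the UDIN values and the window size are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct

DIGITS = 8   # length of the numeric password (assumption, not from the patent)
WINDOW = 3   # counter values the TAM is willing to try per request (assumption)


def derive_password(seed: bytes, serial: str, udin: str, counter: int) -> str:
    """HOTP-style derivation (assumed scheme): HMAC over serial, device UDIN and an
    event counter, dynamically truncated to DIGITS decimal digits. Binding the UDIN
    into the MAC input is what ties the password to one authorization terminal."""
    msg = serial.encode() + b"|" + udin.encode() + b"|" + struct.pack(">Q", counter)
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def to_authentication_code(password: str, serial: str) -> str:
    """Format conversion: numeric password -> transport code ("AC1:" + base32).
    This text form stands in for the sound/image/QR formats named in the patent."""
    return "AC1:" + base64.b32encode(f"{serial}:{password}".encode()).decode()


def parse_authentication_code(code: str):
    """Inverse conversion; raises ValueError for anything that is not an AC1 code."""
    if not code.startswith("AC1:"):
        raise ValueError("unknown authentication code format")
    serial, password = base64.b32decode(code[4:]).decode().split(":", 1)
    return serial, password


class TokenProvisioningServer:          # STPM
    def generate_token_combination(self) -> dict:
        # Constructed token combination: a unique serial plus a random seed (items A2/A3)
        return {"serial": "TKN-" + secrets.token_hex(4).upper(),
                "seed": secrets.token_bytes(32)}


class RegistrationServer:               # TIM
    def __init__(self, stpm: TokenProvisioningServer):
        self.stpm = stpm

    def register(self, udin: str):
        """S100-S300: fetch a token, bind it to the terminal's UDIN, split delivery
        over two channels (token to the TAD, token + UDIN to the TAM)."""
        token = self.stpm.generate_token_combination()
        return dict(token), dict(token, udin=udin)


class AuthorizationDevice:              # TAD
    def __init__(self, udin: str):
        self.udin, self.token, self.counter = udin, None, 0

    def install(self, package: dict):   # S310: token package installed on the terminal
        self.token = package

    def second_authentication_code(self) -> str:   # S500
        pw = derive_password(self.token["seed"], self.token["serial"], self.udin, self.counter)
        self.counter += 1               # every password is used once
        return to_authentication_code(pw, self.token["serial"])


class AuthorizationServer:              # TAM
    def __init__(self):
        self.bindings, self.counters = {}, {}

    def receive_binding(self, binding: dict):      # arrives over the second channel
        self.bindings[binding["serial"]] = binding
        self.counters[binding["serial"]] = 0

    def authorize(self, second_code: str, compare_as_code: bool = True) -> bool:
        """S600. Both comparison branches of the patent; a counter already accepted
        is never accepted again, so a captured code cannot be replayed."""
        try:
            serial, second_pw = parse_authentication_code(second_code)
        except ValueError:
            return False
        binding = self.bindings.get(serial)
        if binding is None:
            return False
        start = self.counters[serial]
        for c in range(start, start + WINDOW):
            first_pw = derive_password(binding["seed"], serial, binding["udin"], c)
            if compare_as_code:   # branch 1: convert first password into the code format
                ok = hmac.compare_digest(to_authentication_code(first_pw, serial), second_code)
            else:                 # branch 2: parse the code, compare the passwords
                ok = hmac.compare_digest(first_pw, second_pw)
            if ok:
                self.counters[serial] = c + 1
                return True
        return False


def run_flow() -> dict:
    """Full registration and five authorization checks; returns the outcomes."""
    tim, tam = RegistrationServer(TokenProvisioningServer()), AuthorizationServer()
    tad = AuthorizationDevice(udin="UDIN-CONSTRUCTED-0001")   # constructed identifier
    to_tad, to_tam = tim.register(tad.udin)
    tad.install(to_tad)
    tam.receive_binding(to_tam)
    code = tad.second_authentication_code()
    genuine = tam.authorize(code)
    replay = tam.authorize(code)                               # same code a second time
    other = AuthorizationDevice(udin="UDIN-OTHER-DEVICE")      # same seed, different UDIN
    other.install(to_tad)
    wrong_device = tam.authorize(other.second_authentication_code())
    parsed = tam.authorize(tad.second_authentication_code(), compare_as_code=False)
    malformed = tam.authorize("not-a-code")
    return {"genuine": genuine, "replay": replay, "wrong_device": wrong_device,
            "parse_branch": parsed, "malformed": malformed}
```

Running `run_flow()` yields a genuine code accepted once, the same code rejected on replay, a code from a device with a different UDIN rejected even though it holds the same seed, the parse-and-compare branch accepting a fresh code, and a malformed code rejected without touching the counter. The two-channel split is the part worth checking in a real deployment: the TAM's binding record must arrive over a channel the terminal's channel cannot influence, otherwise the UDIN binding protects nothing.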
Beneficial effects of the invention: the multi-communication-channel authentication and authorization platform system and method of the invention perform authentication and authorization across multiple communication channels, provide end-to-end protection of the integrity of authentication and authorization information, allow the verification and comparison of that information to be carried out in a tamper-resistant environment, and, by using passwords and user-verified transaction signing data, prevent malware, real-time network phishing and man-in-the-middle (MitM) phishing attacks. The scheme is secure, convenient and easy to operate, low in cost, and effectively prevents a variety of malicious attacks during the network authentication and authorization process. Furthermore, it supports authentication and authorization across one or more communication channels between multiple service providers and multiple authentication and authorization platforms.
Brief description of the drawings
Fig. 1 is a structural diagram of the multi-communication-channel authentication and authorization platform system of an embodiment of the invention;
Fig. 2 is a flowchart of the multi-communication-channel authentication and authorization method of an embodiment of the invention.
Embodiment
In order to make the objects, technical solutions and advantages of the multi-communication-channel authentication and authorization platform system and method of the invention clearer, the system and method are further described below with reference to the drawings and specific embodiments.
One embodiment of the multi-communication-channel authentication and authorization platform system of the invention is shown in Figure 1.
As shown in Figure 1, the multi-communication-channel authentication and authorization platform system (Authentication and Authorization Platform, AAP) of this embodiment comprises a token generation server (Security Token Provisioning Module, STPM) 100, a registration server (Transaction Initiation Module, TIM) 200, an authentication server (Transaction Authorization Module, TAM) 300 and an authorization terminal (Transaction Authorization Device, TAD) 400.
The token generation server (STPM) 100 is a complete life-cycle processing module that handles the authentication and authorization of one or more security tokens of the authorization terminal (TAD) as well as the release of that authentication and authorization. When the registration server sends it a registration request, it generates a token combination and supplies the token combination to the registration server.
The registration server (TIM) 200 provides a programmatic interface supporting one or more access communication channels, so that the user can obtain the token combination used for authentication and authorization and start the authentication and authorization. Upon receiving a registration request that the user's authorization terminal (TAD) sends to it over one or more access communication channels, it requests the token combination from the token generation server (STPM) according to the registration request; after obtaining the token combination, it associates the token combination with the authorization terminal information; it then feeds the token combination, the encryption/decryption software and the authentication code generation format software back to the user's authorization terminal (TAD) over the one or more access channels, and at the same time sends the token combination together with the corresponding authorization terminal information, the encryption/decryption software and the authentication code generation format software to the authentication server (TAM) over another access channel different from the one or more access channels.
The encryption/decryption software and the authentication code generation format software are known existing encryption/decryption software and known authentication code generation format software preset in the registration server; they are prior art and are therefore not described in detail in the embodiments of the invention.
The authorization terminal information may be personalized sound, images (such as a scanned personal image or signature), fingerprint data and the like entered by the user through the authorization terminal (TAD); the user may change this authorization terminal information periodically on the authorization terminal and notify the authentication server through the access channel.
As one embodiment, the authorization terminal information may further include the Unique Device Identification Number (UDIN) of the authorization terminal (TAD).
As one embodiment, the unique device identifier is obtained by reading the UUID (Universally Unique Identifier) of the user's authorization terminal (TAD).
The access channels include, but are not limited to, network/telephone networks, telephone IVR networks using touch-tone and/or voice commands, message-based systems (including short message systems), e-mail systems, kiosks, and paper documents sent by image scanning or by fax.
The token combination includes, but is not limited to, any combination of one or more of the following data:
A1) a digital certificate containing two key pairs, one for signing and one for encryption;
A2) a data signing token seed file containing a unique token serial number;
A3) OTP (One-time Password, dynamic password) token generation software containing a unique token serial number.
The authentication server (TAM) 300 is given its authentication and authorization functions through application programming interfaces (APIs). After obtaining the token combination and the corresponding authorization terminal information, and upon receiving an authentication and authorization request from the authorization terminal, it generates a first password from the token combination and the corresponding authorization device information; then, according to the second authentication code sent by the authorization terminal, it either converts the first password, using the encryption/decryption software and the authentication code generation format software, into a first authentication code of the same format as the second authentication code and compares the two, or parses the second authentication code sent by the authorization terminal using the encryption/decryption software and the authentication code generation format software and compares the resulting second password with the first password; authentication and authorization is performed according to the result of the comparison.
Parsing the second authentication code with the encryption/decryption software and the authentication code generation format software to obtain the second password is prior art and is therefore not described in detail in the embodiments of the invention.
The authentication server (TAM) 300 is equipped with computer-like functional devices such as a loudspeaker, microphone, camera and fingerprint scanner, and can read or generate a first authentication code of the corresponding format, such as a code in one or more of the forms sound code, image code, fingerprint code or QR code.
The authorization terminal (TAD) 400 is a computing device which, after receiving the token combination and when authentication and authorization is required, generates a second password from the token combination according to the corresponding authorization device information, converts the second password into a second authentication code using the encryption/decryption software and the authentication code generation format software, and sends it to the authentication server (TAM) for authentication and authorization.
The authorization terminal (TAD) 400 may be, for example, a handheld device, mobile phone, tablet computer or similar device; all such devices are equipped with computer-like functional devices such as a loudspeaker, microphone, camera and fingerprint scanner, and can read or generate a second authentication code of the corresponding format, such as a code in one or more of the forms sound code, image code, fingerprint code or QR code.
The data signing token seed file containing the unique token serial number can generate the corresponding first password or second password using the authorization terminal information.
As one embodiment, the token combination and the corresponding authorization terminal (TAD) information, the encryption/decryption software and the authentication code generation format software are encrypted with the RSA algorithm or the AES algorithm when the registration server sends them to the authentication server and the authorization terminal, and the encryption key is stored in a tamper-resistant device (such as a FIPS 140 certified device) to ensure its security.
As one embodiment, the encryption is performed using RSA encryption with a private key, and/or the token combination is further encrypted with a randomly generated activation password that is AES-encrypted under the public key; the registration server then generates a URL (Uniform Resource Locator, also called a web address) for downloading the token combination, which the user's authorization terminal (TAD) downloads.
In the multi-communication-channel authentication and authorization platform system (AAP) of this embodiment, an authorized user uses the token generation server (STPM) to personalize and provision one or more security token combinations as identity for his or her own authorization terminal (TAD); the authorization terminal (TAD) is associated with the service provider performing the authentication and authorization, and the user can apply for a security token through the service provider's registration server (TIM).
As one embodiment, authentication and authorization in the multi-communication-channel authentication and authorization platform system may involve one or more users with different authorization terminals (TAD), and before each authorization terminal takes part in the authorization process its authorization terminal (TAD) must be approved by the token generation server (STPM).
The authorization terminal (TAD) accesses a communication channel, for example a desktop web browser, telephone, IVR or kiosk, and submits a security token application request to the registration server (TIM) over that communication channel; the registration server forwards the security token application request to the token generation server (STPM), requesting generation of the token combination.
The present invention also provides a multi-communication-channel authentication and authorization method which, as shown in Fig. 2, comprises the following steps:
Step S100: when the authorization terminal (TAD) of a user, connected through one or more access communication channels, sends a registration request to the registration server (TIM), the registration server requests the token bundle from the token generation server (STPM) according to the registration request;
Step S200: after receiving the request from the registration server, the token generation server (STPM) generates a token bundle and returns the token bundle to the registration server.
Step S300: after obtaining the token bundle, the registration server (TIM) associates the token bundle with the authorization terminal information; it then feeds back the token bundle, the encryption/decryption software and the authentication code format-generation software to the user's authorization terminal (TAD) through the one or more access channels; at the same time, it sends the token bundle with the corresponding authorization terminal information, the encryption/decryption software and the authentication code format-generation software to the authentication server (TAM) through another access channel different from the one or more access channels.
Step S400: the authorization terminal (TAD) initiates an authentication and authorization request to the authentication server (TAM), and the authentication server (TAM) responds;
Step S500: after the authentication server responds, the authorization terminal uses the token bundle to generate the second password according to the corresponding authorization device information, converts the second password into the second authentication code using the encryption/decryption software and the authentication code format-generation software, and sends it to the authentication server (TAM) for authentication and authorization.
Step S600: after the authentication server responds, the authentication server uses the token bundle and the corresponding authorization device information to generate the first password; then, according to the second authentication code sent by the authorization terminal, it either uses the encryption/decryption software and the authentication code format-generation software to convert the first password into a first authentication code of the same format as the second authentication code and compares the two codes, or uses the encryption/decryption software and the authentication code format-generation software to parse the second authentication code sent by the authorization terminal, obtains the second password sent by the authorization terminal and compares it with the first password, and performs authentication and authorization according to the result of the comparison.
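The registration and verification flow of steps S100 to S600, as an added example that is not code from the patent. It assumes, since the patent does not specify them, that both passwords are HMAC-SHA256 values over the terminal's device identifier (UDIN), a hash of the authorization terminal information and a time step, keyed by the token seed, and that the authentication code is a text payload such as a QR or sound encoder would carry; all names and sample values are constructed.

```python
"""Simulation of STPM/TIM/TAD/TAM roles from the method (added example).

Assumptions not in the patent: HMAC-SHA256 password derivation, a JSON/base64
authentication-code format, 8-digit passwords. Sample values are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets


# --- Token generation server (STPM), step S200 ----------------------------
def stpm_generate_token_bundle(serial_counter: int) -> dict:
    """Return a token bundle: unique token serial number (UTSN) plus seed."""
    return {
        "utsn": f"UTSN-{serial_counter:08d}",   # constructed serial format
        "seed": secrets.token_hex(32),           # 256-bit random seed
    }


# --- Registration server (TIM), step S300 ---------------------------------
def tim_bind_bundle(bundle: dict, udin: str, terminal_info: bytes) -> dict:
    """Associate the bundle with the authorization terminal information.

    Only a hash of the personalised data (sound/image/fingerprint) is kept, so
    the record sent to TAD and TAM never carries the raw biometric sample."""
    return {
        "utsn": bundle["utsn"],
        "seed": bundle["seed"],
        "udin": udin,
        "terminal_info_hash": hashlib.sha256(terminal_info).hexdigest(),
    }


def derive_password(bound: dict, time_step: int) -> str:
    """Password computed identically by TAD (second) and TAM (first):
    HMAC over UDIN, terminal-info hash and time step, keyed by the seed."""
    msg = f"{bound['udin']}|{bound['terminal_info_hash']}|{time_step}".encode()
    mac = hmac.new(bytes.fromhex(bound["seed"]), msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


# --- Authentication-code format (what the QR/sound encoder would carry) ---
def encode_auth_code(bound: dict, password: str, fmt: str) -> str:
    payload = json.dumps({"fmt": fmt, "utsn": bound["utsn"], "pw": password},
                         sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode()


def decode_auth_code(code: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(code.encode()))


# --- Authorization terminal (TAD), step S500 ------------------------------
def tad_make_second_code(bound: dict, time_step: int, fmt: str = "qr") -> str:
    second_password = derive_password(bound, time_step)
    return encode_auth_code(bound, second_password, fmt)


# --- Authentication server (TAM), step S600 -------------------------------
def tam_verify(bound: dict, second_code: str, time_step: int, mode: str) -> bool:
    """The two comparison modes of S600: compare codes in the same format,
    or parse the received code and compare the recovered password."""
    first_password = derive_password(bound, time_step)
    if mode == "code":
        fmt = decode_auth_code(second_code)["fmt"]
        first_code = encode_auth_code(bound, first_password, fmt)
        return hmac.compare_digest(first_code, second_code)
    if mode == "password":
        parsed = decode_auth_code(second_code)
        if parsed["utsn"] != bound["utsn"]:
            return False          # code belongs to a different token
        return hmac.compare_digest(first_password, parsed["pw"])
    raise ValueError("unknown comparison mode")


if __name__ == "__main__":
    bundle = stpm_generate_token_bundle(1)
    bound = tim_bind_bundle(bundle, "UDIN-TEST-0001", b"constructed fingerprint")
    code = tad_make_second_code(bound, time_step=12345)
    print("code mode:", tam_verify(bound, code, 12345, "code"))
    print("password mode:", tam_verify(bound, code, 12345, "password"))
    print("stale step:", tam_verify(bound, code, 12346, "password"))
```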
The token generation server uses a known token generation algorithm to generate the token seed file and the unique identifier of the seed file, and adds encrypted data to form the token bundle.
After generating the token component, the token generation server (STPM) returns the following to the registration server (TIM): the token component, the encryption/decryption software and the authentication code format-generation software.
The authentication code format-generation software includes, but is not limited to, software for generating graphics (such as VRcode, barcode), light codes (such as optical frequency), sound codes (such as audio tone) or voice formats; this format-generation software can generate, from the first password or second password produced by the authorization terminal (TAD) or the authentication server (TAM), the first authentication code or second authentication code in the form specified by the user through the authorization device.
After receiving the token component, the encryption software and the authentication code format-generation software fed back by the registration server, the authorization terminal (TAD) decrypts the URL information on the authorization terminal (TAD) using a preset decryption key, and requires the user to enter the token activation password (provided in advance by the authentication server) in order to install the security token bundle, the encryption software and the format-generation software.
As an embodiment, the AES algorithm or the RSA algorithm may be used to encrypt the URL information, the token component, the encryption software and the format-generation software according to a key preset between the token generation server (STPM) and the authorization terminal (TAD).
As an embodiment, the token activation password of the invention is sent to the authorization terminal (TAD) through a predefined, pre-registered internet channel (e-mail, SMS, a voice call through IVR, etc.).
After the user enters the token activation password, the authorization terminal (TAD) downloads the encrypted token component, verifies the integrity of the information in the token component, decrypts the content, and installs the token component, the encryption software and the format-generation software.
As an embodiment, after the installation of the token component is completed, the authorization terminal (TAD) may require the user to enter the dynamic password (OTP) generated and displayed by the security token, and then verifies the dynamic password (OTP) to ensure that the security token component functions normally.
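The activation and self-check steps just described, as an added example that is not code from the patent: the terminal checks the integrity of the downloaded token component before installing it, and afterwards verifies an OTP produced by the installed token. Assumptions the patent does not make: the activation password is stretched with PBKDF2-HMAC-SHA256 salted by the token serial number, integrity is an HMAC-SHA256 tag over the serialised component, and the self-check OTP is RFC 4226 HOTP; the sample seed is the RFC 4226 test secret.

```python
"""Token component activation and OTP self-check (added example).

Assumptions not in the patent: PBKDF2 key stretching, HMAC integrity tag,
HOTP self-check. Payload encryption is out of scope; the point shown is that
nothing is installed unless the integrity check under the activation
password succeeds. Sample values are constructed.
"""
import hashlib
import hmac
import json
import struct
from typing import Optional


def activation_key(activation_password: str, utsn: str) -> bytes:
    """Derive the key protecting the downloaded component from the activation
    password, salted with the unique token serial number (UTSN)."""
    return hashlib.pbkdf2_hmac("sha256", activation_password.encode(),
                               utsn.encode(), 100_000, dklen=32)


def build_package(component: dict, activation_password: str) -> dict:
    """Registration side: serialise the component and attach an integrity tag."""
    payload = json.dumps(component, sort_keys=True).encode()
    key = activation_key(activation_password, component["utsn"])
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"utsn": component["utsn"], "payload": payload.hex(), "tag": tag}


def verify_and_install(package: dict, activation_password: str) -> Optional[dict]:
    """Terminal side: return the component only if the tag verifies;
    a wrong activation password or a tampered download yields None."""
    key = activation_key(activation_password, package["utsn"])
    payload = bytes.fromhex(package["payload"])
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, package["tag"]):
        return None
    component = json.loads(payload)
    if component.get("utsn") != package["utsn"]:
        return None               # serial number inside does not match envelope
    return component


def hotp(seed_hex: str, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP with RFC 4226 dynamic truncation from the installed seed."""
    mac = hmac.new(bytes.fromhex(seed_hex), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def self_check(component: dict, user_entered_otp: str, counter: int) -> bool:
    """Post-install check: the OTP shown by the token must match the seed."""
    return hmac.compare_digest(hotp(component["seed"], counter), user_entered_otp)


if __name__ == "__main__":
    # RFC 4226 test secret "12345678901234567890" as hex (constructed sample)
    comp = {"utsn": "UTSN-00000001",
            "seed": "3132333435363738393031323334353637383930"}
    pkg = build_package(comp, "constructed-activation-password")
    installed = verify_and_install(pkg, "constructed-activation-password")
    print("installed:", installed is not None)
    print("wrong password:", verify_and_install(pkg, "wrong") is None)
    print("self-check:", self_check(installed, hotp(comp["seed"], 0), 0))
```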
The authorization terminal (TAD) performs inter-device authentication and authorization from one or more access channels, for example a desktop web browser, phone IVR, kiosk, etc.; the access channel is connected to the authentication server (TAM) through a communication channel. The access channel is a secure connection that has been authenticated in advance by the authentication server (TAM), for example a connection authenticated through the authorized signing device.
The authorization terminal (TAD) sends the first authentication code to the authentication server (TAM).
The first authentication code may be an encrypted graphic (such as VRcode, barcode), light code (such as optical frequency), sound code (such as audio tone) or voice data generated from the first password by the format-generation software.
As an embodiment, the transmitted first authentication code is encrypted with AES (Advanced Encryption Standard, also known as the Rijndael cipher) using a combination of multiple encryption keys. These keys are encrypted together with the unique device identifier (Unique Device Identification Number, UDIN) of the authorization terminal (TAD) and the unique token serial number (Unique Token Serial Number, UTSN). The result is then encrypted again with RSA using the private key of the service provider.
The encryption process serves to ensure security; in addition, as an embodiment, the encrypted data can only be read by the following:
1) the holder of the authorization terminal (TAD) that initiated the authentication and authorization;
2) the security component pre-installed on the authorization terminal (TAD) by the service provider.
After the authentication server (TAM) receives the request and confirms the data and the authorization data, it can obtain the first authentication code in the following ways:
1) scanning the graphic, QR code or fingerprint data with the format-generation software; or
2) reading the sound code or voice with the default microphone.
As an embodiment, before authentication and authorization is completed, the authentication server (TAM) decrypts the received encrypted first authentication code to obtain the decrypted first authentication code.
As an embodiment, for example, when verifying data the authorization terminal (TAD) uses fingerprint data to confirm authentication and authorization, and uses the authorization terminal (TAD) to create the first authentication code for authentication and authorization. The authorization terminal (TAD) then submits the signature to the authentication server (TAM) for authentication and authorization.
As an embodiment, the authorization device (TAD) may use its securely authenticated communication channel to detect whether the authentication server (TAM) can be reached; if the connection to the authentication server (TAM) fails, it switches to local mode, produces the first authentication code, and delivers the first authentication code to the authentication server (TAM) through a communication interface (such as USB, Bluetooth or NFC), so that the authentication server (TAM) can confirm authentication and authorization.
The authentication server (TAM) verifies the first authentication code in a secure, tamper-resistant environment, such as an HSM (Hierarchical Storage Management) environment, so as to confirm that the authentication and authorization take effect. If the first authentication code is valid, the next level of authentication and authorization is awaited; if it is invalid, it is rejected and authentication and authorization does not pass.
After completing authentication and authorization, the authentication server (TAM) sends a confirmation to all authorization terminals (TAD) that requested authentication and authorization, completing the process.
In the authentication server (TAM), after all required authentications and authorizations from all authorization devices have been verified, completion of authentication and authorization is confirmed and a confirmation is sent to all authorization terminals (TAD) that requested it.
After receiving the confirmation response, the authorization terminal (TAD) decrypts all related data and displays the information to the user in plaintext, so that the user can proceed to the next operation.
Further, as an embodiment, the authentication server (TAM) records all authentication and authorization logs, and each authorization terminal (TAD) records the user's authentication and authorization records.
The multi-communication-channel authentication and authorization platform system (AAP) of the embodiment of the present invention provides a high level of platform security protection by generating the signature in a signing device independent of the registration server (TIM), and by performing authentication and authorization between the authorization terminal (TAD) and the authentication server (TAM). The registration module (TIM) uses the available network connection of a handheld computing device (for example a smartphone or tablet computer) to deliver data securely to the authorization terminal (TAD) as a graphic, light or sound. This minimizes or eliminates safe-usability problems, especially the problem of entering information into a signing device manually, and provides strong privacy protection and authentication, because the encrypted transaction data and signature are sent from the registration server (TIM) to the authorization terminal (TAD) in graphic, light or sound form.
The embodiments described above express only several embodiments of the present invention, and their description is relatively specific and detailed, but this must not be interpreted as limiting the scope of the claims of the present invention. It should be noted that a person of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these fall within the protection scope of the present invention. Therefore, the protection scope of the present patent should be determined by the appended claims.
Claims (24)
1. A multi-communication-channel authentication and authorization platform system, characterized in that it comprises a token generation server STPM, a registration server TIM, an authentication server TAM and an authorization terminal TAD;
wherein:
the token generation server is configured to generate a token bundle when the registration server sends a registration request to it, and to supply the token bundle to the registration server;
the registration server is configured to, when the authorization terminal of a user connected to it through one or more access communication channels sends a registration request, request the token bundle from the token generation server according to the registration request; after obtaining the token bundle, to associate the token bundle with the authorization terminal information; then to feed back the token bundle, the encryption/decryption software and the authentication code format-generation software to the user's authorization terminal through the one or more access channels; and at the same time to send the token bundle with the corresponding authorization terminal information, the encryption/decryption software and the authentication code format-generation software to the authentication server through another access channel different from the one or more access channels;
the authentication server is configured to, after obtaining the token bundle with the corresponding authorization terminal information and when receiving a request from the authorization terminal for authorization and authentication, use the token bundle and the corresponding authorization device information to generate a first password; and, according to the second authentication code sent by the authorization terminal, either use the encryption/decryption software and the authentication code format-generation software to convert the first password into a first authentication code of the same format as the second authentication code and compare the two, or use the encryption/decryption software and the authentication code format-generation software to parse the second authentication code sent by the authorization terminal, obtain the second password sent by the authorization terminal and compare it with the first password, and perform authentication and authorization according to the result of the comparison;
the authorization terminal is configured to, after receiving the token bundle and when authentication and authorization is needed, use the token bundle to generate a second password according to the corresponding authorization device information, convert the second password into a second authentication code using the encryption/decryption software and the authentication code format-generation software, and send it to the authentication server for authentication and authorization.
2. The multi-communication-channel authentication and authorization platform system according to claim 1, characterized in that the authorization terminal information is personalized sound, image or fingerprint data entered by the user through the authorization terminal.
3. The multi-communication-channel authentication and authorization platform system according to claim 2, characterized in that the authorization terminal information further includes a unique device identifier of the authorization terminal.
4. The multi-communication-channel authentication and authorization platform system according to claim 1, characterized in that the access channel is a network/telephone network, a phone IVR network using touch-tone and/or voice commands, a message-based system, an e-mail system, a kiosk, or paper sent by image scanning or fax.
5. The multi-communication-channel authentication and authorization platform system according to claim 1, characterized in that the token bundle includes any combination of one or more of the following data:
A1) a digital certificate containing two key pairs: one for signing and one for encryption;
A2) a data-signing token seed file containing a unique token serial number;
A3) OTP token generation software containing a unique token serial number.
6. The multi-communication-channel authentication and authorization platform system according to claim 1, characterized in that the authentication server is configured with a loudspeaker, microphone, camera and/or fingerprint scanner and can read or generate the first authentication code in a corresponding format.
7. The multi-communication-channel authentication and authorization platform system according to claim 6, characterized in that the first authentication code is a code in one or more of the following forms: sound code, image code, fingerprint code or QR code.
8. The multi-communication-channel authentication and authorization platform system according to claim 1, characterized in that the authorization terminal is a handheld device, mobile phone or tablet computer;
and the authorization terminal is configured with a loudspeaker, microphone, camera and/or fingerprint scanner and can read or generate the second authentication code in a corresponding format.
9. The multi-communication-channel authentication and authorization platform system according to claim 8, characterized in that the second authentication code is a code in one or more of the following forms: sound code, image code, fingerprint code or QR code.
10. The multi-communication-channel authentication and authorization platform system according to claim 5, characterized in that the data-signing token seed file containing the unique token serial number generates the corresponding first password or second password using the authorization terminal information.
11. The multi-communication-channel authentication and authorization platform system according to claim 1, characterized in that the token bundle with the corresponding authorization terminal information, the encryption/decryption software and the authentication code format-generation software are encrypted with the RSA algorithm or the AES algorithm when sent by the registration server to the authentication server and the authorization terminal.
12. The multi-communication-channel authentication and authorization platform system according to claim 11, characterized in that the encryption key of the RSA algorithm or the AES algorithm is stored in a tamper-resistant device.
13. The multi-communication-channel authentication and authorization platform system according to claim 12, characterized in that the encryption is RSA encryption with a private key, and/or the token bundle is further encrypted using a randomly generated activation PIN encrypted with AES under the public key of the service provider.
14. The multi-communication-channel authentication and authorization platform system according to claim 13, characterized in that the registration server is further configured to generate a URL for downloading the token bundle, the encryption/decryption software and the authentication code format-generation software, which the user's authorization terminal downloads.
15. A multi-communication-channel authentication and authorization method, characterized in that it comprises the following steps:
Step S100: when the authorization terminal of a user, connected through one or more access communication channels, sends a registration request to the registration server, the registration server requests a token bundle from the token generation server according to the registration request;
Step S200: after receiving the request from the registration server, the token generation server generates a token bundle and returns the token bundle to the registration server;
Step S300: after obtaining the token bundle, the registration server associates the token bundle with the authorization terminal information; it then feeds back the token bundle, the encryption/decryption software and the authentication code format-generation software to the user's authorization terminal through the one or more access channels; at the same time, it sends the token bundle with the corresponding authorization terminal information, the encryption/decryption software and the authentication code format-generation software to the authentication server through another access channel different from the one or more access channels;
Step S400: the authorization terminal initiates an authentication and authorization request to the authentication server, and the authentication server responds;
Step S500: after the authentication server responds, the authorization terminal uses the token bundle to generate a second password according to the corresponding authorization device information, converts the second password into a second authentication code using the encryption/decryption software and the authentication code format-generation software, and sends it to the authentication server for authentication and authorization;
Step S600: after the authentication server responds, the authentication server uses the token bundle and the corresponding authorization device information to generate a first password; then, according to the second authentication code sent by the authorization terminal, it either uses the encryption/decryption software and the authentication code format-generation software to convert the first password into a first authentication code of the same format as the second authentication code and compares the two, or uses the encryption/decryption software and the authentication code format-generation software to parse the second authentication code sent by the authorization terminal, obtains the second password sent by the authorization terminal and compares it with the first password, and performs authentication and authorization according to the result of the comparison.
16. The multi-communication-channel authentication and authorization method according to claim 15, characterized in that the authentication code format-generation software is graphic, light code, sound code or voice format generation software.
17. The multi-communication-channel authentication and authorization method according to claim 15, characterized in that step S300 further includes the following step:
Step S310: after the token component, the encryption software and the authentication code format-generation software fed back by the registration server are received, the URL information is decrypted on the authorization terminal using a preset decryption key, and the user is required to enter the token activation password to install the security token bundle, the encryption software and the format-generation software.
18. The multi-communication-channel authentication and authorization method according to claim 17, characterized in that the encryption is: using the AES algorithm or the RSA algorithm, according to a key preset between the token generation server and the authorization terminal, to encrypt the URL information, the token component, the encryption software and the format-generation software.
19. The multi-communication-channel authentication and authorization method according to claim 17, characterized in that step S300 further includes the following step:
Step S320: after the installation of the token component is completed, the authorization terminal requires the user to enter the dynamic password generated and displayed by the dynamic security token software, and then verifies the dynamic password.
20. The multi-communication-channel authentication and authorization method according to claim 15, characterized in that the authorization terminal information is personalized sound, image or fingerprint data entered by the user through the authorization terminal.
21. The multi-communication-channel authentication and authorization method according to claim 20, characterized in that the authorization terminal information further includes a unique device identifier of the authorization terminal.
22. The multi-communication-channel authentication and authorization method according to claim 15, characterized in that the access channel is a network/telephone network, a phone IVR network using touch-tone and/or voice commands, a message-based system, an e-mail system, a kiosk, or paper sent by image scanning or fax.
23. The multi-communication-channel authentication and authorization method according to claim 15, characterized in that the token bundle includes any combination of one or more of the following data:
A1) a digital certificate containing two key pairs: one for signing and one for encryption;
A2) a data-signing token seed file containing a unique token serial number;
A3) OTP token generation software containing a unique token serial number.
24. The multi-communication-channel authentication and authorization method according to claim 15, characterized in that the first authentication code is a code in one or more of the following forms: sound code, image code, fingerprint code or QR code;
and the second authentication code is a code in one or more of the following forms: sound code, image code, fingerprint code or QR code.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310665028.2A CN104702580B (en) | 2013-12-10 | 2013-12-10 | More communication channel Certificate Authority plateform systems and method |
TW103122183A TW201524177A (en) | 2013-12-10 | 2014-06-26 | Authentication and authorization platform system and method with multiple communication channels |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310665028.2A CN104702580B (en) | 2013-12-10 | 2013-12-10 | More communication channel Certificate Authority plateform systems and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104702580A CN104702580A (en) | 2015-06-10 |
CN104702580B true CN104702580B (en) | 2017-12-29 |
Family
ID=53349352
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310665028.2A Active CN104702580B (en) | 2013-12-10 | 2013-12-10 | More communication channel Certificate Authority plateform systems and method |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN104702580B (en) |
TW (1) | TW201524177A (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105791259B (en) * | 2015-10-26 | 2018-11-16 | 北京中金国盛认证有限公司 | A kind of method of personal information protection |
US10075557B2 (en) * | 2015-12-30 | 2018-09-11 | Amazon Technologies, Inc. | Service authorization handshake |
TWI657399B (en) * | 2017-11-17 | 2019-04-21 | 匯智通訊有限公司 | Method for performing anti-counterfeiting authentication on transaction voucher by using ultrasonic verification code and transaction verification method |
CN108769992B (en) * | 2018-06-12 | 2021-06-18 | 腾讯科技(深圳)有限公司 | User authentication method, device, terminal and storage medium |
TWI672606B (en) * | 2018-08-28 | 2019-09-21 | 國立暨南國際大學 | Authorization authentication method based on authentication and key agreement protocol |
CN109583872A (en) * | 2018-11-30 | 2019-04-05 | 阿里巴巴集团控股有限公司 | Method of payment and device |
CN110417907B (en) * | 2019-08-05 | 2022-04-15 | 斑马网络技术有限公司 | Management method and device of terminal equipment |
CN110659006B (en) * | 2019-08-20 | 2023-08-22 | 北京捷通华声科技股份有限公司 | Cross-screen display method and device, electronic equipment and readable storage medium |
CN111586023B (en) * | 2020-04-30 | 2022-05-31 | 广州市百果园信息技术有限公司 | Authentication method, authentication equipment and storage medium |
CN112235276B (en) * | 2020-10-09 | 2023-04-18 | 三星电子(中国)研发中心 | Master-slave equipment interaction method, device, system, electronic equipment and computer medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2009028060A1 (en) * | 2007-08-29 | 2009-03-05 | Mitsubishi Electric Corporation | Authentication system, authentication device, terminal device, ic card, and program |
CN103209160A (en) * | 2012-01-13 | 2013-07-17 | 中兴通讯股份有限公司 | Authentication method and system for heterogeneous network |
CN103401686A (en) * | 2013-07-31 | 2013-11-20 | 陕西海基业高科技实业有限公司 | User Internet identity authentication system and application method thereof |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7548620B2 (en) * | 2004-02-23 | 2009-06-16 | Verisign, Inc. | Token provisioning |
Application events
- 2013-12-10: CN CN201310665028.2A (CN104702580B), active
- 2014-06-26: TW TW103122183A (TW201524177A), status unknown
Also Published As
Publication number | Publication date |
---|---|
TWI520557B (en) | 2016-02-01 |
TW201524177A (en) | 2015-06-16 |
CN104702580A (en) | 2015-06-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20231031. Patentee after: Singapore i-Sprint Technology Co.,Ltd., Singapore 750D Caishi Road # 08-01 ESR Industrial Park @ Caishi. Patentee before: BEIJING ANXUNBEN SCIENCE & TECHNOLOGY Co.,Ltd., Room 1509, Shougang International Building, No. 60, Xizhimen North Street, Haidian District, Beijing 100082 |