CN104753953A - Access control system - Google Patents


Info

Publication number
CN104753953A
Authority
CN
China
Prior art keywords
ciphertext
access
access control
server
token
Prior art date
Legal status
Pending
Application number
CN201510172175.5A
Other languages
Chinese (zh)
Inventor
罗春
Current Assignee
CHENGDU SHUANG'AOYANG TECHNOLOGY Co Ltd
Original Assignee
CHENGDU SHUANG'AOYANG TECHNOLOGY Co Ltd
Priority date
2015-04-13
Filing date
2015-04-13
Publication date
2015-07-01
Application filed by CHENGDU SHUANG'AOYANG TECHNOLOGY Co Ltd
Priority to CN201510172175.5A
Publication of CN104753953A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides an access control system comprising an access terminal, an access control server and a data server. The access terminal is used for generating a random key, generating a first ciphertext and a second ciphertext from the random key, sending the first ciphertext to the access control server to request an access token, and, after the access token sent by the access control server is received, sending the access token and the second ciphertext to the data server. The access control server is used for receiving the first ciphertext, sending the access token to the access terminal according to the first ciphertext, and sending the access token and the first ciphertext to the data server. The data server is used for decrypting the second ciphertext sent by the access terminal and generating a third ciphertext from the random key recovered by decryption; if the third ciphertext matches the first ciphertext and the access token sent by the access control server matches the access token sent by the access terminal, data services are provided to the access terminal according to a preset access control policy. The access control system allows higher access security.

Description

Access control system
Technical field
The present invention relates to the technical field of NS software, and in particular to an access control system.
Background technology
Network technology is developing rapidly and interaction between machines is increasingly frequent, but in a networked environment the security of network communication cannot be guaranteed. Although technologies such as firewalls can protect an internal network to a certain extent against threats from an external network, a firewall only filters on the physical characteristics of network packets and cannot provide higher-level protection.
At present the most widely used, and also the most effective, method of secure access control is to use a third-party identity management system: the identity management server sends an access token to the terminal and to the network terminal respectively, the terminal sends the access token it received to the network terminal, and the network terminal judges whether the access token sent by the terminal matches the access token sent by the identity server and thereby decides whether to serve the terminal.
The above authentication process has the following problem: first, an attacker may infect the identity management server with malware, or steal a user's access token by monitoring the communication link; and monitoring of the communication link is especially likely to occur in wireless communication scenarios.
Summary of the invention
The technical problem mainly solved by the present invention is to provide an access control system that can improve access security.
To solve the above technical problem, the technical solution adopted by the present invention is to provide an access control system comprising an access terminal, an access control server and a data server, wherein:
the access terminal is configured to generate a random key, generate a first ciphertext and a second ciphertext from the random key, send the first ciphertext to the access control server to request an access token, and, after receiving the access token sent by the access control server, send the access token and the second ciphertext to the data server, wherein the first ciphertext and the second ciphertext match each other;
the access control server is configured to receive the first ciphertext, send an access token to the access terminal according to the first ciphertext, and at the same time send the access token and the first ciphertext to the data server;
the data server is configured to decrypt the second ciphertext sent by the access terminal, obtain a third ciphertext from the random key recovered by decryption, verify whether the third ciphertext matches the first ciphertext, and verify whether the access token sent by the access control server matches the access token sent by the access terminal; if both verification results are a match, it provides data services to the access terminal according to a preset access control policy.
Preferably, the data server is further configured to refuse to provide data services to the access terminal when either of the two verification results is a mismatch.
Unlike the prior art, the beneficial effect of the present invention is that, by performing dual matching verification of the ciphertext and the access token on the data server, access security can be improved and data leakage caused by unauthorized access can be avoided.
Description of the drawings
Fig. 1 is a schematic block diagram of an access control system according to an embodiment of the present invention.
Embodiment
The technical solutions in the embodiments of the present invention will be described below clearly and completely with reference to the accompanying drawing. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to Fig. 1, which is a schematic block diagram of the access control system of an embodiment of the present invention, the access control system of this embodiment comprises an access terminal, an access control server and a data server.
The access terminal is configured to generate a random key, generate a first ciphertext and a second ciphertext from the random key, send the first ciphertext to the access control server to request an access token, and, after receiving the access token sent by the access control server, send the access token and the second ciphertext to the data server, wherein the first ciphertext and the second ciphertext match each other.
Here, the first ciphertext may be obtained by directly encrypting the random key. The second ciphertext may be obtained by encrypting the random key with an encryption key. The encryption key may be one that the mobile terminal has obtained from the data server in advance; it may be the public key of a public-private key pair generated by the data server, in which case the private key of the pair is the corresponding decryption key.
The access control server is configured to receive the first ciphertext, send an access token to the access terminal according to the first ciphertext, and at the same time send the access token and the first ciphertext to the data server.
Here, the access terminal sends the first ciphertext together with its access token request, so that after generating the access token the access control server can send the first ciphertext and the access token to the data server together.
The data server is configured to decrypt the second ciphertext sent by the access terminal, obtain a third ciphertext from the random key recovered by decryption, verify whether the third ciphertext matches the first ciphertext, and verify whether the access token sent by the access control server matches the access token sent by the access terminal; if both verification results are a match, it provides data services to the access terminal according to the preset access control policy.
Here, the data server may decrypt the second ciphertext with the decryption key to obtain the random key, and then directly encrypt the random key to obtain the third ciphertext. In this embodiment, the data server is further configured to refuse to provide data services to the access terminal when either of the two verification results is a mismatch. The preset access control policy may comprise multiple security permissions, for example whether the access terminal may query, modify, add or delete data.
In the above manner, the access control system of the embodiment of the present invention has the terminal, the access control server and the data server communicate with one another to realize dual matching verification of the ciphertext and the access token, and data services are provided only when both verification results are a match; access security is thereby improved and data leakage caused by unauthorized access is avoided. At the same time, because the ciphertext is encrypted, its content cannot be obtained by malicious monitoring.
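The three-party exchange described in this embodiment, as an added example that is not part of the patent or of any product of the applicant: the access terminal, the access control server and the data server are modelled in one Go program, with the data server's dual matching check written out. The "direct encryption" of the random key is modelled as SHA-256, the second ciphertext as RSA-OAEP under the data server's public key, the access control policy as a constructed list of permitted operations, and tokens are treated as single-use; all of these are assumptions, not choices the text makes.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
)

// firstCiphertext stands in for the text's "directly encrypting the random key".
// Assumption: a one-way function, so C1, which travels via the access control
// server, cannot be inverted to recover the key.
func firstCiphertext(key []byte) []byte { h := sha256.Sum256(key); return h[:] }

// NewRandomKey is the access terminal's first step: a fresh 256-bit random key.
func NewRandomKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// TerminalCiphertexts returns C1 (sent with the token request) and C2 (the key
// encrypted under the data server's public key, obtained in advance).
func TerminalCiphertexts(key []byte, dsPub *rsa.PublicKey) (c1, c2 []byte, err error) {
	c2, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, dsPub, key, nil)
	return firstCiphertext(key), c2, err
}

// DataServer holds the decryption key, the (token, C1) pairs received from the
// access control server, and a constructed sample access control policy.
type DataServer struct {
	priv    *rsa.PrivateKey
	pending map[string][]byte // hex(token) -> C1
	policy  []string
}

func NewDataServer() (*DataServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &DataServer{priv: priv, pending: map[string][]byte{}, policy: []string{"query", "modify"}}, err
}

func (d *DataServer) PublicKey() *rsa.PublicKey { return &d.priv.PublicKey }

// IssueToken is the access control server: it mints a fresh token for C1,
// returns it to the terminal and forwards (token, C1) to the data server.
func IssueToken(ds *DataServer, c1 []byte) ([]byte, error) {
	token := make([]byte, 16)
	if _, err := rand.Read(token); err != nil {
		return nil, err
	}
	ds.pending[hex.EncodeToString(token)] = c1
	return token, nil
}

// Serve grants the policy only when BOTH checks pass: the terminal's token matches
// one received from the access control server, and C3 = firstCiphertext(decrypt(C2))
// matches the C1 stored for that token. A token on its own, without C2, is refused.
func (d *DataServer) Serve(token, c2 []byte) ([]string, error) {
	k := hex.EncodeToString(token)
	c1, ok := d.pending[k]
	if !ok {
		return nil, errors.New("token mismatch")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, d.priv, c2, nil)
	if err != nil || subtle.ConstantTimeCompare(firstCiphertext(key), c1) != 1 {
		return nil, errors.New("ciphertext mismatch: C3 != C1")
	}
	delete(d.pending, k) // each token is consumed once
	return d.policy, nil
}
```

Logging which of the two checks failed (token or ciphertext) gives the data server a detection signal for tokens presented without the matching second ciphertext, which is exactly the stolen-token case the background section describes.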
The foregoing is only an embodiment of the present invention and does not thereby limit the scope of the claims of the present invention; any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, or any direct or indirect use in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (2)

1. An access control system, characterized in that it comprises an access terminal, an access control server and a data server, wherein:
the access terminal is configured to generate a random key, generate a first ciphertext and a second ciphertext from the random key, send the first ciphertext to the access control server to request an access token, and, after receiving the access token sent by the access control server, send the access token and the second ciphertext to the data server, wherein the first ciphertext and the second ciphertext match each other;
the access control server is configured to receive the first ciphertext, send an access token to the access terminal according to the first ciphertext, and at the same time send the access token and the first ciphertext to the data server;
the data server is configured to decrypt the second ciphertext sent by the access terminal, obtain a third ciphertext from the random key recovered by decryption, verify whether the third ciphertext matches the first ciphertext, and verify whether the access token sent by the access control server matches the access token sent by the access terminal, and, if both verification results are a match, provide data services to the access terminal according to a preset access control policy.
2. The access control system according to claim 1, characterized in that the data server is further configured to refuse to provide data services to the access terminal when either of the two verification results is a mismatch.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201510172175.5A CN104753953A (en) | 2015-04-13 | 2015-04-13 | Access control system

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201510172175.5A CN104753953A (en) | 2015-04-13 | 2015-04-13 | Access control system

Publications (1)

Publication Number | Publication Date
CN104753953A (en) | 2015-07-01

Family

ID=53593057

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201510172175.5A (Pending) CN104753953A (en) | Access control system | 2015-04-13 | 2015-04-13

Country Status (1)

Country | Link
CN (1) | CN104753953A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1633084A (en) * 2004-12-28 2005-06-29 北京邮电大学 Token-based fine granularity access control system and method for application server
US8984505B2 (en) * 2008-11-26 2015-03-17 Red Hat, Inc. Providing access control to user-controlled resources in a cloud computing environment
CN102378170A (en) * 2010-08-27 2012-03-14 中国移动通信有限公司 Method, device and system of authentication and service calling
CN104243452A (en) * 2014-08-20 2014-12-24 宇龙计算机通信科技(深圳)有限公司 Method and system for cloud computing access control

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105095789B (en) * 2015-07-08 2018-03-27 广东欧珀移动通信有限公司 A kind of resource operating methods, system, user terminal and server
CN105095789A (en) * 2015-07-08 2015-11-25 广东欧珀移动通信有限公司 Method, system, user terminal and server for operating resource
CN106657152B (en) * 2017-02-07 2021-05-28 腾讯科技(深圳)有限公司 Authentication method, server and access control device
CN106657152A (en) * 2017-02-07 2017-05-10 腾讯科技(深圳)有限公司 Authentication method, server and access control device
CN108390878A (en) * 2018-02-26 2018-08-10 腾讯科技(深圳)有限公司 Method, apparatus for verifying network request safety
CN108390878B (en) * 2018-02-26 2021-11-05 腾讯科技(深圳)有限公司 Method and device for verifying network request security
CN109067881A (en) * 2018-08-09 2018-12-21 顾宏超 Remote-authorization method and its device, equipment and storage medium
CN109067880B (en) * 2018-08-09 2021-06-18 顾宏超 Remote unlocking method of shared equipment, device, equipment and storage medium thereof
CN109117617A (en) * 2018-08-09 2019-01-01 芜湖机智智能科技有限公司 Remote authentication method and device thereof, equipment and the storage medium of self-service terminal
CN109145561A (en) * 2018-08-09 2019-01-04 芜湖机智智能科技有限公司 The method for authenticating and its equipment and storage medium of computer
CN109194624A (en) * 2018-08-09 2019-01-11 芜湖机智智能科技有限公司 Engineering mechanical device uses method for authenticating and its equipment and storage medium
CN108989331A (en) * 2018-08-09 2018-12-11 芜湖机智智能科技有限公司 Data storage device uses method for authenticating and its equipment and storage medium
CN109067881B (en) * 2018-08-09 2020-08-21 顾宏超 Remote authorization method, device, equipment and storage medium thereof
CN109145561B (en) * 2018-08-09 2021-10-29 顾宏超 Authentication method of computer, apparatus thereof and storage medium
CN109194624B (en) * 2018-08-09 2021-03-26 顾宏超 Method for authenticating use of engineering machinery equipment, equipment and storage medium thereof
CN109067880A (en) * 2018-08-09 2018-12-21 芜湖机智智能科技有限公司 The remote de-locking method and its device of shared device, equipment and storage medium
CN109118237A (en) * 2018-08-09 2019-01-01 芜湖机智智能科技有限公司 The pre-paid method and its device and storage medium of self-service facilities
CN109117617B (en) * 2018-08-09 2021-10-29 顾宏超 Remote authentication method of self-service terminal, device, equipment and storage medium thereof
CN109118237B (en) * 2018-08-09 2021-10-29 顾宏超 Method for prepayment of self-service facility, and apparatus and storage medium therefor
WO2020233033A1 (en) * 2019-05-20 2020-11-26 深圳壹账通智能科技有限公司 Information interaction method, device and storage medium
CN110224999A (en) * 2019-05-20 2019-09-10 深圳壹账通智能科技有限公司 Information interacting method, device and storage medium
CN110224999B (en) * 2019-05-20 2022-02-18 深圳壹账通智能科技有限公司 Information interaction method and device and storage medium

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication

Application publication date: 20150701