CN104836662A - Unified identity authentication system - Google Patents
- Publication number: CN104836662A
- Application number: CN201510042447.XA
- Authority: CN (China)
- Prior art keywords: user, gateway device, certificate, electronic key, terminal equipment
- Legal status: Pending
Abstract
The invention relates to the field of information security technology and, specifically, to a unified identity authentication system. The system comprises hardware devices: an electronic key, a gateway device, a user terminal device, an authentication server and a user mobile phone; and related software: client software and a unified identity authentication module. The electronic key and the client software are deployed on the user terminal device. The gateway device and the user terminal device exchange information bidirectionally, as do the gateway device and the authentication server. The authentication server is also connected to the user mobile phone, and the electronic key contains a user credential and a positioning module. The positioning module is used to acquire the position of the electronic key. Because the electronic key integrates the user credential, the user name is obtained from the user basic information parsed by the gateway device, which guarantees an effective association between the user credential and the user's real identity information. Through the positioning module in the electronic key the user can learn the position of the key in time, and when it is being misused the operation can be stopped in time.
Description
Technical field
The present invention belongs to the field of information security technology and specifically relates to a unified identity authentication system.
Background technology
User authentication techniques are mature. The main ones at present are: (1) certificate-based authentication; (2) user name and password authentication; (3) two-factor authentication, which verifies both the certificate and the user name and password. The related authentication protocols are likewise mature and complete. Certificate authentication relies mainly on PKI (Public Key Infrastructure) techniques, with a CA (Certificate Authority) centre realising authentication through its signature; related protocols such as OCSP (Online Certificate Status Protocol) also exist. In user name and password authentication the authentication server verifies the user name and password entered by the user; common protocols are RADIUS (Remote Authentication Dial-In User Service) and LDAP (Lightweight Directory Access Protocol).
Current implementations have a problem, however: certificate authentication and user name and password authentication are two largely independent parts with no proper association between them. That is, when two-factor authentication is required, the user certificate and the user name cannot be bound together: certificate authentication uses one set of flows and protocols, user name and password authentication uses another, and there is no direct relation between the two, which leaves a security risk. For example, a CA centre issues a certificate to each of the users Zhang San and Li Si, and the certificates differ in validity period and other attributes. If Zhang San's certificate later expires or is revoked, Zhang San can present Li Si's certificate together with Zhang San's own user name and password and still pass authentication.
Summary of the invention
The object of the invention is to overcome the security risk present in existing user authentication techniques by proposing a unified identity authentication system.
The object of the invention is achieved through the following technical solution.
The unified identity authentication system proposed by the present invention is characterised in that it comprises hardware devices and related software. The hardware devices are: an electronic key, a gateway device, a user terminal device, an authentication server and a user mobile phone. The related software is: client software and a unified identity authentication module.
The electronic key and the client software are deployed on the user terminal device, and the user terminal device can read data from the electronic key. The gateway device and the user terminal device exchange information bidirectionally; the gateway device and the authentication server exchange information bidirectionally; the authentication server is also connected to the user mobile phone.
The electronic keys are managed centrally by the certificate authority; each electronic key contains one user certificate and one positioning module. User certificates are issued centrally by the certificate authority. The user certificate contains the user basic information, which comprises the user name, unit, department, telephone number and e-mail address. The positioning module obtains the position information of the electronic key.
The main functions of the client software are: 1. send an authentication request to the gateway device; 2. send the user certificate held in the electronic key to the gateway device; 3. transmit the password entered by the user to the gateway device in encrypted form; 4. send the electronic key position information obtained by the positioning module in the electronic key to the gateway device.
The unified identity authentication module is deployed on the gateway device. Its main functions are: 1. receive the user certificate from the user terminal device; 2. verify the legitimacy of the user certificate; 3. extract the user basic information from the user certificate; 4. receive the encrypted user password from the user terminal device and decrypt it; 5. receive the electronic key position information from the user terminal device; 6. send the user basic information, the encrypted user password and the electronic key position information to the authentication server; 7. obtain the authentication result from the authentication server and send it to the user terminal device; 8. lock the electronic key, so that it is disabled, according to the lock command sent by the authentication server.
The authentication server performs user identity verification for the user certificates issued centrally by the certificate authority. The authentication server comprises a RADIUS authentication server and an LDAP authentication server.
The gateway device comprises: a router, a switch and a firewall device.
The process of user identity authentication with the unified identity authentication system is as follows:
Step 1: The user terminal device sends an authentication request to the gateway device; at the same time, the positioning module in the electronic key installed on the user terminal device obtains the electronic key position information, which the user terminal device sends to the gateway device.
Step 2: The gateway device sends a user certificate request to the user terminal device.
Step 3: The user terminal device sends the user certificate held in the electronic key to the gateway device.
Step 4: The gateway device receives the user certificate and verifies its legitimacy. If the user certificate is legitimate, the gateway device sends a password request to the user terminal device and step 5 is performed; otherwise, authentication stops.
Step 5: The user terminal device encrypts the password entered by the user and sends it to the gateway device.
Step 6: The gateway device receives the encrypted user password and decrypts it to obtain the decrypted user password; at the same time, the gateway device extracts the user basic information from the user certificate.
Step 7: The gateway device sends the user basic information, the decrypted user password and the electronic key position information to the authentication server.
Step 8: The authentication server sends the electronic key position information to the user mobile phone using the telephone number in the user basic information. If the user confirms that the electronic key position information is wrong, the user sends a lock request to the authentication server from the mobile phone and step 9 is performed; if the user confirms that the electronic key position information is correct, the user sends a confirmation to the authentication server from the mobile phone and step 10 is performed.
Step 9: The authentication server sends a lock command to the gateway device; the gateway device locks the electronic key so that it is disabled, and the operation ends.
Step 10: The authentication server performs user identity verification and returns the result to the user terminal device through the gateway device.
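The following Go program is an added worked example, not part of the patent and not code from its applicant. It models steps 3 to 10 above with real X.509 certificates from Go's crypto/x509 package and also reproduces the Zhang San / Li Si case from the background section. The CA, the user names, phone numbers, passwords and validity dates are constructed sample data, and the encoding of the user basic information (the user name in the subject CN, the telephone number in the X.520 telephoneNumber attribute, OID 2.5.4.20) is an assumption, since the patent does not say how the certificate carries these fields. The gateway takes the user name only from a certificate that chains to the CA and is inside its validity window; the authentication server then checks the password against that name. A valid certificate presented with another user's password is therefore refused, an expired certificate is refused before any password is looked at, and a key locked in step 9 is refused even with the right password. The password is passed in clear between the functions; the patent's encryption of it between terminal and gateway is a transport concern left out here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Subject attribute assumed to carry the phone number (X.520 telephoneNumber, OID 2.5.4.20).
var oidPhone = asn1.ObjectIdentifier{2, 5, 4, 20}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CA is a constructed stand-in for the patent's certificate authority (the unified issuer of user certificates).
type CA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func NewCA(now time.Time) *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Unified CA (constructed)"},
		NotBefore: now.Add(-2 * 365 * 24 * time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{cert: must(x509.ParseCertificate(der)), key: key}
}

// Issue signs a client-auth certificate carrying the user name (CN) and phone number; the DER is what the electronic key holds.
func (ca *CA) Issue(name, phone string, notBefore, notAfter time.Time) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name, ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidPhone, Value: phone}}},
		NotBefore:    notBefore, NotAfter: notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return must(x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key))
}

// GatewayVerify is steps 4 and 6: check chain, validity window and client-auth usage against
// the CA, then read the user name and phone number. The name comes from the certificate only.
func GatewayVerify(ca *CA, der []byte, now time.Time) (name, phone string, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", "", fmt.Errorf("step 4: certificate rejected: %w", err)
	}
	for _, atv := range cert.Subject.Names { // ExtraNames are parsed back into Names
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidPhone) {
			phone = s
		}
	}
	return cert.Subject.CommonName, phone, nil
}

// AuthServer stands in for the RADIUS/LDAP server; Passwords is constructed sample data (a real directory holds verifiers, not plaintext).
type AuthServer struct {
	Passwords map[string]string // user name -> password
	Locked    map[string]bool   // keys disabled by the step 9 lock command
}

func (s *AuthServer) Lock(name string) { s.Locked[name] = true } // step 9: owner answered the step 8 position check with a lock request

// Authenticate is step 10, keyed only by the name the gateway took from the certificate.
func (s *AuthServer) Authenticate(name, password string) error {
	if s.Locked[name] {
		return fmt.Errorf("electronic key of %q is locked", name)
	}
	if s.Passwords[name] != password {
		return fmt.Errorf("password does not match certificate owner %q", name)
	}
	return nil
}

// Login runs one attempt end to end: certificate first (steps 3, 4, 6), then password (steps 5, 7, 10).
func Login(ca *CA, srv *AuthServer, keyCert []byte, password string, now time.Time) error {
	name, _, err := GatewayVerify(ca, keyCert, now)
	if err != nil {
		return err
	}
	return srv.Authenticate(name, password)
}
```

Revocation, which the background section raises through OCSP, is not modelled: Go's Verify checks chain, validity window and key usage but does not consult CRLs or OCSP, so a gateway built this way needs a separate revocation check after Verify before it treats the certificate as legitimate.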
Beneficial effect
Compared with the prior art, the unified identity authentication system proposed by the present invention has the following advantages:
1. The electronic key integrates the user certificate, so the user does not need to enter a user name when logging in, only the password. The user name is obtained directly by the gateway device by parsing the user basic information, which in the two-factor authentication mode guarantees an effective association between the user certificate and the user's real identity information.
2. Through the positioning module in the electronic key the user can learn the position of the electronic key in time, and if it has been stolen by someone else the operation can be terminated in time.
Accompanying drawing explanation
Fig. 1 is a schematic flow chart of user identity authentication with the unified identity authentication system in embodiment 1 of the present invention;
Fig. 2 is a schematic flow chart of user identity authentication with the unified identity authentication system in embodiment 2 of the present invention.
Embodiment
The present invention is further described below with reference to the drawings and embodiments.
Embodiment 1:
The unified identity authentication system realised in embodiment 1 comprises hardware devices and related software. The hardware devices are: an electronic key, a gateway device, a user terminal device, an authentication server and a user mobile phone. The related software is: client software and a unified identity authentication module.
The electronic key and the client software are deployed on the user terminal device, and the user terminal device can read data from the electronic key. The gateway device and the user terminal device exchange information bidirectionally; the gateway device and the authentication server exchange information bidirectionally; the authentication server is also connected to the user mobile phone.
The electronic keys are managed centrally by the certificate authority; each electronic key contains one user certificate and one positioning module. User certificates are issued centrally by the certificate authority. The user certificate contains the user basic information, which comprises the user name, unit, department, telephone number and e-mail address. The positioning module obtains the position information of the electronic key.
The main functions of the client software are: 1. send an authentication request to the gateway device; 2. send the user certificate held in the electronic key to the gateway device; 3. transmit the password entered by the user to the gateway device in encrypted form; 4. send the electronic key position information obtained by the positioning module in the electronic key to the gateway device.
The unified identity authentication module is deployed on the gateway device. Its main functions are: 1. receive the user certificate from the user terminal device; 2. verify the legitimacy of the user certificate; 3. extract the user basic information from the user certificate; 4. receive the encrypted user password from the user terminal device and decrypt it; 5. receive the electronic key position information from the user terminal device; 6. send the user basic information, the encrypted user password and the electronic key position information to the authentication server; 7. obtain the authentication result from the authentication server and send it to the user terminal device; 8. lock the electronic key, so that it is disabled, according to the lock command sent by the authentication server.
The authentication server performs user identity verification for the user certificates issued centrally by the certificate authority. The authentication server comprises a RADIUS authentication server and an LDAP authentication server.
The gateway device is a firewall device; the authentication server is a RADIUS authentication server.
The operating process of user identity authentication with the unified identity authentication system is shown in Fig. 1 and is specifically:
Step 1: The user terminal device sends an authentication request to the gateway device; at the same time, the positioning module in the electronic key installed on the user terminal device obtains the electronic key position information, which the user terminal device sends to the gateway device.
Step 2: The gateway device sends a user certificate request to the user terminal device.
Step 3: The user terminal device sends the user certificate held in the electronic key to the gateway device.
Step 4: The gateway device receives the user certificate and verifies its legitimacy. The user certificate is legitimate, and the gateway device sends a password request to the user terminal device.
Step 5: The user terminal device encrypts the password entered by the user and sends it to the gateway device.
Step 6: The gateway device receives the encrypted user password and decrypts it to obtain the decrypted user password; at the same time, the gateway device extracts the user basic information from the user certificate.
Step 7: The gateway device sends the user basic information, the decrypted user password and the electronic key position information to the authentication server.
Step 8: The authentication server sends the electronic key position information to the user mobile phone using the telephone number in the user basic information. The user confirms that the electronic key position information is correct and sends a confirmation to the authentication server from the mobile phone.
Step 10: The authentication server performs user identity verification and returns the result to the user terminal device through the gateway device.
Embodiment 2:
The structure of the unified identity authentication system realised in embodiment 2 is identical to the system in embodiment 1; the only differences are that the authentication server is an LDAP authentication server and the gateway device is a switch.
The operating process of user identity authentication with the unified identity authentication system of embodiment 2 is shown in Fig. 2 and is specifically:
Step 1: The user terminal device sends an authentication request to the gateway device; at the same time, the positioning module in the electronic key installed on the user terminal device obtains the electronic key position information, which the user terminal device sends to the gateway device.
Step 2: The gateway device sends a user certificate request to the user terminal device.
Step 3: The user terminal device sends the user certificate held in the electronic key to the gateway device.
Step 4: The gateway device receives the user certificate and verifies its legitimacy. The user certificate is legitimate, and the gateway device sends a password request to the user terminal device.
Step 5: The user terminal device encrypts the password entered by the user and sends it to the gateway device.
Step 6: The gateway device receives the encrypted user password and decrypts it to obtain the decrypted user password; at the same time, the gateway device extracts the user basic information from the user certificate.
Step 7: The gateway device sends the user basic information, the decrypted user password and the electronic key position information to the authentication server.
Step 8: The authentication server sends the electronic key position information to the user mobile phone using the telephone number in the user basic information. The user confirms that the electronic key position information is wrong and sends a lock request to the authentication server from the mobile phone.
Step 9: The authentication server sends a lock command to the gateway device; the gateway device locks the electronic key so that it is disabled, and the operation ends.
Claims (4)
1. A unified identity authentication system, characterised in that it comprises hardware devices and related software; the hardware devices comprise: an electronic key, a gateway device, a user terminal device, an authentication server and a user mobile phone; the related software comprises: client software and a unified identity authentication module;
the electronic key and the client software are deployed on the user terminal device, and the user terminal device can read data from the electronic key; the gateway device and the user terminal device exchange information bidirectionally; the gateway device and the authentication server exchange information bidirectionally; the authentication server is also connected to the user mobile phone;
the electronic keys are managed centrally by the certificate authority, and each electronic key contains one user certificate and one positioning module; user certificates are issued centrally by the certificate authority; the user certificate contains the user basic information, which comprises the user name, unit, department, telephone number and e-mail address; the positioning module obtains the position information of the electronic key;
the main functions of the client software are: 1. send an authentication request to the gateway device; 2. send the user certificate held in the electronic key to the gateway device; 3. transmit the password entered by the user to the gateway device in encrypted form; 4. send the electronic key position information obtained by the positioning module in the electronic key to the gateway device;
the unified identity authentication module is deployed on the gateway device, and its main functions are: 1. receive the user certificate from the user terminal device; 2. verify the legitimacy of the user certificate; 3. extract the user basic information from the user certificate; 4. receive the encrypted user password from the user terminal device and decrypt it; 5. receive the electronic key position information from the user terminal device; 6. send the user basic information, the encrypted user password and the electronic key position information to the authentication server; 7. obtain the authentication result from the authentication server and send it to the user terminal device; 8. lock the electronic key, so that it is disabled, according to the lock command sent by the authentication server;
the authentication server performs user identity verification for the user certificates issued centrally by the certificate authority.
2. The unified identity authentication system according to claim 1, characterised in that the gateway device comprises: a router, a switch and a firewall device.
3. The unified identity authentication system according to claim 1 or 2, characterised in that the authentication server comprises a RADIUS authentication server and an LDAP authentication server.
4. The process of user identity authentication with the unified identity authentication system according to claim 1 or 2 is:
Step 1: The user terminal device sends an authentication request to the gateway device; at the same time, the positioning module in the electronic key installed on the user terminal device obtains the electronic key position information, which the user terminal device sends to the gateway device;
Step 2: The gateway device sends a user certificate request to the user terminal device;
Step 3: The user terminal device sends the user certificate held in the electronic key to the gateway device;
Step 4: The gateway device receives the user certificate and verifies its legitimacy; if the user certificate is legitimate, the gateway device sends a password request to the user terminal device and step 5 is performed; otherwise, authentication stops;
Step 5: The user terminal device encrypts the password entered by the user and sends it to the gateway device;
Step 6: The gateway device receives the encrypted user password and decrypts it to obtain the decrypted user password; at the same time, the gateway device extracts the user basic information from the user certificate;
Step 7: The gateway device sends the user basic information, the decrypted user password and the electronic key position information to the authentication server;
Step 8: The authentication server sends the electronic key position information to the user mobile phone using the telephone number in the user basic information; if the user confirms that the electronic key position information is wrong, the user sends a lock request to the authentication server from the mobile phone and step 9 is performed; if the user confirms that the electronic key position information is correct, the user sends a confirmation to the authentication server from the mobile phone and step 10 is performed;
Step 9: The authentication server sends a lock command to the gateway device; the gateway device locks the electronic key so that it is disabled, and the operation ends;
Step 10: The authentication server performs user identity verification and returns the result to the user terminal device through the gateway device.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510042447.XA CN104836662A (en) | 2015-01-27 | 2015-01-27 | Unified identity authentication system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510042447.XA CN104836662A (en) | 2015-01-27 | 2015-01-27 | Unified identity authentication system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104836662A true CN104836662A (en) | 2015-08-12 |
Family
Family ID: 53814318
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510042447.XA Pending CN104836662A (en) | 2015-01-27 | 2015-01-27 | Unified identity authentication system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104836662A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106209849A (en) * | 2016-07-13 | 2016-12-07 | 浪潮电子信息产业股份有限公司 | A kind of implementation of the double factor login mode that can freely open and close |
TWI666565B (en) * | 2018-12-07 | 2019-07-21 | 中華電信股份有限公司 | Identity authentication system and method thereof |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101674304A (en) * | 2009-10-15 | 2010-03-17 | 浙江师范大学 | Network identity authentication system and method |
CN101686164A (en) * | 2008-09-24 | 2010-03-31 | 华为技术有限公司 | Positioning method and position verification method of wireless access device, and wireless access device |
CN101783806A (en) * | 2010-03-15 | 2010-07-21 | 杭州华三通信技术有限公司 | Portal certificate authentication method and device |
US20130311784A1 (en) * | 2008-02-20 | 2013-11-21 | Micheal Bleahen | System and method for preventing unauthorized access to information |
Application events
- 2015-01-27: application CN201510042447.XA filed in CN (publication CN104836662A), status Pending
Similar Documents
Publication | Title |
---|---|
CN111049660B (en) | Certificate distribution method, system, device and equipment, and storage medium |
US9847882B2 (en) | Multiple factor authentication in an identity certificate service |
CN101364876B (en) | Method realizing public key acquiring, certificater verification and bidirectional identification of entity |
US9882726B2 (en) | Method and apparatus for initial certificate enrollment in a wireless communication system |
CN104753881B (en) | A kind of WebService safety certification access control method based on software digital certificate and timestamp |
CN101364875B (en) | Method realizing public key acquiring, certificater verification and bidirectional identification of entity |
CN104994114A (en) | Identity authentication system and method based on electronic identification card |
CN105553666B (en) | Intelligent power terminal safety authentication system and method |
CN101674182B (en) | Entity public key acquisition and certificate verification and authentication method and system of introducing online trusted third party |
WO2014110877A1 (en) | Mobile terminal device and user authentication method based on pki technology |
CN104038481A (en) | Communication method of power asset management master station system and RFID (radio frequency identification device) terminal |
US20140245409A1 (en) | Extension of the Attributes of a Credential Request |
WO2012166299A1 (en) | Method and system for registering a drm client |
KR101631635B1 (en) | Method, device, and system for identity authentication |
KR100723835B1 (en) | System for key authentication/service with one time authentication code and method therefor |
WO2022143030A1 (en) | National key identification cryptographic algorithm-based private key distribution system |
CN103916363A (en) | Communication security management method and system for encryption machine |
CN102893575A (en) | One time passwords with ipsec and ike version 1 authentication |
CN104753886B (en) | It is a kind of to the locking method of remote user, unlocking method and device |
CN101282215A (en) | Method and apparatus for distinguishing certificate |
CN106936760A (en) | A kind of apparatus and method of login Openstack cloud system virtual machines |
CN104836662A (en) | Unified identity authentication system |
CN116112242B (en) | Unified safety authentication method and system for power regulation and control system |
KR20150005788A (en) | Method for authenticating by using user's key value |
CN114615309B (en) | Client access control method, device, system, electronic equipment and storage medium |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
EXSB | Decision made by SIPO to initiate substantive examination | |
SE01 | Entry into force of request for substantive examination | |
AD01 | Patent right deemed abandoned | Effective date of abandoning: 20181102 |