CN105162602A - Trusted network identity management and verification system and method - Google Patents


Info

Publication number: CN105162602A
Authority: CN (China)
Prior art keywords: user, unit, information, network, identity
Legal status: Granted (active)
Application number: CN201510551325.3A
Other languages: Chinese (zh)
Other versions: CN105162602B
Inventors: 延志伟, 耿光刚, 傅瑜, 李晓东
Current assignee: China Internet Network Information Center
Original assignee: China Internet Network Information Center
Application filed by China Internet Network Information Center
Priority to CN201510551325.3A
Publication of CN105162602A
Priority to PCT/CN2015/098467 (WO2017036003A1)
Application granted
Publication of CN105162602B

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Abstract

The invention relates to a trusted network identity management and verification system and method. In the method, a user identity management unit maintains users' network identity information, binds each user's network identity to its public key information and registers the binding with a trusted identity maintenance unit; a network service management unit manages Internet services, binds each service's public key information to its domain name and registers the binding with the trusted identity maintenance unit; the trusted identity maintenance unit deploys the DNSSEC (Domain Name System Security Extensions) protocol and maintains the identity-to-public-key binding information of users and Internet services; an Internet user unit stores and manages its own private key information and obtains trusted Internet service provider information by querying the trusted identity maintenance unit; and an Internet service provider unit stores and manages its own private key information and obtains user information by querying the trusted identity maintenance unit. With this system and method, functions such as mutual identity authentication, key agreement and secure communication between a service provider and an Internet user can be supported.

Description

Trusted network identity management and verification system and method
Technical field
The invention belongs to the fields of network technology and information security technology, and relates specifically to a trusted network identity management and verification system and method.
Background technology
Over the past two decades, with the rapid development of information technology, the Internet has become ever more important in social production and personal life, and its services and applications have penetrated the military, cultural, political, economic and other fields. But with this unprecedented breadth of use, the security problems the Internet faces grow increasingly serious. Cases such as the PRISM affair, the "Five Eyes" intelligence alliance and the "Angry Birds" spying controversy have repeatedly drawn the close attention of governments to the trustworthiness and security of networks.
Since 2000, the United States, the European Union, Japan and other countries and regions have all accelerated the introduction and deployment of trusted-network strategic frameworks in their information networks, strengthening identity management and building trusted environments. In the United States, the White House issued the National Strategy for Trusted Identities in Cyberspace as early as April 2011, planning to build a network identity ecosystem over roughly ten years so that individuals and organisations can use secure, efficient and easy-to-use trusted identities online.
This means that the security and trustworthiness of the Internet matter more and more, and that establishing mutual authentication between Internet users and Internet service providers has become the urgent foundation for building a secure and trusted Internet environment.
The Domain Name System (DNS) is a distributed Internet service that maps domain names to resource records of predefined types (such as IP addresses). As the resource-addressing service of the Internet application layer, the domain name service is the basis of the other Internet application services; common application services (Web, e-mail, FTP and so on) all address and locate their resources through it.
The original DNS protocol is a lightweight protocol that provides no security guarantee for the data it serves: DNS data travel across the Internet in clear text and are easily hijacked or tampered with in transit. Because the DNS protocol has no integrity protection for its content, a recipient cannot tell whether a received message has been modified or whether it came from the correct source. In addition, DNS is usually implemented over UDP, which provides no reliability guarantee for the communication, further increasing the chance that messages are tampered with or forged. These security defects of the DNS protocol drove the emergence and development of the DNS Security Extensions (DNSSEC).
DNSSEC is a security extension of the DNS protocol. It adds digital signatures based on asymmetric cryptography to DNS response messages, so that data can be checked to be untampered and to come from the correct source; and by having each zone submit its public key to its parent zone, level by level from the bottom up, it achieves step-by-step authentication of the whole domain name system. Specifically, DNSSEC provides three guarantees for DNS data: (1) origin authentication: a DNS response comes from the authorised authoritative server; (2) integrity verification: any modification of a DNS response in transit is detected; (3) authenticated denial of existence: when a user queries a non-existent domain name, the DNS server also returns a negative response carrying a digital signature, so that the negative answer can be relied upon. (DNSSEC does not encrypt DNS traffic; it makes forgery and tampering detectable rather than hiding the data.)
In essence, DNSSEC builds a cryptographic signature and verification system on top of the tree-shaped delegation hierarchy of the domain name system, that is, a chain of trust; stepwise verification along that chain guarantees that DNS query results are authentic and reliable (data integrity and origin authentication, which the patent describes as non-repudiation).
Summary of the invention
The invention provides a trusted network identity management and verification system and method that can realise functions such as mutual identity verification, key agreement and secure communication between Internet service providers and Internet users.
To achieve the above object, the technical solution adopted by the invention is as follows:
A trusted network identity management and verification system comprises a user identity management unit, a network service management unit, a trusted identity maintenance unit, an Internet user unit and an Internet service provider unit;
the user identity management unit maintains users' network identity information and registers each user's network identity, bound to its public key information, with the trusted identity maintenance unit;
the network service management unit manages Internet services and registers each service's public key information, bound to its domain name, with the trusted identity maintenance unit;
the trusted identity maintenance unit deploys the DNSSEC protocol and maintains the identity-to-public-key binding information of users and Internet services;
the Internet user unit stores and manages its own private key information and obtains trusted Internet service provider information by querying the trusted identity maintenance unit;
the Internet service provider unit stores and manages its own private key information and obtains user information by querying the trusted identity maintenance unit.
A trusted network identity verification and secure communication method using the above system comprises the following steps:
1) an Internet user registers under his or her real name with the user identity management unit;
2) the user identity management unit generates a network identity for the user and creates a user identity management account for him or her;
3) the user generates an asymmetric key pair and uploads the public key by logging in to the account;
4) the user identity management unit registers the user's network identity and public key with the trusted identity maintenance unit, and at the same time sends them to the user's local ISP, which binds the user's network identity information to his or her online account information;
5) an Internet service provider registers under its real name with the network service management unit;
6) the network service management unit verifies the provider's network access licence, assigns a security class based on the service content, and creates a service identifier management account for it;
7) the provider generates an asymmetric key pair and uploads the public key by logging in to the account;
8) the network service management unit registers the service's domain name and public key with the trusted identity maintenance unit;
9) when a user wants to visit a service provider's website, the user first queries the trusted identity maintenance unit for the public key and IP address of that website;
10) the user applies the service provider's public key to its own network identity and public key information (the patent describes this as signing with the provider's public key);
11) the service provider queries the trusted identity maintenance unit and verifies the user's network identity and public key, using its own private key;
12) the service provider generates a symmetric key, encrypts it with the user's public key and sends it to the user;
13) the user decrypts the symmetric key with his or her own private key, and the user and the service provider then communicate securely under that symmetric key.
The invention uses DNS and DNSSEC technology to manage and verify trusted Internet identities, supports service management at different security classes, and thereby supports mutual identity verification, key agreement and secure communication between service providers and Internet users.
Brief description of the drawings
Fig. 1 is a schematic diagram of the roles in the trusted network architecture.
Fig. 2 is a schematic diagram of key distribution and user identifier registration.
Fig. 3 is a schematic diagram of key distribution and service identifier registration.
Fig. 4 is a schematic diagram of the trusted identity maintenance zones.
Fig. 5 is the trusted identity verification flow chart.
Detailed description
To make the above objects, features and advantages of the invention clearer, the invention is further described below through specific embodiments and the drawings.
The invention comprises five functional roles: the organisation that manages user identity information, the organisation that manages Internet service providers, the organisation that maintains the trusted identity information of users and services, Internet users, and Internet service providers. These five roles can be realised by hardware devices or software modules and may be called the user identity management unit/device/module, the network service management unit/device/module, the trusted identity maintenance unit/device/module, the Internet user unit/device/module and the Internet service provider unit/device/module. The term "unit" is used below, as shown in Fig. 1.
The user identity management unit maintains the unique identity information of Chinese citizens (and of foreign nationals who have entered the country), registers each user's network identity bound to its public key information with the trusted identity maintenance unit, and at the same time shares the user's network identity information and public key with the user's local ISP (Internet Service Provider), so that the ISP can bind the user's network identity to the user's online account information.
The network service management unit manages the Internet services registered domestically (and those registered abroad but operated domestically), confirms their service security requirements, and registers each service's public key information bound to its domain name with the trusted identity maintenance unit.
The trusted identity maintenance unit deploys the DNSSEC protocol, maintains the identifier-to-public-key binding information of a large number of users and services in a scalable and manageable way, and supports efficient and accurate queries.
The Internet user unit stores and manages its own private key information and obtains trusted Internet service provider information by querying the trusted identity maintenance unit.
The Internet service provider unit stores and manages its own private key information and obtains user information by querying the trusted identity maintenance unit.
The key functions of each role are described below.
1. User identity management unit
The user identity management unit maintains a user identity database that contains: 1) the identity information of Chinese citizens (e.g. ID card numbers); 2) the identity information of foreign nationals who have entered the country (e.g. passport numbers). Everyone who wishes to obtain Internet services within China must register his or her real identity in this user identity database and supply at least one working contact method (normally an e-mail address and a mobile phone number). An account is created for each registered user to manage his or her identity and public key information. At the same time, the user's identity information and public key are sent to the local ISP for filing over a secure out-of-band channel.
The user identity management unit generates the network identity of each registered user and registers that identity together with the public key submitted by the user with the trusted identity maintenance unit, as shown in Fig. 2:
1.1 User registration: after filling in the relevant information in the user identity database and selecting the registration function, the user registers the public key of the generated key pair in the identity database. To prevent impersonated registration, this step must ensure strict consistency between the registered identity and the registrant; the .CN personal domain name registration process and its user verification mechanism can serve as a reference.
3.1 Identifier registration: the user identity database submits the user registration inventory to the identity maintenance unit through a dedicated secure interface (such as the .CN domain name registration service); the essential information includes at least:
● user identity information
● province or country of the user
● public key information
● lifetime
3.2 Identifier registration confirmation: based on the inventory, the identity maintenance unit first generates the corresponding domain name, in the following form:
U-ID.Location.USER.CN
where USER is the zone under CN dedicated to maintaining user identity information, Location identifies the geographic area the user belongs to (by province for Chinese citizens, by country for foreign nationals who have entered the country), and U-ID is the user identifier (such as an ID card or passport number) of at most 13 characters.
The identity maintenance unit then generates the corresponding DNS resource record (the invention does not restrict which resource record type is used; TLSA or TXT records are suggested) and adds it to the corresponding CN subdomain; the record's TTL must not exceed the lifetime given in the user registration inventory.
Finally, the identity maintenance unit confirms successful registration to the user identity management unit.
1.2 User registration confirmation: after receiving the registration success message, the user identity management unit sends the user a registration success message and the corresponding network identity through the contact method the user chose.
2. Network service management unit
The network service management unit maintains a filing database of Internet service providers that contains: 1) providers based on domestic domain names (.CN, .中国, .公司, .网络 and so on); 2) providers based on overseas domain names but operated domestically (e.g. www.baidu.com). Domain name owners who wish to provide secure and valid Internet services within China should register and file in this database and supply at least one working contact method (normally an e-mail address and a mobile phone number). An account is created for each registered service to manage the domain name, IP and public key information of the service.
In addition, the network service management unit sets a security class for each service according to its type; currently there are three classes:
● strong security requirement: there are requirements on the authenticity of the user's identity and on the user's rights, and session privacy may need to be guaranteed;
● medium security requirement: only one-way authentication of the service provider by the user is performed, and a secure session channel is established;
● weak security requirement: only one-way authentication of the service provider's identity by the user is needed.
The registration of a service provider involves interaction between the Internet service provider unit, the network service management unit and the trusted identity maintenance unit, as shown in Fig. 3:
2.1 Service registration: a service provider that wishes to offer a service on the Internet must first register and file with the network service management unit. To prevent impersonated registration, this step must ensure strict consistency between the registered identity and the registrant; the .CN company domain name registration process and its formalities can serve as a reference.
4.1 Identifier registration: the network service management unit assigns the service its security class based on the registered information, then receives the public key of the key pair generated by the service provider. It then submits the inventory of the registered service provider to the identity maintenance unit through a dedicated secure interface (such as the .CN domain name registration service); the essential information includes at least:
● the domain name of the Internet service provider
● province or country
● service type and security class
● key algorithm and public key information
● lifetime
4.2 Identifier registration confirmation: for a domestically registered domain name, the identity maintenance unit generates the corresponding DNS resource record from the inventory and adds it as a new resource record under the domestic domain name; for a domain name registered abroad but operated domestically, the identity maintenance unit appends the SERVICE.CN suffix to the overseas domain name to form a new domain name and adds the corresponding resource record under it. For example, www.baidu.com would have a DNS resource record under the following name in the CN zone:
www.baidu.com.service.cn
Finally, the identity maintenance unit confirms successful registration to the network service management unit.
2.2 Service registration confirmation: after receiving the registration success message, the service identifier management unit sends the service provider a registration success message containing the domain name of the new DNS record, through the contact method the provider chose.
3. Trusted identity maintenance unit
The trusted identity maintenance unit manages the trusted identity data and adds support for the DNSSEC protocol to the existing domain name system (at a minimum, the DNS zones that hold network identity information must support DNSSEC). It maintains the trusted identity data in dedicated domain name zones, physically laid out as shown in Fig. 4.
1) Personal identifier maintenance zone: a .USER subdomain is created under .CN, and under it a subdomain is created for each geographic area, named by its pinyin abbreviation (or ISO alpha-3 country code), e.g. .BJ for Beijing, .SX for Shanxi, .SD for Shandong and .USA for immigrants who are citizens of the United States. Under each such subdomain, user domain names based on ID card numbers are maintained.
The pinyin abbreviations of the geographic areas can follow the table of pinyin abbreviations of the names of China's provinces, municipalities and autonomous regions (http://www.pthyygf.org/guifanbiaozhun/guifanbiaozhun/2011-11-26/12.html). Alpha-3 country codes are used to avoid collisions with the provincial pinyin abbreviations (e.g. Shandong is abbreviated SD, and the alpha-2 code of Sudan is also SD, whereas its alpha-3 code is SDN); the codes can be found at https://www.iso.org/obp/ui/#search.
2) Service identifier maintenance zone: a .SERVICE subdomain is created under .CN, under which the service domain names of services registered abroad but operated domestically are generated and maintained.
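The naming rules of sections 3.2 and 4.2 and the zone layout above (U-ID.Location.USER.CN for users, the domestic domain itself or domain.SERVICE.CN for services, and a record TTL bounded by the lifetime in the registration inventory), as an added worked example in Go. This is not code from the patent or from CNNIC: the hostname-label validation, the A-label (punycode) forms used to recognise the domestic TLDs, the "v=1;alg=...;key=..." TXT layout and the placeholder identifier are all assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Zone names from the description; the validation rules around them are this
// example's assumptions, not something the patent specifies.
const (
	userZone    = "user.cn"
	serviceZone = "service.cn"
	maxUIDLen   = 13 // the description caps U-ID at 13 characters
)

// domesticTLDs are the .CN, .中国, .公司 and .网络 TLDs the description lists as
// domestic, in A-label (punycode) form so that the comparison stays ASCII.
var domesticTLDs = map[string]bool{
	"cn": true, "xn--fiqs8s": true, "xn--55qx5d": true, "xn--io0a7i": true,
}

// labelRe is the LDH hostname label rule: letters, digits and hyphens, no
// leading or trailing hyphen, at most 63 characters.
var labelRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// UserName builds U-ID.Location.USER.CN. Location is a two-letter pinyin
// province abbreviation for citizens or an ISO 3166-1 alpha-3 code for
// foreign nationals; the length difference is how the description keeps
// the two apart.
func UserName(uid, location string) (string, error) {
	uid, location = strings.ToLower(uid), strings.ToLower(location)
	if len(uid) > maxUIDLen || !labelRe.MatchString(uid) {
		return "", fmt.Errorf("invalid U-ID %q: want 1-%d LDH characters", uid, maxUIDLen)
	}
	if (len(location) != 2 && len(location) != 3) || !labelRe.MatchString(location) {
		return "", fmt.Errorf("invalid location %q: want a province abbreviation or alpha-3 code", location)
	}
	return uid + "." + location + "." + userZone, nil
}

// ServiceName returns the owner name of a service's identity record: a
// domestic domain is used as is, an overseas domain operated domestically is
// placed under SERVICE.CN (www.baidu.com becomes www.baidu.com.service.cn).
func ServiceName(domain string) (string, error) {
	d := strings.ToLower(strings.TrimSuffix(domain, "."))
	labels := strings.Split(d, ".")
	if len(labels) < 2 {
		return "", fmt.Errorf("invalid domain %q: need at least two labels", domain)
	}
	for _, l := range labels {
		if !labelRe.MatchString(l) {
			return "", fmt.Errorf("invalid label %q in %q", l, domain)
		}
	}
	if domesticTLDs[labels[len(labels)-1]] {
		return d, nil
	}
	return d + "." + serviceZone, nil
}

// RecordTTL clamps the requested TTL to the lifetime from the registration
// inventory, the rule the description states for generated records.
func RecordTTL(requested, lifetime uint32) uint32 {
	if requested > lifetime {
		return lifetime
	}
	return requested
}

// TXTRecord renders a binding as a zone-file line. The description leaves the
// record type and content open (it suggests TXT or TLSA); the
// "v=1;alg=...;key=..." layout is this example's assumption.
func TXTRecord(owner, alg, keyB64 string, requested, lifetime uint32) string {
	return fmt.Sprintf("%s. %d IN TXT \"v=1;alg=%s;key=%s\"",
		owner, RecordTTL(requested, lifetime), alg, keyB64)
}

func main() {
	u, _ := UserName("ID0000000001", "BJ") // constructed placeholder, not a real ID number
	s, _ := ServiceName("www.baidu.com")
	fmt.Println(TXTRecord(u, "rsa-2048", "BASE64KEY", 86400, 3600)) // TTL clamped to 3600
	fmt.Println(TXTRecord(s, "rsa-2048", "BASE64KEY", 3600, 86400))
}
```

Lower-casing before validation matters because DNS owner names compare case-insensitively while the identifier the user typed may not; rejecting underscores and over-long labels at registration time keeps the maintenance unit from ever publishing a name that resolvers would refuse to look up.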
Registration service: the trusted identity maintenance unit should provide the corresponding interfaces and services to the identifier registration units (the user identity management unit and the network service management unit), with emphasis on the following functions and performance guarantees:
● clock synchronisation between the registration server and its clients
● efficiency of mass identifier registration and update
● secure authentication of the registrant's identity and secure transmission of the registration data
Query service: the trusted identity maintenance unit should also provide identity information query interfaces and services to users and service providers, with emphasis on the following functions and performance guarantees:
● efficiency of mass identifier queries
● avoiding any impact on the basic DNS service
4. User (Internet user unit)
A user first registers and undergoes identity verification at the user identity management unit, generates his or her own asymmetric key pair, and registers the public key with the corresponding account at the user identity management unit.
5. Internet service provider (Internet service provider unit)
An Internet service provider must register with the network service management unit before launching a service, generate an asymmetric key pair appropriate to the security class assessed by the network service management unit, and register the public key with the corresponding account at the network service management unit.
Based on the network identity management functions of the above roles, the network identity verification flow shown in Fig. 5 can be realised; it comprises the following steps:
(1) An Internet user registers under his or her real name with the user identity management unit;
(2) based on the verification result, the user identity management unit generates a network identity for the user and creates a user identity management account for him or her (for instance, in an ID-card-based scheme the ID card number can serve as the username and the ID card verification code as the initial login password);
(3) the user generates an asymmetric key pair and uploads the public key by logging in to this account;
(4) the user identity management unit registers the user's network identity and public key with the trusted identity maintenance unit, and at the same time sends them to the user's local ISP, which binds the user's network identity information to his or her online account information. The user identity management unit can thereby obtain from the local ISP, by network identity, the user's online times, the websites visited and the IP addresses used (IPv4 public address, IPv4 private address, IPv6 address), so as to carry out lawful network monitoring of the user and to trace network activity back to its source by IP address.
(1') An Internet service provider registers under its real name with the network service management unit;
(2') the network service management unit verifies the provider's network access licence, assigns a security class based on the service content, and creates a service identifier management account for it;
(3') the provider generates an asymmetric key pair and uploads the public key by logging in to this account;
(4') the network service management unit registers the service's domain name and public key with the trusted identity maintenance unit;
(5) when a user wants to visit a service provider's website, the user first queries the trusted identity maintenance unit for the public key and IP address of that website;
(6) the user applies the service provider's public key to its own network identity and public key information (the patent describes this as signing with the provider's public key);
(7) the service provider queries the trusted identity maintenance unit and verifies the user's network identity and public key, using its own private key;
(8) the service provider generates a symmetric key, encrypts it with the user's public key and sends it to the user;
(9) the user decrypts the symmetric key with his or her own private key, and the user and the service provider then communicate securely under that symmetric key.
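Steps (5) to (9) of the flow above, together with the validating lookup that the DNSSEC background calls for, as an added Go example; it is not code from the patent or from CNNIC. The zone, its signing key, the record format and the names are constructed stand-ins: an Ed25519 zone key signs each name-to-key binding the way an RRSIG covers an RRset, both parties validate a record under the trust anchor before using the key it carries, and RSA-OAEP carries the identity hello and the wrapped session key. Where the patent says the user "signs" with the provider's public key and the provider "verifies" with its private key, the example performs the operation those key roles actually support, encryption to the provider and decryption by it. The example models the strong security class, in which both sides are authenticated.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Record is one binding served by the trusted identity maintenance unit: owner
// name, public key (parsed, plus its DER as it would sit in the RDATA) and the
// zone's signature over name||DER, standing in for the RRSIG DNSSEC would add.
type Record struct {
	Name     string
	Key      *rsa.PublicKey
	DER, Sig []byte
}

// Zone models the signed USER.CN and SERVICE.CN zones; Anchor is the zone key
// every party is configured to trust (the trust anchor of this model).
type Zone struct {
	zsk     ed25519.PrivateKey
	Anchor  ed25519.PublicKey
	records map[string]Record
}

func NewZone() *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail
	return &Zone{zsk: priv, Anchor: pub, records: map[string]Record{}}
}

// Register is steps (4) and (4'): a management unit publishes a binding and the zone signs it.
func (z *Zone) Register(name string, pub *rsa.PublicKey) {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	sig := ed25519.Sign(z.zsk, append([]byte(name+"\x00"), der...))
	z.records[name] = Record{Name: name, Key: pub, DER: der, Sig: sig}
}

// Resolve is the validating query of steps (5) and (7): a missing record or a
// signature that fails under the anchor is rejected before the key is used.
func Resolve(z *Zone, anchor ed25519.PublicKey, name string) (*rsa.PublicKey, error) {
	r, ok := z.records[name]
	if !ok {
		return nil, errors.New("no identity record for " + name)
	}
	if !ed25519.Verify(anchor, append([]byte(r.Name+"\x00"), r.DER...), r.Sig) {
		return nil, errors.New("zone signature invalid for " + name)
	}
	return r.Key, nil
}

// Party is a user or a provider: it holds only its own private key and learns
// every other key through validated zone lookups.
type Party struct {
	Name string
	Priv *rsa.PrivateKey
}

func NewParty(name string) *Party {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // fails only if rand.Reader does
	return &Party{Name: name, Priv: k}
}

// Handshake runs steps (5) to (9) between user u and provider s via zone z and
// returns the session key both ends hold, or an error naming the failed step.
func Handshake(z *Zone, u, s *Party) ([]byte, error) {
	sPub, err := Resolve(z, z.Anchor, s.Name) // (5) user resolves the provider
	if err != nil {
		return nil, fmt.Errorf("step 5: %w", err)
	}
	// (6) The user's identity goes to the provider under the provider's public
	// key; the patent calls this "signing" with that key, but what a public
	// key supports is this encryption.
	hello, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, sPub, []byte(u.Name), nil)
	// (7) The provider recovers the name with its private key and resolves it.
	who, err := rsa.DecryptOAEP(sha256.New(), nil, s.Priv, hello, nil)
	if err != nil {
		return nil, fmt.Errorf("step 7: %w", err)
	}
	uPub, err := Resolve(z, z.Anchor, string(who))
	if err != nil {
		return nil, fmt.Errorf("step 7: %w", err)
	}
	session := make([]byte, 32) // (8) fresh symmetric key, wrapped to that key
	if _, err := rand.Read(session); err != nil {
		return nil, err
	}
	wrapped, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, uPub, session, nil)
	// (9) Only the holder of the registered private key can unwrap; a claimant
	// using a registered name without that key fails here.
	got, err := rsa.DecryptOAEP(sha256.New(), nil, u.Priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("step 9: %w", err)
	}
	// Both ends run in one function, so the keys are compared directly; a real
	// user would instead prove possession with a MAC under the new key.
	if !hmac.Equal(got, session) {
		return nil, errors.New("step 9: key confirmation failed")
	}
	return session, nil
}
```

Two checks carry the security of the flow. Neither party trusts a key it has not validated under the anchor, so a record injected into an unsigned or differently signed zone is refused at step (5) or (7) before any key material is wrapped to it. And because the session key is wrapped to the key the zone published for the claimed name, not to a key sent in the hello, a party that merely asserts a registered name cannot complete step (9); the provider learns the user's identity only through the zone, which is what makes the authentication mutual.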
The invention defines the main logical roles that guarantee secure communication between the two communicating parties and keep the network controllable, together with each role's key functions and the trusted identity verification flow. To support a variety of practical situations, the following technical details are not restricted and can be realised by those skilled in the art using existing methods:
1) the mechanism for generating user network identities;
2) the key generation methods of users and Internet service providers;
3) the secure communication interfaces through which each role registers identity management data;
4) the mechanism by which users and service providers verify the signed records containing a trusted identity and its corresponding public key;
5) tracing by the user's IP address.
The above embodiments are only intended to illustrate the technical solution of the invention, not to limit it; those of ordinary skill in the art may modify the technical solution or substitute equivalents without departing from the spirit and scope of the invention, and the scope of protection of the invention is defined by the claims.

Claims (9)

1. trustable network Identity Management and a verification system, is characterized in that, comprises user ID administrative unit, network service management unit, trusted identities maintenance unit, Internet user's unit and Internet Service Provider's unit;
The network identity identification information of described user ID administrative unit maintenance customer, and by the network identity of user mark and public key information binding registration to described trusted identities maintenance unit;
The Internet service of described network service management Single Component Management, and by the public key information of correspondence and domain name binding registration to described trusted identities maintenance unit;
Described trusted identities maintenance unit disposes DNSSEC agreement, and the mark of maintenance customer and Internet service and PKI binding information;
Described Internet user's unit is preserved and the own private key information of management, and is obtained the information of believable Internet Service Provider by the described trusted identities maintenance unit of inquiry;
Described Internet Service Provider unit is preserved and the own private key information of management, and obtains user profile by the described trusted identities maintenance unit of inquiry.
2. the system as claimed in claim 1, is characterized in that: described user ID administrative unit maintenance customer identification database, wherein comprises the identity information of citizen, immigration foreign nationals identity information, for carrying out identity registration to user; Described user ID administrative unit generates the network identity mark through the user of registration, and the public key information that this mark and user are submitted to is registered to described trusted identities maintenance unit.
3. the system as claimed in claim 1, it is characterized in that: described network service management unit maintaining network ISP puts on record management database, wherein comprise based on the Internet Service Provider of domestic domain name, based on overseas domain name but the Internet Service Provider run at home, for putting on record to providing the domain name owner of Internet service to carry out registration.
4. The system of claim 1, characterized in that the network service management unit sets the security class of a service according to its service type, divided into three types:
A) strong security demand services: there are certain requirements on the authenticity of the user identity and on user permissions, and possibly a certain guarantee of session privacy;
B) medium security demand services: only one-way authentication of the network service provider by the user is carried out, and a secure session channel is established;
C) weak security demand services: only the user needs to carry out one-way authentication of the network service provider's identity.
5. The system of claim 1, characterized in that the trusted identity maintenance unit maintains the trusted identity data in separate corresponding domain name zones, comprising a personal identifier maintenance zone and a service identifier maintenance zone.
6. The system of claim 5, characterized in that the personal identifier maintenance zone establishes a .USER subdomain under .CN; under this subdomain, corresponding subdomains are established according to the Pinyin abbreviation of each geographic region or the Alpha-3 country code, and under each such subdomain the user domain names based on identity card numbers are maintained; the service identifier maintenance zone establishes a .SERVICE subdomain under .CN, under which the service domain names registered overseas but operated domestically are generated and maintained.
7. A trusted network authentication and secure communication method using the system of claim 1, characterized in that it comprises the following steps:
1) the network user carries out real-name registration with the user identity management unit;
2) the user identity management unit generates a network identifier for the user and creates a user identity management account for the user;
3) the user generates an asymmetric key pair and uploads the public key information through the login account;
4) the user identity management unit registers the user's network identity identifier and its public key information with the trusted identity maintenance unit; at the same time it sends this user's network identity identifier and public key information to the local network service provider, which binds the user's network identity information to the user's online account information;
5) the network service provider carries out real-name registration with the network service management unit;
6) the network service management unit verifies the provider's network operating licence, performs security classification based on the service content, and creates a service identifier management account for the provider;
7) the network service provider generates an asymmetric key pair and uploads the public key information through the login account;
8) the network service management unit registers the service domain name and its public key information with the trusted identity maintenance unit;
9) when a user wants to access the website of a network service provider, the user first queries the trusted identity maintenance unit for the public key information and IP address corresponding to that website;
10) the user signs their own network identity identifier and public key information with the network service provider's public key;
11) the network service provider queries the trusted identity maintenance unit and verifies the user's network identity identifier and public key information with its own private key;
12) the network service provider generates a symmetric key, encrypts it with the user's public key and transmits it to the user;
13) on receipt, the user decrypts it with their own private key to obtain the symmetric key, and the user and the network service provider then use this symmetric key to communicate securely.
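The exchange of steps 9) to 13), as an added example that is not code from the patent or its assignee. It uses Go's standard-library RSA-OAEP; the claims say the user "signs" with the provider's public key and the provider checks with its private key, which this example renders as public-key encryption to the provider (the operation those key roles permit), and the trusted identity maintenance unit is modelled as an in-memory map standing in for the DNSSEC-validated lookup. The domain names, key sizes and message layout (name, separator, key fingerprint) are assumptions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// Registry stands in for the DNSSEC-backed trusted identity maintenance unit (domain name -> registered key).
type Registry map[string]*rsa.PublicKey
// fingerprint is the SHA-256 of the SPKI encoding, the value the provider compares in step 11.
func fingerprint(pub *rsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	h := sha256.Sum256(der)
	return h[:]
}

// UserHello performs steps 9 and 10: resolve the provider's key, then send the user's domain
// name and key fingerprint encrypted to the provider (RSA-OAEP) so only it can read them.
func UserHello(reg Registry, spName, userName string, userPub *rsa.PublicKey) ([]byte, error) {
	spPub, ok := reg[spName]
	if !ok {
		return nil, errors.New("no trusted record for " + spName)
	}
	msg := append([]byte(userName+"|"), fingerprint(userPub)...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, msg, nil)
}

// ProviderVerify performs step 11: decrypt with the provider's private key, check the claimed
// identity against the registry, and return the registered key, never one taken from the message.
func ProviderVerify(reg Registry, spPriv *rsa.PrivateKey, hello []byte) (string, *rsa.PublicKey, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), nil, spPriv, hello, nil)
	if err != nil {
		return "", nil, err
	}
	name, fp, found := bytes.Cut(msg, []byte("|"))
	pub, ok := reg[string(name)]
	if !found || !ok || !bytes.Equal(fingerprint(pub), fp) {
		return "", nil, errors.New("user identity does not match the trusted record")
	}
	return string(name), pub, nil
}

// ProviderSessionKey performs step 12: a fresh 256-bit symmetric key wrapped to the user's registered key.
func ProviderSessionKey(userPub *rsa.PublicKey) (key, wrapped []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, key, nil)
	return key, wrapped, err
}

// UserUnwrap performs step 13: only the holder of the user's private key recovers the session key.
func UserUnwrap(userPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, userPriv, wrapped, nil)
}
```

Because the provider takes the user's key from the registry rather than from the hello message, a party presenting a key that is not the registered one is rejected at step 11.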
8. The method of claim 7, characterized in that in step 4) the method by which the user identity management unit registers the user's network identity identifier and its public key information with the trusted identity maintenance unit is:
A) the user identity management unit submits the user's registration information inventory to the trusted identity maintenance unit through a dedicated secure interface, the essential information of which comprises at least: the user identity information, the province or country the user belongs to, the public key information, and the lifetime;
B) the trusted identity maintenance unit generates the corresponding domain name from the inventory information, in the form U-ID.Location.USER.CN, where USER is the zone under CN dedicated to maintaining user identity information, Location identifies the geographic region the user belongs to, and U-ID is the user identifier;
C) the trusted identity maintenance unit generates the corresponding DNS resource record and adds it to the corresponding CN subdomain, with a lifetime no greater than the lifetime given in the user's registration information inventory;
D) the trusted identity maintenance unit confirms successful registration to the user identity management unit.
9. The method of claim 7 or 8, characterized in that in step 8) the method by which the network service management unit registers the service domain name and its public key information with the trusted identity maintenance unit is:
A) the network service management unit submits the registered service provider's information inventory to the trusted identity maintenance unit through a dedicated secure interface, the essential information of which comprises at least: the network service provider's domain name, the province or country it belongs to, the service type and security class, the key algorithm and public key information, and the lifetime;
B) for a domestically registered domain name, the trusted identity maintenance unit generates the corresponding DNS resource record from the inventory information and adds it as a newly created resource type of the corresponding domestic domain name; for a domain name registered overseas but operated domestically, the trusted identity maintenance unit generates a new domain name by appending the SERVICE.CN suffix to the overseas domain name, and adds the corresponding resource record;
C) the trusted identity maintenance unit confirms successful registration to the service management body.
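The registration rules of claims 8 B), 8 C) and 9 B), as an added example that is not the patent's own code: it checks the mandatory inventory fields, derives the user and service domain names, and caps the record TTL at the inventory lifetime. The field names, the TRUSTID record type, the ZoneTTL value, and applying the same TTL cap to service records are assumptions; the claims only say that a new resource type is created.

```go
package main

import (
	"errors"
	"strings"
)

// UserInventory is the registration inventory of claim 8 A); Lifetime is in seconds (assumption).
type UserInventory struct {
	UID, Location, PublicKey string
	Lifetime                 int
}

// ServiceInventory is the registration inventory of claim 9 A).
type ServiceInventory struct {
	Domain, Location, ServiceType, SecurityClass, KeyAlgorithm, PublicKey string
	Lifetime                                                             int
	Domestic                                                             bool
}

// Record is the DNS resource record the maintenance unit signs and publishes under DNSSEC.
// "TRUSTID" is a placeholder type name; the claims only say a new resource type is created.
type Record struct {
	Name, Type, Data string
	TTL              int
}

// ZoneTTL is the default TTL of the USER and SERVICE zones (assumed value).
const ZoneTTL = 3600

// capTTL applies claim 8 C): the record lifetime never exceeds the inventory lifetime.
func capTTL(lifetime int) int {
	if lifetime < ZoneTTL {
		return lifetime
	}
	return ZoneTTL
}

// UserRecord builds U-ID.Location.USER.CN (claim 8 B) after checking the mandatory fields.
func UserRecord(inv UserInventory) (Record, error) {
	if inv.UID == "" || inv.Location == "" || inv.PublicKey == "" || inv.Lifetime <= 0 {
		return Record{}, errors.New("user inventory is missing a mandatory field")
	}
	name := strings.ToLower(inv.UID + "." + inv.Location + ".user.cn")
	return Record{Name: name, Type: "TRUSTID", Data: inv.PublicKey, TTL: capTTL(inv.Lifetime)}, nil
}

// ServiceRecord keeps a domestic domain name as-is and appends SERVICE.CN to a domain
// registered overseas but operated domestically (claim 9 B); the same TTL cap is assumed.
func ServiceRecord(inv ServiceInventory) (Record, error) {
	if inv.Domain == "" || inv.SecurityClass == "" || inv.KeyAlgorithm == "" || inv.PublicKey == "" || inv.Lifetime <= 0 {
		return Record{}, errors.New("service inventory is missing a mandatory field")
	}
	name := strings.ToLower(strings.TrimSuffix(inv.Domain, "."))
	if !inv.Domestic {
		name += ".service.cn"
	}
	data := inv.KeyAlgorithm + " " + inv.SecurityClass + " " + inv.PublicKey
	return Record{Name: name, Type: "TRUSTID", Data: data, TTL: capTTL(inv.Lifetime)}, nil
}
```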
CN201510551325.3A 2015-09-01 2015-09-01 A kind of trustable network Identity Management and verification system and method Active CN105162602B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510551325.3A CN105162602B (en) 2015-09-01 2015-09-01 A kind of trustable network Identity Management and verification system and method
PCT/CN2015/098467 WO2017036003A1 (en) 2015-09-01 2015-12-23 Trusted network identity management and authentication system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510551325.3A CN105162602B (en) 2015-09-01 2015-09-01 A kind of trustable network Identity Management and verification system and method

Publications (2)

Publication Number Publication Date
CN105162602A true CN105162602A (en) 2015-12-16
CN105162602B CN105162602B (en) 2018-05-11

Family

ID=54803366

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510551325.3A Active CN105162602B (en) 2015-09-01 2015-09-01 A kind of trustable network Identity Management and verification system and method

Country Status (2)

Country Link
CN (1) CN105162602B (en)
WO (1) WO2017036003A1 (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105743918A (en) * 2016-04-05 2016-07-06 浪潮电子信息产业股份有限公司 Information encrypted transmission method, device and system
CN106302513A (en) * 2016-09-06 2017-01-04 中国互联网络信息中心 A kind of network identity validation method and device
WO2017036003A1 (en) * 2015-09-01 2017-03-09 中国互联网络信息中心 Trusted network identity management and authentication system and method
CN106789881A (en) * 2016-11-17 2017-05-31 中国互联网络信息中心 A kind of block chain digital identification authentication method and system based on domain name service DNS systems
CN108737420A (en) * 2018-05-22 2018-11-02 北京航空航天大学 Information service trusted identities format and its life cycle management device and method
CN108737419A (en) * 2018-05-22 2018-11-02 北京航空航天大学 Trusted identities life cycle management device and method based on block chain
CN108964892A (en) * 2018-06-25 2018-12-07 北京迪曼森科技有限公司 Generation method, application method, management system and the application system of trusted application mark
CN109005029A (en) * 2018-06-25 2018-12-14 北京迪曼森科技有限公司 Trusted application mark generation method and system, application method and apply end equipment
CN109067768A (en) * 2018-08-31 2018-12-21 赛尔网络有限公司 A kind of detection method, system, equipment and the medium of inquiry of the domain name safety
CN109474592A (en) * 2018-11-08 2019-03-15 蓝信移动(北京)科技有限公司 Public key binding method and system
CN109831529A (en) * 2019-03-15 2019-05-31 北京世纪诚链科技有限公司 A kind of integrated architecture of cloud chain number
WO2020168586A1 (en) * 2019-02-20 2020-08-27 中国互联网络信息中心 Blockchain and dnssec-based user authentication method, system, device and medium
CN111783135A (en) * 2020-06-17 2020-10-16 复旦大学 DNSSEC-based data trusted service implementation method
CN112995139A (en) * 2021-02-04 2021-06-18 北京信息科技大学 Trusted network, and construction method and construction system of trusted network
CN113660276A (en) * 2021-08-18 2021-11-16 宜宾电子科技大学研究院 Remote task scheduling method based on privacy data protection

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110945833B (en) * 2018-12-07 2022-08-16 北京大学深圳研究生院 Method and system for multi-mode identification network privacy protection and identity management
CN113346990B (en) * 2021-05-11 2022-12-23 科大讯飞股份有限公司 Secure communication method and system, and related equipment and device
CN114520734B (en) * 2021-12-31 2024-01-26 华能信息技术有限公司 Network data security management and control method and system based on bidirectional transmission

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1182557A2 (en) * 2000-08-18 2002-02-27 Hewlett-Packard Company, A Delaware Corporation Performance of a service on a computing platform
CN101179380A (en) * 2007-11-19 2008-05-14 上海交通大学 Bidirectional authentication method, system and network terminal
CN102594558A (en) * 2012-01-19 2012-07-18 东北大学 Anonymous digital certificate system and verification method of trustable computing environment
CN103796200A (en) * 2014-03-03 2014-05-14 公安部第三研究所 Method for achieving key management in wireless mobile ad hoc network based on identities

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103401686B (en) * 2013-07-31 2016-08-10 陕西海基业高科技实业有限公司 A kind of user's OTP WEB Authentication System and application process thereof
GB2533728B (en) * 2013-10-17 2017-03-22 Arm Ip Ltd Method for assigning an agent device from a first device registry to a second device registry
CN103929435B (en) * 2014-05-05 2017-04-12 中国科学院计算机网络信息中心 Credibility verification method based on DNSSEC and DANE protocols
CN104243150A (en) * 2014-09-05 2014-12-24 中国联合网络通信集团有限公司 IPSec public key interaction method, nodes and DNS servers
CN105162602B (en) * 2015-09-01 2018-05-11 中国互联网络信息中心 A kind of trustable network Identity Management and verification system and method

Also Published As

Publication number Publication date
WO2017036003A1 (en) 2017-03-09
CN105162602B (en) 2018-05-11

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant