CN105323245A - Intelligent terminal, authorization method and system thereof - Google Patents


Publication number
CN105323245A
Authority
CN
China
Prior art keywords
intelligent terminal
authorization
authorization requests
signature
guarantee
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510629209.9A
Other languages
Chinese (zh)
Inventor
孙国峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Yuanxin Science and Technology Co Ltd
Original Assignee
Beijing Yuanxin Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Yuanxin Science and Technology Co Ltd
Priority to CN201510629209.9A
Publication of CN105323245A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides an intelligent terminal and an authorization method and system thereof. The method comprises the following steps: a first intelligent terminal transmits an authorization request to a second intelligent terminal; after the authorization request passes verification by the second intelligent terminal, the first intelligent terminal receives the authorization request signed with a guarantee private key of the second intelligent terminal and uploads the signed authorization request to an authorization server; and after the signature on the authorization request passes verification by the authorization server, the first intelligent terminal receives from the authorization server an authorization result for the authorization request. The intelligent terminal and the authorization method and system provided by the invention can effectively improve the access security of functions or services and are suitable for highly sensitive, high-risk application scenarios.

Description

Intelligent terminal, authorization method and system thereof
Technical field
The present invention relates to the technical field of intelligent terminals, and in particular to an intelligent terminal and an authorization method and system thereof.
Background
Because intelligent terminals are highly extensible, they offer users a very wide range of applications. The problem that follows is how to ensure that the software and hardware functions an intelligent terminal provides are used securely. Usually, secure access restrictions can be set for sensitive functions or services in an intelligent terminal. For example, different identity roles are set according to the attributes of different legitimate users, and each role can be configured with corresponding access rights. An authorization requester must then pass authentication before it can obtain the access rights corresponding to its identity role, that is, before it is authorized. In practice, the authorization requester can be a specific individual or a device.
At present, authorization is usually bound to identity, in an "authentication is authorization" mode. That is, once the identity of the authorization requester is verified, the requester obtains the access rights predefined for its identity role.
In practice, the identity role of the authorization requester is usually verified by submitting one of the following kinds of credential data:
1. Password or gesture
The intelligent terminal uses a specific algorithm to verify the password or gesture entered by the authorization requester. Once verification passes, the identity of the requester is considered correct or legitimate, and the corresponding access rights are obtained automatically.
2. Biometric features such as fingerprint or iris
The intelligent terminal uses specific software and hardware to authenticate the biometric features entered by the authorization requester. Likewise, once verification passes, the identity of the requester is considered correct or legitimate, and the corresponding access rights are obtained automatically.
3. Device digital certificate
The digital certificate held by the intelligent terminal is verified; passing verification counts as successful authentication, and authorization is obtained. Because this method actually verifies the identity of the device, it is usually used in combination with other methods.
4. Hardware characteristics of the device
The device of an intelligent terminal usually has unique hardware characteristics, for example the AIK (Attestation Identity Key) certificate fixed in TPM (Trusted Platform Module) hardware, the chip number in the identity data fixed in an SoC (System on Chip), or the unique string in an NFC (Near Field Communication) tag. Verifying these hardware characteristics verifies the identity of the intelligent terminal. Likewise, because this method actually verifies the identity of the device, it is usually used in combination with other methods.
5. Authentication using a combination of two or more of the above methods.
The inventor found that although this "authentication is authorization" mode can effectively serve applications whose security requirements are not very high, it still carries considerable risk for functions or services that have higher security requirements or are highly sensitive.
It is therefore necessary to provide an authorization method with higher security that is suitable for highly sensitive, high-risk application scenarios.
Summary of the invention
In view of the defects of the prior art described above, the invention provides an authorization method and system for terminal devices that effectively prevents a malicious user from gaining access rights merely by passing authentication, improves access security, and is suitable for highly sensitive, high-risk application scenarios.
The invention provides an authorization method for an intelligent terminal, comprising:
A first intelligent terminal sends an authorization request to a second intelligent terminal;
After the authorization request passes verification by the second intelligent terminal, the first intelligent terminal receives the authorization request signed with the guarantee private key of the second intelligent terminal, and uploads the signed authorization request to an authorization server;
After the signature on the authorization request passes verification by the authorization server, the first intelligent terminal receives from the authorization server an authorization result for the authorization request.
According to another aspect of the invention, an authorization method for an intelligent terminal is also provided, comprising:
A first intelligent terminal sends an authorization request to a second intelligent terminal;
The second intelligent terminal verifies the received authorization request and, after verification passes, returns to the first intelligent terminal the authorization request signed with its own guarantee private key;
The first intelligent terminal uploads the signed authorization request to an authorization server;
The authorization server verifies the signature on the authorization request and, after verification passes, feeds back an authorization result for the authorization request to the first intelligent terminal.
According to another aspect of the invention, an authorization system for intelligent terminals is also provided, comprising an authorization server, a first intelligent terminal and a second intelligent terminal, wherein:
The first intelligent terminal is used to send an authorization request to the second intelligent terminal and, after receiving the authorization request signed with the guarantee private key of the second intelligent terminal, to upload the signed authorization request to the authorization server; and, after the signature on the authorization request passes verification by the authorization server, to receive from the authorization server an authorization result for the authorization request;
The second intelligent terminal is used to verify the received authorization request and, after verification passes, to return to the first intelligent terminal the authorization request signed with its own guarantee private key;
The authorization server is used to verify the signature on the authorization request and, after verification passes, to feed back an authorization result for the authorization request to the first intelligent terminal.
Compared with the existing authorization mode, the technical scheme of the invention adds the role of guarantor and separates authentication from the authorization process. To gain access rights, an authorization requester needs not only a legitimate identity but also a legitimate guarantor to vouch for it; it cannot directly obtain the access rights predefined for its identity after passing authentication. This effectively prevents a malicious user from gaining access rights merely by passing authentication and improves access security. In addition, having the guarantor sign the authorization request that the requester initiates increases the difficulty of attack and further improves access security.
Additional aspects and advantages of the invention will be given in part in the following description, will become apparent from that description, or will be learned through practice of the invention.
Brief description of the drawings
Fig. 1 is a schematic diagram of the internal structure of the authorization system for intelligent terminals in an embodiment of the invention;
Figs. 2 and 3 are schematic flow charts of the authorization method for intelligent terminals in an embodiment of the invention;
Figs. 4a and 4b are schematic diagrams of the internal structure of the intelligent terminal in an embodiment of the invention.
Detailed description
The technical scheme of the invention is described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the invention without creative work fall within the scope of protection of the invention.
The inventor found that the existing "authentication is authorization" mode carries considerable security risks in the following situations:
1. The verification process for the applicant is deceived.
For example, a malicious user uses technical means to interfere with the verification of hardware characteristics so that the verification process fails, and thereby steals access rights.
2. The technology behind the means of verifying the applicant's identity is itself cracked.
For example, the password verification algorithm is cracked by reverse engineering and a key generator is used to produce large numbers of legitimate passwords or serial numbers, or the verification software is modified directly so that the verification means fail, and access rights are thereby stolen.
3. Legitimate verification data is stolen.
For example, fingerprint data is stolen by social engineering, or iris data is even obtained by deception, after which the attacker "legitimately" passes the authentication mechanism and gains access rights.
4. The hardware device is lost.
If the intelligent terminal is lost, verification means that rely on hardware characteristics fail completely.
5. A legitimate authorization requester makes a request involuntarily.
Under the existing "authentication is authorization" mode, identity and access rights are bound to each other, so even when the authentication of the authorization requester is sound, that is, the requester is "who it claims to be", problems of a social engineering nature can still arise. For example, the legitimate requester is actually being coerced, or verification data such as a password has been obtained by fraud. In such cases, even if the identity of the requester passes verification, the requester should not obtain the access rights predefined for that identity.
In summary, under the existing "authentication is authorization" mode, once any of the above situations occurs, the security requirements of sensitive functions or services cannot be guaranteed. The key reason is that the "authentication is authorization" mode depends entirely on authenticating the single role of authorization requester.
The inventor therefore considered introducing a new role, the guarantor, and performing cross-authorization in a manner similar to an "eyewitness". Specifically, authentication and authorization can be divided into two independent stages: an authorization requester that has passed authentication is not authorized directly; instead, an authenticated guarantor must perform cross-authorization for the authenticated requester, which ensures that only legitimate users are authorized in highly sensitive, high-risk application scenarios.
In practice, the authorization requester and the guarantor are predefined roles and can be understood as two different individuals or devices.
In the embodiments of the invention, an authenticated authorization requester can request not only the access rights predefined for its identity but also access rights of other levels. An authenticated guarantor can vouch for an authorization requester that needs to obtain access rights, and one or more guarantors can vouch for such a requester.
In the scheme of the invention, different guarantee groups can be set for different access rights; a guarantor in a guarantee group can vouch for an authorization requester that needs to obtain the access rights corresponding to that group.
In this way, to obtain access rights to a sensitive function or service, an authorization requester needs not only a legitimate identity but also at least one legitimate guarantor to vouch for it, which increases the difficulty of attack and improves access security. The guarantor that vouches for the requester can be selected at random from the guarantee group corresponding to the requested access rights rather than being fixed, which further improves security.
In the scheme of the invention, the identity roles of the guarantor and the authorization requester do not necessarily have equal access rights, but the guarantor's role definition allows it to grant the access rights to the authorization requester.
The technical scheme of the invention is described in detail below with reference to the drawings.
The invention provides an authorization system for intelligent terminals. As shown in Fig. 1, the system can comprise a first intelligent terminal 101, a second intelligent terminal 102 and an authorization server 103.
In the scheme of the invention, the first intelligent terminal 101 can be the authorization requester that requests access rights, in which case the second intelligent terminal 102 can be the guarantor that vouches for the requester of those access rights. Alternatively, the second intelligent terminal 102 can be the authorization requester, in which case the first intelligent terminal 101 can be the guarantor that vouches for the requester of those access rights.
The scheme is described below taking the first intelligent terminal 101 as the authorization requester and the second intelligent terminal 102 as the guarantor.
To ensure the legitimacy of the requester's identity, when the first intelligent terminal 101 wants to access a sensitive function or service on which a secure access restriction is set, its identity role must first be verified. The verification can use technical means commonly used by those skilled in the art.
The first intelligent terminal 101, having passed authentication, enters a pending-authorization state. It can then send an authorization request to a legitimate guarantor; specifically, the first intelligent terminal 101 can send the authorization request to a second intelligent terminal 102 that has passed authentication.
The second intelligent terminal 102, as guarantor, can likewise be authenticated by technical means commonly used by those skilled in the art.
In practice, the first intelligent terminal 101 and the second intelligent terminal 102 can each be authenticated with at least one of the following kinds of credential data: a password, a gesture, biometric features of the user, hardware characteristics of the device, and a digital certificate held by the device. The second intelligent terminal 102 can use the same authentication method as the first intelligent terminal 101, or a different one.
In the embodiments of the invention, the authenticated first intelligent terminal 101 can send an authorization request to the authenticated second intelligent terminal 102. The authorization request can contain the identity data of the first intelligent terminal 101 and a permission request message for the access rights that the first intelligent terminal 101 requests. In practice, the identity data of the first intelligent terminal 101 can be its device identification information, its user identification information, or other identification information that can represent the first intelligent terminal 101.
Correspondingly, after receiving the authorization request sent by the first intelligent terminal 101, the second intelligent terminal 102 can verify it. Specifically, the second intelligent terminal 102 verifies the identity data of the first intelligent terminal 101 in the authorization request and the access rights that the permission request message asks for, and thereby determines whether it can vouch for the first intelligent terminal 101.
After verification passes, the second intelligent terminal 102 can sign the received authorization request with its own guarantee private key and return the signed authorization request to the first intelligent terminal 101.
After receiving the authorization request signed with the guarantee private key of the second intelligent terminal 102, the first intelligent terminal 101 can upload the signed authorization request to the authorization server 103.
The authorization server 103, acting as the authorization platform, can verify the signature on the authorization request and, after verification passes, read the permission request message in the authorization request. Based on the permission request message it reads, it decides whether to authorize and feeds back an authorization result for the authorization request to the first intelligent terminal 101.
That is, after the signature on the authorization request passes verification by the authorization server 103, the first intelligent terminal 101 receives from the authorization server 103 an authorization result for the authorization request. If the result is that authorization succeeded, the first intelligent terminal 101 can use the function or service corresponding to the access rights it requested.
Thus, compared with the existing "authentication is authorization" mode, the scheme of the invention adds the role of guarantor and separates authentication from the authorization process, so that an authorization requester cannot directly obtain the access rights predefined for its identity after passing authentication. This avoids authorization being granted merely on authentication and improves access security. In addition, having the guarantor sign the requester's authorization request increases the difficulty of attack and further improves access security.
Further, in practice there is a data exchange between the first intelligent terminal 101 and the second intelligent terminal 102. The NFC (Near Field Communication) protocol requires the two communicating parties to be in physical contact or no farther apart than a set distance threshold (for example, 10 centimetres), so the likelihood of eavesdropping or of a replay attack is very low.
Therefore, for the sake of communication security, the embodiments of the invention can use the NFC protocol between the first intelligent terminal 101 and the second intelligent terminal 102. In practice, an NFC data link can be established when the first intelligent terminal 101 and the second intelligent terminal 102 come into physical contact or within the set distance threshold (for example, 10 centimetres). Because the NFC protocol enforces a limit on physical distance, the authorization requester and the guarantor must be in the same place at the same time for the guarantor to sign the authorization request, which greatly increases the difficulty of attack.
In practice, to use the NFC protocol, the devices of both the first intelligent terminal 101 and the second intelligent terminal 102 need NFC SE (Secure Element) hardware in order to run the NFC SE service.
Specifically, after establishing an NFC data link with the second intelligent terminal 102, the first intelligent terminal 101 activates the guarantee-application interface in the NFC SE service; at the same time, the second intelligent terminal 102 activates the guarantee interface in the NFC SE service, thereby completing secure communication with the first intelligent terminal 101.
Based on the authorization system described above, the invention provides an authorization method for intelligent terminals. Its flow, shown in Fig. 2, can comprise the following steps:
S201: The first intelligent terminal sends an authorization request to the second intelligent terminal.
Specifically, unlike the existing "authentication is authorization" mode, the first intelligent terminal 101, as authorization requester, enters a pending-authorization state after passing authentication.
To obtain access rights to a function or service, the first intelligent terminal 101 can make a request to a legitimate guarantor, that is, send an authorization request to a second intelligent terminal 102 that has passed authentication. The authorization request can contain the identity data of the first intelligent terminal 101 and a permission request message for the access rights that the first intelligent terminal 101 requests.
In practice, the second intelligent terminal 102 that vouches for the first intelligent terminal 101 can be selected from the guarantee group corresponding to the access rights that the first intelligent terminal 101 requests. A guarantee group contains at least one legitimate guarantor that can vouch for requesters of those access rights.
The access rights predefined for the identity of the first intelligent terminal 101 and the access rights asked for in the authorization request sent to the second intelligent terminal 102 can be the same or different.
That is, when the first intelligent terminal 101 requests the access rights predefined for its identity, the second intelligent terminal 102 can be selected from the guarantee group corresponding to those predefined access rights; when the first intelligent terminal 101 requests access rights of another level, the second intelligent terminal 102 can be selected from the guarantee group corresponding to the access rights that the first intelligent terminal 101 requests.
In the scheme of the invention, the first intelligent terminal 101 and the second intelligent terminal 102 can each be authenticated with at least one of the following kinds of credential data:
A password, a gesture, biometric features of the user, hardware characteristics of the device, and a digital certificate held by the device.
In practice, the NFC protocol is used between the first intelligent terminal 101 and the second intelligent terminal 102. An NFC data link can be established when the two terminals come into physical contact or within the set distance threshold (for example, 10 centimetres). The first intelligent terminal 101 then sends the authorization request through the activated guarantee-application interface of the NFC SE service, and the second intelligent terminal 102 receives the authorization request through the activated guarantee interface of the NFC SE service.
S202: The second intelligent terminal verifies the received authorization request and, after verification passes, returns to the first intelligent terminal the authorization request signed with its own guarantee private key.
Specifically, after receiving the authorization request sent by the first intelligent terminal 101, the authenticated second intelligent terminal 102, as a legitimate guarantor, can first verify the identity data of the sender of the authorization request and the permission request message for the access rights the sender requests, and thereby judge whether it can vouch for the first intelligent terminal 101.
Specifically, the second intelligent terminal 102 verifies the identity data of the first intelligent terminal 101 in the authorization request and the access rights that the permission request message asks for, and thereby determines whether it can vouch for the first intelligent terminal 101.
After verification passes, the second intelligent terminal 102 can sign the received authorization request with its own guarantee private key and return the signed authorization request to the first intelligent terminal 101 over the NFC data link.
S203: The first intelligent terminal uploads the signed authorization request to the authorization server.
Specifically, after receiving over the NFC data link the authorization request signed with the guarantee private key of the second intelligent terminal 102, the first intelligent terminal 101 can upload the signed authorization request to the authorization server 103 in order to obtain access rights.
Further, in the solution of the present invention, before uploading the authorization request signed with the guarantee private key of the second intelligent terminal 102 to the authorization server 103, the first intelligent terminal 101 can sign the authorization request with its own predefined application private key.
The first intelligent terminal 101 can then upload the authorization request, jointly signed with the application private key and the guarantee private key, to the authorization server 103, so that the authorization server 103 can subsequently verify the identity of the rights requester again on the basis of the application private key.
In practical applications, when the first intelligent terminal 101 is a legitimate rights requester, the authorization server 103 should store the application public key corresponding to the application private key of the first intelligent terminal 101.
Likewise, when the second intelligent terminal 102 is a legitimate guarantor, the authorization server 103 should store the guarantee public key corresponding to the guarantee private key of the second intelligent terminal 102.
More preferably, in practical applications, to ensure the security of information transmission, the first intelligent terminal 101 can also encrypt the signed authorization request with a preset authorization public key before uploading it to the authorization server 103, so that information such as the signatures cannot be stolen. The authorization public key used by the first intelligent terminal 101 is published and distributed in advance by the authorization server 103; correspondingly, the authorization server 103 holds the authorization private key corresponding to this authorization public key and uses it to decrypt information encrypted with the authorization public key.
S204: The authorization server verifies the signature in the authorization request and, after verification passes, feeds back an authorization result to the first intelligent terminal for the rights request message in the authorization request.
In this step, after receiving the signed authorization request uploaded by the first intelligent terminal 101, the authorization server 103 can first verify the signature in the authorization request; after verification passes, it reads the rights request message in the authorization request and determines from it whether to grant authorization. It then feeds back the authorization result for the rights request message to the first intelligent terminal 101.
In practical applications, if the authorization request that the authorization server 103 receives from the first intelligent terminal 101 has been encrypted with the authorization public key, then before verifying the signature in the authorization request the authorization server 103 must first use its own authorization private key to decrypt the signed authorization request.
The signature in the authorization request is then verified. Specifically, when the authorization request is signed only with the guarantee private key of the second intelligent terminal 102, the authorization server 103 can use the pre-stored guarantee public key to verify the guarantee private key signature of the second intelligent terminal 102. When the authorization request is signed with both the guarantee private key of the second intelligent terminal 102 and the application private key of the first intelligent terminal 101, the authorization server 103 can use the pre-stored application public key and guarantee public key to verify the signatures in the authorization request.
In practical applications, other communication protocols can be used between the authorization server 103 and the first intelligent terminal 101, which are connected over the Internet or a 3G or 4G network. For example, secure communication protocols such as PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol) can be used to protect the data.
S205: The first intelligent terminal receives the authorization result for the authorization request from the authorization server.
Specifically, the first intelligent terminal 101 receives the authorization result returned by the authorization server 103. If the result is that authorization succeeded, it obtains the access rights targeted by the authorization request and can use the service or function targeted by the rights request; otherwise, it cannot use that service or function.
In the solution of the present invention, authenticating the first intelligent terminal 101 and the second intelligent terminal 102 ensures the legitimate identities of the rights requester and the guarantor, and verifying the authorization public key of the second intelligent terminal 102 makes it possible to check the legitimacy of the guarantor's authorization of the rights requester. Compared with the existing "authentication equals authorization" model, in the solution of the present invention even a malicious user who passes authentication cannot directly obtain access rights, which effectively reduces the risk of malicious access to sensitive functions or services and improves security.
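The S201-S205 exchange described above, as an added Go example that is not part of the patent: the guarantor signs the request, the requester co-signs, and the server checks both signatures against pre-stored public keys. Ed25519, the field names, the device IDs, signing the request concatenated with the guarantee signature, and enforcing the guarantee group on the server are assumptions; the NFC transport and the optional authorization-public-key encryption are omitted.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// AuthRequest: identity data plus rights request message (field names assumed).
type AuthRequest struct {
	ApplicantID string `json:"applicant_id"`
	Permission  string `json:"permission"`
}

// SignedRequest is what the first terminal uploads in S203.
type SignedRequest struct {
	Request      []byte // serialized AuthRequest, signed byte for byte
	GuarantorID  string
	GuaranteeSig []byte // guarantor's signature over Request
	ApplicantSig []byte // requester's signature over Request || GuaranteeSig
}

// Server holds the pre-stored public keys and the guarantee group per permission.
type Server struct {
	ApplicantKeys map[string]ed25519.PublicKey
	GuarantorKeys map[string]ed25519.PublicKey
	Groups        map[string]map[string]bool // permission -> guarantor IDs
}

// Vouch is the second terminal's step in S202: sign the received request.
func Vouch(id string, priv ed25519.PrivateKey, req []byte) *SignedRequest {
	return &SignedRequest{Request: req, GuarantorID: id, GuaranteeSig: ed25519.Sign(priv, req)}
}

// coSignInput binds the requester's signature to the guarantee it carries.
func coSignInput(s *SignedRequest) []byte { return append(append([]byte{}, s.Request...), s.GuaranteeSig...) }

// CoSign adds the first terminal's application-key signature before upload.
func CoSign(priv ed25519.PrivateKey, s *SignedRequest) { s.ApplicantSig = ed25519.Sign(priv, coSignInput(s)) }

// Authorize is S204: both signatures must verify before the request is acted on.
func (sv *Server) Authorize(s *SignedRequest) error {
	var r AuthRequest
	if err := json.Unmarshal(s.Request, &r); err != nil {
		return fmt.Errorf("malformed request: %w", err)
	}
	gk, ok := sv.GuarantorKeys[s.GuarantorID]
	if !ok || !sv.Groups[r.Permission][s.GuarantorID] {
		return errors.New("guarantor not in guarantee group for this permission")
	}
	if !ed25519.Verify(gk, s.Request, s.GuaranteeSig) {
		return errors.New("guarantee signature invalid")
	}
	ak, ok := sv.ApplicantKeys[r.ApplicantID]
	if !ok || !ed25519.Verify(ak, coSignInput(s), s.ApplicantSig) {
		return errors.New("application signature invalid")
	}
	return nil
}

// Demo returns the verdicts for a valid, a tampered and an out-of-group request.
func Demo() (valid, tampered, outsider error) {
	aPub, aPriv, _ := ed25519.GenerateKey(nil) // constructed keys and IDs
	gPub, gPriv, _ := ed25519.GenerateKey(nil)
	oPub, oPriv, _ := ed25519.GenerateKey(nil)
	sv := &Server{
		ApplicantKeys: map[string]ed25519.PublicKey{"watch-1": aPub},
		GuarantorKeys: map[string]ed25519.PublicKey{"watch-2": gPub, "phone-9": oPub},
		Groups:        map[string]map[string]bool{"payments": {"watch-2": true}, "door-lock": {"watch-2": true}},
	}
	req, _ := json.Marshal(AuthRequest{ApplicantID: "watch-1", Permission: "payments"})
	good := Vouch("watch-2", gPriv, req)
	CoSign(aPriv, good)
	valid = sv.Authorize(good)
	// Permission swapped after signing: the guarantee no longer covers the bytes.
	bad := *good
	bad.Request, _ = json.Marshal(AuthRequest{ApplicantID: "watch-1", Permission: "door-lock"})
	tampered = sv.Authorize(&bad)
	// phone-9 is a known guarantor but not in the group for "payments".
	out := Vouch("phone-9", oPriv, req)
	CoSign(aPriv, out)
	outsider = sv.Authorize(out)
	return valid, tampered, outsider
}

func main() { fmt.Println(Demo()) }
```

The server verifies the signatures over the exact bytes it received and only then reads the permission out of them, so a request edited after the guarantor signed it fails before any authorization decision is made.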
The technical solution of the present invention is described below from the perspective of the rights requester.
Based on the authorization system for intelligent terminals described above, the present invention provides an authorization method for an intelligent terminal. Its specific flow is shown in Fig. 3 and can include the following steps:
S301: The first intelligent terminal sends an authorization request to the second intelligent terminal.
The first intelligent terminal 101 and the second intelligent terminal 102 have both passed authentication, and each can be authenticated using at least one of the following credential data:
a password, a gesture, a biometric feature of the user, a hardware feature of the device, or a digital certificate held by the device.
The NFC protocol is used between the first intelligent terminal 101 and the second intelligent terminal 102.
S302: After the authorization request passes verification by the second intelligent terminal, the first intelligent terminal receives the authorization request signed with the guarantee private key of the second intelligent terminal and uploads the signed authorization request to the authorization server.
More preferably, after receiving the authorization request signed with the private key of the second intelligent terminal, the first intelligent terminal 101 can also sign the authorization request with its own application private key.
More preferably, before uploading the signed authorization request to the authorization server 103, the first intelligent terminal 101 can also encrypt the signed authorization request with the authorization public key of the authorization server.
S303: After the signature in the authorization request passes verification by the authorization server, the first intelligent terminal receives the authorization result for the authorization request from the authorization server.
Specifically, the first intelligent terminal 101 receives the authorization result returned by the authorization server 103; if the result is that authorization succeeded, the first intelligent terminal 101 can use the service corresponding to the access rights it requested.
In the embodiment of the present invention, for the specific implementation of steps S301-S303 in the authorization method shown in Fig. 3, refer to steps S201-S205 in the authorization method shown in Fig. 2.
In practical applications, the functions of the first and second intelligent terminals described above can coexist in a single intelligent terminal; that is, the same intelligent terminal can act both as a rights requester and as a guarantor. The intelligent terminal of the present invention can be a PC (Personal Computer), a mobile phone, a PDA (Personal Digital Assistant), an intelligent wearable device (for example, an intelligent watch), and so on.
Based on the authorization method described above, the present invention also provides an intelligent terminal 400. As shown in Fig. 4a, the intelligent terminal can comprise a vouch-for request module 401 and an authorization request module 402.
The vouch-for request module 401 is used to initiate an authorization request to another intelligent terminal and, after the authorization request passes verification by the other intelligent terminal, to receive the authorization request signed with the guarantee private key of the other intelligent terminal.
In practical applications, different guarantee groups can be set for different access rights; a guarantor in a guarantee group can vouch for a rights requester that needs to obtain the access rights corresponding to that guarantee group.
Therefore, in the solution of the present invention, the other intelligent terminal can be selected from the guarantee group corresponding to the access rights targeted by the authorization request being initiated. After the other intelligent terminal has been chosen as guarantor, the vouch-for request module 401 in the intelligent terminal 400 can communicate with it using the NFC protocol and send it the initiated authorization request.
The authorization request module 402 is used to upload the signed authorization request received by the vouch-for request module 401 to the authorization server and, after the signature in the authorization request passes verification by the authorization server, to receive the authorization result for the authorization request from the authorization server.
The authorization request module 402 in the intelligent terminal 400 can communicate with the authorization server using secure communication protocols such as PPTP and L2TP.
In practical applications, the intelligent terminal 400 can also act as a guarantor and vouch for other intelligent terminals. Further, in the solution of the present invention, as shown in Fig. 4b, the intelligent terminal 400 can also comprise an authority guarantee module 403.
The authority guarantee module 403 is used to receive an authorization request sent by another intelligent terminal, verify the received authorization request and, after verification passes, return to the other intelligent terminal the authorization request signed with its own guarantee private key.
In the solution of the present invention, for the specific functions of each module in the intelligent terminal 400, refer to the steps of the authorization methods shown in Figs. 2 and 3 above; they are not repeated here.
Thus, when the intelligent terminal 400 is an intelligent watch and the intelligent watch needs to access a certain function or service, it can, after passing authentication, send an authorization request to another intelligent terminal (for example, an intelligent watch or a mobile phone). After the other intelligent terminal has vouched for the authorization request of this intelligent watch by signing it, the intelligent watch uploads the signed authorization request to the authorization server to request authorization.
For example, a first intelligent watch acting as rights requester can, after passing authentication, make physical contact with an authenticated guarantor or come within a set distance threshold of it, thereby establishing an NFC data link, and send an authorization request to the guarantor. The guarantor can be a second intelligent watch or another wearable intelligent device.
Then, after receiving the authorization request, the second intelligent watch acting as guarantor verifies it and, after verification passes, returns to the first intelligent watch the authorization request signed with its own guarantee private key. After receiving over the NFC data link the authorization request signed with the guarantee private key of the second intelligent watch, the first intelligent watch can upload the signed authorization request to the authorization server in order to obtain access rights.
Further, the first intelligent watch can sign the authorization request with its own predefined application private key and then upload the authorization request, jointly signed with the application private key and the guarantee private key, to the authorization server.
The authorization server uses the pre-stored application public key and guarantee public key to verify the signatures in the authorization request and, after verification passes, feeds back an authorization result to the first intelligent watch for the rights request message in the authorization request.
The first intelligent watch receives the authorization result returned by the authorization server. If the result is that authorization succeeded, it obtains the access rights targeted by the authorization request and can use the service or function targeted by the rights request; otherwise, it cannot use that service or function.
Compared with existing authorization models, the technical solution of the present invention adds the role of guarantor and separates authentication from the authorization process. To obtain access rights, a rights requester must not only have a legitimate identity but must also have a legitimate guarantor vouch for it, instead of directly obtaining the access rights predefined for its identity once authenticated. This effectively avoids the situation in which a malicious user obtains access rights merely by passing authentication, and improves access security. In addition, having the guarantor sign the authorization request initiated by the rights requester increases the difficulty of an attack and further improves access security.
Further, in the solution of the present invention, in addition to requesting the access rights predefined for its identity, a rights requester can also request different access rights depending on the guarantor.
Terms such as "module" and "system" used in this application are intended to include computer-related entities, such as but not limited to hardware, firmware, a combination thereof, software, or software in execution. For example, a module can be, but is not limited to: a process running on a processor, a processor, an object, an executable program, a thread of execution, a program, and/or a computer. For example, both an application running on a computing device and the computing device itself can be modules. One or more modules can reside within a process and/or thread of execution, and a module can be located on one computer and/or distributed between two or more computers.
Those skilled in the art will appreciate that the present invention covers one or more devices for performing the operations described in this application. These devices can be specially designed and manufactured for the required purposes, or can comprise known devices in general-purpose computers. These devices have computer programs stored in them that are selectively activated or reconfigured. Such computer programs can be stored in a device-readable (for example, computer-readable) storage medium, or in any type of medium suitable for storing electronic instructions and coupled to a bus. The computer-readable medium includes but is not limited to any type of disk (including floppy disks, hard disks, optical discs, CD-ROMs, and magneto-optical disks), ROM (Read-Only Memory), RAM (Random Access Memory), EPROM (Erasable Programmable Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory, magnetic cards, or optical cards. That is, a computer-readable storage medium includes any medium that stores or transmits information in a form readable by a device (for example, a computer).
Those skilled in the art will appreciate that computer program instructions can be used to implement each block in these structure diagrams and/or block diagrams and/or flow diagrams, and combinations of blocks in them. Those skilled in the art will also appreciate that these computer program instructions can be supplied to the processor of a general-purpose computer, a special-purpose computer, or other programmable data processing methods, so that the processor of the computer or other programmable data processing methods carries out the scheme specified in one or more blocks of the structure diagrams and/or block diagrams and/or flow diagrams disclosed by the present invention.
Those skilled in the art will appreciate that the steps, measures, and schemes in the various operations, methods, and flows discussed in the present invention can be alternated, changed, combined, or deleted. Further, other steps, measures, and schemes in the various operations, methods, and flows discussed in the present invention can also be alternated, changed, rearranged, decomposed, combined, or deleted. Further, steps, measures, and schemes in the prior art that correspond to the various operations, methods, and flows disclosed in the present invention can also be alternated, changed, rearranged, decomposed, combined, or deleted.
The above are only preferred embodiments of the present invention. It should be noted that those of ordinary skill in the art can make improvements and refinements without departing from the principles of the present invention, and these improvements and refinements should also be regarded as falling within the scope of protection of the present invention.

Claims (10)

1. An authorization method for an intelligent terminal, characterized by comprising:
a first intelligent terminal sending an authorization request to a second intelligent terminal;
the first intelligent terminal, after the authorization request passes verification by the second intelligent terminal, receiving the authorization request signed with the guarantee private key of the second intelligent terminal, and uploading the signed authorization request to an authorization server;
the first intelligent terminal, after the signature in the authorization request passes verification by the authorization server, receiving an authorization result for the authorization request from the authorization server.
2. The method of claim 1, characterized in that the first intelligent terminal and the second intelligent terminal have both passed authentication.
3. The method of claim 2, characterized in that, after receiving the authorization request signed with the private key of the second intelligent terminal, the method further comprises:
the first intelligent terminal signing the authorization request with its own application private key.
4. The method of claim 2, characterized in that, before uploading the signed authorization request to the authorization server, the method further comprises:
the first intelligent terminal encrypting the signed authorization request with the authorization public key of the authorization server.
5. The method of any one of claims 1-4, characterized in that the near-field communication (NFC) protocol is used between the first intelligent terminal and the second intelligent terminal.
6. An authorization system for an intelligent terminal, characterized by comprising: an authorization server, a first intelligent terminal, and a second intelligent terminal; wherein
the first intelligent terminal is used to send an authorization request to the second intelligent terminal and, after receiving the authorization request signed with the guarantee private key of the second intelligent terminal, to upload the signed authorization request to the authorization server; and, after the signature in the authorization request passes verification by the authorization server, to receive an authorization result for the authorization request from the authorization server;
the second intelligent terminal is used to verify the received authorization request and, after verification passes, to return to the first intelligent terminal the authorization request signed with its own guarantee private key;
the authorization server is used to verify the signature in the authorization request and, after verification passes, to feed back an authorization result for the authorization request to the first intelligent terminal.
7. The system of claim 6, characterized in that the first intelligent terminal and the second intelligent terminal have both passed authentication.
8. The system of claim 7, characterized in that the near-field communication (NFC) protocol is used between the first intelligent terminal and the second intelligent terminal.
9. An intelligent terminal, characterized by comprising:
a vouch-for request module, used to initiate an authorization request to another intelligent terminal and, after the authorization request passes verification by the other intelligent terminal, to receive the authorization request signed with the guarantee private key of the other intelligent terminal;
an authorization request module, used to upload the signed authorization request to an authorization server and, after the signature in the authorization request passes verification by the authorization server, to receive an authorization result for the authorization request from the authorization server.
10. The intelligent terminal of claim 9, characterized by further comprising:
an authority guarantee module, used to receive an authorization request sent by another intelligent terminal, verify the received authorization request and, after verification passes, return to the other intelligent terminal the authorization request signed with its own guarantee private key.
CN201510629209.9A 2015-09-29 2015-09-29 Intelligent terminal, authorization method and system thereof Pending CN105323245A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510629209.9A CN105323245A (en) 2015-09-29 2015-09-29 Intelligent terminal, authorization method and system thereof


Publications (1)

Publication Number Publication Date
CN105323245A true CN105323245A (en) 2016-02-10

Family

ID=55249840


Country Status (1)

Country Link
CN (1) CN105323245A (en)



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20160210