CN105763526A - Security authentication method, network device and system - Google Patents

Publication number: CN105763526A (granted as CN105763526B)
Application number: CN201410805859.XA
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 刘婧雯
Original and current assignee: China Mobile Communications Group Co Ltd
Legal events: application filed by China Mobile Communications Group Co Ltd; priority to CN201410805859.XA; published as CN105763526A; granted and published as CN105763526B; legal status active (granted)

Abstract

The invention discloses a security authentication method, a network device and a system. The method includes the following steps: a first request sent by a terminal device within the coverage area is received, the first request being a request to obtain a verification code for a first application; when the terminal device is determined to be valid according to the first request, a first verification code is generated and sent to the terminal device; a second request sent by the terminal device is received, the second request carrying a second verification code sent by the terminal device and an operation on a target object in the first application; verification is carried out according to the second verification code in the second request and, when verification succeeds, the second request is sent to a server so that the server can perform processing according to the operation on the target object in the first application carried in the second request.

Description

Security authentication method, network device and system
Technical field
The present invention relates to secure transmission techniques in the field of communications, and in particular to a security authentication method, a network device and a system.
Background
With the rapid development of intelligent mobile terminals and the mobile Internet, shopping by mobile phone has gradually become popular, and e-commerce clients and mobile wallet clients have emerged alongside it. To keep transactions secure, user identity authentication is an indispensable technical means when trading through such clients. The SMS dynamic password is the authentication means most commonly used in mobile payment and can serve both login and transaction authentication: the server generates a dynamic password and delivers it by short message to the mobile phone bound to the user, and the user enters the password and submits it to the server for verification, thereby completing authentication. However, when identity is authenticated by SMS dynamic password, the short message frequently fails to arrive.
Summary of the invention
In view of this, the embodiments of the present invention aim to provide a security authentication method, a network device and a system that can at least solve the above problem in the prior art.
To achieve the above purpose, the technical solution of the present invention is realized as follows:
The present invention provides a security authentication method applied to a network device, the method including:
receiving a first request sent by a terminal device within the coverage area, the first request being a request to obtain a verification code for a first application;
when the terminal device is determined to be legitimate according to the first request, generating a first verification code and sending the first verification code to the terminal device;
receiving a second request sent by the terminal device, the second request carrying a second verification code sent by the terminal device and an operation on a target object in the first application;
verifying according to the second verification code in the second request and, when verification passes, sending the second request to a server so that the server processes the operation on the target object in the first application carried in the second request.
In the above solution, the method further includes:
receiving a third request sent by the terminal device, the third request being the terminal device's login request for the first application;
sending the third request to the server so that the server performs authentication according to the third request and obtains an authentication result;
receiving the authentication result sent by the server and, when the authentication result is that authentication passed, adding the identification information of the terminal device to a service list.
In the above solution, determining that the terminal device is legitimate according to the first request includes:
judging whether the identification information in the first request is already recorded in the service list and, if so, determining that the terminal device is legitimate.
In the above solution, before sending the second request to the server, the method further includes:
adjusting the service bandwidth of the terminal device to a preset value.
The present invention provides a network device, the network device including:
a first communication unit, configured to receive a first request sent by a terminal device within the coverage area, the first request being a request to obtain a verification code for a first application;
an authentication unit, configured to generate a first verification code when the terminal device is determined to be legitimate according to the first request and to send the first verification code to the terminal device through the first communication unit; and to verify according to the second verification code in the second request and, when verification passes, send the second request to a server through a second communication unit so that the server processes the operation on the target object in the first application carried in the second request;
a second communication unit, configured to receive the second request sent by the terminal device, the second request carrying a second verification code sent by the terminal device and an operation on a target object in the first application.
In the above solution, the network device further includes:
a service list unit, configured to add the identification information of the terminal device to a service list when the authentication result is that authentication passed;
correspondingly, the authentication unit is further configured to receive a third request sent by the terminal device, the third request being the terminal device's login request for the first application; to send the third request to the server through the second communication unit so that the server performs authentication according to the third request and obtains an authentication result; and to receive the authentication result sent by the server.
In the above solution, the authentication unit is further configured to judge whether the identification information in the first request is already recorded in the service list of the service list unit and, if so, to determine that the terminal device is legitimate.
In the above solution, the network device further includes:
a bandwidth adjustment unit, configured to adjust the service bandwidth of the first communication unit to a preset value.
The present invention provides a security authentication system, the system including:
a network device, configured to receive a first request sent by a terminal device within its coverage area, the first request being a request to obtain a verification code for a first application; to generate a first verification code when the terminal device is determined to be legitimate according to the first request and send the first verification code to the terminal device; to receive a second request sent by the terminal device, the second request carrying a second verification code sent by the terminal device and an operation on a target object in the first application; and to verify according to the second verification code in the second request and, when verification passes, send the second request to a server;
a server, configured to process according to the operation on the target object in the first application carried in the second request.
In the above solution, the network device includes:
a first communication unit, configured to receive a first request sent by a terminal device within the coverage area, the first request being a request to obtain a verification code for a first application;
an authentication unit, configured to generate a first verification code when the terminal device is determined to be legitimate according to the first request and to send the first verification code to the terminal device through the first communication unit; and to verify according to the second verification code in the second request and, when verification passes, send the second request to the server through a second communication unit so that the server processes the operation on the target object in the first application carried in the second request;
a second communication unit, configured to receive the second request sent by the terminal device, the second request carrying a second verification code sent by the terminal device and an operation on a target object in the first application.
In the above solution, the network device further includes:
a service list unit, configured to add the identification information of the terminal device to a service list when the authentication result is that authentication passed;
correspondingly, the authentication unit is further configured to receive a third request sent by the terminal device, the third request being the terminal device's login request for the first application; to send the third request to the server through the second communication unit so that the server performs authentication according to the third request and obtains an authentication result; and to receive the authentication result sent by the server.
In the above solution, the authentication unit is further configured to judge whether the identification information in the first request is already recorded in the service list of the service list unit and, if so, to determine that the terminal device is legitimate.
In the above solution, the network device further includes:
a bandwidth adjustment unit, configured to adjust the service bandwidth of the first communication unit to a preset value.
In the above solution, the server includes:
a communication unit, configured to receive the second request sent by the network device, the second request carrying a second verification code sent by the terminal device and a payment operation for the first application; and to receive a third request sent by the network device, the third request being the terminal device's login request for the first application;
an authentication and authorization unit, configured to extract the payment operation for the first application from the second request, process according to that payment operation and complete the payment operation of the terminal device; and to verify according to the third request, obtain a verification result and send the verification result to the network device.
With the security authentication method, network device and system provided by the embodiments of the present invention, the verification code is generated and sent by the network device itself; the verification code in the second request returned by a terminal device within the network device's coverage area is verified there, and only after verification passes is the second request forwarded to the server, which then operates according to the second request. The verification code therefore never needs to be sent to the server: the distance the verification code travels is shortened, latency is reduced, the verification operation is faster, and the user experience is improved.
Brief description of the drawings
Fig. 1 is a first schematic flow chart of the security authentication method of the present invention;
Fig. 2 is a second schematic flow chart of the security authentication method of the present invention;
Fig. 3 is a first flow example of the present invention;
Fig. 4 is a second flow example of the present invention;
Fig. 5 is a first schematic structural diagram of the network device of the present invention;
Fig. 6 is a second schematic structural diagram of the network device of the present invention;
Fig. 7 is a first schematic structural diagram of the security authentication system of the present invention;
Fig. 8 is a second schematic structural diagram of the security authentication system of the present invention;
Fig. 9 is a schematic diagram of the login process of an embodiment of the present invention;
Fig. 10 is a schematic diagram of the payment flow of an embodiment of the present invention.
Detailed description of the invention
The present invention is described in further detail below with reference to the drawings and specific embodiments.
Embodiment one
An embodiment of the present invention provides an authentication method applied to a network device; as shown in Fig. 1, the method includes:
Step 101: receiving a first request sent by a terminal device within the coverage area, the first request being a request to obtain a verification code for a first application;
Step 102: when the terminal device is determined to be legitimate according to the first request, generating a first verification code and sending the first verification code to the terminal device;
Step 103: receiving a second request sent by the terminal device, the second request carrying a second verification code sent by the terminal device and an operation on a target object in the first application;
Step 104: verifying according to the second verification code in the second request and, when verification passes, sending the second request to a server so that the server processes the operation on the target object in the first application carried in the second request.
The network device in this embodiment may be a base station in a communication network, or a wireless access point (WAP) with WiFi capability. Correspondingly, the terminal device may be a mobile terminal, or a terminal device with WiFi access capability.
It is understood that before step 101 is performed, the network device may also establish a connection with a terminal device within its own coverage area. When the network device is a base station, it may detect the terminal device's signal to determine whether the terminal device has entered its coverage area; when the network device is a WiFi access point, the terminal device may initiate a connection request to the access point after detecting its signal, and the access point establishes the connection with the terminal device according to that request.
The first request may arise as follows: when a user needs to perform a payment operation while using the first application, a verification code must first be obtained, so the first request is produced by the user clicking the button for obtaining a verification code in the display interface of the first application. The first application in this embodiment is an application that provides payment operations, for example the Taobao or Jingdong applications.
Besides the above request to obtain a verification code, the first request may also include the identification information of the terminal device; the identification information may be the IMSI or TMSI of the terminal device, or a device name specially set by the user of the terminal device.
The service list may be obtained by receiving it from the server and storing it. The service list may include the identification information of at least one terminal device.
The method of judging whether the terminal device is legitimate may be: obtaining the identification information of the terminal device from the first request, checking whether identical identification information exists in the service list and, if so, determining that the terminal device is legitimate.
In addition, when the terminal device is determined to be illegitimate, the processing flow is terminated, which indicates that this terminal device is not a legitimate device within the coverage area of the network device.
The verification code may be generated as N randomly generated digits, where N is a positive integer greater than or equal to 1, for example 1234; or as a randomly generated picture containing M characters or letters, for example ABCD.
Sending the verification code to the terminal device may be done over the communication link, that is, the verification code may be sent as a short message; or it may be sent over the WiFi signal.
Verifying according to the second verification code in the second request may be: after extracting the verification code from the second request, comparing it with the first verification code that was sent to the mobile terminal; when the two are identical, verification passes; otherwise verification fails.
It is understood that if verification fails, the network device may send a verification-code-error message to the terminal device, and after seeing the message the user may re-enter the second verification code;
a flow for regenerating a new first verification code may also be added, specifically:
when verification fails, generating a new first verification code and sending the new first verification code to the terminal device;
receiving the second request sent again by the terminal device, and verifying according to the second verification code in that second request.
The payment operation for the first application may be a payment operation for target information provided by the first application. Specifically, when the user views at least one item of target information displayed by the first application, the user selects one item of target information as required and performs a payment operation on it. The target information may be a product displayed by the first application that the user can buy, for example information about clothes displayed on a shopping web page.
Besides the target information, the payment operation may also include the means of payment selected by the user, such as online payment or cash on delivery, and the user's product shipping address.
Preferably, the payment operation may be determined according to the selected target information together with the means of payment and product shipping address chosen by the user; this is not repeated here.
It can be seen that by adopting the above solution, the verification code is generated and sent by the network device itself; the verification code in the second request returned by a terminal device within the network device's coverage area is verified there, and only after verification passes is the second request forwarded to the server, which then operates according to the second request. The verification code therefore never needs to be sent to the server: the distance the verification code travels is shortened, latency is reduced, the verification operation is faster, and the user experience is improved.
Embodiment two
An embodiment of the present invention provides an authentication method applied to a network device; as shown in Fig. 2, the method includes:
Step 201: receiving a third request sent by the terminal device, the third request being the terminal device's login request for the first application;
Step 202: sending the third request to the server so that the server performs authentication according to the third request and obtains an authentication result;
Step 203: receiving the authentication result sent by the server and, when the authentication result is that authentication passed, adding the identification information of the terminal device to a service list;
Step 204: receiving a first request sent by the terminal device, the first request being a request to obtain a verification code for the first application;
Step 205: when the terminal device is determined to be legitimate according to the first request, generating a first verification code and sending the first verification code to the terminal device;
Step 206: receiving a second request sent by the terminal device, the second request carrying a second verification code sent by the terminal device and an operation on a target object in the first application;
Step 207: verifying according to the second verification code in the second request and, when verification passes, sending the second request to the server so that the server processes the operation on the target object in the first application carried in the second request.
The network device in this embodiment may be a base station in a communication network, or a wireless access point (WAP) with WiFi capability. Correspondingly, the terminal device may be a mobile terminal, or a terminal device with WiFi access capability.
The login request for the first application may carry the user name and password with which the terminal device logs in to the first application.
The server verifies according to the third request by comparing the user name and password in the login request against a stored user information list; if the user information list contains an identical user name and password, the verification result is that verification passed. Further, the authentication result may include preparing an authentication and authorization token, and sending the user-related information (user name, bound mobile phone number) and the login-success result.
The first request may arise as follows: when a user needs to perform a payment operation while using the first application, a verification code must first be obtained, so the first request is produced by the user clicking the button for obtaining a verification code in the display interface of the first application. The first application in this embodiment is an application that provides payment operations, for example the Taobao or Jingdong applications.
Besides the above request to obtain a verification code, the first request may also include the identification information of the terminal device; the identification information may be the IMSI or TMSI of the terminal device, or a device name specially set by the user of the terminal device.
Determining that the terminal device is legitimate according to the first request includes: judging whether the identification information in the first request is already recorded in the service list and, if so, determining that the terminal device is legitimate.
In addition, when the terminal device is determined to be illegitimate, the processing flow is terminated, which indicates that this terminal device is not a legitimate device within the coverage area of the network device.
The verification code may be generated as N randomly generated digits, where N is a positive integer greater than or equal to 1, for example 1234; or as a randomly generated picture containing M characters or letters, for example ABCD.
Sending the verification code to the terminal device may be done over the communication link, that is, the verification code may be sent as a short message; or it may be sent over the WiFi signal.
Verifying according to the second verification code in the second request may be: after extracting the verification code from the second request, comparing it with the first verification code that was sent to the mobile terminal; when the two are identical, verification passes; otherwise verification fails.
It is understood that if verification fails, the network device may send a verification-code-error message to the terminal device, and after seeing the message the user may re-enter the second verification code.
If verification fails, a flow for regenerating a new first verification code may also be added, specifically: when verification fails, generating a new first verification code and sending it to the terminal device; receiving the second request sent again by the terminal device; and verifying according to the second verification code in that second request.
The payment operation for the first application may be a payment operation for target information provided by the first application. Specifically, when the user views at least one item of target information displayed by the first application, the user selects one item of target information as required and performs a payment operation on it. The target information may be a product displayed by the first application that the user can buy, for example information about clothes displayed on a shopping web page.
Besides the target information, the payment operation may also include the means of payment selected by the user, such as online payment or cash on delivery, and the user's product shipping address.
Preferably, the payment operation may be determined according to the selected target information together with the means of payment and product shipping address chosen by the user; this is not repeated here.
Preferably, before sending the payment operation for the first application in the second request to the server, the method further includes adjusting the service bandwidth of the terminal device to a preset value, where the preset bandwidth value may be set according to the actual situation. This dynamic bandwidth allocation guarantees the working bandwidth of the terminal device and the authentication link, improving authentication efficiency and success rate.
This embodiment is illustrated below with reference to Fig. 3 and Fig. 4, assuming that the network device is a base station, the terminal device is a mobile phone, and the first application is a client:
First, as shown in Fig. 3, the login process includes:
Step 301: the user initiates a login request through the mobile phone client;
Step 302: the base station receives and forwards the login request;
Step 303: the server verifies the user information;
Step 304: after verification passes, the server prepares an authentication and authorization token and sends the user-related information (user name, bound mobile phone number) and the login-success result to the base station;
Step 305: the base station updates the service list, adding the legitimate user's information;
Step 306: the user is logged in on the client.
As shown in Fig. 4, the payment authentication flow includes:
Step 401: the user initiates an authentication request on the mobile phone;
Step 402: the base station accepts the authentication request, queries the service list and finds the user to be legitimate; it generates a verification code and adjusts this user's service bandwidth;
Step 403: the base station delivers the verification code to the legitimate user's bound mobile phone;
Step 404: the user receives the verification code, enters it manually, and submits the order together with the authentication information;
Step 405: the base station verifies the verification code on the server's behalf;
Step 406: after verification passes, the base station sends the user's order and token up to the server;
Step 407: the server processes the transaction.
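The following Python is an added simulation of the login flow (Steps 301-306) and the payment flow (Steps 401-407), and equally of Steps 101-104 of embodiment one; it is not code from the patent or from China Mobile. The server, base station, user list, IMSI and order are all constructed; the two marked departures from the text (constant-time comparison, and discarding a verification code once it has been accepted) are this example's additions.

```python
import hmac
import secrets


class Server:
    """Application server: user profile list, token issuance, order handling."""

    def __init__(self):
        # Constructed user profile list: username -> (password, bound phone number)
        self.users = {"alice": ("pw-alice", "13800000001")}
        self.tokens = {}       # token -> username
        self.orders = []       # processed orders
        self.codes_seen = []   # verification codes that reach the server (should stay empty)

    def login(self, username, password):
        """Steps 303-304: compare against the user list; on success issue a token."""
        record = self.users.get(username)
        if record is None or not hmac.compare_digest(record[0], password):
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = username
        return {"username": username, "token": token, "phone": record[1]}

    def process_order(self, request):
        """Step 407: process the forwarded second request (order plus token, no code)."""
        if "code" in request:
            self.codes_seen.append(request["code"])
        if self.tokens.get(request.get("token")) != request.get("username"):
            return "rejected"
        self.orders.append(request["order"])
        return "processed"


class BaseStation:
    """Network device: service list, code generation and checking, forwarding."""

    def __init__(self, server, code_digits=4, preset_bandwidth_kbps=512):
        self.server = server
        self.code_digits = code_digits            # N in the text, e.g. 1234 -> N = 4
        self.preset_bandwidth = preset_bandwidth_kbps
        self.service_list = {}  # identification info (IMSI) -> login info from server
        self.pending = {}       # IMSI -> outstanding first verification code
        self.bandwidth = {}     # IMSI -> service bandwidth in kbps
        self.sms_log = []       # (IMSI, code) delivered inside this cell only

    def _issue_code(self, imsi):
        """Generate N random digits and 'send' them to the phone within the cell."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.code_digits))
        self.pending[imsi] = code
        self.sms_log.append((imsi, code))
        return code

    def login_request(self, imsi, username, password):
        """Third request, Steps 301-305: forward login; list the device on success."""
        result = self.server.login(username, password)
        if result is None:
            return False
        self.service_list[imsi] = result
        return True

    def code_request(self, imsi):
        """First request, Steps 401-403: only a listed device is issued a code."""
        if imsi not in self.service_list:
            return False                  # illegitimate device: the flow terminates
        self.bandwidth[imsi] = self.preset_bandwidth   # Step 402 bandwidth adjustment
        self._issue_code(imsi)
        return True

    def order_request(self, imsi, code, order):
        """Second request, Steps 404-406: check the code here, forward order and token."""
        expected = self.pending.get(imsi)
        if expected is None:
            return "no_pending_code"
        if not hmac.compare_digest(expected, code):   # constant-time compare (added)
            self._issue_code(imsi)        # regenerate a new first code on failure
            return "code_error"
        del self.pending[imsi]            # added: a code is accepted at most once
        login = self.service_list[imsi]
        forwarded = {"username": login["username"], "token": login["token"], "order": order}
        return self.server.process_order(forwarded)


def run_demo():
    """Walk a constructed phone through login, a wrong code, then the right one."""
    server, imsi = Server(), "460000000000001"       # constructed IMSI
    bs = BaseStation(server)
    order = {"item": "coat", "payment": "online", "ship_to": "constructed address"}
    r = {"unlisted": bs.code_request(imsi)}          # before login: refused
    r["login"] = bs.login_request(imsi, "alice", "pw-alice")
    r["code_request"] = bs.code_request(imsi)
    wrong = "0000" if bs.sms_log[-1][1] != "0000" else "0001"
    r["wrong_code"] = bs.order_request(imsi, wrong, order)
    r["right_code"] = bs.order_request(imsi, bs.sms_log[-1][1], order)  # regenerated code
    r["replay"] = bs.order_request(imsi, bs.sms_log[-1][1], order)
    r["server_saw_code"] = bool(server.codes_seen)
    r["orders"], r["bandwidth"] = len(server.orders), bs.bandwidth[imsi]
    return r
```

The `sms_log` stands in for the in-cell delivery of Step 403; `codes_seen` staying empty is the property the patent claims, that the code never leaves the access network.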
It can be seen that by adopting the above solution, the network device itself sends the verification code to the terminal device, obtains the verification code from the second request returned by the terminal device, verifies according to it, and only after verification passes forwards the second request to the server, which operates according to the payment request in the second request. The verification code therefore never needs to be sent to the server: the distance the verification code travels is shortened, latency is reduced, the verification operation is faster, and the user experience is improved;
in addition, because the server sends the result of successful verification to the network device, the network device can add the verified terminal device to its service list. This imposes a geographical constraint: the network device provides security authentication service only to users within its own coverage area, and the verification code is transmitted only within this cell, which improves security. Further, verification interaction with the server is reduced, which lowers the transmission pressure between the access network and the core network and avoids congestion.
Embodiment three,
Embodiments provide a kind of network equipment, as it is shown in figure 5, include:
First communication unit 51, for receiving the first request that in coverage, described terminal unit is sent, described first request is the request obtaining the identifying code for the first application;
Authentication ' unit 52, for when determining that described terminal unit is legal according to described first request, generating the first identifying code, sends described first identifying code extremely described terminal unit by the first communication unit;It is verified according to described second identifying code in described second request, when being verified, send described second by second communication unit to ask to server so that described server processes according to the operation of destination object in applying for first in described second request;
Second communication unit 53, is used for receiving described terminal unit and sends the second request, the operation of destination object in carrying the second identifying code that terminal unit sends in described second request and applying for first.
The network device in this embodiment may be a base station in a communication network, or a wireless access point (WAP) with WiFi capability. Correspondingly, the terminal device may be a mobile terminal, or a terminal device with WiFi access capability.
The first request may arise as follows: when the user uses the first application and needs to perform a payment operation, a verification code must first be obtained; the first request is then produced by the user clicking a "get verification code" button in the display interface of the first application. The first application in this embodiment is an application that offers payment operations, for example Taobao or JD.com (Jingdong).
Besides the request to obtain the verification code, the first request may also carry identification information of the terminal device; the identification information may be the IMSI or TMSI of the terminal device, or a device name set specifically by the user of the terminal device.
The authentication unit is further configured to obtain the identification information of the terminal device from the first request and to check whether the same identification information is present in the service list; if it is, the terminal device is determined to be legitimate.
Further, when the terminal device is determined to be illegitimate, the processing flow is terminated, which indicates that this terminal device is not a legitimate device within the coverage area of the network device.
The verification code may be generated as a randomly generated N-digit number, where N is a positive integer greater than or equal to 1, for example 1234; or as a randomly generated picture containing M characters or letters, for example ABCD.
The verification code may be sent to the terminal device over a communication link, i.e. as an SMS message; or the information may be sent over a WiFi signal.
Verifying according to the second verification code in the second request may consist of extracting the verification code from the second request and comparing it with the first verification code that was sent to the mobile terminal; when the two are identical, verification succeeds, otherwise verification fails.
It is understood that, if verification fails, the network device may send a "verification code error" message to the terminal device, and after the user sees this message the second verification code can be re-entered.
The authentication unit is further configured, when verification fails, to generate a new first verification code and send it to the terminal device;
to receive the second request sent again by the terminal device; and to verify according to the second verification code in that second request.
The payment operation for the first application may be a payment operation for target information provided by the first application. The authentication unit is further used when the user views at least one item of target information displayed by the first application, selects one item as needed and performs a payment operation on it. The target information may be a product, displayed by the first application, that the user can buy, for example information about an item of clothing shown on a shopping web page.
Besides the target information, the payment operation may also include the payment method selected by the user, such as online payment or cash on delivery, and the user's shipping address for the product.
Preferably, the payment operation may be to determine, according to the selected target information, the payment method and shipping address chosen by the user and to proceed accordingly; this is not repeated here.
It can be seen that, with the above scheme, sending the verification code to the terminal device, obtaining the verification code from the second request returned by the terminal device, and verifying it are all completed at the network device; only after verification succeeds is the second request forwarded to the server, which then acts on the payment request it contains. The verification code therefore never needs to be sent to the server, which shortens the transmission path of the verification code, reduces latency, speeds up the verification operation and thus improves the user experience.
Embodiment four
This embodiment provides a network device which, as shown in Figure 6, includes:
a first communication unit 61, for receiving a first request sent by a terminal device within the coverage area, the first request being a request to obtain a verification code for a first application;
an authentication unit 62, for generating a first verification code when the terminal device is determined to be legitimate according to the first request and sending the first verification code to the terminal device via the first communication unit; and for verifying the second verification code carried in a second request and, when verification succeeds, sending the second request to a server via a second communication unit, so that the server processes the operation on the target object in the first application carried in the second request;
a second communication unit 63, for receiving the second request sent by the terminal device, the second request carrying the second verification code sent by the terminal device and the operation on the target object in the first application.
The network device further includes a service list unit 64, for adding the identification information of the terminal device to the service list when the authentication result is that authentication passed. Correspondingly, the authentication unit 62 is further configured to receive a third request sent by the terminal device, the third request being a login request of the terminal device for the first application; to send the third request to the server via the second communication unit, so that the server performs authentication according to the third request and obtains an authentication result; and to receive the authentication result sent by the server.
The authentication unit 62 is further configured to judge whether the identification information in the first request is already recorded in the service list kept by the service list unit; if it is, the terminal device is determined to be legitimate.
The network device in this embodiment may be a base station in a communication network, or a wireless access point (WAP) with WiFi capability. Correspondingly, the terminal device may be a mobile terminal, or a terminal device with WiFi access capability.
The login request for the first application may carry the user name and password with which the terminal device logs in to the first application.
The authentication unit is further configured to compare the user name and password in the login request against a stored user information list; if the user information list contains the same user name and password, the verification result is that verification passed. Further, the authentication result may include: preparing a certificate authorization token, and sending the user-related information (user name, bound mobile phone number) together with the login success result.
The first request may arise as follows: when the user uses the first application and needs to perform a payment operation, a verification code must first be obtained; the first request is then produced by the user clicking a "get verification code" button in the display interface of the first application. The first application in this embodiment is an application that offers payment operations, for example Taobao or JD.com (Jingdong).
Besides the request to obtain the verification code, the first request may also carry identification information of the terminal device; the identification information may be the IMSI or TMSI of the terminal device, or a device name set specifically by the user of the terminal device.
Determining that the terminal device is legitimate according to the first request includes: judging whether the identification information in the first request is already recorded in the service list and, if so, determining that the terminal device is legitimate.
Further, when the terminal device is determined to be illegitimate, the processing flow is terminated, which indicates that this terminal device is not a legitimate device within the coverage area of the network device.
The verification code may be generated as a randomly generated N-digit number, where N is a positive integer greater than or equal to 1, for example 1234; or as a randomly generated picture containing M characters or letters, for example ABCD.
The verification code may be sent to the terminal device over a communication link, i.e. as an SMS message; or the information may be sent over a WiFi signal.
Verifying according to the second verification code in the second request may consist of extracting the verification code from the second request and comparing it with the first verification code that was sent to the mobile terminal; when the two are identical, verification succeeds, otherwise verification fails.
It is understood that, if verification fails, the network device may send a "verification code error" message to the terminal device, and after the user sees this message the second verification code can be re-entered.
If verification fails, the authentication unit is further configured to generate a new first verification code and send it to the terminal device, to receive the second request sent again by the terminal device, and to verify according to the second verification code in that second request.
The payment operation for the first application may be a payment operation for target information provided by the first application. Specifically: when the user views at least one item of target information displayed by the first application, one item is selected as needed and a payment operation is performed on it. The target information may be a product, displayed by the first application, that the user can buy, for example information about an item of clothing shown on a shopping web page.
Besides the target information, the payment operation may also include the payment method selected by the user, such as online payment or cash on delivery, and the user's shipping address for the product.
Preferably, the payment operation may be to determine, according to the selected target information, the payment method and shipping address chosen by the user and to proceed accordingly; this is not repeated here.
Preferably, the network device further includes a bandwidth adjustment unit 65, which adjusts the service bandwidth of the first communication unit to a preset value. The preset bandwidth value may be set according to the actual situation. Allocating bandwidth dynamically in this way guarantees the operating bandwidth of the terminal device and secures the authentication link, improving authentication efficiency and success rate.
The present embodiment is illustrated below with reference to Figures 3 and 4, assuming that the network device is a base station, the terminal device is a mobile phone, and the first application is a client:
First, as shown in Figure 3, the login flow includes:
Step 301: the user initiates a login request through the mobile phone client;
Step 302: the base station receives and forwards the login request;
Step 303: the server verifies the user information;
Step 304: after verification passes, the server prepares a certificate authorization token and sends the user-related information (user name, bound mobile phone number) and the login success result to the base station;
Step 305: the base station updates the service list, adding the legitimate user's information;
Step 306: the user is logged in on the client.
As shown in Figure 4, the payment authentication flow is:
Step 401: the user initiates an authentication request on the mobile phone;
Step 402: the base station accepts the authentication request, queries the service list and finds the legitimate user; it generates a verification code and adjusts the service bandwidth of this user;
Step 403: the base station sends the verification code to the legitimate user's bound mobile phone;
Step 404: the user receives the verification code, enters the order manually, and submits the order together with the authentication information;
Step 405: the base station verifies the verification code on the server's behalf;
Step 406: after verification passes, the user's order and the token are sent up to the server;
Step 407: the server processes the transaction.
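The login flow (Steps 301 to 306) and the payment authentication flow (Steps 401 to 407), together with the verification-code handling of Embodiments three and four (service list check, N-digit code generation, local verification with a fresh code after a failed attempt, and forwarding of only the order and token to the server), are simulated below. This is an added example, not code from the patent or from the applicant; the class and method names (NetworkDevice, Server, handle_login, handle_first_request, handle_second_request), the PRESET_BANDWIDTH_KBPS constant and the sample user record are assumptions made for the illustration.

```python
import hmac
import secrets
import string
from dataclasses import dataclass, field

# Constructed sample data for the illustration (not from the patent).
USER_DB = {"alice": {"password": "correct horse", "phone": "+86-13800000000"}}
PRESET_BANDWIDTH_KBPS = 512  # assumed "preset value" for the bandwidth adjustment unit


def generate_numeric_code(n_digits: int) -> str:
    """Randomly generated N-digit code (e.g. '1234'), drawn from a CSPRNG."""
    return "".join(str(secrets.randbelow(10)) for _ in range(n_digits))


def generate_letter_code(m_letters: int) -> str:
    """The alternative form: M random letters (e.g. 'ABCD') for a picture code."""
    return "".join(secrets.choice(string.ascii_uppercase) for _ in range(m_letters))


@dataclass
class Server:
    """The application server. It authenticates logins and processes orders;
    in this scheme it never receives or checks the verification code."""
    users: dict
    transactions: list = field(default_factory=list)

    def authenticate(self, username: str, password: str):
        """Third request (Steps 303-304): check credentials, return token + user info."""
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None
        return {"token": secrets.token_hex(16), "username": username, "phone": rec["phone"]}

    def process_order(self, order: dict, token: str) -> bool:
        """Step 407: process the transaction forwarded by the network device."""
        self.transactions.append({"order": order, "token": token})
        return True


@dataclass
class NetworkDevice:
    """Base station or WiFi access point acting as the verification-code proxy."""
    server: Server
    service_list: dict = field(default_factory=dict)   # device_id -> auth result
    pending_codes: dict = field(default_factory=dict)  # device_id -> outstanding first code
    sent_messages: list = field(default_factory=list)  # simulated SMS / WiFi deliveries
    bandwidth: dict = field(default_factory=dict)      # device_id -> allocated bandwidth

    def handle_login(self, device_id: str, username: str, password: str) -> bool:
        """Steps 302-305: forward the login request; on success record the device."""
        result = self.server.authenticate(username, password)
        if result is None:
            return False
        self.service_list[device_id] = result  # service list unit
        return True

    def handle_first_request(self, device_id: str, n_digits: int = 4) -> bool:
        """Steps 402-403: only devices in the service list get a code; terminate otherwise."""
        entry = self.service_list.get(device_id)
        if entry is None:
            return False  # illegitimate device within this coverage area
        code = generate_numeric_code(n_digits)
        self.pending_codes[device_id] = code
        self.bandwidth[device_id] = PRESET_BANDWIDTH_KBPS  # bandwidth adjustment unit
        self.sent_messages.append((entry["phone"], code))  # delivered only inside the cell
        return True

    def handle_second_request(self, device_id: str, submitted_code: str, order: dict) -> str:
        """Steps 405-406: compare the submitted code with the one issued; forward on success."""
        expected = self.pending_codes.get(device_id)
        if expected is None:
            return "no pending code"
        if not hmac.compare_digest(expected, submitted_code):
            # Failed verification: issue a new first verification code, as the text describes.
            self.handle_first_request(device_id, n_digits=len(expected))
            return "verification code error"
        del self.pending_codes[device_id]  # single use
        self.server.process_order(order, self.service_list[device_id]["token"])
        return "ok"
```

The server's transaction record holds only the order and the token, which is the point of the scheme: the verification code is generated, delivered and checked entirely on the access-network side. As written, and as the embodiments describe it, every failed attempt simply produces a fresh code; a deployment would additionally bound the number of attempts and expire outstanding codes, since otherwise a 4-digit code can be retried without limit.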
It can be seen that, with the above scheme, sending the verification code to the terminal device, obtaining the verification code from the second request returned by the terminal device, and verifying it are all completed at the network device; only after verification succeeds is the second request forwarded to the server, which then acts on the payment request it contains. The verification code therefore never needs to be sent to the server, which shortens the transmission path of the verification code, reduces latency, speeds up the verification operation and thus improves the user experience.
In addition, because the server sends the authentication result to the network device, the network device can add each terminal device that passed authentication to its service list. This imposes a geographical constraint: the network device provides the security authentication service only to users within its own coverage area, and the verification code is transmitted only within that cell, which improves security. Further, the verification interaction with the server is reduced, lowering the transmission load between the access network and the core network and avoiding congestion.
Embodiment five
This embodiment provides a security authentication system which, as shown in Figure 7, includes:
a network device 71, for receiving a first request sent by a terminal device within the coverage area, the first request being a request to obtain a verification code for a first application; generating a first verification code when the terminal device is determined to be legitimate according to the first request and sending the first verification code to the terminal device; receiving a second request sent by the terminal device, the second request carrying a second verification code sent by the terminal device and an operation on a target object in the first application; and verifying according to the second verification code in the second request and, when verification succeeds, sending the second request to a server;
a server 72, for processing according to the operation on the target object in the first application carried in the second request.
Figure 8 shows the connections between the component units of the system and the devices in which those units reside:
The network device includes:
a first communication unit, for receiving a first request sent by a terminal device within the coverage area, the first request being a request to obtain a verification code for a first application;
an authentication unit, for generating a first verification code when the terminal device is determined to be legitimate according to the first request and sending the first verification code to the terminal device via the first communication unit; and for verifying the second verification code carried in a second request and, when verification succeeds, sending the second request to the server via a second communication unit, so that the server processes the operation on the target object in the first application carried in the second request;
a second communication unit, for receiving the second request sent by the terminal device, the second request carrying the second verification code sent by the terminal device and the operation on the target object in the first application.
The network device further includes a service list unit, for adding the identification information of the terminal device to the service list when the authentication result is that authentication passed. Correspondingly, the authentication unit is further configured to receive a third request sent by the terminal device, the third request being a login request of the terminal device for the first application; to send the third request to the server via the second communication unit, so that the server performs authentication according to the third request and obtains an authentication result; and to receive the authentication result sent by the server.
The authentication unit is further configured to judge whether the identification information in the first request is already recorded in the service list kept by the service list unit; if it is, the terminal device is determined to be legitimate.
The network device further includes a bandwidth adjustment unit, which adjusts the service bandwidth of the first communication unit to a preset value.
Further, the server includes: a communication unit, for receiving the second request sent by the network device, the second request carrying the second verification code sent by the terminal device and the payment operation for the first application, and for receiving the third request sent by the network device, the third request being the terminal device's login request for the first application; and a certificate authorization unit, for extracting the payment operation for the first application from the second request, processing according to that payment operation and completing the payment operation of the terminal device, verifying according to the third request to obtain a verification result, and sending the verification result to the network device.
The present embodiment is illustrated below with reference to Figures 3 and 4, assuming that the network device is a base station, the terminal device is a mobile phone, and the first application is a client:
First, as shown in Figure 3, the login flow includes:
Step 301: the user initiates a login request through the mobile phone client;
Step 302: the base station receives and forwards the login request;
Step 303: the server verifies the user information;
Step 304: after verification passes, the server prepares a certificate authorization token and sends the user-related information (user name, bound mobile phone number) and the login success result to the base station;
Step 305: the base station updates the service list, adding the legitimate user's information;
Step 306: the user is logged in on the client.
As shown in Figure 4, the payment authentication flow is:
Step 401: the user initiates an authentication request on the mobile phone;
Step 402: the base station accepts the authentication request, queries the service list and finds the legitimate user; it generates a verification code and adjusts the service bandwidth of this user;
Step 403: the base station sends the verification code to the legitimate user's bound mobile phone;
Step 404: the user receives the verification code, enters the order manually, and submits the order together with the authentication information;
Step 405: the base station verifies the verification code on the server's behalf;
Step 406: after verification passes, the user's order and the token are sent up to the server;
Step 407: the server processes the transaction.
The present embodiment is illustrated below with reference to Figures 9 and 10, assuming that the network device is a wireless access point (WAP) with WiFi capability, the terminal device is a smartphone with WiFi capability, and the first application is a client:
First, as shown in Figure 9, the login flow includes:
Step 901: the smartphone first connects to the WAP over WiFi, and the user then initiates a login request to the WAP through the client on the smartphone;
Step 902: the WAP receives and forwards the login request;
Step 903: the server verifies the user information;
Step 904: after verification passes, the server prepares a certificate authorization token and sends the user-related information (user name, bound mobile phone number) and the login success result to the WAP;
Step 905: the WAP updates the service list, adding the legitimate user's information;
Step 906: the WAP notifies the client that login has succeeded.
As shown in Figure 10, the payment authentication flow is:
Step 1001: the user selects a product in the client on the smartphone and initiates an authentication request to the WAP;
Step 1002: the WAP accepts the authentication request, queries the service list and finds the legitimate user; it generates a verification code and adjusts the service bandwidth of this user;
Step 1003: the WAP sends the verification code to the smartphone over the WiFi connection;
Step 1004: the user receives the verification code, enters the order manually, and submits the order together with the authentication information;
Step 1005: the WAP verifies the verification code;
Step 1006: after verification passes, the WAP sends the user's order and the certificate authorization token up to the server;
Step 1007: the server processes the transaction.
It can be seen that, with the above scheme, sending the verification code to the terminal device, obtaining the verification code from the second request returned by the terminal device, and verifying it are all completed at the network device; only after verification succeeds is the second request forwarded to the server, which then acts on the payment request it contains. The verification code therefore never needs to be sent to the server, which shortens the transmission path of the verification code, reduces latency, speeds up the verification operation and thus improves the user experience.
In addition, because the server sends the authentication result to the network device, the network device can add each terminal device that passed authentication to its service list. This imposes a geographical constraint: the network device provides the security authentication service only to users within its own coverage area, and the verification code is transmitted only within that cell, which improves security. Further, the verification interaction with the server is reduced, lowering the transmission load between the access network and the core network and avoiding congestion.
In the several embodiments provided herein, it should be understood that the disclosed equipment may be implemented in other ways. The apparatus embodiments described above are merely illustrative; in an actual implementation the units may be divided differently, and some features may be omitted. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be an indirect coupling or communication connection through interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto; any person familiar with the art can readily conceive of changes or substitutions within the technical scope disclosed by the invention, and these should all fall within the protection scope of the present invention. Therefore, the protection scope of the present invention should be determined by the scope of the claims.

Claims (14)

1. a safety certifying method, is applied to the network equipment, it is characterised in that described method includes:
Receiving the first request that in coverage, described terminal unit is sent, described first request is the request obtaining the identifying code for the first application;
When determining that described terminal unit is legal according to described first request, generate the first identifying code, send described first identifying code extremely described terminal unit;
Receive described terminal unit and send the second request, the operation of destination object in carrying the second identifying code that terminal unit sends in described second request and applying for first;
It is verified according to described second identifying code in described second request, when being verified, sends described second and ask to server so that described server processes according to the operation of destination object in applying for first in described second request.
2. method according to claim 1, it is characterised in that described method also includes:
Receiving the 3rd request that terminal unit is sent, described 3rd request is the described terminal unit logging request for the first application;
Send the described 3rd to ask to server so that described server carries out authentication according to described 3rd request, obtains authentication result;
Receive the described authentication result that described server is sent, when described authentication result be authentication pass through time, the identification information of described terminal unit is added in service list.
3. method according to claim 2, it is characterised in that described determine that described terminal unit is legal include according to described first request:
Judge that whether the identification information in described first request is already recorded in described service list, if it is, determine that described terminal unit is legal.
4. method according to claim 1, it is characterised in that described second request of described transmission is to before server, and described method also includes:
The service bandwidth of described terminal unit is adjusted to preset value.
5. a network equipment, it is characterised in that the described network equipment includes:
First communication unit, for receiving the first request that in coverage, described terminal unit is sent, described first request is the request obtaining the identifying code for the first application;
Authentication ' unit, for when determining that described terminal unit is legal according to described first request, generating the first identifying code, sends described first identifying code extremely described terminal unit by the first communication unit;It is verified according to described second identifying code in described second request, when being verified, send described second by second communication unit to ask to server so that described server processes according to the operation of destination object in applying for first in described second request;
Second communication unit, is used for receiving described terminal unit and sends the second request, the operation of destination object in carrying the second identifying code that terminal unit sends in described second request and applying for first.
6. the network equipment according to claim 5, it is characterised in that the described network equipment also includes:
Service list unit, for when described authentication result be authentication pass through time, the identification information of described terminal unit is added in service list;
Accordingly, described authentication ' unit, it is additionally operable to receive the 3rd request that terminal unit is sent, described 3rd request is the described terminal unit logging request for the first application;Send the described 3rd by second communication unit to ask to server so that described server carries out authentication according to described 3rd request, obtains authentication result;Receive the described authentication result that described server is sent.
7. the network equipment according to claim 6, it is characterized in that, described authentication ' unit, be additionally operable to judge in the whether described service list already recorded in described service list unit of the identification information in described first request, if it is, determine that described terminal unit is legal.
8. the network equipment according to claim 5, it is characterised in that the described network equipment also includes:
Bandwidth adjustment unit, adjusts the service bandwidth of described first communication unit to preset value.
9. a security certification system, it is characterised in that described system includes:
The network equipment, for receiving the first request that in coverage, described terminal unit is sent, described first request is the request obtaining the identifying code for the first application;When determining that described terminal unit is legal according to described first request, generate the first identifying code, send described first identifying code extremely described terminal unit;Receive described terminal unit and send the second request, the operation of destination object in carrying the second identifying code that terminal unit sends in described second request and applying for first;It is verified according to described second identifying code in described second request, when being verified, sends described second and ask to server;
Server, for processing according to the operation of destination object in applying for first in described second request.
10. system according to claim 9, it is characterised in that the described network equipment includes:
a first communication unit, configured to receive a first request sent by the terminal device within the coverage range, the first request being a request to obtain a verification code for a first application;
an authentication unit, configured to: when the terminal device is determined to be legitimate according to the first request, generate a first verification code and send the first verification code to the terminal device via the first communication unit; and perform verification according to the second verification code in the second request and, when the verification succeeds, send the second request to the server via the second communication unit, so that the server performs processing according to the operation on the target object in the first application carried in the second request;
a second communication unit, configured to receive the second request sent by the terminal device, the second request carrying a second verification code sent by the terminal device and an operation on a target object in the first application.
11. The system according to claim 10, characterized in that the network device further includes:
a service list unit, configured to add identification information of the terminal device to a service list when the authentication result is that authentication has passed;
correspondingly, the authentication unit is further configured to: receive a third request sent by the terminal device, the third request being a login request of the terminal device for the first application; send the third request to the server via the second communication unit, so that the server performs authentication according to the third request and obtains an authentication result; and receive the authentication result sent by the server.
12. The system according to claim 11, characterized in that the authentication unit is further configured to judge whether the identification information in the first request is already recorded in the service list of the service list unit, and if so, to determine that the terminal device is legitimate.
13. The system according to claim 10, characterized in that the network device further includes:
a bandwidth adjustment unit, configured to adjust the service bandwidth of the first communication unit to a preset value.
14. The system according to claim 9, characterized in that the server includes:
a communication unit, configured to receive the second request sent by the network device, the second request carrying the second verification code sent by the terminal device and a delivery operation for the first application; and to receive the third request sent by the network device, the third request being a login request of the terminal device for the first application;
an authentication and authorization unit, configured to: extract the delivery operation for the first application from the second request; perform processing according to the delivery operation for the first application, completing the delivery operation of the terminal device; perform verification according to the third request to obtain a verification result; and send the verification result to the network device.
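The flow of claims 9 to 14, as an added Python model that is not part of the patent: the network device keeps a service list of terminals whose login the server has authenticated, issues a verification code only to a listed terminal, and forwards the terminal's operation to the server only after the code verifies. The credential store, the request dictionaries and the single-use handling of codes are assumptions made here, not taken from the claims.

```python
import hmac
import secrets

class Server:
    """Application server: authenticates logins and processes forwarded operations."""
    def __init__(self, credentials):
        self._credentials = credentials  # terminal id -> password (constructed sample store)
        self.processed = []

    def authenticate(self, third_request):
        # Claim 11: authenticate the login request and return the authentication result.
        tid = third_request["terminal_id"]
        ok = hmac.compare_digest(self._credentials.get(tid, ""), third_request["password"])
        return {"terminal_id": tid, "passed": ok}

    def process(self, second_request):
        # Claim 14: extract the operation on the target object and carry it out.
        self.processed.append((second_request["terminal_id"], second_request["operation"]))
        return True

class NetworkDevice:
    """Network device in the terminal's coverage range (claims 10 to 13)."""
    def __init__(self, server):
        self.server = server
        self.service_list = set()  # identification info of terminals whose login passed
        self._codes = {}           # terminal id -> outstanding first verification code

    def handle_login(self, third_request):
        # Claim 11: forward the login request; record the terminal if authentication passed.
        result = self.server.authenticate(third_request)
        if result["passed"]:
            self.service_list.add(result["terminal_id"])
        return result["passed"]

    def handle_code_request(self, first_request):
        # Claim 12: the terminal is legitimate only if its id is already on the service list.
        tid = first_request["terminal_id"]
        if tid not in self.service_list:
            return None
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        self._codes[tid] = code  # assumption: one outstanding code per terminal
        return code

    def handle_operation(self, second_request):
        # Claim 10: verify the second verification code, then forward the request to the server.
        tid = second_request["terminal_id"]
        expected = self._codes.pop(tid, None)  # assumption: a code is consumed on the first attempt
        if expected is None or not hmac.compare_digest(expected, second_request["code"]):
            return False
        return self.server.process(second_request)
```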
CN201410805859.XA 2014-12-19 2014-12-19 A kind of safety certifying method, the network equipment and system Active CN105763526B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410805859.XA CN105763526B (en) 2014-12-19 2014-12-19 A kind of safety certifying method, the network equipment and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410805859.XA CN105763526B (en) 2014-12-19 2014-12-19 A kind of safety certifying method, the network equipment and system

Publications (2)

Publication Number Publication Date
CN105763526A true CN105763526A (en) 2016-07-13
CN105763526B CN105763526B (en) 2019-01-01

Family

ID=56341401

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410805859.XA Active CN105763526B (en) 2014-12-19 2014-12-19 A kind of safety certifying method, the network equipment and system

Country Status (1)

Country Link
CN (1) CN105763526B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106454823A (en) * 2016-08-12 2017-02-22 中国南方电网有限责任公司 Authentication method for network security access and authentication system for implementing method
WO2023179320A1 (en) * 2022-03-25 2023-09-28 华为技术有限公司 Method for verifying position of terminal device, and communication apparatus

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101014958A (en) * 2004-07-09 2007-08-08 松下电器产业株式会社 System and method for managing user authentication and service authorization to achieve single-sign-on to access multiple network interfaces
CN101311953A (en) * 2007-05-25 2008-11-26 上海电虹软件有限公司 Network payment method and system based on voiceprint authentication
CN101841528A (en) * 2010-03-05 2010-09-22 中国电信股份有限公司 Service multi-terminal presentation method of uniform roaming authorization in IMS (Information Management System) environment as well as system thereof
CN103929402A (en) * 2013-01-11 2014-07-16 深圳市腾讯计算机系统有限公司 Sensitive operation verification method, terminal device, servers and verification system
CN104079527A (en) * 2013-03-26 2014-10-01 联想(北京)有限公司 Information processing method and electronic equipment

Also Published As

Publication number Publication date
CN105763526B (en) 2019-01-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant