CN106230603B - A kind of authentication authority method - Google Patents


Info

Publication number
CN106230603B
Authority
CN
China
Prior art keywords
user
client
message
service
certification
Legal status
Active
Application number
CN201610832308.1A
Other languages
Chinese (zh)
Other versions
CN106230603A (en)
Inventor
杨成
沈萦华
吴晓雨
张楠
朱亚平
Current Assignee
Communication University of China
Original Assignee
Communication University of China


Classifications

    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using challenge-response
    • H04L63/0892 Network architectures or network communication protocols for network security, for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L63/102 Network security for controlling access to devices or network resources: entity profiles
    • H04L63/108 Network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L12/1432 Charging, metering or billing arrangements for data wireline or wireless communications: metric aspects
    • H04L12/1439 Charging, metering or billing arrangements: metric aspects, time-based

Abstract

The invention discloses an authentication and authorization method comprising a first data preparation step, a first query step, an authentication step, an application step, a second data preparation step, a second query step, an authorization step and a service acceptance step. The method simplifies the logic on both the client and server sides and reduces the number of messages exchanged, making the whole authentication and authorization system lightweight while still guaranteeing sufficient security.

Description

A kind of authentication authority method
Technical field
The present invention relates to the field of network security, and in particular to an authentication and authorization method.
Background technique
With the rapid development of the internet, the contest between intrusion and intrusion countermeasures, and between network attacks and defensive measures, grows ever more intense, and network security problems are increasingly severe. How to ensure that the information of two communicating parties is transmitted safely and reliably over the internet has therefore been a constant concern. In view of this, various authentication protocols and permission description methods have emerged.
A comprehensive analysis of prior research shows that existing authentication protocols and permission description methods have problems. Specifically:
(1) Current authentication protocols and permission description methods are designed for large systems with complex permission descriptions, many users, complex network conditions and harsh security conditions; they are not suitable for small systems with few users, uncomplicated services and business, and uncomplicated security conditions;
(2) Research on lightweight authentication protocols for intelligent terminals with some computing capability, or for other clients that need to be lightweight, reduce consumption and simplify logic, is scarce. Existing technology is typically either full-featured but complex, or simple but limited in function. How to strike a balance between functionality and lightness still requires further study.
Therefore, an authentication and authorization method is urgently needed that makes the authentication and authorization system lightweight while still providing sufficient security.
Summary of the invention
The object of the present invention is to design a lightweight authentication protocol and permission description method for small systems, intelligent terminals and situations with few users, which simplifies the logic on both the client and server sides, reduces energy and power consumption and reduces the number of messages exchanged, thereby making the whole authentication and authorization system lightweight while striving to provide sufficient security on that lightweight basis.
To achieve this object, the invention proposes an authentication and authorization method that guarantees sufficient security while being lightweight.
The technical solution of the present invention is as follows:
An authentication and authorization method, comprising:
a first data preparation step, in which the client sends the hash value of the user identity to the authentication server;
a first query step, in which the authentication server queries the user database with the hash value of the user identity to obtain a first query result, the first query result including the user information and the user permission corresponding to the user;
an authentication step, in which the authentication server judges from the first query result whether the user passes authentication and, when the user passes, sends an authentication ticket corresponding to the user to the client, the authentication ticket including the user permission;
a second data preparation step, in which the client sends the client ticket and the service identifier the user is requesting to the authorization server;
a second query step, in which the authorization server queries the service database with the requested service identifier to obtain a second query result, the second query result including the service permission corresponding to the requested service identifier; the authorization server expands the user permission and the service permission in binary to obtain a user permission description corresponding to the user permission and a service permission description corresponding to the service permission;
an authorization step, in which the authorization server determines, from the user permission description and the service permission description, whether the user is entitled to request the service associated with the requested service identifier.
Preferably, the user permission is a decimal or hexadecimal number, and the service permission is a decimal or hexadecimal number.
Preferably, the authorization step includes:
judging whether the binary expansion terms that make up the service permission description and the binary expansion terms that make up the user permission description have an intersection;
when the binary expansion terms that make up the service permission description and those that make up the user permission description do have an intersection, determining that the user is entitled to request the service associated with the requested service identifier.
Preferably,
in the first data preparation step, the client sends a first message to the authentication server, the first message including a first data string and the hash value of the user identity; the client encrypts, with the user key, the data string made up of the client user identity, a first client random value and the first message timestamp to obtain the first data string;
in the first query step, the authentication server receives the first message and queries the user database with the hash value of the user identity in the first message to obtain the first query result, the first query result including the user information (the authentication user identity and the user password), the user permission, the remaining permission time, the remaining permission count and a session key;
in the authentication step, the authentication server judges from the first message and the first query result whether the user passes authentication and, when the user passes, sends a second message and a third message to the client and to the authorization server respectively; the second message includes the authentication ticket, the session key encrypted with the user key, and a second data string, where the authentication server encrypts with the session key the data string made up of a first authentication random value, the second message timestamp and a second authentication random value to obtain the second data string; the authentication server encrypts with the server shared key the data string made up of the second authentication random value, the authentication ticket, the session key and the hash value of the user identity to obtain the third message;
the method further includes an application step, in which the client receives the second message and judges from the first message and the second message whether the authentication server is legitimate; when the authentication server is legitimate, the client accepts the second message and executes the second data preparation step; when it is not, the client rejects the second message and terminates the process;
in the second data preparation step, the client sends a fourth message to the authorization server, the fourth message including the client ticket, a third data string and the hash value of the user identity; the client encrypts with the session key the data string made up of a second client random value, the fourth message timestamp, the requested service identifier and a third client random value to obtain the third data string;
in the second query step, the authorization server receives the fourth message and judges from the expiry state of the client ticket, the third message and the fourth message whether the user is entitled to query the service database; when the user is so entitled, it queries the service database with the requested service identifier to obtain the second query result, which includes the service permission corresponding to the requested service identifier; the authorization server expands the user permission and the service permission in binary to obtain the user permission description corresponding to the user permission and the service permission description corresponding to the service permission;
in the authorization step, the authorization server determines from the user permission description and the service permission description whether the user is entitled to request the service associated with the requested service identifier and, when the user is so entitled, sends a fifth message to the client, where the authorization server encrypts with the session key the data string made up of the requested service identifier, the fifth message timestamp and a third authorization random value to obtain the fifth message; the method further includes a service acceptance step, in which the client receives the fifth message and judges from the fourth message and the fifth message whether the authorization server is legitimate; when it is, the client accepts the fifth message and receives the service; when it is not, the client rejects the fifth message and terminates the process.
Preferably, in the authentication step, the authentication server judging from the first message and the first query result whether the user passes authentication specifically includes:
judging whether the remaining permission time, the remaining permission count, the client user identity and the first message timestamp satisfy a first preset condition and, when they do, determining that the user passes authentication; the first preset condition being that the remaining permission time is non-zero, the remaining permission count is non-zero, the client user identity is consistent with the authentication user identity, and the interval between the first message timestamp and the authentication server's current timestamp is less than a preset time interval threshold; or
judging whether the remaining permission time, the client user identity and the first message timestamp satisfy a second preset condition and, when they do, determining that the user passes authentication; the second preset condition being that the remaining permission time is non-zero, the client user identity is consistent with the authentication user identity, and the interval between the first message timestamp and the authentication server's current timestamp is less than the preset time interval threshold.
Preferably, in the application step, the client judging from the first message and the second message whether the authentication server is legitimate specifically includes:
judging whether the first authentication random value and the second message timestamp satisfy a third preset condition and, when they do, determining that the authentication server is legitimate; the third preset condition being that the first authentication random value is consistent with the first client random value, and the interval between the second message timestamp and the client's current timestamp is less than the preset time interval threshold.
Preferably, in the second query step, the authorization server judging from the expiry state of the client ticket, the third message and the fourth message whether the user is entitled to query the service database specifically includes:
judging whether the expiry state of the client ticket, the client ticket, the second client random value and the fourth message timestamp satisfy a fourth preset condition and, when they do, determining that the user is entitled to query the service database; the fourth preset condition being that the client ticket has not expired, the client ticket is consistent with the authentication ticket, the second client random value is consistent with the second authentication random value, and the interval between the fourth message timestamp and the authorization server's current timestamp is less than the preset time interval threshold.
Preferably, in the service acceptance step, the client judging from the fourth message and the fifth message whether the authorization server is legitimate specifically includes:
judging whether the requested service identifier, the third authorization random value and the fifth message timestamp satisfy a fifth preset condition and, when they do, determining that the authorization server is legitimate; the fifth preset condition being that the requested service identifier returned by the authorization server is consistent with the one the client sent, the third authorization random value is consistent with the third client random value, and the interval between the fifth message timestamp and the client's current timestamp is less than the preset time interval threshold.
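The five preset conditions above, applied to constructed messages, as an added Python example that is not part of the patent: the encryption of the data strings and the ticket format are abstracted away (the checks run on the already decrypted fields), and the 30-second threshold, the message field names and the sample values are assumptions.

```python
# Added example (not the patent's own code): the five preset conditions of the
# claims as predicate functions, run over constructed messages. Encryption and
# decryption of the data strings is assumed to have happened already.
import secrets
from dataclasses import dataclass

THRESHOLD = 30  # preset time interval threshold in seconds (assumed value)


def fresh(msg_ts: int, now: int, threshold: int = THRESHOLD) -> bool:
    """A timestamp is fresh when |msg_ts - now| is strictly less than the threshold."""
    return abs(now - msg_ts) < threshold


def same(a: bytes, b: bytes) -> bool:
    """Constant-time comparison of random values and tickets."""
    return secrets.compare_digest(a, b)


@dataclass
class UserRecord:  # first query result (constructed user database row)
    user_id: str
    permission: int
    remaining_time: int
    remaining_count: int
    session_key: bytes


@dataclass
class Msg1:  # client -> authentication server: identity, first client random value, timestamp
    user_id: str
    r1: bytes
    ts: int


@dataclass
class Msg2:  # authentication server -> client: ticket, first auth random value, timestamp, second auth random value
    ticket: bytes
    r1: bytes
    ts: int
    r2: bytes


@dataclass
class Msg3:  # authentication server -> authorization server (server shared key)
    r2: bytes
    ticket: bytes
    session_key: bytes


@dataclass
class Msg4:  # client -> authorization server: ticket, second client random value, timestamp, service id, third client random value
    ticket: bytes
    r2: bytes
    ts: int
    service_id: str
    r3: bytes


@dataclass
class Msg5:  # authorization server -> client: service id, timestamp, third authorization random value
    service_id: str
    ts: int
    r3: bytes


def auth_server_accepts(rec: UserRecord, m1: Msg1, now: int, charge_by_count: bool) -> bool:
    """First preset condition (charging by count) or second preset condition (by time)."""
    if rec.remaining_time == 0:
        return False
    if charge_by_count and rec.remaining_count == 0:
        return False
    return rec.user_id == m1.user_id and fresh(m1.ts, now)


def client_accepts_auth_server(m1: Msg1, m2: Msg2, now: int) -> bool:
    """Third preset condition: the server echoed the client's r1 and the reply is fresh."""
    return same(m2.r1, m1.r1) and fresh(m2.ts, now)


def authz_server_accepts(ticket_expired: bool, m3: Msg3, m4: Msg4, now: int) -> bool:
    """Fourth preset condition: ticket valid and equal to the one from Msg3, r2 echoed, fresh."""
    return (not ticket_expired and same(m4.ticket, m3.ticket)
            and same(m4.r2, m3.r2) and fresh(m4.ts, now))


def client_accepts_authz_server(m4: Msg4, m5: Msg5, now: int) -> bool:
    """Fifth preset condition: same service id, r3 echoed, fresh."""
    return m5.service_id == m4.service_id and same(m5.r3, m4.r3) and fresh(m5.ts, now)


def run_exchange(now: int = 1_000_000, delay: int = 0, fake_server: bool = False) -> dict:
    """One round with constructed values. `delay` is the age of Msg4 when the
    authorization server checks it (an old Msg4 presented again fails freshness);
    `fake_server` models a second message from a party that does not know r1."""
    rec = UserRecord("alice", permission=20, remaining_time=3600,
                     remaining_count=5, session_key=b"constructed-session-key")
    r1, r2, r3 = b"r1-client", b"r2-authserver", b"r3-client"
    m1 = Msg1("alice", r1, now)
    ok_auth = auth_server_accepts(rec, m1, now, charge_by_count=True)
    m2 = Msg2(b"ticket", b"unknown" if fake_server else r1, now + 1, r2)
    m3 = Msg3(r2, b"ticket", rec.session_key)
    ok_client_as = client_accepts_auth_server(m1, m2, now + 1)
    m4 = Msg4(m2.ticket, m2.r2, now + 2, "svc-7", r3)
    ok_authz = authz_server_accepts(False, m3, m4, now + 2 + delay)
    m5 = Msg5("svc-7", now + 3 + delay, r3)
    ok_client_az = client_accepts_authz_server(m4, m5, now + 3 + delay)
    return {"auth": ok_auth, "client_trusts_as": ok_client_as,
            "authz": ok_authz, "client_trusts_az": ok_client_az}
```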
Preferably, the method further includes:
when the expiry state of the client ticket indicates that the client ticket has expired, re-initiating authentication and authorization;
re-initiating authentication and authorization includes:
in the first data preparation step, the client encrypts with the session key the data string made up of the client user identity, the first client random value and the first message timestamp to obtain the first data string;
in the first query step, the first query result includes the user information (the authentication user identity and the user password), the user permission, the remaining permission time, the remaining permission count and a new session key;
in the authentication step, the second message includes the authentication ticket, the new session key encrypted with the session key, and the second data string, where the authentication server encrypts with the new session key the data string made up of the first authentication random value, the second message timestamp and the second authentication random value to obtain the second data string; the authentication server encrypts with the server shared key the data string made up of the second authentication random value, the authentication ticket, the new session key and the hash value of the user identity to obtain the third message;
in the second data preparation step, the client encrypts with the new session key the data string made up of the second client random value, the fourth message timestamp, the requested service identifier and the third client random value to obtain the third data string;
in the authorization step, the authorization server encrypts with the new session key the data string made up of the requested service identifier, the fifth message timestamp and the third authorization random value to obtain the fifth message.
Preferably, when the expiry state of the client ticket indicates that the client ticket has not expired, the client ticket is used to request services repeatedly.
Compared with the prior art, one or more embodiments of the above scheme can have the following advantages or beneficial effects:
1) Applying the authentication and authorization method provided by embodiments of the invention makes the authentication and authorization system lightweight while still guaranteeing sufficient security.
2) The invention supports two charging modes, by time and by count, which is sufficient to meet service needs to a certain degree.
3) The ticket in the invention contains only the user identity and the user permission, so that services can be requested repeatedly within the ticket's validity period.
4) The invention is well suited to small systems with intelligent terminals that have some computing and power capability and few users.
Other features and advantages of the invention will be set out in the following description and will in part become apparent from the description or be understood by practising the invention. The objects and other advantages of the invention can be realised and obtained by the structures specifically pointed out in the description, the claims and the drawings.
Detailed description of the invention
The drawings provide a further understanding of the invention and form part of the description; together with the embodiments of the invention they serve to explain the invention and are not to be construed as limiting it. In the drawings:
Fig. 1 shows a flow diagram of an authentication and authorization method according to an embodiment of the invention;
Fig. 2 shows another flow diagram of an authentication and authorization method according to an embodiment of the invention.
Specific embodiment
Embodiments of the invention are described in detail below with reference to the drawings and examples, so that the process by which the invention applies technical means to solve technical problems and achieve technical effects can be fully understood and implemented. It should be noted that, as long as no conflict arises, the embodiments of the invention and the features within them may be combined with each other, and the resulting technical solutions all fall within the scope of the invention.
In the prior art, various authentication protocols and permission description methods have been proposed to guarantee the security and reliability of the information of two communicating parties on the internet.
Specifically, regarding authentication, the IPsec, SSL, Kerberos and RADIUS authentication protocols have been proposed. IPsec is a network security scheme using algorithms such as RSA, Diffie-Hellman, MD5 and SHA-1; it can authenticate user identity and communicate securely, but it is a heavyweight scheme. SSL is a security protocol built on TCP/IP that authenticates with CA certificates, and implementing it requires additional CA infrastructure. IPsec and SSL are commercial-grade security schemes designed for the PC/web environment; each has its own scope of application and lacks scalability. Kerberos achieves mutual authentication of client and server, and its changing session keys and encrypted tickets enhance the protocol's security, so it is widely used. However, its authentication and authorization process is overly cumbersome: requesting a service takes six messages on average, and only services provided by the same server can be requested again; switching to a service provided by another server requires authenticating from the beginning. Much existing research improves Kerberos, generally by using elliptic curve or other asymmetric schemes to improve its security and make limited lightweight improvements; although security is improved, this does not fundamentally solve the lightweight problem of Kerberos. Lightness has to be approached comprehensively; one aspect or one algorithm alone is not enough. RADIUS is a lightweight authentication protocol, but it does not include mutual authentication: it only lets the server authenticate the client, and cannot cope with a fake server attack. Most existing research on lightweight authentication protocols targets RFID or other devices whose power consumption must be strictly controlled; their advantage is that they are lightweight, with very low power consumption and low demands on the device's computing capability.
Regarding permission description, current permission description models are mostly aimed at complete systems with complex permission descriptions, and generally comprise subject, object, permission, constraint and demand. The subject grants the object access rights within a restricted scope, and the object must present a demand before it can use the authorization. Although such models adapt to complex environments and meet various demands, they are complex and not easy to implement.
Based on the above analysis, existing technology is typically either full-featured but complex, or simple but limited in function. How to strike a balance between functionality and lightness still requires further study.
The purpose of embodiments of the invention is to design a lightweight authentication protocol and permission description method for small systems, intelligent terminals and situations with few users, which simplifies the logic on both the client and server sides, reduces energy and power consumption and reduces the number of messages exchanged, while striving to provide sufficient security. To this end, embodiments of the invention provide an authentication and authorization method that combines a lightweight authentication protocol with a binary permission description, so as to make the whole authentication and authorization system lightweight, reduce consumption at every stage, lighten the burden on server and client, and provide users with more convenient and more flexible services with sufficient security.
Embodiment one
Fig. 1 shows a flow diagram of an authentication and authorization method according to an embodiment of the invention. Referring to Fig. 1, the authentication and authorization method of this embodiment mainly includes steps 101 to 106.
In step 101, the first data preparation step, the client sends the hash value of the user identity to the authentication server.
In step 102, the first query step, the authentication server queries the user database with the hash value of the user identity to obtain a first query result. Here, the first query result includes the user information and the user permission corresponding to the user.
In step 103, the authentication step, the authentication server judges from the first query result whether the user passes authentication and, when the user passes, sends an authentication ticket corresponding to the user to the client. The authentication ticket includes the user permission.
In step 104, the second data preparation step, the client sends the client ticket and the service identifier the user is requesting to the authorization server.
In step 105, the second query step, the authorization server queries the service database with the requested service identifier to obtain a second query result. The second query result includes the service permission corresponding to the requested service identifier. The authorization server expands the user permission and the service permission in binary to obtain the user permission description corresponding to the user permission and the service permission description corresponding to the service permission.
In step 106, the authorization step, the authorization server determines from the user permission description and the service permission description whether the user is entitled to request the service associated with the requested service identifier.
The authentication and authorization method of this embodiment realises a lightweight authentication and authorization process. Specifically, this embodiment simplifies the logic on both the client and server sides, reduces energy and power consumption and reduces the number of messages exchanged, thereby making the whole authentication and authorization system lightweight. The embodiment is simple to implement, and so can provide users with more convenient and more flexible services.
Embodiment two
This embodiment further optimises the user permission and the service permission of embodiment one.
In this embodiment, the user permission is a decimal or hexadecimal number, and the service permission is a decimal or hexadecimal number.
To judge whether the user is entitled to request the service associated with the requested service identifier, the user permission and the service permission are first each expanded in binary, and then it is judged whether the binary expansion terms that make up the service permission description and those that make up the user permission description have an intersection. When they do, the user is determined to be entitled to request the service associated with the requested service identifier.
Binary data can be written in weighted-coefficient form (taking an integer as an example): $(a_{n-1}a_{n-2}a_{n-3}\ldots a_0)_2 = a_{n-1}\times 2^{n-1} + a_{n-2}\times 2^{n-2} + a_{n-3}\times 2^{n-3} + \ldots + a_0\times 2^0$, where each of $a_{n-1}, a_{n-2}, a_{n-3}, \ldots, a_0$ is 0 or 1. Converting the number on the left side of this formula to decimal or hexadecimal gives, for every decimal or hexadecimal number, a linear expression in the terms $2^0, 2^1, 2^2, \ldots, 2^n$ ($n \to \infty$). Because every number is unique, the linear expression of each decimal or hexadecimal number is different, and its coefficients are all 0 or 1. This embodiment preferably uses the binary expansion terms $2^0, 2^1, 2^2, \ldots, 2^n$ ($n \to \infty$) as the permission description of the user permission or of the service permission. Each user has a user permission or service permission represented by the decimal or hexadecimal number corresponding to that user. In practice, users are divided into n groups, where n is a non-zero integer, and the binary expansion terms $2^0, 2^1, 2^2, \ldots, 2^n$ serve as the group identifiers: the first group, the second group, the fourth group, the eighth group, the sixteenth group and so on. If a user belongs only to the fourth group, that user's permission is 4. If a user belongs to both the fourth and the sixteenth group, that user's permission is 4+16=20. In general, such a group corresponds to a bundled package of services, also called a business, and a user may subscribe to one or more businesses.
The unique identifier of a service is the requested service identifier. Each requested service identifier permits requests from the users described by the binary expansion terms $2^0, 2^1, 2^2, \ldots, 2^n$ ($n \to \infty$), that is, from the users in one or more user groups. For example, if a requested service identifier permits requests from the first, second and sixteenth groups, the service permission of that service is 1+2+16=19. If a requested service identifier permits requests from the fourth, eighth and thirty-second groups, the service permission of that service is 4+8+32=44. Therefore, as long as two requested service identifiers permit different user groups (in other words, the requested services belong to different business groupings), their service permissions also differ.
Based on this design of user permission and service permission, the authentication and authorization database needs at least two tables: a user information and user permission table (stored in the user database) and a service permission table (stored in the service database), both of them one-to-one tables. Specifically, when a server (the authentication server or the authorization server) receives a user's request for a service, it obtains the user identity and the requested service identifier. The server queries the user database with the user identity to obtain the user permission, and queries the service database with the requested service identifier to obtain the service permission. The user permission and the service permission are each expanded in binary; if the binary expansion terms of the user permission and those of the service permission share one or more terms, the user is given the service, otherwise the user is not. For example, if the service permission is 45 and the user permission is 4, the service permission 45 decomposes into 32+8+4+1. The expansion 32+8+4+1 contains the expansion term 4, so the user is given the service. As another example, if the service permission is 45 and the user permission is 20, then 45 decomposes into 32+8+4+1 and 20 into 16+4. The expansions 32+8+4+1 and 16+4 share the permission description 4 (which shows that this user has subscribed to business 4, and this service is included in business 4), so the user is given the service. If there is no intersection between the service permission description and the user permission description (they share no term), the user's request is refused.
Method is described using binary system permission described in the present embodiment, by carrying out respectively to user right and Service Privileges Binary expansion simultaneously judges to be unfolded whether item has intersection, to determine whether user has the right to apply applying for that service identifiers are related to user The service of connection.In addition, database only needs a user information and user right table and a Service Privileges table, permission description field Simply, it is easily handled and judges.As it can be seen that the binary system permission described in through this embodiment describes method and further improves certification Authorize lightweight.
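The permission check of this embodiment, written out as an added example (not code from the patent). It assumes, as the embodiment does, that user rights and service privileges are non-negative integers whose binary expansion terms 1, 2, 4, 8, ... identify user groups; the function and variable names are the example's own.

```python
"""Binary permission description of Embodiment Two.  Added example, not code from the
patent.  Assumes user rights and service privileges are non-negative integers whose
binary expansion terms (1, 2, 4, 8, ...) identify user groups, as the embodiment describes."""


def is_valid_group(group):
    """A group identifier must be a single binary expansion term, i.e. a power of two."""
    return isinstance(group, int) and group > 0 and group & (group - 1) == 0


def expansion_terms(value):
    """Binary expansion terms of value, e.g. 45 -> {32, 8, 4, 1}."""
    if not isinstance(value, int) or value < 0:
        raise ValueError("permission values are non-negative integers")
    terms, bit = set(), 1
    while value:
        if value & 1:
            terms.add(bit)
        value >>= 1
        bit <<= 1
    return terms


def right_from_groups(groups):
    """Encode membership in the given groups as one decimal number, e.g. [4, 16] -> 20."""
    bad = [g for g in groups if not is_valid_group(g)]
    if bad:
        raise ValueError(f"not a group identifier: {bad}")
    return sum(set(groups))  # a set, so a group listed twice is not counted twice


def common_terms(user_right, service_privilege):
    """Expansion terms shared by the user right and the service privilege (the intersection)."""
    return expansion_terms(user_right) & expansion_terms(service_privilege)


def has_right(user_right, service_privilege):
    """Grant when the two expansions intersect; equivalent to (user_right & service_privilege) != 0."""
    return bool(common_terms(user_right, service_privilege))
```

The intersection test is a single bitwise AND, which is what makes the scheme cheap on a constrained terminal. The validation in `right_from_groups` matters operationally: a value that is not a sum of group identifiers (for example a group "3") would silently be interpreted as membership in groups 1 and 2, and a service privilege set to all ones would grant every user, so stored values should be checked against the n groups actually defined.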
Embodiment three
To present the scheme and the beneficial effects of the embodiments of the invention clearly, some definitions are given before the third specific embodiment of the invention is set out:
C → S: this message is sent from the client to the authentication server
S → C: this message is sent from the authentication server to the client
C → S': this message is sent from the client to the authorization server
S' → C: this message is sent from the authorization server to the client
S → S': this message is sent from the authentication server to the authorization server
S' → S: this message is sent from the authorization server to the authentication server
E(text1, text2, …; K): text1, text2, etc. are concatenated and encrypted with key K
ID: user identifier
R1, R2, R3: random numbers or random values
Timestamp: timestamp
Kc: user key, shared by the client and the server side
Kcss: session key
Kcss': old session key
SID: requested service identifier
Ks: server shared key
E(text1; K1), E(text2; K2): this message is the concatenation of text1 encrypted with K1 and text2 encrypted with K2
First message: C → S: E(client ID, client R1, first message Timestamp; Kc), Hash(ID)
Second message: S → C: E(authentication ID, Timestamp, Character; Ks), E(Kcss; Kc), E(authentication R1, second message Timestamp, authentication R2; Kcss)
The first part, E(authentication ID, Timestamp, Character; Ks), is also called the authentication ServerTicket (authentication ticket), abbreviated authentication ST. Although the authentication ST is illustrated here without Number, it may in fact include Number. The position of Number must therefore be reserved; if Number is not included, a special marker that cannot be confused with a value is placed in the reserved position. In notation, an authentication ST without Number is written E(authentication ID, Timestamp, Character; Ks), and an authentication ST with Number is written E(authentication ID, Timestamp, Character, Number; Ks). A client ST is written in the same way as an authentication ST except that the authentication ID is replaced by the client ID, and it likewise comes in two forms, with and without Number.
Third message: S → S': E(authentication R2, authentication ST, Kcss, Hash(ID); Ks)
Fourth message: C → S': client ST, E(client R2, fourth message Timestamp, client SID, client R3; Kcss), Hash(ID)
Fifth message: S' → C: E(authorization SID, fifth message Timestamp, authorization R3; Kcss)
Sixth message: C → S: E(client ID, client R1, sixth message Timestamp; Kcss'), Hash(ID)
Seventh message: S → C: E(authentication ID, Timestamp, Character; Ks), E(Kcss; Kcss'), E(authentication R1, seventh message Timestamp, authentication R2; Kcss)
Eighth message: S' → S: E(Number, Hash(ID); Ks)
For the message definitions above, it should be understood that the client ST is the ST the client has received from the authentication server, and the authentication ST is the ST the authentication server issues to the client or to the authorization server. Client R1 (first client random value) is the R1 generated by the client; authentication R1 (first authentication random value) is the R1 the authentication server receives from the client. Client R2 (second client random value) is the R2 the client receives from the authentication server; authentication R2 (second authentication random value) is the R2 generated by the authentication server, and also the R2 the authorization server receives from the authentication server. Client R3 (third client random value) is the R3 generated by the client; authorization R3 (third authorization random value) is the R3 the authorization server receives from the client. The client ID is the ID obtained by the client; the authentication ID is the ID retrieved from the user database. The client SID is the SID obtained by the client; the authorization SID is the SID the authorization server receives from the client. The first, fourth and sixth message Timestamps are the Timestamps at which the client sends the first, fourth and sixth messages respectively; the second and seventh message Timestamps are the Timestamps at which the authentication server sends the second and seventh messages; the fifth message Timestamp is the Timestamp at which the authorization server sends the fifth message. The Timestamp inside a client ST is the expiry Timestamp of the client ST, i.e. the Timestamp of the moment the client ST expires; the Timestamp inside an authentication ST is the expiry Timestamp of the authentication ST, i.e. the Timestamp of the moment the authentication ST expires.
User database fields:
Service database fields:
authentication SID (authenticated user requested service identifier) | Service Privileges
Fig. 2 shows another flow diagram of the authentication and authorization method of an embodiment of the invention. As shown in Fig. 2, the specific protocol workflow of the authentication and authorization method of this embodiment comprises steps 201 to 208.
In step 201, the first data preparation step, the client obtains the ID and Password, generates client R1, the first message Timestamp and Kc, encrypts the client ID, client R1 and first message Timestamp with Kc, appends Hash(ID), and sends the result to the authentication server as the first message.
In a specific implementation, authentication is re-initiated when the client ST has expired. The client obtains the ID and Kcss', generates client R1 and the sixth message Timestamp, encrypts the client ID, client R1 and sixth message Timestamp with Kcss', appends Hash(ID), and sends the result to the authentication server as the sixth message.
In step 202, the first query step, after receiving the request carried by the first message or the sixth message the authentication server queries the user database with Hash(ID) and obtains the first query result: authentication ID, Password, Character, Timeleft, Number and Kcss, which the user database returns to the authentication server.
In step 203, the authentication step, after receiving the first query result from the user database the authentication server first checks whether the service is charged per use or subscribed by time. If the service is charged per use, it further has to judge the expiry state of the client ST and the state of Number (an error is returned when Number is zero). If the service is subscribed by time, it further has to judge the expiry state of the client ST and the state of Timeleft (an error is returned when Timeleft is zero). Four situations are distinguished.
First situation: the service is charged per use, the client ST has not expired and Number is not zero. Kc is first generated from the authentication ID and Password and used to decrypt the received first message; the client ID is extracted and compared with the authentication ID returned by the user database, and an error is returned if they differ. The received first message Timestamp is also checked against the current authentication server Timestamp, and an error is returned if the difference is too large. Otherwise the following steps are executed: an authentication ST is generated from the authentication ID, the expiry Timestamp of the authentication ST, Character and Number; the generated Kcss is encrypted with Kc; authentication R1, the second message Timestamp and the generated authentication R2 are encrypted with Kcss; and the three parts are combined into the second message and sent to the client.
Second situation: the service is charged per use, the client ST has expired and Number is not zero. The received sixth message is first decrypted with Kcss'; the client ID is extracted and compared with the authentication ID returned by the user database, and an error is returned if they differ. The received sixth message Timestamp is also checked against the current authentication server Timestamp, and an error is returned if the difference is too large. Otherwise the following steps are executed: an authentication ST is generated from the authentication ID, the expiry Timestamp of the authentication ST, Character and Number; the generated Kcss is encrypted with Kcss'; authentication R1, the seventh message Timestamp and the generated authentication R2 are encrypted with Kcss; and the three parts are combined into the seventh message and sent to the client.
Third situation: the service is subscribed by time, the client ST has not expired and Timeleft is not zero. Kc is first generated from the authentication ID and Password and used to decrypt the received first message; the client ID is extracted and compared with the authentication ID returned by the database, and an error is returned if they differ. The received first message Timestamp is also checked against the current authentication server Timestamp, and an error is returned if the difference is too large. Otherwise the following steps are executed: it is first judged whether the Timeleft value is less than the validity period of an authentication ST; if so, the expiry Timestamp of the authentication ST equals the current authentication server Timestamp plus Timeleft, otherwise it is the validity period of the authentication ST. Then an authentication ST is generated from the authentication ID, the expiry Timestamp of the authentication ST and Character; the generated Kcss is encrypted with Kc; authentication R1, the second message Timestamp and the generated authentication R2 are encrypted with Kcss; and the three parts are combined into the second message and sent to the client.
Fourth situation: the service is subscribed by time, the client ST has expired and Timeleft is not zero. The received sixth message is first decrypted with Kcss'; the client ID is extracted and compared with the authentication ID returned by the user database, and an error is returned if they differ. The received sixth message Timestamp is also checked against the current authentication server Timestamp, and an error is returned if the difference is too large. Otherwise the following steps are executed: it is first judged whether the Timeleft value is less than the validity period of an authentication ST; if so, the expiry Timestamp of the authentication ST equals the current authentication server Timestamp plus Timeleft, otherwise it is the validity period of the authentication ST. Then an authentication ST is generated from the authentication ID, the expiry Timestamp of the authentication ST and Character; the generated Kcss is encrypted with Kcss'; authentication R1, the seventh message Timestamp and the generated authentication R2 are encrypted with Kcss; and the three parts are combined into the seventh message and sent to the client.
In step 204, the request step, receipt of the second message or the seventh message means that the client has passed authentication and has received an authentication ST representing its identity; what follows is the procedure for judging whether the authentication server is legitimate:
If the client receives the second message, it first decrypts Kcss with Kc, then decrypts authentication R1, the second message Timestamp and authentication R2 with Kcss, and checks the values of authentication R1 and the second message Timestamp. If authentication R1 differs from client R1, or the second message Timestamp differs too much from the current client Timestamp, an error is returned. If there is no error, the authentication server is judged legitimate and the user requests the service. Within the validity period of the client ST, the ST can be used to request services repeatedly.
If the client receives the seventh message, it first decrypts Kcss with Kcss', then decrypts authentication R1, the seventh message Timestamp and authentication R2 with Kcss, and checks the values of authentication R1 and the seventh message Timestamp. If authentication R1 differs from client R1, or the seventh message Timestamp differs too much from the current client Timestamp, an error is returned. If there is no error, the authentication server is judged legitimate and the user requests the service. Within the validity period of the client ST, the ST can be used to request services repeatedly.
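Steps 201 to 204 (first message, the authentication server's checks in the first situation, the second message, and the client's check of the server) carried through as an added example; this is not the patent's own code and the page names no cipher, so E(text; K) is modelled by a constructed stand-in (SHA-256 keystream with an HMAC-SHA256 tag). The key derivation for Kc, the JSON field encoding, the 30-second threshold, the ST validity period and the sample user record are all assumptions of the example; `ticket_expiry` covers the Timeleft rule of the third and fourth situations.

```python
"""Steps 201 to 204 of Embodiment Three: first message, authentication server checks, second
message, and the client's check of the server.  Added example, not the patent's own code.
Constructed assumptions: E(text; K) is a stand-in authenticated encryption (SHA-256 keystream
plus HMAC-SHA256 tag), fields travel as JSON lists, Kc = SHA-256(ID ":" Password),
Hash(ID) = SHA-256(ID), and the time interval threshold is 30 seconds."""
import hashlib
import hmac
import json
import secrets

THRESHOLD = 30      # assumed preset time interval threshold, seconds
ST_VALIDITY = 3600  # assumed validity period of an authentication ST, seconds

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def E(fields, key):
    """Stand-in for E(text1, text2, ...; K): serialise, encrypt, then tag."""
    plain = json.dumps(fields).encode()
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def D(blob, key):
    """Inverse of E; raises ValueError when the tag does not verify under key."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("message does not verify under this key")
    return json.loads(bytes(b ^ k for b, k in zip(body, _keystream(key, nonce, len(body)))))

def hash_id(user_id):
    return hashlib.sha256(user_id.encode()).hexdigest()

def kc_from(user_id, password):
    return hashlib.sha256(f"{user_id}:{password}".encode()).digest()

def ticket_expiry(now, timeleft, validity=ST_VALIDITY):
    """Expiry Timestamp of an authentication ST for a time-based subscription (step 203, third
    and fourth situations); 'otherwise the validity period' is read as now + validity (assumed)."""
    return now + timeleft if timeleft < validity else now + validity

# Constructed user database record, keyed by Hash(ID) as the first query step expects.
USER_DB = {hash_id("alice"): {"ID": "alice", "Password": "pw-example", "Character": 20,
                              "Timeleft": 0, "Number": 5}}
KS = secrets.token_bytes(32)  # server shared key Ks (constructed)

def client_first_message(user_id, password, now):
    """Step 201: C -> S: E(client ID, client R1, first message Timestamp; Kc), Hash(ID)."""
    r1 = secrets.randbits(32)
    return (E([user_id, r1, now], kc_from(user_id, password)), hash_id(user_id)), r1

def server_authenticate(first_msg, now, user_db=USER_DB, ks=KS):
    """Steps 202 and 203, first situation: per-count billing, client ST not expired."""
    enc, hid = first_msg
    rec = user_db.get(hid)                      # first query result
    if rec is None or rec["Number"] == 0:
        raise PermissionError("unknown Hash(ID) or Number is zero")
    kc = kc_from(rec["ID"], rec["Password"])    # Kc from authentication ID and Password
    client_id, r1, ts = D(enc, kc)
    if client_id != rec["ID"]:
        raise PermissionError("client ID differs from authentication ID")
    if abs(now - ts) > THRESHOLD:
        raise PermissionError("first message Timestamp too far from server time")
    st = E([rec["ID"], now + ST_VALIDITY, rec["Character"], rec["Number"]], ks)  # authentication ST
    kcss, r2 = secrets.token_bytes(32), secrets.randbits(32)
    return (st, E([kcss.hex()], kc), E([r1, now, r2], kcss)), kcss, r2

def client_check_second(second, kc, r1, now):
    """Step 204: decide whether the authentication server is legitimate."""
    st, enc_kcss, enc_auth = second
    kcss = bytes.fromhex(D(enc_kcss, kc)[0])
    auth_r1, ts2, r2 = D(enc_auth, kcss)
    if auth_r1 != r1:
        raise PermissionError("authentication R1 differs from client R1")
    if abs(now - ts2) > THRESHOLD:
        raise PermissionError("second message Timestamp too far from client time")
    return st, kcss, r2                         # st is kept as the client ST

def demo(now=1_700_000_000):
    """Honest exchange plus two failing ones; returns the outcomes as booleans."""
    kc = kc_from("alice", "pw-example")
    first, r1 = client_first_message("alice", "pw-example", now)
    second, kcss_srv, _ = server_authenticate(first, now)
    st, kcss_cli, _ = client_check_second(second, kc, r1, now)
    out = {"session_key_agreed": kcss_cli == kcss_srv, "ticket_decrypts": D(st, KS)[0] == "alice"}
    try:    # the same first message presented again outside the threshold
        server_authenticate(first, now + THRESHOLD + 1)
        out["stale_rejected"] = False
    except PermissionError:
        out["stale_rejected"] = True
    try:    # a party without Kc cannot produce a valid E(Kcss; Kc)
        client_check_second((st, E([kcss_srv.hex()], b"not-kc"), second[2]), kc, r1, now)
        out["forged_rejected"] = False
    except ValueError:
        out["forged_rejected"] = True
    return out
```

Two points the code makes explicit: the client's trust in the server rests on the server proving knowledge of Kc (only a holder of Kc can wrap Kcss) and on R1 coming back unchanged, while the timestamp threshold only bounds how long a captured message stays usable, so the window should be set as small as clock skew permits.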
In step 205, the second data preparation step, the client obtains the SID, generates client R3 and the fourth message Timestamp, encrypts client R2, the fourth message Timestamp, client SID and client R3 with Kcss, places the client ST in front, appends Hash(ID), and sends the result to the authorization server in the format of the fourth message to request the service.
In step 206, the second query step, after receiving the request carried by the fourth message the authorization server first judges whether it is the same server as the authentication server, and checks whether the service is charged per use or subscribed by time. Four situations are distinguished.
First situation: the authorization server is different from the authentication server and the service is subscribed by time. The authorization server receives the third message and decrypts authentication R2, authentication ST, Kcss and Hash(ID) with Ks. Hash(ID) is used to identify the message sent by the client. The authentication ST decrypted from the third message is first compared with the client ST in the received fourth message, and an error is returned if they differ. If they are identical, the authentication ST is decrypted with Ks and its Timestamp is checked; an error is returned if the authentication ST has expired. If it has not expired, Character is taken from the authentication ST and stored for later use. The received fourth message is then decrypted with the correct Kcss to obtain client R2, the fourth message Timestamp, client SID and client R3, which are checked one by one: first whether client R2 equals the authentication R2 obtained from the third message, returning an error if not; if they are equal, whether the fourth message Timestamp and the current authorization server Timestamp differ too much, returning an error if so. If there is no error, the service database is queried with the authorization SID to obtain the second query result, which includes the service privilege corresponding to the authorization SID. The authorization server expands the user right and the service privilege in binary respectively, obtaining the user right description corresponding to the user right and the service privilege description corresponding to the service privilege.
Second situation: the authorization server is the same as the authentication server and the service is subscribed by time. The authorization server receives authentication R2, authentication ST, Kcss and Hash(ID) by inter-process communication or another channel. Hash(ID) is used to identify the message sent by the client. The authentication ST received from the authentication server is first decrypted and compared with the client ST in the received fourth message, and an error is returned if they differ. If they are identical, the authentication ST is decrypted with Ks and its Timestamp is checked; an error is returned if the authentication ST has expired. If it has not expired, Character is taken from the authentication ST and stored for later use. The received fourth message is then decrypted with the correct Kcss to obtain client R2, the fourth message Timestamp, client SID and client R3, which are checked one by one: first whether client R2 equals the authentication R2 obtained, returning an error if not; if they are equal, whether the fourth message Timestamp and the current authorization server Timestamp differ too much, returning an error if so. If there is no error, the service database is queried with the authorization SID to obtain the second query result, which includes the service privilege corresponding to the authorization SID. The authorization server expands the user right and the service privilege in binary respectively, obtaining the user right description corresponding to the user right and the service privilege description corresponding to the service privilege.
Third situation: the authorization server is different from the authentication server and the service is charged per use. The authorization server receives the third message and decrypts authentication R2, authentication ST, Kcss and Hash(ID) with Ks. Hash(ID) is used to identify the message sent by the client. The authentication ST decrypted from the third message is first compared with the client ST in the received fourth message, and an error is returned if they differ. If they are identical, the authentication ST is decrypted with Ks and its Timestamp and Number are checked; an error is returned if the authentication ST has expired or Number is 0. Otherwise Character and Number are taken from the authentication ST and stored for later use. The received fourth message is then decrypted with the correct Kcss to obtain client R2, the fourth message Timestamp, client SID and client R3, which are checked one by one: first whether client R2 equals the authentication R2 obtained from the third message, returning an error if not; if they are equal, whether the fourth message Timestamp and the current authorization server Timestamp differ too much, returning an error if so. If there is no error, the service database is queried with the authorization SID to obtain the second query result, which includes the service privilege corresponding to the authorization SID. The authorization server expands the user right and the service privilege in binary respectively, obtaining the user right description corresponding to the user right and the service privilege description corresponding to the service privilege.
Fourth situation: the authorization server is the same as the authentication server and the service is charged per use. The authorization server receives authentication R2, authentication ST, Kcss and Hash(ID) by inter-process communication or another channel. Hash(ID) is used to identify the message sent by the client. The authentication ST received from the authentication server is first decrypted and compared with the client ST in the received fourth message, and an error is returned if they differ. If they are identical, the authentication ST is decrypted with Ks and its Timestamp and Number are checked; an error is returned if the authentication ST has expired or Number is 0. Otherwise Character and Number are taken from the authentication ST and stored for later use. The received fourth message is then decrypted with the correct Kcss to obtain client R2, the fourth message Timestamp, client SID and client R3, which are checked one by one: first whether client R2 equals the authentication R2 obtained, returning an error if not; if they are equal, whether the fourth message Timestamp and the current authorization server Timestamp differ too much, returning an error if so. If there is no error, the service database is queried with the authorization SID to obtain the second query result, which includes the service privilege corresponding to the authorization SID. The authorization server expands the user right and the service privilege in binary respectively, obtaining the user right description corresponding to the user right and the service privilege description corresponding to the service privilege.
In step 207, the authorization step, the authorization server determines from the user right description and the service privilege description, using the method of Embodiment Two, whether the user is entitled to request the service associated with the authorization SID.
If the authentication ST includes Number, i.e. the service is charged per use, then if the user has the right, Number = Number - 1, Number and Hash(ID) are encrypted with Ks and sent to the authentication server in the eighth message format, and the received authorization SID, the fifth message Timestamp and authorization R3 are encrypted with Kcss and sent to the client in the fifth message format. If the user does not have the right, an error is returned.
If the authentication ST does not include Number, i.e. the service is subscribed by time, then if the user has the right, the received authorization SID, the fifth message Timestamp and authorization R3 are encrypted with Kcss and sent to the client in the fifth message format. If the user does not have the right, an error is returned.
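The authorization server's side of steps 206 and 207, as an added example that is not the patent's own code. It operates on fields that have already been decrypted (the cipher is left out) and assumes a dict representation of the third message and of the ST fields, a 30-second threshold, and a constructed service privilege table; the ordering of checks follows the page, with the Embodiment Two test applied last.

```python
"""Steps 206 and 207 of Embodiment Three on the authorization server, operating on fields
that have already been decrypted.  Added example, not the patent's own code.  Assumptions:
the third message and the ST fields are dicts, the time interval threshold is 30 seconds,
and the service database is a constructed dict mapping a SID to its service privilege."""

THRESHOLD = 30  # assumed preset time interval threshold, seconds

# Constructed service privilege table (source of the second query result): SID -> privilege.
SERVICE_DB = {"news": 45, "premium-video": 40}


class AuthorizationError(Exception):
    """Raised wherever the page says 'an error is returned'."""


def authorize(third, client_st, fourth, now, service_db=SERVICE_DB):
    """Step 206 checks, then the step 207 decision.

    third:     {"R2": authentication R2, "ST": authentication ST as received (opaque bytes),
                "ST_fields": its decrypted fields, "HashID": Hash(ID)} from the third message
    client_st: the client ST carried by the fourth message (opaque bytes)
    fourth:    decrypted fourth message (client R2, fourth message Timestamp, client SID, client R3)
    Returns (fifth message fields, eighth message fields or None for time-based billing).
    """
    st = third["ST_fields"]
    if client_st != third["ST"]:
        raise AuthorizationError("client ST differs from the authentication ST")
    if st["Timestamp"] <= now:                 # the Timestamp in an ST is its expiry moment
        raise AuthorizationError("authentication ST has expired")
    per_count = "Number" in st                 # Number present means the service is charged per use
    if per_count and st["Number"] == 0:
        raise AuthorizationError("Number is zero")
    client_r2, ts4, client_sid, client_r3 = fourth
    if client_r2 != third["R2"]:
        raise AuthorizationError("client R2 differs from authentication R2")
    if abs(now - ts4) > THRESHOLD:
        raise AuthorizationError("fourth message Timestamp too far from server time")
    if client_sid not in service_db:
        raise AuthorizationError("no service privilege for this SID")
    service_privilege = service_db[client_sid]  # second query result
    # Step 207: Embodiment Two's test; the binary expansions intersect iff the AND is non-zero.
    if st["Character"] & service_privilege == 0:
        raise AuthorizationError("user right and service privilege do not intersect")
    fifth = (client_sid, now, client_r3)       # authorization SID, fifth message Timestamp, authorization R3
    eighth = (st["Number"] - 1, third["HashID"]) if per_count else None  # Number = Number - 1
    return fifth, eighth


def demo(now=1_700_000_000):
    """Constructed inputs: a user in groups 4 and 16 (Character 20) with 5 uses left."""
    third = {"R2": 777, "ST": b"opaque-st-bytes", "HashID": "hash-of-alice",
             "ST_fields": {"ID": "alice", "Timestamp": now + 600, "Character": 20, "Number": 5}}
    out = {}
    fifth, eighth = authorize(third, b"opaque-st-bytes", (777, now + 3, "news", 4242), now)
    out["granted"] = fifth == ("news", now, 4242) and eighth == (4, "hash-of-alice")
    cases = [
        ("wrong_group", b"opaque-st-bytes", (777, now, "premium-video", 1), now),  # 20 & 40 == 0
        ("replayed_r2", b"opaque-st-bytes", (778, now, "news", 1), now),
        ("expired_st", b"opaque-st-bytes", (777, now + 601, "news", 1), now + 601),
        ("foreign_st", b"someone-elses-st", (777, now, "news", 1), now),
    ]
    for name, st_bytes, fourth, at in cases:
        try:
            authorize(third, st_bytes, fourth, at)
            out[name] = "granted"
        except AuthorizationError as err:
            out[name] = str(err)
    return out
```

The comparison of the presented client ST against the authentication ST received in the third message binds the request to a ticket the authentication server actually issued, and the R2 check binds it to that specific authentication run; the eighth message is the only path by which the per-use count reaches the user database, so its loss would leave Number undecremented.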
In step 208, the service receiving step, the client receives the fifth message and decrypts it with Kcss to obtain the authorization SID, the fifth message Timestamp and authorization R3. It compares the authorization SID with the client SID in the fourth message and returns an error if they differ; if they are identical, it compares the fifth message Timestamp with the current client Timestamp and returns an error if the difference is too large; if no error has occurred, it compares authorization R3 with client R3 in the fourth message and returns an error if they differ. If there is no error, the authorization server is judged legitimate and the user receives the service. The authentication and authorization process is then complete.
It should be noted that, in this embodiment, "the difference is too large" means that the interval between the two timestamps being compared exceeds a preset time interval threshold. In a specific implementation, those skilled in the art can set the time interval threshold according to actual needs.
In summary, the authentication and authorization method provided by the embodiments of the invention simplifies the logic on both the client side and the server side, reduces energy and power consumption, and reduces the number of communications, so that the whole authentication and authorization system becomes lightweight while sufficient security is still ensured. In addition, this embodiment supports two billing modes, by time and by count, which suffices for the needs of services to a certain degree. The ticket in this embodiment contains only the user identity and the user right, so that services can be requested repeatedly within the validity period of the ticket. This embodiment is well suited to intelligent terminals with limited computing and power capability and to small systems with few users.
Although the embodiments have been disclosed as above, they are provided only to facilitate understanding of the invention and are not intended to limit it. Any person skilled in the art to which the invention pertains may make modifications and changes in the form and details of implementation without departing from the spirit and scope disclosed herein, but the scope of protection of the invention is still defined by the appended claims.

Claims (10)

1. An authentication and authorization method, characterized by comprising:
a first data preparation step, in which a client sends a hashed value of a user identifier to an authentication server;
a first query step, in which the authentication server queries a user database according to the hashed value of the user identifier and obtains a first query result, the first query result including user information and a user right corresponding to the user;
an authentication step, in which the authentication server judges, according to the first query result, whether the user passes authentication and, when the user passes authentication, sends an authentication ticket corresponding to the user to the client, the authentication ticket including the user right;
a second data preparation step, in which the client sends a client ticket and a client user requested service identifier corresponding to the user to an authorization server;
a second query step, in which the authorization server queries a service database according to an authorized user requested service identifier and obtains a second query result, the second query result including a service privilege corresponding to the authorized user requested service identifier; the authorization server expands the user right and the service privilege in binary respectively, obtaining a user right description corresponding to the user right and a service privilege description corresponding to the service privilege; and
an authorization step, in which the authorization server determines, according to the user right description and the service privilege description, whether the user is entitled to request the service associated with the authorized user requested service identifier,
wherein the client ticket is the ticket the client receives from the authentication server, the authentication ticket is the ticket the authentication server issues to the client or the authorization server, the client user requested service identifier is the user requested service identifier obtained by the client, and the authorized user requested service identifier is the user requested service identifier the authorization server receives from the client.
2. The method according to claim 1, characterized in that the user right is a decimal or hexadecimal number and the service privilege is a decimal or hexadecimal number.
3. The method according to claim 2, characterized in that the authorization step comprises:
judging whether the binary expansion terms constituting the service privilege description and the binary expansion terms constituting the user right description intersect;
when the binary expansion terms constituting the service privilege description and the binary expansion terms constituting the user right description are judged to intersect, determining that the user is entitled to request the service associated with the authorized user requested service identifier.
4. The method according to any one of claims 1 to 3, characterized in that
in the first data preparation step, the client sends a first message to the authentication server, the first message including a first data string and the hashed value of the user identifier, the client encrypting with a user key a data string made up of the client user identifier, a first client random value and a first message timestamp to obtain the first data string;
in the first query step, the authentication server receives the first message and queries the user database with the hashed value of the user identifier in the first message to obtain the first query result, the first query result including user information comprising an authentication user identifier and a user password, the user right, a user right remaining time, a user right remaining count and a session key;
in the authentication step, the authentication server judges, according to the first message and the first query result, whether the user passes authentication and, when judging that the user passes authentication, sends a second message and a third message to the client and the authorization server respectively; wherein the second message includes the authentication ticket, the session key encrypted with the user key, and a second data string, the authentication server encrypting with the session key a data string made up of a first authentication random value, a second message timestamp and a second authentication random value to obtain the second data string; and the authentication server encrypts with a server shared key a data string made up of the second authentication random value, the authentication ticket, the session key and the hashed value of the user identifier to obtain the third message;
the method further comprises a request step, in which the client receives the second message and judges, according to the first message and the second message, whether the authentication server is legitimate; when judging that the authentication server is legitimate, the client accepts the second message and performs the second data preparation step; when judging that the authentication server is not legitimate, the client rejects the second message and terminates the process;
in the second data preparation step, the client sends a fourth message to the authorization server, the fourth message including the client ticket, a third data string and the hashed value of the user identifier, the client encrypting with the session key a data string made up of a second client random value, a fourth message timestamp, the client user requested service identifier and a third client random value to obtain the third data string;
in the second query step, the authorization server receives the fourth message and judges, according to the expiry state of the client ticket, the third message and the fourth message, whether the user is entitled to query the service database; and, when judging that the user is entitled to query the service database, queries the service database with the authorized user requested service identifier to obtain the second query result, the second query result including the service privilege corresponding to the authorized user requested service identifier; the authorization server expands the user right and the service privilege in binary respectively, obtaining the user right description corresponding to the user right and the service privilege description corresponding to the service privilege;
in the authorization step, the authorization server determines, according to the user right description and the service privilege description, whether the user is entitled to request the service associated with the authorized user requested service identifier and, when the user is entitled to request the service, sends a fifth message to the client, the authorization server encrypting with the session key a data string made up of the authorized user requested service identifier, a fifth message timestamp and a third authorization random value to obtain the fifth message;
the method further comprises a service receiving step, in which the client receives the fifth message and judges, using the fourth message and the fifth message, whether the authorization server is legitimate; when judging that the authorization server is legitimate, the client accepts the fifth message and receives the service; when judging that the authorization server is not legitimate, the client rejects the fifth message and terminates the process.
5. The method according to claim 4, characterized in that,
in the authentication step, the authentication server judging, according to the first message and the first query result, whether the user passes authentication specifically includes:
judging whether the user permission remaining time, the user permission remaining count, the client user identity and the first message timestamp satisfy a first preset condition, and when they are judged to satisfy the first preset condition, determining that the user passes authentication; wherein the first preset condition includes: the user permission remaining time is non-zero, the user permission remaining count is non-zero, the client user identity is consistent with the authenticated user identity, and the interval between the first message timestamp and the current timestamp of the authentication server is less than a preset time interval threshold; or
judging whether the user permission remaining time, the client user identity and the first message timestamp satisfy a second preset condition, and when they are judged to satisfy the second preset condition, determining that the user passes authentication; wherein the second preset condition includes: the user permission remaining time is non-zero, the client user identity is consistent with the authenticated user identity, and the interval between the first message timestamp and the current timestamp of the authentication server is less than the preset time interval threshold.
6. The method according to claim 4, characterized in that,
in the application step, the client judging, according to the first message and the second message, whether the authentication server is legitimate specifically includes:
judging whether the first authentication random value and the second message timestamp satisfy a third preset condition, and when they are judged to satisfy the third preset condition, determining that the authentication server is legitimate; wherein the third preset condition includes: the first authentication random value is consistent with the first client random value, and the interval between the second message timestamp and the current timestamp of the client is less than the preset time interval threshold.
7. The method according to claim 4, characterized in that,
in the second query step, the authorization server judging, according to the expiry state of the client ticket, the third message and the fourth message, whether the user is entitled to query the service database specifically includes:
judging whether the expiry state of the client ticket, the client ticket, the second client random value and the fourth message timestamp satisfy a fourth preset condition, and when they are judged to satisfy the fourth preset condition, determining that the user is entitled to query the service database; wherein the fourth preset condition includes: the client ticket has not expired, the client ticket is consistent with the authentication ticket, the second client random value is consistent with the second authentication random value, and the interval between the fourth message timestamp and the current timestamp of the authorization server is less than the preset time interval threshold.
8. The method according to claim 4, characterized in that,
in the service reception step, the client judging, using the fourth message and the fifth message, whether the authorization server is legitimate specifically includes:
judging whether the authorized user's requested service identifier, the third authorization random value and the fifth message timestamp satisfy a fifth preset condition, and when they are judged to satisfy the fifth preset condition, determining that the authorization server is legitimate; wherein the fifth preset condition includes: the authorized user's requested service identifier is consistent with the client user's requested service identifier, the third authorization random value is consistent with the third client random value, and the interval between the fifth message timestamp and the current timestamp of the client is less than the preset time interval threshold.
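The acceptance rules of claims 5 to 8, together with the bit-wise comparison of the two permission descriptions in the authorization step of claim 4, are easier to check against each other when written out. The following Python is an added illustration and not code from the patent: the message field names, the 300-second value of the preset time interval threshold, SHA-256 as the user-identity hash used for the database lookup, and the rule that every bit required by the service must be set in the user's permission description are assumptions made for this example. The claims specify what each condition compares, not the hash function, the window or the combination rule.

```python
"""Acceptance checks of claims 5-8 and the permission-bit comparison of claim 4.
Constructed example; names, the time window, the hash and the combination rule are assumed."""
from dataclasses import dataclass
import hashlib

TIME_WINDOW = 300  # assumed value of the "preset time interval threshold", in seconds


def fresh(stamp: int, now: int, window: int = TIME_WINDOW) -> bool:
    """Every preset condition requires |message timestamp - receiver's clock| < threshold."""
    return abs(now - stamp) < window


def user_id_hash(user_id: str) -> str:
    """Lookup key for the user database (hash function assumed to be SHA-256)."""
    return hashlib.sha256(user_id.encode()).hexdigest()


@dataclass
class UserRecord:            # the first query result
    user_id: str             # authenticated user identity
    remaining_time: int      # user permission remaining time
    remaining_count: int     # user permission remaining count
    permission: int          # user permission word, expanded bit by bit later


@dataclass
class FirstMessage:          # client -> authentication server
    user_id: str
    client_nonce1: int       # first client random value
    stamp: int


@dataclass
class SecondMessage:         # authentication server -> client
    auth_nonce1: int         # first authentication random value, must echo client_nonce1
    stamp: int
    auth_nonce2: int         # second authentication random value


@dataclass
class ThirdMessage:          # authentication server -> authorization server
    auth_nonce2: int
    ticket: bytes            # the authentication ticket


@dataclass
class FourthMessage:         # client -> authorization server
    ticket: bytes            # the client ticket
    expired: bool            # expiry state of the client ticket
    client_nonce2: int       # second client random value, must echo auth_nonce2
    stamp: int
    service_id: str          # client user's requested service identifier
    client_nonce3: int       # third client random value


@dataclass
class FifthMessage:          # authorization server -> client
    service_id: str          # authorized user's requested service identifier
    stamp: int
    authz_nonce3: int        # third authorization random value, must echo client_nonce3


def auth_server_accepts(rec: UserRecord, m1: FirstMessage, now: int, count_limited: bool = True) -> bool:
    """Claim 5: first preset condition (with remaining count) or second preset condition (without)."""
    ok = rec.remaining_time != 0 and m1.user_id == rec.user_id and fresh(m1.stamp, now)
    return ok and (rec.remaining_count != 0 if count_limited else True)


def client_accepts_auth_server(m1: FirstMessage, m2: SecondMessage, now: int) -> bool:
    """Claim 6: third preset condition (nonce echo plus freshness)."""
    return m2.auth_nonce1 == m1.client_nonce1 and fresh(m2.stamp, now)


def authz_server_accepts(m3: ThirdMessage, m4: FourthMessage, now: int) -> bool:
    """Claim 7: fourth preset condition."""
    return (not m4.expired and m4.ticket == m3.ticket
            and m4.client_nonce2 == m3.auth_nonce2 and fresh(m4.stamp, now))


def bits(value: int, width: int = 8) -> list[int]:
    """Binary expansion of a permission word into its permission description (LSB first)."""
    return [(value >> i) & 1 for i in range(width)]


def service_permitted(user_permission: int, service_permission: int) -> bool:
    """Authorization step of claim 4; rule assumed: each bit the service needs is set for the user."""
    return all(u >= s for u, s in zip(bits(user_permission), bits(service_permission)))


def client_accepts_authz_server(m4: FourthMessage, m5: FifthMessage, now: int) -> bool:
    """Claim 8: fifth preset condition."""
    return (m5.service_id == m4.service_id and m5.authz_nonce3 == m4.client_nonce3
            and fresh(m5.stamp, now))


def run_exchange(now: int = 1_000_000) -> dict[str, bool]:
    """Constructed happy-path exchange, one denied service, and one replayed fourth message."""
    rec = UserRecord("alice", remaining_time=3600, remaining_count=5, permission=0b0111)
    db = {user_id_hash(rec.user_id): rec}                       # constructed user database
    m1 = FirstMessage("alice", client_nonce1=11, stamp=now)
    looked_up = db[user_id_hash(m1.user_id)]                    # first query step
    m2 = SecondMessage(auth_nonce1=m1.client_nonce1, stamp=now + 1, auth_nonce2=22)
    m3 = ThirdMessage(auth_nonce2=22, ticket=b"ticket-1")
    m4 = FourthMessage(b"ticket-1", False, 22, now + 2, "video", client_nonce3=33)
    m5 = FifthMessage("video", stamp=now + 3, authz_nonce3=33)
    return {
        "auth": auth_server_accepts(looked_up, m1, now),
        "client_trusts_auth": client_accepts_auth_server(m1, m2, now + 1),
        "authz": authz_server_accepts(m3, m4, now + 2),
        "service_ok": service_permitted(looked_up.permission, 0b0011),
        "service_denied": service_permitted(looked_up.permission, 0b1000),
        "client_trusts_authz": client_accepts_authz_server(m4, m5, now + 3),
        "replay_rejected": authz_server_accepts(m3, m4, now + 2 + TIME_WINDOW),
    }
```

The last entry of `run_exchange` shows why each preset condition pairs a nonce echo with a timestamp interval: a fourth message captured and presented again after the window has passed still carries a matching ticket and nonce, and only the freshness test rejects it.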
9. The method according to claim 4, characterized by further including:
when the expiry state of the client ticket indicates that the client ticket has expired, re-initiating authentication and authorization;
the re-initiating of authentication and authorization includes:
in the first data preparation step, the client encrypts, with the session key, a data string consisting of the client user identity, the first client random value and the first message timestamp, to obtain the first data string;
in the first query step, the first query result includes the user information (the authenticated user identity and the user password), the user permission, the user permission remaining time, the user permission remaining count and a new session key;
in the authentication step, the second message includes the authentication ticket, the new session key encrypted with the session key, and the second data string; the authentication server encrypts, with the new session key, a data string consisting of the first authentication random value, the second message timestamp and the second authentication random value, to obtain the second data string; the authentication server encrypts, with the server shared key, a data string consisting of the second authentication random value, the authentication ticket, the new session key and the hashed value of the user identity, to obtain the third message;
in the second data preparation step, the client encrypts, with the new session key, a data string consisting of the second client random value, the fourth message timestamp, the client user's requested service identifier and the third client random value, to obtain the third data string;
in the authorization step, the authorization server encrypts, with the new session key, a data string consisting of the authorized user's requested service identifier, the fifth message timestamp and the third authorization random value, to obtain the fifth message.
10. The method according to claim 1, characterized by further including:
when the expiry state of the client ticket indicates that the client ticket has not expired, using the client ticket to request the service repeatedly.
CN201610832308.1A 2016-09-19 2016-09-19 A kind of authentication authority method Active CN106230603B (en)

Publications (2)

Publication Number  Publication Date
CN106230603A (en)   2016-12-14
CN106230603B (en)   2019-08-16

Family

ID=58076139

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN107181757A *  2017-06-27  2017-09-19  新浪网技术(中国)有限公司  Memcache proxy method, apparatus and system supporting authentication and protocol conversion
KR20220059506A *  2019-09-03  2022-05-10  구글 엘엘씨  Systems and methods for security identification retrieval
CN112367329B *  2020-11-17  2023-05-02  北京知道创宇信息技术股份有限公司  Communication connection authentication method, device, computer equipment and storage medium

Citations (3)

Publication number  Priority date  Publication date  Assignee  Title
CN101631116A *  2009-08-10  2010-01-20  中国科学院地理科学与资源研究所  Distributed dual-license and access control method and system
CN102857488A *  2012-05-10  2013-01-02  中国人民解放军理工大学  Network access control model as well as method and terminal thereof
CN102882882A *  2012-10-10  2013-01-16  深圳数字电视国家工程实验室股份有限公司  User resource authorization method

Family Cites Families (1)

Publication number  Priority date  Publication date  Assignee  Title
US7647319B2 *  2004-09-06  2010-01-12  Canon Kabushiki Kaisha  Information processing apparatus, information processing method, program, and storage medium

Non-Patent Citations (1)

Title
Design and Implementation of a General-Purpose Authentication and Authorization Service; Zhu Zhiwen; China Master's Theses Full-text Database (Information Science and Technology); 2012-04-15 (No. 4); full text

Legal Events

Code  Title
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
GR01  Patent grant