CN106230603B - A kind of authentication authority method - Google Patents
A kind of authentication authority method
- Publication number: CN106230603B (application CN201610832308.1A)
- Authority: CN (China)
- Prior art keywords: user, client, message, service, certification
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L9/3271 — Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, using challenge-response
- H04L63/0892 — Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
- H04L63/102 — Network architectures or network communication protocols for network security for controlling access to devices or network resources: entity profiles
- H04L63/108 — Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
- H04L12/1432 — Charging, metering or billing arrangements for data wireline or wireless communications: metric aspects
- H04L12/1439 — Charging, metering or billing arrangements for data wireline or wireless communications: metric aspects, time-based
Abstract
The invention discloses an authentication and authorization method comprising a first data preparation step, a first query step, an authentication step, an application step, a second data preparation step, a second query step, an authorization step and a service acceptance step. The method simplifies the logic on both the client side and the server side and reduces the number of message exchanges, making the whole authentication and authorization system lightweight while still providing sufficient security.
Description
Technical field
The present invention relates to the field of network security, and more particularly to an authentication and authorization method.
Background art
With the rapid development of the Internet, intrusion and counter-intrusion, network attack and defence are intensifying, and network security problems are becoming increasingly serious. How to ensure that the information exchanged between two communicating parties is transmitted securely and reliably over the Internet has therefore been a constant concern, and various authentication protocols and permission description methods have emerged in response.
A comprehensive analysis of prior research shows that existing authentication protocols and permission description methods have problems. Specifically:
(1) Current authentication protocols and permission description methods are designed for large systems with complex permission descriptions, many users, complex network conditions and a severe security environment. Applied to small systems, where users, services and business logic are simple and the security environment is uncomplicated, they are not suitable.
(2) Little research exists on lightweight authentication protocols for intelligent terminals with some computing capability, or for other cases that require light weight, reduced power consumption and a simplified client. Existing technology is typically either full-featured but complex, or simple but limited in function. How to strike a balance between functionality and light weight still needs more study.
Therefore an authentication and authorization method that makes the authentication and authorization system lightweight while retaining sufficient security is urgently needed.
Summary of the invention
The purpose of the present invention is to design a lightweight authentication protocol and permission description method for small systems, intelligent terminals and situations with few users: to simplify the logic on both the client side and the server side, to reduce energy and power consumption, and to reduce the number of message exchanges, so that the whole authentication and authorization system becomes lightweight while, on that lightweight basis, still striving for sufficient security.
To achieve the above object, the invention proposes an authentication and authorization method that achieves light weight while still guaranteeing sufficient security.
The technical solution of the present invention is as follows:
An authentication and authorization method, comprising:
a first data preparation step, in which the client sends the hash value of the user identity identifier to the authentication server;
a first query step, in which the authentication server queries the user database by the hash value of the user identity identifier to obtain a first query result, the first query result including the user information and the user right corresponding to the user;
an authentication step, in which the authentication server judges from the first query result whether the user passes authentication and, when the user passes authentication, sends an authentication ticket corresponding to the user to the client, the authentication ticket including the user right;
a second data preparation step, in which the client sends the client ticket and the client user application service identifier corresponding to the user to the authorization server;
a second query step, in which the authorization server queries the service database by the authorized user application service identifier to obtain a second query result, the second query result including the service right corresponding to the authorized user application service identifier; the authorization server then performs a binary expansion of the user right and of the service right respectively, obtaining a user right description corresponding to the user right and a service right description corresponding to the service right;
an authorization step, in which the authorization server determines from the user right description and the service right description whether the user is entitled to apply for the service associated with the authorized user application service identifier.
Preferably, the user right is a decimal number or a hexadecimal number, and the service right is a decimal number or a hexadecimal number.
Preferably, the authorization step includes:
judging whether the binary expansion terms that make up the service right description and the binary expansion terms that make up the user right description have an intersection;
when the binary expansion terms that make up the service right description and the binary expansion terms that make up the user right description do have an intersection, determining that the user is entitled to apply for the service associated with the authorized user application service identifier.
Preferably:
In the first data preparation step, the client sends a first message to the authentication server, the first message including a first data string and the hash value of the user identity identifier; the client encrypts, with the user key, the data string formed by the client user identity identifier, a first client random value and the first message timestamp, to obtain the first data string.
In the first query step, the authentication server receives the first message and queries the user database with the hash value of the user identity identifier contained in the first message to obtain the first query result; the first query result includes the user information (the authentication user identity identifier and the user password), the user right, the user right remaining time, the user right remaining count and a session key.
In the authentication step, the authentication server judges from the first message and the first query result whether the user passes authentication and, when it judges that the user passes authentication, sends a second message to the client and a third message to the authorization server. The second message includes the authentication ticket, the session key encrypted with the user key, and a second data string; the authentication server encrypts, with the session key, the data string formed by a first authentication random value, the second message timestamp and a second authentication random value, to obtain the second data string. The authentication server encrypts, with the server shared key, the data string formed by the second authentication random value, the authentication ticket, the session key and the hash value of the user identity identifier, to obtain the third message.
The method further includes an application step, in which the client receives the second message and judges from the first message and the second message whether the authentication server is legitimate; when it judges that the authentication server is legitimate, it accepts the second message and performs the second data preparation step; when it judges that the authentication server is not legitimate, it rejects the second message and terminates the process.
In the second data preparation step, the client sends a fourth message to the authorization server, the fourth message including the client ticket, a third data string and the hash value of the user identity identifier; the client encrypts, with the session key, the data string formed by a second client random value, the fourth message timestamp, the client user application service identifier and a third client random value, to obtain the third data string.
In the second query step, the authorization server receives the fourth message and judges from the expiry state of the client ticket, the third message and the fourth message whether the user is entitled to query the service database; when it judges that the user is entitled to query the service database, it queries the service database with the authorized user application service identifier to obtain the second query result, which includes the service right corresponding to the authorized user application service identifier. The authorization server performs a binary expansion of the user right and of the service right respectively, obtaining the user right description corresponding to the user right and the service right description corresponding to the service right.
In the authorization step, the authorization server determines from the user right description and the service right description whether the user is entitled to apply for the service associated with the authorized user application service identifier and, when the user is entitled to apply for the service, sends a fifth message to the client; the authorization server encrypts, with the session key, the data string formed by the authorized user application service identifier, the fifth message timestamp and a third authorization random value, to obtain the fifth message. The method further includes a service acceptance step, in which the client receives the fifth message and uses the fourth message and the fifth message to judge whether the authorization server is legitimate; when it judges that the authorization server is legitimate, it accepts the fifth message and accepts the service; when it judges that the authorization server is not legitimate, it rejects the fifth message and terminates the process.
Preferably, in the authentication step, judging from the first message and the first query result whether the user passes authentication specifically includes:
judging whether the user right remaining time, the user right remaining count, the client user identity identifier and the first message timestamp meet a first preset condition, and determining that the user passes authentication when the first preset condition is met; the first preset condition being: the user right remaining time is non-zero, the user right remaining count is non-zero, the client user identity identifier is consistent with the authentication user identity identifier, and the interval between the first message timestamp and the current timestamp of the authentication server is less than a preset time interval threshold; or
judging whether the user right remaining time, the client user identity identifier and the first message timestamp meet a second preset condition, and determining that the user passes authentication when the second preset condition is met; the second preset condition being: the user right remaining time is non-zero, the client user identity identifier is consistent with the authentication user identity identifier, and the interval between the first message timestamp and the current timestamp of the authentication server is less than the preset time interval threshold.
Preferably, in the application step, judging from the first message and the second message whether the authentication server is legitimate specifically includes:
judging whether the first authentication random value and the second message timestamp meet a third preset condition, and determining that the authentication server is legitimate when the third preset condition is met; the third preset condition being: the first authentication random value is consistent with the first client random value, and the interval between the second message timestamp and the current timestamp of the client is less than the preset time interval threshold.
Preferably, in the second query step, judging from the expiry state of the client ticket, the third message and the fourth message whether the user is entitled to query the service database specifically includes:
judging whether the expiry state of the client ticket, the client ticket, the second client random value and the fourth message timestamp meet a fourth preset condition, and determining that the user is entitled to query the service database when the fourth preset condition is met; the fourth preset condition being: the client ticket has not expired, the client ticket is consistent with the authentication ticket, the second client random value is consistent with the second authentication random value, and the interval between the fourth message timestamp and the current timestamp of the authorization server is less than the preset time interval threshold.
Preferably, in the service acceptance step, judging from the fourth message and the fifth message whether the authorization server is legitimate specifically includes:
judging whether the authorized user application service identifier, the third authorization random value and the fifth message timestamp meet a fifth preset condition, and determining that the authorization server is legitimate when the fifth preset condition is met; the fifth preset condition being: the authorized user application service identifier is consistent with the client user application service identifier, the third authorization random value is consistent with the third client random value, and the interval between the fifth message timestamp and the current timestamp of the client is less than the preset time interval threshold.
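The five preset conditions above, written out as the check each party runs over the fields it has already decrypted from the relevant message. This is an added example, not code from the patent; encryption, key handling and the database lookups are left out, and the parameter names and the threshold value are assumptions.

```python
"""Checks for the five preset conditions of the method described above.

Added example, not code from the patent. Encryption, key handling and the
database lookups are left out: each function receives the fields a party has
already decrypted from the relevant message and returns (ok, reason), so the
freshness, nonce-echo and consistency rules can be tested on their own.
Parameter names and the threshold value are assumptions."""

# Assumed value of the page's "preset time interval threshold", in seconds.
TIME_THRESHOLD = 30


def is_fresh(msg_ts: int, now: int) -> bool:
    """The interval between a message timestamp and the receiver's current
    timestamp must be below the threshold. abs() rejects stale replays and
    timestamps from the future (a skewed or forged sender clock) alike."""
    return abs(now - msg_ts) < TIME_THRESHOLD


def first_condition(remaining_time, remaining_count, client_uid, auth_uid,
                    msg1_ts, now):
    """Authentication server, time-and-count charging: both budgets non-zero,
    identity in message 1 matches the user database record, message 1 fresh."""
    if remaining_time == 0:
        return False, "user right remaining time is zero"
    if remaining_count == 0:
        return False, "user right remaining count is zero"
    if client_uid != auth_uid:
        return False, "client user identity differs from authenticated identity"
    if not is_fresh(msg1_ts, now):
        return False, "first message timestamp outside threshold"
    return True, "user passes authentication"


def second_condition(remaining_time, client_uid, auth_uid, msg1_ts, now):
    """Authentication server, time-only charging: the first condition without
    the remaining-count test."""
    if remaining_time == 0:
        return False, "user right remaining time is zero"
    if client_uid != auth_uid:
        return False, "client user identity differs from authenticated identity"
    if not is_fresh(msg1_ts, now):
        return False, "first message timestamp outside threshold"
    return True, "user passes authentication"


def third_condition(auth_rand1, client_rand1, msg2_ts, now):
    """Client checks the authentication server: the first authentication random
    value inside message 2 must equal the first client random value the client
    sent under the user key in message 1, and message 2 must be fresh."""
    if auth_rand1 != client_rand1:
        return False, "first client random value not echoed in second message"
    if not is_fresh(msg2_ts, now):
        return False, "second message timestamp outside threshold"
    return True, "authentication server is legitimate"


def fourth_condition(ticket_expired, client_ticket, auth_ticket,
                     client_rand2, auth_rand2, msg4_ts, now):
    """Authorization server checks the client: ticket unexpired and equal to
    the authentication ticket received in message 3; the second client random
    value in message 4 equals the second authentication random value the
    authentication server issued in messages 2 and 3; message 4 fresh."""
    if ticket_expired:
        return False, "client ticket expired, re-initiate authentication"
    if client_ticket != auth_ticket:
        return False, "client ticket differs from authentication ticket"
    if client_rand2 != auth_rand2:
        return False, "second random value not bound to this authentication"
    if not is_fresh(msg4_ts, now):
        return False, "fourth message timestamp outside threshold"
    return True, "user may query the service database"


def fifth_condition(authz_svc_id, client_svc_id, authz_rand3, client_rand3,
                    msg5_ts, now):
    """Client checks the authorization server: the service identifier and the
    third client random value from message 4 are echoed in message 5, and
    message 5 is fresh."""
    if authz_svc_id != client_svc_id:
        return False, "service identifier in fifth message differs from request"
    if authz_rand3 != client_rand3:
        return False, "third client random value not echoed in fifth message"
    if not is_fresh(msg5_ts, now):
        return False, "fifth message timestamp outside threshold"
    return True, "authorization server is legitimate"


def run_constructed_exchange():
    """Constructed sample values: a clean pass through the checks, then a
    replayed message 4 and a fifth message from a party that never saw the
    client's third random value."""
    now = 1_000_000
    return {
        "cond1": first_condition(3600, 5, "alice", "alice", now - 2, now)[0],
        "cond3": third_condition(0xA1, 0xA1, now - 1, now)[0],
        "cond4": fourth_condition(False, "T1", "T1", 0xB2, 0xB2, now - 3, now)[0],
        "cond5": fifth_condition("svc7", "svc7", 0xC3, 0xC3, now - 1, now)[0],
        "replay4": fourth_condition(False, "T1", "T1", 0xB2, 0xB2, now - 120, now)[0],
        "forged5": fifth_condition("svc7", "svc7", 0x00, 0xC3, now, now)[0],
    }
```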
Preferably, the method further includes:
when the expiry state of the client ticket indicates that the client ticket has expired, re-initiating authentication and authorization;
re-initiating authentication and authorization including:
in the first data preparation step, the client encrypts, with the session key, the data string formed by the client user identity identifier, the first client random value and the first message timestamp, to obtain the first data string;
in the first query step, the first query result includes the user information (the authentication user identity identifier and the user password), the user right, the user right remaining time, the user right remaining count and a new session key;
in the authentication step, the second message includes the authentication ticket, the new session key encrypted with the session key, and the second data string; the authentication server encrypts, with the new session key, the data string formed by the first authentication random value, the second message timestamp and the second authentication random value, to obtain the second data string; the authentication server encrypts, with the server shared key, the data string formed by the second authentication random value, the authentication ticket, the new session key and the hash value of the user identity identifier, to obtain the third message;
in the second data preparation step, the client encrypts, with the new session key, the data string formed by the second client random value, the fourth message timestamp, the client user application service identifier and the third client random value, to obtain the third data string;
in the authorization step, the authorization server encrypts, with the new session key, the data string formed by the authorized user application service identifier, the fifth message timestamp and the third authorization random value, to obtain the fifth message.
Preferably, when the expiry state of the client ticket indicates that the client ticket has not expired, the client ticket is used to apply for services repeatedly.
Compared with the prior art, one or more embodiments of the above scheme may have the following advantages or beneficial effects:
1) Applying the authentication and authorization method provided by the embodiments of the invention makes the authentication and authorization system lightweight while still ensuring sufficient security.
2) The invention supports two charging modes, by time and by count, which is sufficient to meet service needs to a certain degree.
3) The ticket in the invention contains only the user identity and the user right, so services can be applied for repeatedly within the validity period of the ticket.
4) The invention is well suited to small systems with intelligent terminals that have some computing and power capability, and with few users.
Other features and advantages of the invention will be set out in the following description, and will in part be apparent from the description or be learned by practising the invention. The objects and other advantages of the invention may be realised and obtained by the structures particularly pointed out in the description, the claims and the accompanying drawings.
Detailed description of the invention
The accompanying drawings provide a further understanding of the invention and form part of the specification; together with the embodiments of the invention they serve to explain the invention and are not to be construed as limiting it. In the drawings:
Fig. 1 shows a flow diagram of an authentication and authorization method according to an embodiment of the invention;
Fig. 2 shows another flow diagram of an authentication and authorization method according to an embodiment of the invention.
Specific embodiment
Embodiments of the invention are described in detail below with reference to the accompanying drawings and examples, so that how the invention applies technical means to solve the technical problem and achieve the technical effect can be fully understood and implemented. As long as no conflict arises, the embodiments of the invention and the features of each embodiment may be combined with one another, and the resulting technical solutions fall within the scope of the invention.
In the prior art, various authentication protocols and permission description methods have been proposed to ensure the security and reliability of information exchanged between communicating parties over the Internet.
Regarding authentication, the IPsec, SSL, Kerberos and RADIUS authentication protocols have been proposed. IPsec is a network security scheme using algorithms such as RSA, Diffie-Hellman, MD5 and SHA-1; it can authenticate user identity and communicate securely, but it is a heavyweight scheme. SSL is a security protocol built on TCP/IP that authenticates with CA certificates; implementing SSL requires additional CA infrastructure. IPsec and SSL are commercial-grade security schemes designed for PC/web environments; they have their own scope of application and lack scalability. Kerberos achieves mutual authentication between client and server, and its changing session keys and encrypted tickets strengthen the security of the protocol, so it is widely used. However, its authentication and authorization process is overly cumbersome: applying for a service takes six messages on average, and only services provided by the same server can be applied for repeatedly; to use a service provided by another server, authentication must start again from the beginning. Existing research on improving Kerberos generally applies elliptic curve or other asymmetric schemes to it for security hardening and limited lightweight improvement; security is improved, but the lightweight problem of Kerberos is not fundamentally solved. Light weight must be pursued comprehensively; a single aspect or a single algorithm is not enough. RADIUS is a lightweight authentication protocol, but it does not include mutual authentication: it only lets the server authenticate the client, and it cannot withstand a rogue-server attack. Existing research on lightweight authentication protocols mostly targets RFID or other devices whose power consumption must be strictly controlled; their advantage is that they are lightweight and very low-power and make few demands on the computing capability of the device.
Regarding permission description, current permission description models mostly focus on complete systems and complex permission descriptions, and generally comprise subjects, objects, permissions, constraints and requests. A subject grants an object access rights within a defined scope, and the object must submit a request before it can use the authorization. Such models can adapt to complex environments and meet many requirements, but they are complex and not easy to implement.
Based on the above analysis, existing technology is typically either full-featured but complex, or simple but limited in function. How to strike a balance between functionality and light weight still needs more study.
The purpose of the embodiments of the invention is to design a lightweight authentication protocol and permission description method for small systems, intelligent terminals and situations with few users, simplifying the logic on both the client side and the server side, reducing energy and power consumption and the number of message exchanges, while striving for sufficient security. To achieve this, the embodiments of the invention provide an authentication and authorization method that combines a lightweight authentication protocol with a binary permission description, making the whole authentication and authorization system lightweight, reducing consumption at every link, lightening the burden on server and client, and providing users with more convenient and more flexible service together with sufficient security.
Embodiment one
Fig. 1 shows a flow diagram of an authentication and authorization method according to an embodiment of the invention. Referring to Fig. 1, the authentication and authorization method of this embodiment mainly comprises steps 101 to 106.
In step 101, the first data preparation step, the client sends the hash value of the user identity identifier to the authentication server.
In step 102, the first query step, the authentication server queries the user database by the hash value of the user identity identifier and obtains a first query result. Here, the first query result includes the user information and the user right corresponding to the user.
In step 103, the authentication step, the authentication server judges from the first query result whether the user passes authentication and, when the user passes authentication, sends an authentication ticket corresponding to the user to the client. The authentication ticket includes the user right.
In step 104, the second data preparation step, the client sends the client ticket and the client user application service identifier corresponding to the user to the authorization server.
In step 105, the second query step, the authorization server queries the service database by the authorized user application service identifier and obtains a second query result. The second query result includes the service right corresponding to the authorized user application service identifier. The authorization server performs a binary expansion of the user right and of the service right respectively, obtaining the user right description corresponding to the user right and the service right description corresponding to the service right.
In step 106, the authorization step, the authorization server determines from the user right description and the service right description whether the user is entitled to apply for the service associated with the authorized user application service identifier.
The authentication and authorization method of this embodiment implements a lightweight authentication and authorization process. Specifically, the embodiment simplifies the logic on both the client side and the server side, reduces energy and power consumption and reduces the number of message exchanges, making the whole authentication and authorization system lightweight. The embodiment is simple to implement and so can provide users with more convenient and more flexible service.
Embodiment two
This embodiment further optimises the user right and the service right of embodiment one.
In this embodiment the user right is a decimal number or a hexadecimal number, and the service right is a decimal number or a hexadecimal number.
When judging whether the user is entitled to apply for the service associated with the authorized user application service identifier, the user right and the service right are first each expanded in binary, and it is then judged whether the binary expansion terms making up the service right description and the binary expansion terms making up the user right description have an intersection. When they do have an intersection, the user is determined to be entitled to apply for the service associated with the authorized user application service identifier.
Binary data is expressed in the form of weighted coefficients (taking an integer as an example): $(a_{n-1}a_{n-2}a_{n-3}\ldots a_0)_2 = a_{n-1}\times 2^{n-1} + a_{n-2}\times 2^{n-2} + a_{n-3}\times 2^{n-3} + \ldots + a_0\times 2^0$, where each of $a_{n-1}, a_{n-2}, a_{n-3}, \ldots, a_0$ is 0 or 1. Converting the left-hand side of this formula to decimal or hexadecimal gives, for each decimal or hexadecimal number, a linear expression in the terms $2^0, 2^1, 2^2, \ldots, 2^n$ ($n \to \infty$). Because each number is unique, the linear expression of each decimal or hexadecimal number is different, and its coefficients are all 0 or 1.
In this embodiment the binary expansion terms $2^0, 2^1, 2^2, \ldots, 2^n$ ($n \to \infty$) are preferably used as the permission description of the user right and as the permission description of the service right. Each user has a user right or service right, expressed as a decimal or hexadecimal number, corresponding to that user. In practical application, users are divided into n groups, where n is a non-zero integer, and the binary expansion terms $2^0, 2^1, 2^2, \ldots, 2^n$ are used as the group identifiers: the 1st group, the 2nd group, the 4th group, the 8th group, the 16th group and so on. If a user belongs only to the 4th group, his right is 4. If a user belongs to both the 4th group and the 16th group, his right is 4+16=20. In general, such a group corresponds to a packaged set of services, also called a business, and a user may subscribe to one or more businesses.
The unique identifier of a service is the user application service identifier. Each user application service identifier allows the users described by the binary expansion terms $2^0, 2^1, 2^2, \ldots, 2^n$ ($n \to \infty$) to apply for the service; that is, each user application service identifier allows the users in one or more user groups to apply for the service. For example, if a user application service identifier allows the 1st group, the 2nd group and the 16th group to apply, the service right is 1+2+16=19. If a user application service identifier allows the 4th group, the 8th group and the 32nd group to apply, the service right is 4+8+32=44. Therefore, as long as the user groups allowed by two user application service identifiers differ (in other words, the service identifiers applied for belong to different business groupings), their service rights also differ.
Based on this design of user rights and service rights, the authentication and authorization database needs at least two tables: a user information and user right table (stored in the user database) and a service right table (stored in the service database); both are one-to-one tables. Specifically, when a server (the authentication server or the authorization server) receives a user's request for a service, it obtains the user identity and the user-applied service identifier. The server queries the user database with the user identity to obtain the user right, and queries the service database with the user-applied service identifier to obtain the service right. The user right and the service right are each expanded in binary; if the binary expansion of the user right and the binary expansion of the service right have one or more terms in common, the service is granted to the user, otherwise it is refused. For example, if the service right is 45 and the user right is 4, the service right 45 decomposes into 32 + 8 + 4 + 1. The expansion 32 + 8 + 4 + 1 contains the expansion term 4, so the service is granted. As another example, with service right 45 and user right 20, the service right decomposes into 32 + 8 + 4 + 1 and the user right into 16 + 4. The two expansions share the right description 4 (meaning that the user has subscribed to business 4 and that this service is included in business 4), so the service is granted. If there is no intersection between the service right description and the user right description (the two share no term), the user's request is refused.
With the binary right description method of this embodiment, whether a user is entitled to the service associated with the user-applied service identifier is decided by expanding the user right and the service right in binary and checking whether the two expansions intersect. Moreover, the database needs only one user information and user right table and one service right table; the right description field is simple and easy to process and compare. The binary right description method of this embodiment therefore further improves the lightweight character of authentication and authorization.
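The right description and grant decision of embodiment two, as an added example in Python; this is not code from the patent. The two dictionaries are constructed stand-ins for the user database and the service database, and the user names, service identifiers and values are assumptions. The block goes slightly beyond the text in that it validates group identifiers (each must be a power of two) and returns the common terms rather than only a yes/no answer, so that the decision can be explained.

```python
"""Bit-flag right descriptions of embodiment two. Added example, not the
patent's code: the two tables are constructed stand-ins for the user database
and the service database; the names and values are assumptions."""
from typing import Dict, List, Optional

# user identity -> user right (sum of the group identifiers the user belongs to)
USER_TABLE: Dict[str, int] = {
    "alice": 4,        # group 4 only
    "bob": 4 + 16,     # groups 4 and 16, i.e. 20
    "carol": 2,        # group 2 only
}
# user-applied service identifier -> service right (sum of the groups allowed to apply)
SERVICE_TABLE: Dict[str, int] = {
    "svc-19": 1 + 2 + 16,   # groups 1, 2 and 16 may apply
    "svc-44": 4 + 8 + 32,   # groups 4, 8 and 32 may apply
    "svc-45": 45,           # 32 + 8 + 4 + 1
}

def binary_expansion(value: int) -> List[int]:
    """Expansion terms of a right, largest first: 45 -> [32, 8, 4, 1]."""
    if value < 0:
        raise ValueError("a right is a non-negative integer")
    terms, bit = [], 1
    while bit <= value:
        if value & bit:
            terms.append(bit)
        bit <<= 1
    return terms[::-1]

def right_from_groups(groups: List[int]) -> int:
    """Compose a right from group identifiers, each of which must be a power of two."""
    total = 0
    for g in groups:
        if g <= 0 or g & (g - 1):
            raise ValueError(f"{g} is not a power-of-two group identifier")
        total |= g          # OR rather than +, so a repeated group is not double-counted
    return total

def common_terms(user_right: int, service_right: int) -> List[int]:
    """Terms present in both expansions; the 'intersection' of the text is a bitwise AND."""
    return binary_expansion(user_right & service_right)

def authorize(user_id: str, sid: str) -> Optional[List[int]]:
    """Decision of the text: look up both rights, grant iff the expansions share a term.
    Returns the common terms on success, None on refusal or on an unknown identifier."""
    user_right, service_right = USER_TABLE.get(user_id), SERVICE_TABLE.get(sid)
    if user_right is None or service_right is None:
        return None
    shared = common_terms(user_right, service_right)
    return shared or None
```

Because the intersection test is a single bitwise AND, the check costs the same whatever the number of groups, which is the lightweight property the text claims; note that the rule grants access when any one group matches, not when all of the user's groups are permitted.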
Embodiment three
To show the scheme and beneficial effects of the embodiments of the present invention clearly, some definitions are given before the third specific embodiment of the invention is described in detail:
C → S: this message is sent from the client to the authentication server
S → C: this message is sent from the authentication server to the client
C → S': this message is sent from the client to the authorization server
S' → C: this message is sent from the authorization server to the client
S → S': this message is sent from the authentication server to the authorization server
S' → S: this message is sent from the authorization server to the authentication server
E(text1, text2, ...; K): the concatenation of text1, text2, ... encrypted with key K
ID: user identity
R1, R2, R3: random numbers or random values
Timestamp: timestamp
Kc: user key, shared by the client and the server side
Kcss: session key
Kcss': old session key
SID: user-applied service identifier
Ks: server shared key
E(text1; K1), E(text2; K2): this message is the concatenation of text1 encrypted with K1 and text2 encrypted with K2
First message: C → S: E(client ID, client R1, first message Timestamp; Kc), Hash(ID)
Second message: S → C: E(authentication ID, Timestamp, Character; Ks), E(Kcss; Kc), E(authentication R1, second message Timestamp, authentication R2; Kcss)
Here the first part, E(authentication ID, Timestamp, Character; Ks), is also called the authentication ServerTicket (authentication ticket), abbreviated authentication ST. Although the authentication ST is illustrated here without a Number, it may in fact contain a Number. The position of the Number must therefore be reserved; if no Number is included, a special marker that cannot be confused with a Number must be placed in the reserved position. In the notation, an authentication ST without a Number is written E(authentication ID, Timestamp, Character; Ks), and an authentication ST with a Number is written E(authentication ID, Timestamp, Character, Number; Ks). The client ST is written in the same way except that the authentication ID is replaced by the client ID; it likewise comes in the two forms with and without a Number.
Third message: S → S': E(authentication R2, authentication ST, Kcss, Hash(ID); Ks)
Fourth message: C → S': client ST, E(client R2, fourth message Timestamp, client SID, client R3; Kcss), Hash(ID)
Fifth message: S' → C: E(authorization SID, fifth message Timestamp, authorization R3; Kcss)
Sixth message: C → S: E(client ID, client R1, sixth message Timestamp; Kcss'), Hash(ID)
Seventh message: S → C: E(authentication ID, Timestamp, Character; Ks), E(Kcss; Kcss'), E(authentication R1, seventh message Timestamp, authentication R2; Kcss)
Eighth message: S' → S: E(Number, Hash(ID); Ks)
For the message definitions above, it should be understood that the client ST is the ST the client receives from the authentication server, and the authentication ST is the ST the authentication server issues to the client or to the authorization server. Client R1 (first client random value) is the R1 generated by the client; authentication R1 (first authentication random value) is the R1 the authentication server receives from the client. Client R2 (second client random value) is the R2 the client receives from the authentication server; authentication R2 (second authentication random value) is the R2 generated by the authentication server, and also the R2 the authorization server receives from the authentication server. Client R3 (third client random value) is the R3 generated by the client; authorization R3 (third authorization random value) is the R3 the authorization server receives from the client. The client ID is the ID obtained by the client; the authentication ID is the ID looked up in the user database. The client SID is the SID obtained by the client; the authorization SID is the SID the authorization server receives from the client. The first, fourth and sixth message Timestamps are the timestamps at which the client sends the first, fourth and sixth messages; the second and seventh message Timestamps are the timestamps at which the authentication server sends the second and seventh messages; the fifth message Timestamp is the timestamp at which the authorization server sends the fifth message. The Timestamp inside the client ST is the expiry Timestamp of the client ST, that is, the time at which the client ST expires; the Timestamp inside the authentication ST is the expiry Timestamp of the authentication ST, that is, the time at which the authentication ST expires.
User database fields: (the table itself is not preserved in the source; step 202 below lists the fields the query returns, keyed by Hash(ID): authentication ID, Password, Character, Timeleft, Number, Kcss)
Service database fields:
authentication SID | Service Privileges
(the user-applied service identifier as held by the server) | (the service right)
Fig. 2 shows another flow diagram of the authentication and authorization method of an embodiment of the present invention. As shown in Fig. 2, the protocol workflow of the authentication and authorization method of this embodiment comprises steps 201 to 208.
In step 201, the first data preparation step, the client obtains the ID and Password, generates client R1 and the first message Timestamp, and generates Kc. It encrypts the client ID, client R1 and first message Timestamp with Kc, appends Hash(ID), and sends the result to the authentication server as the first message.
In a specific implementation, authentication is re-initiated when the client ST has expired. The client then obtains the ID and Kcss', generates client R1 and the sixth message Timestamp, encrypts the client ID, client R1 and sixth message Timestamp with Kcss', appends Hash(ID), and sends the result to the authentication server as the sixth message.
In step 202, the first query step, after receiving the request carried by the first message or the sixth message, the authentication server queries the user database with Hash(ID) and finds the first query result: authentication ID, Password, Character, Timeleft, Number and Kcss. The user database returns the first query result to the authentication server.
In step 203, the authentication step, after the authentication server receives the first query result from the user database it first checks whether the service is charged per use or subscribed by time. If the service is charged per use, it must further check the expiry state of the client ST and the state of Number (an error is returned when Number is zero). If the service is subscribed by time, it must further check the expiry state of the client ST and the state of Timeleft (an error is returned when Timeleft is zero). Four cases are distinguished.
First case, the service is charged per use, the client ST has not expired and Number is not zero: Kc is first generated from the authentication ID and Password and used to decrypt the received first message. The client ID is extracted and compared with the authentication ID returned by the user database; if they differ, an error is returned. At the same time the received first message Timestamp is compared with the current authentication server Timestamp; if the difference is too large, an error is returned. Otherwise the following steps are performed: an authentication ST is generated from the authentication ID, the expiry Timestamp of the authentication ST, Character and Number; the generated Kcss is encrypted with Kc; authentication R1, the second message Timestamp and the generated authentication R2 are encrypted with Kcss; the three parts are combined into the second message and sent to the client.
Second case, the service is charged per use, the client ST has expired and Number is not zero: the received sixth message is first decrypted with Kcss'. The client ID is extracted and compared with the authentication ID returned by the user database; if they differ, an error is returned. At the same time the received sixth message Timestamp is compared with the current authentication server Timestamp; if the difference is too large, an error is returned. Otherwise the following steps are performed: an authentication ST is generated from the authentication ID, the expiry Timestamp of the authentication ST, Character and Number; the generated Kcss is encrypted with Kcss'; authentication R1, the seventh message Timestamp and the generated authentication R2 are encrypted with Kcss; the three parts are combined into the seventh message and sent to the client.
Third case, the service is subscribed by time, the client ST has not expired and Timeleft is not zero: Kc is first generated from the authentication ID and Password and used to decrypt the received first message. The client ID is extracted and compared with the authentication ID returned by the database; if they differ, an error is returned. At the same time the received first message Timestamp is compared with the current authentication server Timestamp; if the difference is too large, an error is returned. Otherwise the following steps are performed: it is first determined whether the Timeleft value is less than the validity period of an authentication ST. If it is, the expiry Timestamp of the authentication ST is the current authentication server Timestamp plus Timeleft; otherwise the expiry Timestamp is set by the full validity period of the authentication ST. Then an authentication ST is generated from the authentication ID, the expiry Timestamp of the authentication ST and Character; the generated Kcss is encrypted with Kc; authentication R1, the second message Timestamp and the generated authentication R2 are encrypted with Kcss; the three parts are combined into the second message and sent to the client.
Fourth case, the service is subscribed by time, the client ST has expired and Timeleft is not zero: the received sixth message is first decrypted with Kcss'. The client ID is extracted and compared with the authentication ID returned by the user database; if they differ, an error is returned. At the same time the received sixth message Timestamp is compared with the current authentication server Timestamp; if the difference is too large, an error is returned. Otherwise the following steps are performed: it is first determined whether the Timeleft value is less than the validity period of an authentication ST. If it is, the expiry Timestamp of the authentication ST is the current authentication server Timestamp plus Timeleft; otherwise the expiry Timestamp is set by the full validity period of the authentication ST. Then an authentication ST is generated from the authentication ID, the expiry Timestamp of the authentication ST and Character; the generated Kcss is encrypted with Kcss'; authentication R1, the seventh message Timestamp and the generated authentication R2 are encrypted with Kcss; the three parts are combined into the seventh message and sent to the client.
In step 204, the application step, receipt of the second message or the seventh message means that the client has passed authentication and has received the authentication ST representing its identity. What follows is the process of judging whether the authentication server is legitimate:
If the client receives the second message, it first decrypts Kcss with Kc, then decrypts authentication R1, the second message Timestamp and authentication R2 with Kcss, and checks the values of authentication R1 and the second message Timestamp. If authentication R1 differs from client R1, or the second message Timestamp differs too much from the current client Timestamp, an error is returned. If there is no error, the authentication server is judged legitimate and the user applies for the service. Within the validity period of the client ST, the ST can be used to apply for services multiple times.
If the client receives the seventh message, it first decrypts Kcss with Kcss', then decrypts authentication R1, the seventh message Timestamp and authentication R2 with Kcss, and checks the values of authentication R1 and the seventh message Timestamp. If authentication R1 differs from client R1, or the seventh message Timestamp differs too much from the current client Timestamp, an error is returned. If there is no error, the authentication server is judged legitimate and the user applies for the service. Within the validity period of the client ST, the ST can be used to apply for services multiple times.
In step 205, the second data preparation step, the client obtains the SID, generates client R3 and the fourth message Timestamp, encrypts client R2, the fourth message Timestamp, client SID and client R3 with Kcss, places the client ST in front of the result, appends Hash(ID) at the end, and sends the whole to the authorization server in the format of the fourth message in order to apply for the service.
In step 206, the second query step, after the authorization server receives the request carried by the fourth message it first determines whether the authorization server is the same entity as the authentication server, and checks whether the service is charged per use or subscribed by time. Four cases are distinguished.
First case, the authorization server is different from the authentication server and the service is subscribed by time: the authorization server receives the third message and decrypts authentication R2, the authentication ST, Kcss and Hash(ID) with Ks. Hash(ID) is used to identify the message sent by the client. The authentication ST decrypted from the third message is first compared with the client ST in the received fourth message; if they differ, an error is returned. If they are identical, the authentication ST is decrypted with Ks and the Timestamp in it is checked; if the authentication ST has expired, an error is returned. If it has not expired, Character is taken from the authentication ST and stored for later use. The received fourth message is decrypted with the correct Kcss to obtain client R2, the fourth message Timestamp, client SID and client R3, which are checked one by one: first whether client R2 is identical to the authentication R2 obtained from the third message; if not, an error is returned. If identical, the fourth message Timestamp is further compared with the current authorization server Timestamp; if the difference is too large, an error is returned. If there is no error, the service database is queried with the authorization SID to obtain the second query result, which includes the service right corresponding to the authorization SID. The authorization server then expands the user right (the Character taken from the authentication ST) and the service right in binary, obtaining the user right description corresponding to the user right and the service right description corresponding to the service right.
Second case, the authorization server is the same entity as the authentication server and the service is subscribed by time: the authorization server receives authentication R2, the authentication ST, Kcss and Hash(ID) by inter-process communication or another channel. Hash(ID) is used to identify the message sent by the client. The authentication ST received from the authentication server is first compared with the client ST in the received fourth message; if they differ, an error is returned. If they are identical, the authentication ST is decrypted with Ks and the Timestamp in it is checked; if the authentication ST has expired, an error is returned. If it has not expired, Character is taken from the authentication ST and stored for later use. The received fourth message is decrypted with the correct Kcss to obtain client R2, the fourth message Timestamp, client SID and client R3, which are checked one by one: first whether client R2 is identical to the authentication R2 obtained; if not, an error is returned. If identical, the fourth message Timestamp is further compared with the current authorization server Timestamp; if the difference is too large, an error is returned. If there is no error, the service database is queried with the authorization SID to obtain the second query result, which includes the service right corresponding to the authorization SID. The authorization server then expands the user right and the service right in binary, obtaining the user right description corresponding to the user right and the service right description corresponding to the service right.
Third case, the authorization server is different from the authentication server and the service is charged per use: the authorization server receives the third message and decrypts authentication R2, the authentication ST, Kcss and Hash(ID) with Ks. Hash(ID) is used to identify the message sent by the client. The authentication ST decrypted from the third message is first compared with the client ST in the received fourth message; if they differ, an error is returned. If they are identical, the authentication ST is decrypted with Ks and its Timestamp and Number are checked; if the authentication ST has expired or Number is 0, an error is returned. Otherwise Character and Number are taken from the authentication ST and stored for later use. The received fourth message is decrypted with the correct Kcss to obtain client R2, the fourth message Timestamp, client SID and client R3, which are checked one by one: first whether client R2 is identical to the authentication R2 obtained from the third message; if not, an error is returned. If identical, the fourth message Timestamp is further compared with the current authorization server Timestamp; if the difference is too large, an error is returned. If there is no error, the service database is queried with the authorization SID to obtain the second query result, which includes the service right corresponding to the authorization SID. The authorization server then expands the user right and the service right in binary, obtaining the user right description corresponding to the user right and the service right description corresponding to the service right.
Fourth case, the authorization server is the same entity as the authentication server and the service is charged per use: the authorization server receives authentication R2, the authentication ST, Kcss and Hash(ID) by inter-process communication or another channel. Hash(ID) is used to identify the message sent by the client. The authentication ST received from the authentication server is first compared with the client ST in the received fourth message; if they differ, an error is returned. If they are identical, the authentication ST is decrypted with Ks and its Timestamp and Number are checked; if the authentication ST has expired or Number is 0, an error is returned. Otherwise Character and Number are taken from the authentication ST and stored for later use. The received fourth message is decrypted with the correct Kcss to obtain client R2, the fourth message Timestamp, client SID and client R3, which are checked one by one: first whether client R2 is identical to the authentication R2 obtained; if not, an error is returned. If identical, the fourth message Timestamp is further compared with the current authorization server Timestamp; if the difference is too large, an error is returned. If there is no error, the service database is queried with the authorization SID to obtain the second query result, which includes the service right corresponding to the authorization SID. The authorization server then expands the user right and the service right in binary, obtaining the user right description corresponding to the user right and the service right description corresponding to the service right.
In step 207, the authorization step, the authorization server uses the method of embodiment two to determine from the user right description and the service right description whether the user is entitled to apply for the service associated with the authorization SID.
If the authentication ST contains a Number, that is, the service is charged per use, then if the user has the right, Number is decremented (Number = Number − 1), Number and Hash(ID) are encrypted with Ks and sent to the authentication server in the format of the eighth message, and the received authorization SID, the fifth message Timestamp and authorization R3 are encrypted with Kcss and sent to the client in the format of the fifth message. If the user does not have the right, an error is returned.
If the authentication ST does not contain a Number, that is, the service is subscribed by time, then if the user has the right, the received authorization SID, the fifth message Timestamp and authorization R3 are encrypted with Kcss and sent to the client in the format of the fifth message. If the user does not have the right, an error is returned.
In step 208, the service reception step, the client receives the fifth message and decrypts it with Kcss to obtain the authorization SID, the fifth message Timestamp and authorization R3. It compares the authorization SID with the client SID of the fourth message; if they differ, an error is returned. If they are identical, the fifth message Timestamp is compared with the current client Timestamp; if the difference is too large, an error is returned. If no error has occurred, authorization R3 is compared with client R3 of the fourth message; if they differ, an error is returned. If there is no error, the authorization server is judged legitimate and the user receives the service. The authentication and authorization process is now complete.
It should be noted that, in this embodiment, "the difference is too large" means that the interval between the two timestamps being compared exceeds a preset time interval threshold. In a specific implementation, a person skilled in the art may set this time interval threshold according to practical needs.
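The exchange of steps 201 to 208 for a service subscribed by time (third case of step 203, first case of step 206, separate authentication and authorization servers), as an added example that simulates all three parties in one Python file. It is not code from the patent: E() is a toy cipher built from hashlib (SHA-256 keystream plus HMAC tag) standing in for the unspecified E(...; K), the derivation of Kc from ID and Password, the JSON field names, the 30-second window and the one-hour ST validity period are assumptions, and the user and service databases are constructed. The per-use branch with Number and the eighth message, and the re-authentication path through the sixth and seventh messages, are not covered.

```python
"""Messages 1 to 5 of embodiment three for a service subscribed by time (third
case of step 203, first case of step 206), simulated end to end. Added example,
not code from the patent: E() is a toy cipher on hashlib; the Kc derivation,
JSON field names, WINDOW and ST_VALIDITY are assumptions."""
import hashlib, hmac, json, secrets
from typing import Any, Dict

WINDOW = 30          # preset time interval threshold for timestamp checks (seconds)
ST_VALIDITY = 3600   # validity period of an authentication ST (seconds, assumed)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def E(data: Any, key: bytes) -> str:
    """E(text; K): JSON-encode the fields and encrypt under K. Toy scheme (SHA-256
    keystream plus HMAC tag), illustration only; hex output lets the ST nest
    inside other messages."""
    pt, nonce = json.dumps(data).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()

def D(blob_hex: str, key: bytes) -> Any:
    """Inverse of E; raises ValueError on a wrong key or a modified message."""
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def H(user_id: str) -> str:                       # Hash(ID)
    return hashlib.sha256(user_id.encode()).hexdigest()

def user_key(user_id: str, password: str) -> bytes:   # Kc from ID and Password (assumed)
    return hashlib.sha256(f"{user_id}:{password}".encode()).digest()

def fresh(ts: int, now: int) -> bool:
    return abs(now - ts) <= WINDOW

KS = secrets.token_bytes(32)   # Ks, shared by authentication and authorization servers
# Constructed user database keyed by Hash(ID); time-based subscriptions carry no Number.
USER_DB: Dict[str, Dict[str, Any]] = {
    H("alice"): {"auth_id": "alice", "password": "pw-alice", "character": 20, "timeleft": 600},
    H("bob"): {"auth_id": "bob", "password": "pw-bob", "character": 4, "timeleft": 7200},
}
SERVICE_DB: Dict[str, int] = {"svc-C": 45, "svc-D": 3}   # authentication SID -> Service Privileges

def run_protocol(user_id: str, password: str, sid: str, now: int) -> Dict[str, Any]:
    """Drive C, S and S' through messages 1-5 at time `now`; raise wherever the text
    returns an error; return the ticket expiry and the permission bits in common."""
    kc, h, r1 = user_key(user_id, password), H(user_id), secrets.token_hex(8)
    msg1 = (E({"id": user_id, "r1": r1, "ts": now}, kc), h)                       # C -> S

    # S, steps 202-203 (third case): look up by Hash(ID), derive Kc, verify message 1
    rec = USER_DB.get(msg1[1])
    if rec is None:
        raise ValueError("S: unknown user")
    kc_s = user_key(rec["auth_id"], rec["password"])
    m1 = D(msg1[0], kc_s)
    if m1["id"] != rec["auth_id"] or not fresh(m1["ts"], now):
        raise ValueError("S: identity mismatch or stale timestamp")
    expiry = now + min(rec["timeleft"], ST_VALIDITY)   # Timeleft caps the ticket lifetime
    st = E({"id": rec["auth_id"], "expiry": expiry, "character": rec["character"]}, KS)
    kcss, r2 = secrets.token_bytes(32), secrets.token_hex(8)
    msg2 = (st, E(kcss.hex(), kc_s), E({"r1": m1["r1"], "ts": now, "r2": r2}, kcss))  # S -> C
    msg3 = E({"r2": r2, "st": st, "kcss": kcss.hex(), "h": msg1[1]}, KS)            # S -> S'

    # C, steps 204-205: judge S legitimate, then apply for the service
    kcss_c = bytes.fromhex(D(msg2[1], kc))
    m2 = D(msg2[2], kcss_c)
    if m2["r1"] != r1 or not fresh(m2["ts"], now):
        raise ValueError("C: authentication server not legitimate")
    r3 = secrets.token_hex(8)
    msg4 = (msg2[0], E({"r2": m2["r2"], "ts": now, "sid": sid, "r3": r3}, kcss_c), h)  # C -> S'

    # S', steps 206-207 (first case): match message 3 to message 4, check the ticket
    t = D(msg3, KS)
    if t["h"] != msg4[2] or t["st"] != msg4[0]:
        raise ValueError("S': client ST does not match the authentication ST")
    ticket = D(msg4[0], KS)
    if ticket["expiry"] <= now:
        raise ValueError("S': authentication ST expired")
    kcss_a = bytes.fromhex(t["kcss"])
    m4 = D(msg4[1], kcss_a)
    if m4["r2"] != t["r2"] or not fresh(m4["ts"], now):
        raise ValueError("S': R2 mismatch or stale timestamp")
    common = ticket["character"] & SERVICE_DB[m4["sid"]]   # shared binary expansion terms
    if common == 0:
        raise PermissionError("S': user not entitled to this service")
    msg5 = E({"sid": m4["sid"], "ts": now, "r3": m4["r3"]}, kcss_a)                 # S' -> C

    # C, step 208: judge S' legitimate and accept the service
    m5 = D(msg5, kcss_c)
    if m5["sid"] != sid or m5["r3"] != r3 or not fresh(m5["ts"], now):
        raise ValueError("C: authorization server not legitimate")
    return {"expiry": expiry, "common": common}
```

Each party's checks appear in the order the text gives them: the servers compare identities and timestamps before doing any further work, the client confirms R1 and later R3 to establish that the servers are legitimate, and the authorization server only queries the service database after the ticket, R2 and timestamp checks have passed. A wrong password surfaces as a failed decryption of the first message under the server-derived Kc, since the toy E() authenticates its ciphertext.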
In conclusion using authentication authority method provided in an embodiment of the present invention, it is simple in terms of client and server two
Logic is changed, reduce energy and power consumption, has reduced number of communications, to realize the light weight of entire authentication and authorization system
Change, while also assuring enough safeties.In addition, the present embodiment support temporally with two kinds of charging modes of number, it is sufficient to it is full
The demand that foot services to a certain degree.Bill in the present embodiment only includes user identity and user right, so that having in bill
It can apply repeatedly servicing within the effect phase.The present embodiment for have it is certain calculate and the intelligent terminal of power-performance and user it is few
Mini-system is applicable in very much.
Although the embodiments are disclosed above, the content described is only intended to facilitate understanding of the present invention and not to limit it. Any person skilled in the art to which this invention pertains may make modifications and changes in the form and details of implementation without departing from the spirit and scope of the disclosed invention, but the scope of protection of the invention remains defined by the appended claims.
Claims (10)
1. An authentication and authorization method, characterized by comprising:
a first data preparation step, in which a client sends a hash value of a user identity to an authentication server;
a first query step, in which the authentication server queries a user database according to the hash value of the user identity and obtains a first query result, the first query result including user information corresponding to the user and a user right;
an authentication step, in which the authentication server judges from the first query result whether the user passes authentication and, when the user passes authentication, sends an authentication ticket corresponding to the user to the client, the authentication ticket including the user right;
a second data preparation step, in which the client sends a client ticket and a client user-applied service identifier corresponding to the user to an authorization server;
a second query step, in which the authorization server queries a service database according to an authorized user-applied service identifier and obtains a second query result, the second query result including a service right corresponding to the authorized user-applied service identifier; the authorization server expands the user right and the service right in binary, obtaining a user right description corresponding to the user right and a service right description corresponding to the service right; and
an authorization step, in which the authorization server determines from the user right description and the service right description whether the user is entitled to apply for the service associated with the authorized user-applied service identifier,
wherein the client ticket is the ticket the client receives from the authentication server, the authentication ticket is the ticket the authentication server issues to the client or the authorization server, the client user-applied service identifier is the user-applied service identifier obtained by the client, and the authorized user-applied service identifier is the user-applied service identifier the authorization server receives from the client.
2. The method according to claim 1, characterized in that the user right is a decimal or hexadecimal number and the service right is a decimal or hexadecimal number.
3. The method according to claim 2, characterized in that the authorization step includes:
judging whether the binary expansion terms constituting the service right description and the binary expansion terms constituting the user right description have an intersection; and
when the binary expansion terms constituting the service right description and the binary expansion terms constituting the user right description have an intersection, determining that the user is entitled to apply for the service associated with the authorized user-applied service identifier.
4. The method according to any one of claims 1 to 3, characterized in that:
in the first data preparation step, the client sends a first message to the authentication server, the first message including a first data string and the hash value of the user identity, the client encrypting with a user key a data string consisting of the client user identity, a first client random value and a first message timestamp to obtain the first data string;
in the first query step, the authentication server receives the first message and queries the user database with the hash value of the user identity contained in the first message to obtain the first query result, the first query result including user information consisting of an authentication user identity and a user password, the user right, a user right remaining time, a user right remaining count and a session key;
in the authentication step, the authentication server judges from the first message and the first query result whether the user passes authentication and, when it judges that the user passes authentication, sends a second message and a third message to the client and the authorization server respectively; wherein the second message includes the authentication ticket, the session key encrypted with the user key, and a second data string, the authentication server encrypting with the session key a data string consisting of a first authentication random value, a second message timestamp and a second authentication random value to obtain the second data string; and the authentication server encrypts with a server shared key a data string consisting of the second authentication random value, the authentication ticket, the session key and the hash value of the user identity to obtain the third message;
the method further includes an application step, in which the client receives the second message and judges from the first message and the second message whether the authentication server is legitimate; when it judges that the authentication server is legitimate, it accepts the second message and performs the second data preparation step; when it judges that the authentication server is illegitimate, it rejects the second message and terminates the process;
in the second data preparation step, the client sends a fourth message to the authorization server, the fourth message including the client ticket, a third data string and the hash value of the user identity, the client encrypting with the session key a data string consisting of a second client random value, a fourth message timestamp, the client user-applied service identifier and a third client random value to obtain the third data string;
in the second query step, the authorization server receives the fourth message and judges from the expiry state of the client ticket, the third message and the fourth message whether the user is entitled to query the service database; when it judges that the user is entitled to query the service database, it queries the service database with the authorized user-applied service identifier to obtain the second query result, the second query result including the service right corresponding to the authorized user-applied service identifier; the authorization server expands the user right and the service right in binary, obtaining the user right description corresponding to the user right and the service right description corresponding to the service right;
in the authorization step, the authorization server determines from the user right description and the service right description whether the user is entitled to apply for the service associated with the authorized user-applied service identifier and, when the user is entitled to apply for the service, sends a fifth message to the client, the authorization server encrypting with the session key a data string consisting of the authorized user-applied service identifier, a fifth message timestamp and a third authorization random value to obtain the fifth message;
the method further includes a service reception step, in which the client receives the fifth message and judges from the fourth message and the fifth message whether the authorization server is legitimate; when it judges that the authorization server is legitimate, it accepts the fifth message and receives the service; when it judges that the authorization server is illegitimate, it rejects the fifth message and terminates the process.
5. The method according to claim 4, characterized in that,
in the authenticating step, the authentication server judging, from the first message and the first query result, whether the user passes authentication specifically comprises:
judging whether the user privilege remaining time, the user privilege remaining count, the client user identity and the first message timestamp satisfy a first preset condition, and, when they satisfy the first preset condition, determining that the user passes authentication; wherein the first preset condition comprises: the user privilege remaining time is non-zero, the user privilege remaining count is non-zero, the client user identity is consistent with the authentication user identity, and the interval between the first message timestamp and the current timestamp of the authentication server is less than a preset time interval threshold; or
judging whether the user privilege remaining time, the client user identity and the first message timestamp satisfy a second preset condition, and, when they satisfy the second preset condition, determining that the user passes authentication; wherein the second preset condition comprises: the user privilege remaining time is non-zero, the client user identity is consistent with the authentication user identity, and the interval between the first message timestamp and the current timestamp of the authentication server is less than the preset time interval threshold.
6. The method according to claim 4, characterized in that,
in the application step, the client judging, from the first message and the second message, whether the authentication server is legitimate specifically comprises:
judging whether the first authentication random value and the second message timestamp satisfy a third preset condition, and, when they satisfy the third preset condition, determining that the authentication server is legitimate; wherein the third preset condition comprises: the first authentication random value is consistent with the first client random value, and the interval between the second message timestamp and the current timestamp of the client is less than the preset time interval threshold.
7. The method according to claim 4, characterized in that,
in the second query step, the authorization server judging, from the expiry state of the client ticket, the third message and the fourth message, whether the user is entitled to query the service database specifically comprises:
judging whether the expiry state of the client ticket, the client ticket, the second client random value and the fourth message timestamp satisfy a fourth preset condition, and, when they satisfy the fourth preset condition, determining that the user is entitled to query the service database; wherein the fourth preset condition comprises: the client ticket has not expired, the client ticket is consistent with the authentication ticket, the second client random value is consistent with the second authentication random value, and the interval between the fourth message timestamp and the current timestamp of the authorization server is less than the preset time interval threshold.
8. The method according to claim 4, characterized in that,
in the service receiving step, the client judging, using the fourth message and the fifth message, whether the authorization server is legitimate specifically comprises:
judging whether the authorized user's requested service identifier, the third authorization random value and the fifth message timestamp satisfy a fifth preset condition, and, when they satisfy the fifth preset condition, determining that the authorization server is legitimate; wherein the fifth preset condition comprises: the authorized user's requested service identifier is consistent with the client user's requested service identifier, the third authorization random value is consistent with the third client random value, and the interval between the fifth message timestamp and the current timestamp of the client is less than the preset time interval threshold.
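The five preset conditions of claims 5 through 8, written out as the predicates each party evaluates before accepting a message. This is an added Python illustration, not the patent's own code; the 60-second threshold, the parameter names and the sample values are assumptions.

```python
import hmac
import secrets

THRESHOLD = 60.0  # assumed value for the "preset time interval threshold", in seconds


def _fresh(msg_ts: float, now: float) -> bool:
    """Timestamp test shared by every condition: |now - msg_ts| below THRESHOLD."""
    return abs(now - msg_ts) < THRESHOLD


def _same(a: bytes, b: bytes) -> bool:
    """Constant-time equality for tickets, identities and random values."""
    return hmac.compare_digest(a, b)


def user_passes_auth(remaining_time, remaining_count, client_uid, auth_uid,
                     msg1_ts, now, count_limited=True):
    """Claim 5: count_limited=True is the first preset condition (remaining time
    and remaining count both non-zero); False is the second (time only)."""
    ok = remaining_time != 0 and _same(client_uid, auth_uid) and _fresh(msg1_ts, now)
    return ok and (remaining_count != 0 or not count_limited)


def auth_server_is_legal(auth_rand1, client_rand1, msg2_ts, now):
    """Claim 6 (third preset condition): the client accepts the second message only
    if its own first random value is echoed back and the timestamp is fresh."""
    return _same(auth_rand1, client_rand1) and _fresh(msg2_ts, now)


def user_may_query_services(ticket_expired, client_ticket, auth_ticket,
                            client_rand2, auth_rand2, msg4_ts, now):
    """Claim 7 (fourth preset condition), evaluated by the authorization server."""
    return (not ticket_expired and _same(client_ticket, auth_ticket)
            and _same(client_rand2, auth_rand2) and _fresh(msg4_ts, now))


def authz_server_is_legal(authz_svc, client_svc, authz_rand3, client_rand3, msg5_ts, now):
    """Claim 8 (fifth preset condition), evaluated by the client before using the service."""
    return (_same(authz_svc, client_svc) and _same(authz_rand3, client_rand3)
            and _fresh(msg5_ts, now))


if __name__ == "__main__":
    # Constructed sample exchange, not values from the patent.
    now = 1_700_000_000.0
    rand1 = secrets.token_bytes(16)          # first client random value
    print(auth_server_is_legal(rand1, rand1, now - 5, now))    # fresh echo -> True
    print(auth_server_is_legal(rand1, rand1, now - 600, now))  # stale -> False (replay suspect)
```

Each predicate fails closed: a stale timestamp, a non-echoed random value or an expired ticket rejects the message, which is the replay and impersonation defence the random values and timestamps in the claims provide.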
9. The method according to claim 4, characterized by further comprising:
when the expiry state of the client ticket indicates that the client ticket has expired, re-initiating authentication and authorization;
the re-initiating of authentication and authorization comprising:
in the first data preparation step, the client encrypts, with the session key, a data string consisting of the client user identity, the first client random value and the first message timestamp to obtain the first data string;
in the first query step, the first query result includes user information having the authentication user identity and the user password, the user privileges, the user privilege remaining time, the user privilege remaining count and a new session key;
in the authenticating step, the second message includes the authentication ticket, the new session key encrypted by the session key, and the second data string; the authentication server encrypts, with the new session key, a data string consisting of the first authentication random value, the second message timestamp and the second authentication random value to obtain the second data string; the authentication server encrypts, with the server shared key, a data string consisting of the second authentication random value, the authentication ticket, the new session key and the hash value of the user identity to obtain the third message;
in the second data preparation step, the client encrypts, with the new session key, a data string consisting of the second client random value, the fourth message timestamp, the client user's requested service identifier and the third client random value to obtain the third data string;
in the authorization step, the authorization server encrypts, with the new session key, a data string consisting of the authorized user's requested service identifier, the fifth message timestamp and the third authorization random value to obtain the fifth message.
10. The method according to claim 1, characterized by further comprising:
when the expiry state of the client ticket indicates that the client ticket has not expired, using the client ticket to request the service repeatedly.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610832308.1A CN106230603B (en) | 2016-09-19 | 2016-09-19 | A kind of authentication authority method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106230603A CN106230603A (en) | 2016-12-14 |
CN106230603B true CN106230603B (en) | 2019-08-16 |