CN106302502B - Secure access authentication method, user terminal and server-side


Publication number: CN106302502B
Authority: CN (China)
Prior art keywords: dynamic, code, message, equipment, shared code
Legal status: Expired - Fee Related
Application number: CN201610757520.6A
Other languages: Chinese (zh)
Other versions: CN106302502A
Inventor: 郭铮铮
Current assignee: Guo Zhengzheng
Original assignee: Individual

Events:
    • Application filed by Individual
    • Publication of CN106302502A
    • Application granted
    • Publication of CN106302502B
    • Legal status: Expired - Fee Related (current)
    • Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network security: supporting key management in a packet data network
    • H04L 63/068 Network security: key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • H04L 63/08 Network security: authentication of entities
    • H04L 63/083 Network security: authentication of entities using passwords
    • H04L 63/0846 Network security: authentication of entities using time-dependent passwords, e.g. periodically changing passwords
    • H04L 63/0884 Network security: authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity

Abstract

Embodiments of the present invention relate to a secure access authentication method, a user terminal and a server-side. The secure access authentication method comprises: the user terminal sends a device registration message to the device-application relationship verification server-side to establish a device security registration relationship; the user terminal sends an authorization request message to the device-application relationship verification server-side to establish a security registration relationship between the application and account and the device; the user terminal sends an application login request message to the application providing server-side; the application providing server-side sends a message to the user terminal requiring device application verification; the user terminal sends a device application access credential message to the application providing server-side; the application providing server-side processes it and sends the device application access credential message to the device-application relationship verification server-side; the device-application relationship verification server-side verifies the device application access credential message and sends an application secure access authentication result to the application providing server-side; the application providing server-side responds to the user terminal's login request message.

Description

Secure access authentication method, user terminal and server-side
This application incorporates Chinese patent application No. 201610204634.8, filed on April 3, 2016 and titled "Information processing method, system and device for enhancing access security". The above application is incorporated herein by reference.
Technical field
Embodiments of the present invention relate to the field of information security technology, and in particular to a secure access authentication method, a user terminal and a server-side.
Background art
Internet users are exposed to attacks in which private information such as the user identity and password is stolen; the intruder then uses the acquired private information on an unauthorized third-party device to access the user's private information, make purchases, transfer funds and perform other operations.
New techniques now strengthen security at user login, such as two-step password verification, which requires an additional verification code, or a dynamic key generated by a peripheral token device, to be entered at every login to an application, network or system; examples are software tokens and the RSA hardware token method. These methods add the cost of a manual verification-code entry step or of hardware management, and the process that improves security also makes the system more complex for the user. A technique is needed that improves security while simplifying, or at least not increasing, the complexity of use.
Many approaches identify a device by parameters of the hardware installed in a mobile smart device, such as the IMEI, the host name, the MAC address, the IMSI, a combination of computer hardware serial numbers, or computer system preset parameters. Such information is easy to simulate, obtain or leak, and cannot satisfy the higher security requirement of uniquely identifying a device, so it cannot serve as the credential source for authenticating access authorization. An effective, dynamically verified credential is needed to guarantee confidentiality and validity.
Client certificate authentication could in theory solve the uniqueness of user authentication at login, but because of the high cost of managing the scheme and its offline processes, the current interconnection architecture cannot provide this security service for most client devices accessing the internet. An inexpensive, easily managed and automated technique is needed to enhance the verification of user logins and services.
The hardware keys currently used for verification and identification, such as the U-shield used by banks and the SecurID of RSA, store the key in a portable hardware unit; the client key is distributed offline to guarantee security, the server-side key is loaded by offline, static manual maintenance, and the signing key is associated with the verification key through the hardware serial number or device ID that stores the key. This approach solves the security problem but also greatly limits versatility; it requires the user to manage additional hardware, and where the key lifetime is limited to a fixed period, current commercial hardware key devices such as RSA SecurID can only be exchanged for new hardware. A technique and system are needed that can generate and update the client key and the server-side key online and associate them automatically.
Phone numbers and e-mail are currently the main channels through which people receive verification codes and authorization codes. If an authorization message code, an authorization message in another form, a QR code or an e-mail is stolen, another device may be authorized to access the application account, or an illegitimate or impersonated device may access the user's account and services. A technique is needed that prevents authorization codes or verification codes from being misused, together with an authorization or verification method in which an authorization verification code corresponds uniquely to the specified application account and service and to the specified user terminal device.
The security techniques currently used for verification and signing in networks face threats against the key that generates the credential from birthday attacks, brute-force attacks and man-in-the-middle attacks. A technique is needed that can improve resistance to brute-force and birthday attacks and can detect man-in-the-middle threats, so as to raise the security level.
With the rapid spread of mobile computing devices and the development of wearable devices and the Internet of Things, the number of devices with intelligent computing capability is growing rapidly, and the demand for authentication keys for devices that must be authenticated will rise steeply. The authentication keys provided must be highly scalable, offering a very large expansion space for identifying and managing the varied devices of the future Internet of Things.
No existing method verifies shared codes based on multiple dynamic devices, combines them with a dynamic key identification shared code, and uses an independent security unit to provide device-application and account access credentials for access verification, so as to solve the problems above.
Summary of the invention
The technical problem to be solved is how to improve the security of user access.
To address the defects of the prior art, embodiments of the present invention provide a secure access authentication method, a user terminal and a server-side that can effectively improve the security of user access.
In a first aspect, embodiments of the present invention provide a secure access authentication method, comprising:
the user terminal sends a device registration message to the device-application relationship verification server-side to establish a device security registration relationship;
the user terminal sends an authorization request message to the device-application relationship verification server-side and, according to the device security registration relationship, establishes a security registration relationship between the application and account and the device;
the user terminal sends an application login request message to the application providing server-side;
the application providing server-side sends a message to the user terminal requiring device application verification;
the user terminal sends a device application access credential message to the application providing server-side;
the application providing server-side processes it and sends the device application access credential message to the device-application relationship verification server-side;
the device-application relationship verification server-side verifies the device application access credential message according to the application-and-account and device security registration relationship, and sends an application secure access authentication result to the application providing server-side;
the application providing server-side responds to the user terminal's application login request message according to the application secure access authentication result.
Optionally, the user terminal sending a device registration message to the device-application relationship verification server-side to establish a device security registration relationship comprises:
the user terminal and the device-application relationship verification server-side negotiate a first dynamic device verification shared code and a second dynamic device verification shared code, which are stored respectively at the user terminal and at the device-application relationship verification server-side; the device-application relationship verification server-side assigns a corresponding first dynamic device verification shared code registration ID to the first dynamic device verification shared code and a corresponding second dynamic device verification shared code registration ID to the second dynamic device verification shared code;
the device-application relationship verification server-side generates a first dynamic key identification shared code from the first dynamic device verification shared code and the second dynamic device verification shared code held at the device-application relationship verification server-side;
the device-application relationship verification server-side sends to the user terminal a dynamic device shared code verification message carrying the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID; the dynamic device shared code verification message comprises a sub message body credential of the dynamic device shared code verification message and a dynamic device shared code verification message signature;
the user terminal verifies the sub message body credential of the dynamic device shared code verification message using the first dynamic device verification shared code and the second dynamic device verification shared code held at the user terminal, verifies the dynamic device shared code verification message signature using the public key of the device-application relationship verification server, and after the verification passes generates a device registration credential;
the user terminal sends to the device-application relationship verification server-side a device registration message carrying the device registration credential, the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID;
the device-application relationship verification server-side verifies the device registration message using the first dynamic device verification shared code and the second dynamic device verification shared code that correspond, at the device-application relationship verification server-side, to the first and second dynamic device verification shared code registration IDs in the device registration message;
after the device registration message passes verification, the device-application relationship verification server-side feeds back to the user terminal a device registration confirmation message carrying the device registration verification result and the first dynamic key identification shared code.
Optionally, the device registration message comprises one or more of: a device registration credential, a first dynamic device verification shared code registration ID, and a second dynamic device verification shared code registration ID.
Optionally, the dynamic device shared code verification message comprises:
a main message body of the dynamic device shared code verification message and a dynamic device shared code verification message signature;
the main message body of the dynamic device shared code verification message comprises a sub message body of the dynamic device shared code verification message and a sub message body credential of the dynamic device shared code verification message;
the sub message body comprises the first dynamic device verification shared code registration ID, the second dynamic device verification shared code registration ID and a random salt value;
the sub message body credential of the dynamic device shared code verification message is generated from the first dynamic device verification shared code and the second dynamic device verification shared code;
the dynamic device shared code verification message signature is produced by the device-application relationship verification server signing the main message body of the dynamic device shared code verification message with its private key.
Optionally, the user terminal sending an authorization request message to the device-application relationship verification server-side and establishing, according to the device security registration relationship, a security registration relationship between the application and account and the device comprises:
the application providing server-side receives and processes the application authorization request message of the user terminal and sends it to the device-application relationship verification server-side;
the device-application relationship verification server-side generates a dynamic authorization code ciphertext according to the application authorization request message and sends it to the application providing server-side;
the application providing server-side sends the dynamic authorization code ciphertext and a randomly generated number to the user terminal in sequence;
the user terminal generates, from the dynamic authorization code and the randomly generated number, an authorization response message carrying an authorization credential and sends it to the application providing server-side; the authorization message contains the randomly generated number and the dynamic authorization code ciphertext;
the application providing server-side receives and processes the authorization response message of the user terminal and sends it to the device-application relationship verification server-side;
after the device-application relationship verification server-side has verified the authorization response message according to the device security registration relationship, it verifies the dynamic authorization code ciphertext and feeds back the application confirmation result to the user terminal through the application providing server-side.
Optionally, the device-application relationship verification server-side generating the dynamic authorization code ciphertext according to the application authorization request message comprises:
generating a dynamic authorization code according to the authorization request message;
generating a dynamic authorization key according to the authorization request message;
encrypting the dynamic authorization code with the dynamic authorization key;
sending to the application providing server-side an authorization code message that includes the dynamic authorization code ciphertext and the first dynamic key identification shared code.
Optionally, the device-application relationship verification server-side verifying the authorization response message according to the device security registration relationship, then verifying the authorization code ciphertext and feeding back the application confirmation result to the user terminal through the application providing server-side comprises:
verifying, using the device security registration relationship, whether the authorization credential in the message matches; then decrypting the authorization code ciphertext with the authorization code key held at the device security registration relationship service-side, and verifying whether the decrypted authorization code matches the authorization code issued by the device-application relationship verification server-side;
if both match, adding the relationship between the device and the application, user ID, authorized service operation and authorization time that correspond to the authorization code to the device application list.
Optionally, the method further comprises updating the device security registration relationship:
the user terminal and the device-application relationship verification server-side negotiate a third dynamic device verification shared code and a fourth dynamic device verification shared code, which are stored respectively at the user terminal and at the device-application relationship verification server-side;
the device-application relationship verification server-side generates a second dynamic key identification shared code from the third dynamic device verification shared code and the fourth dynamic device verification shared code held at the device-application relationship verification server-side;
the device-application relationship verification server-side sends to the user terminal a device update request message carrying the second dynamic key identification shared code and the first dynamic key identification shared code;
the user terminal generates a dynamic device update message from its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code, and sends it to the device-application relationship verification server-side; the dynamic device update message comprises a user terminal update registration credential, the first dynamic key identification shared code and the second dynamic key identification shared code;
the device-application relationship verification server-side verifies the dynamic device update message using the first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code held at the device-application relationship verification server-side;
the device-application relationship verification server-side generates a device update confirmation message from the third dynamic device verification shared code, fourth dynamic device verification shared code, second dynamic key identification shared code, first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code held at the device-application relationship verification server-side;
the device-application relationship verification server-side feeds back the device update registration verification result to the user terminal.
Optionally, the device-application relationship verification server-side feeding back the device update registration verification result to the user terminal comprises:
the device-application relationship verification server-side feeds back the device update confirmation message to the user terminal;
the user terminal calculates the main message body credential of the device update confirmation message from the third and fourth dynamic device verification shared codes that correspond to its second dynamic key identification shared code, calculates the sub message body credential of the device update confirmation message from the first and second dynamic device verification shared codes that correspond to its first dynamic key identification shared code, and verifies the calculated main message body credential and sub message body credential against the corresponding main message body credential and sub message body credential sent in the message;
if all verifications pass, the user terminal sets its third dynamic device verification shared code, fourth dynamic device verification shared code and the corresponding second dynamic key identification shared code to the successfully registered state;
the user terminal saves the second dynamic key identification shared code;
the user terminal sends to the device-application relationship verification server-side a device update registration message carrying a device registration credential generated from the third dynamic device verification shared code and fourth dynamic device verification shared code of the user terminal, and the second dynamic key identification shared code;
the device-application relationship verification server-side verifies the device update registration message using the third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code held at the device-application relationship verification server-side;
the device-application relationship verification server-side feeds back the device update registration verification result to the user terminal.
Optionally, the user terminal update registration credential comprises a main message body credential of the dynamic device update message and a sub message body credential of the dynamic device update message:
the sub message body credential of the dynamic device update message is calculated by the user terminal from the third dynamic device verification shared code and the fourth dynamic device verification shared code of the user terminal;
the main message body credential of the dynamic device update message is calculated by the user terminal from the first dynamic device verification shared code and the second dynamic device verification shared code of the user terminal.
Optionally, the message requiring device application verification carries a session processing ID.
Optionally, the user terminal sending the device application access credential message to the application providing server-side comprises:
generating a device application access credential message body that includes the session processing ID; calculating the device application access credential message body credential corresponding to the session processing ID;
generating the device application access credential message comprising the device application access credential message body and the device application access credential message body credential;
sending the device application access credential message to the application providing server.
Optionally, the device-application relationship verification server-side verifying the device application access credential message according to the application-and-account and device security registration relationship comprises:
using the first dynamic key identification shared code to look up the first dynamic device verification shared code and the second dynamic device verification shared code at the device-application relationship verification server;
calculating the message body credential of the device application access credential message using the first dynamic device verification shared code and the second dynamic device verification shared code;
comparing whether the calculated credential is consistent with the credential sent in the message; if the result is consistent, further checking whether the corresponding application-and-account and device security registration relationship contains an authorization relationship for the application and account requested in the message, thereby obtaining the check result.
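As an added worked example (not code from the patent), the following Python model walks through the device registration steps (registration IDs, sub message body credential, device registration credential, first dynamic key identification shared code) and the access-credential verification with its authorization-relationship check described above. It assumes HMAC-SHA256 keyed by the two shared codes as the credential function, a SHA-256 digest of both codes as the key identification shared code, shared codes handed from terminal to server instead of negotiated, the server's private-key signature omitted, and all names and sample values constructed.

```python
import hashlib
import hmac
import secrets


def credential(code1: bytes, code2: bytes, body: bytes) -> str:
    """Body credential keyed by both shared codes (HMAC-SHA256 is an assumption here)."""
    return hmac.new(code1 + code2, body, hashlib.sha256).hexdigest()


def key_identification_code(code1: bytes, code2: bytes) -> str:
    """Key identification shared code: lookup handle revealing neither code (assumed)."""
    return hashlib.sha256(b"kid|" + code1 + code2).hexdigest()[:32]


class VerificationServer:
    """Device-application relationship verification server-side."""

    def __init__(self) -> None:
        self.by_reg_id = {}   # registration ID -> shared code
        self.by_kid = {}      # key identification code -> (code1, code2)
        self.app_list = {}    # key identification code -> {(app, user_id)}

    def start_registration(self, code1: bytes, code2: bytes) -> dict:
        """Assign a registration ID per shared code and build the dynamic device shared
        code verification message (sub body + credential; signature omitted here)."""
        id1, id2, salt = secrets.token_hex(8), secrets.token_hex(8), secrets.token_hex(8)
        self.by_reg_id[id1], self.by_reg_id[id2] = code1, code2
        sub_body = f"{id1}|{id2}|{salt}".encode()
        return {"id1": id1, "id2": id2, "salt": salt,
                "sub_cred": credential(code1, code2, sub_body)}

    def confirm_registration(self, reg_msg: dict):
        """Check the device registration credential; return the key id code or None."""
        code1, code2 = self.by_reg_id.get(reg_msg["id1"]), self.by_reg_id.get(reg_msg["id2"])
        if code1 is None or code2 is None:
            return None
        body = f"register|{reg_msg['id1']}|{reg_msg['id2']}".encode()
        if not hmac.compare_digest(reg_msg["cred"], credential(code1, code2, body)):
            return None
        kid = key_identification_code(code1, code2)
        self.by_kid[kid] = (code1, code2)
        self.app_list[kid] = set()
        return kid

    def authorize(self, kid: str, app: str, user_id: str) -> None:
        """Record an application-and-account to device relationship (authorization)."""
        self.app_list[kid].add((app, user_id))

    def verify_access(self, msg: dict) -> str:
        """Look up the codes by key id, recompute the body credential, then check the
        authorization relationship for the requested application and account."""
        pair = self.by_kid.get(msg["kid"])
        if pair is None:
            return "unknown device"
        if not hmac.compare_digest(msg["cred"], credential(pair[0], pair[1], msg["body"])):
            return "credential mismatch"
        if (msg["app"], msg["user_id"]) not in self.app_list[msg["kid"]]:
            return "no authorization relationship"
        return "ok"


class UserTerminal:
    """User terminal holding its two shared codes and, once registered, its key id."""

    def __init__(self) -> None:
        # The patent negotiates the codes with the server; here the terminal draws them.
        self.code1, self.code2 = secrets.token_bytes(32), secrets.token_bytes(32)
        self.kid = None

    def registration_message(self, offer: dict) -> dict:
        """Verify the server's sub body credential, then build the registration message."""
        sub_body = f"{offer['id1']}|{offer['id2']}|{offer['salt']}".encode()
        if not hmac.compare_digest(offer["sub_cred"], credential(self.code1, self.code2, sub_body)):
            raise ValueError("server does not hold the negotiated shared codes")
        body = f"register|{offer['id1']}|{offer['id2']}".encode()
        return {"id1": offer["id1"], "id2": offer["id2"],
                "cred": credential(self.code1, self.code2, body)}

    def access_credential_message(self, session_id: str, app: str, user_id: str) -> dict:
        """Device application access credential message bound to the session processing ID."""
        body = f"{session_id}|{app}|{user_id}|{self.kid}".encode()
        return {"kid": self.kid, "app": app, "user_id": user_id,
                "body": body, "cred": credential(self.code1, self.code2, body)}


def run_flow() -> tuple:
    """Registration, one authorization, three access attempts; returns the verdicts."""
    server, device = VerificationServer(), UserTerminal()
    offer = server.start_registration(device.code1, device.code2)
    device.kid = server.confirm_registration(device.registration_message(offer))
    server.authorize(device.kid, "mail-app", "alice")  # constructed sample relationship
    good = device.access_credential_message("sess-1", "mail-app", "alice")
    other_app = device.access_credential_message("sess-2", "bank-app", "alice")
    # Same credential replayed under another session ID fails: the ID is in the body.
    replay = dict(good, body=b"sess-9|" + good["body"].split(b"|", 1)[1])
    return (server.verify_access(good), server.verify_access(other_app),
            server.verify_access(replay))
```

Calling `run_flow()` returns `('ok', 'no authorization relationship', 'credential mismatch')`; the key identification code is the only device identifier on the wire, and a terminal that knows it but not the two shared codes cannot produce a matching credential.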
In another aspect, embodiments of the present invention also provide a secure access authentication user terminal, comprising:
a device registration unit, for sending a device registration message to the device-application relationship verification server-side to establish a device security registration relationship;
an application authorization unit, for sending an authorization request message to the device-application relationship verification server-side and establishing, according to the device security registration relationship, a security registration relationship between the application and account and the device;
a login request unit, for sending an application login request message to the application providing server-side;
a security authentication request unit, for sending a device application verification request message to the device-application relationship verification server-side through the application providing server-side; the device application access credential message is generated from the message requiring device application verification that the application providing server-side sent to the login request unit;
a login unit, for responding to the login request message according to the login response result of the application providing server-side; the login response result is generated by the application providing server-side after the device-application relationship verification server-side has verified the device application access credential message according to the application-and-account and device security registration relationship.
Optionally, the device registration unit comprises:
a first dynamic device verification shared code negotiation unit, for negotiating with the device-application relationship verification server-side to generate a first dynamic device verification shared code and a second dynamic device verification shared code, which are stored respectively at the user terminal and at the device-application relationship verification server-side;
a device registration request unit, for generating and sending to the device-application relationship verification server-side a device registration message carrying a device registration credential; the device registration message comprises the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID;
the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID are the corresponding registration IDs that the device-application relationship verification server-side assigns to the first dynamic device verification shared code and the second dynamic device verification shared code and sends to the user terminal after generating them;
the device registration message is generated by the user terminal from its stored first dynamic device verification shared code and second dynamic device verification shared code together with the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID;
a device registration confirmation unit, for receiving, verifying and saving the first dynamic key identification shared code and the registration verification result of the device-application relationship verification server-side; the registration verification result is obtained by the device-application relationship verification server-side after it verifies the device registration message with the first dynamic device verification shared code and the second dynamic device verification shared code held at the device-application relationship verification server-side;
the first dynamic key identification shared code is generated by the device-application relationship verification server-side from the first dynamic device verification shared code and the second dynamic device verification shared code held at the device-application relationship verification server-side.
Optionally, the device registration message includes the device registration credential, the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID.
Optionally, the application authorization unit includes:
an application authorization request unit, configured to generate an authorization request message and send it through the application provision server to the device application relationship verification server;
an application authorization response unit, configured to generate an authorization response message and send it through the application provision server to the device application relationship verification server; the authorization response message is generated from the dynamic authorization code ciphertext and a randomly generated number and carries an authorization credential; the dynamic authorization code ciphertext is generated by the device application relationship verification server from the authorization request message and then sent through the application provision server; the randomly generated number is sent by the application provision server after it has sent the dynamic authorization code ciphertext to the user terminal;
an application authorization confirmation unit, configured to receive, verify and save the application authorization confirmation result sent by the device application relationship verification server, where the authorization confirmation result is obtained by the device application relationship verification server by first verifying the authorization response message with the first dynamic device verification shared code, the second dynamic device verification shared code and the first dynamic key identification shared code held at the device application relationship verification server, and then verifying the authorization code ciphertext.
Optionally, the login request unit further includes an application access credential unit, configured to generate a device application access credential message body, compute the device application access credential message body credential, generate a device application access credential message comprising the device application access credential message body and the device application access credential message body credential, and send the device application access credential message to the application provision server.
Optionally, the user terminal further includes a device registration update unit, comprising:
a second dynamic device verification shared code negotiation unit, configured to negotiate with the device application relationship verification server to produce a third dynamic device verification shared code and a fourth dynamic device verification shared code, which are stored respectively at the user terminal and at the device application relationship verification server;
a device update registration request unit, configured to generate a dynamic device update message carrying a device update credential and send it to the device application relationship verification server; the dynamic device update message is generated by the user terminal from the first dynamic device verification shared code, the second dynamic device verification shared code, the first dynamic key identification shared code, the third dynamic device verification shared code, the fourth dynamic device verification shared code and the second dynamic key identification shared code it stores; the second dynamic key identification shared code is generated by the device application relationship verification server from the third and fourth dynamic device verification shared codes held at the device application relationship verification server and sent to the user terminal;
a device update registration verification unit, configured to receive, verify and save the update registration verification result sent by the device application relationship verification server, where the update registration verification result is obtained by the device application relationship verification server by verifying the dynamic device update message with the first dynamic device verification shared code, the second dynamic device verification shared code, the first dynamic key identification shared code, the third dynamic device verification shared code, the fourth dynamic device verification shared code and the second dynamic key identification shared code held at the device application relationship verification server.
Optionally, the user terminal update registration credential includes a main message body credential of the dynamic device update message and a sub message body credential of the dynamic device update message:
the sub message body credential of the dynamic device update message is computed by the user terminal from the third and fourth dynamic device verification shared codes held at the user terminal;
the main message body credential of the dynamic device update message is computed by the user terminal from the first and second dynamic device verification shared codes held at the user terminal.
In another aspect, an embodiment of the invention also provides a device application relationship verification server, characterized in that it includes:
a device registration confirmation unit, configured to receive the device registration message sent by the user terminal and establish a device security registration relationship;
an application authorization confirmation unit, configured to receive the authorization request message sent by the user terminal and, according to the device security registration relationship, establish an application and account to device security registration relationship;
a security authentication request confirmation unit, configured to receive the device application access credential message sent through the application provision server; the device application access credential message is generated by the login request unit of the user terminal in response to the require-device-application-verification message sent by the application provision server;
a login response unit, configured to verify the device application access credential message according to the application and account to device security registration relationship, generate an application secure access authentication result and send it as a login response result through the application provision server; the application provision server then responds to the user terminal's login request message according to that login response result.
Optionally, the device registration confirmation unit includes:
a first dynamic device verification shared code negotiation unit, configured to negotiate with the user terminal to generate the first dynamic device verification shared code and the second dynamic device verification shared code, which are stored respectively at the user terminal and at the device application relationship verification server, and to allocate the corresponding first dynamic device verification shared code registration ID and second dynamic device verification shared code registration ID for the first and second dynamic device verification shared codes;
a first dynamic key identification shared code generation unit, configured to generate a first dynamic key identification shared code from the first and second dynamic device verification shared codes held at the device application relationship verification server and send it to the user terminal;
a device registration confirmation unit, configured to receive the device registration message sent by the user terminal, verify it with the first dynamic device verification shared code, the second dynamic device verification shared code and the first dynamic key identification shared code held at the device application relationship verification server, and send the device registration verification result to the user terminal; the device registration message is generated by the user terminal from the first and second dynamic device verification shared codes it stores together with the first and second dynamic device verification shared code registration IDs, and carries the device registration credential, the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID.
Optionally, the application authorization confirmation unit includes:
an application authorization request processing unit, configured to receive the authorization request message sent by the user terminal, generate a dynamic authorization code ciphertext from the authorization request message, and send it through the application provision server to the user terminal;
an application authorization response processing unit, configured to receive the authorization response message sent by the user terminal, verify it with the first dynamic device verification shared code, the second dynamic device verification shared code and the first dynamic key identification shared code held at the device application relationship verification server, then verify the dynamic authorization code ciphertext, generate an authorization notification message and send it through the application provision server to the user terminal; the authorization response message is generated by the user terminal from the dynamic authorization code ciphertext and the randomly generated number and carries the authorization credential; the randomly generated number is sent by the application provision server after it has sent the dynamic authorization code ciphertext to the user terminal.
Optionally, the device application relationship verification server generating the dynamic authorization code from the application authorization request message includes:
generating a dynamic authorization code from the authorization request message;
generating a dynamic authorization key from the authorization request message;
encrypting the dynamic authorization code with the dynamic authorization key;
sending the dynamic authorization code ciphertext to the application provision server.
Optionally, generating the authorization notification message includes:
verifying, against the device security registration relationship, whether the authorization credential in the message matches; then decrypting the authorization code ciphertext with the authorization code key corresponding to the device security registration relationship, and verifying whether the decrypted authorization code matches the authorization code issued by the device application relationship verification server;
if both match, adding the application, user ID, authorized service operations and authorization time corresponding to the authorization code, together with the device relationship, to the device application list.
Optionally, the login response unit further includes a login request verification unit, configured to:
use the first dynamic key identification shared code to look up the first dynamic device verification shared code and the second dynamic device verification shared code at the device application relationship verification server;
compute the message body credential of the device application access credential message using the first and second dynamic device verification shared codes;
compare the computed credential with the credential carried in the message for consistency;
if they are consistent, further check whether the device security registration relationship of the corresponding application and account holds an authorization relationship for the application and account requested in the message, so as to obtain the check result.
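The authorization notification steps above and the login request verification that follows them, as an added example in Go that is not part of the patent text or of any implementation of it. The page names no MAC or cipher, so everything concrete here is an assumption: message body credentials are HMAC-SHA256 keyed by the concatenation of the first and second dynamic device verification shared codes, the dynamic authorization code is sealed with AES-256-GCM under the dynamic authorization key, the first dynamic key identification shared code serves purely as the lookup key for a device's registration, and the application provision server's relaying and its randomly generated number are modelled as plain function arguments. Type and function names (Registration, Server, IssueAuthorization, ConfirmAuthorization, VerifyAccess), the device label "dev-01" and the "mail"/"alice" application and account are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Registration is the device security registration relationship kept per device by the verification server.
type Registration struct {
	Code1, Code2      []byte          // first and second dynamic device verification shared codes
	authCode, authKey []byte          // dynamic authorization code awaiting confirmation, and its key
	authApp           string          // "app|account" named in the authorization request message
	Authorized        map[string]bool // device application list, keyed by "app|account"
}

type Server map[string]*Registration // verification server, keyed by the first dynamic key identification shared code

// credential is the message body credential used by every message here: HMAC-SHA256 keyed by
// code1||code2 over netstring-encoded body fields (assumed construction; the patent fixes no MAC).
func credential(code1, code2 []byte, fields ...[]byte) []byte {
	m := hmac.New(sha256.New, append(append([]byte{}, code1...), code2...))
	for _, f := range fields {
		fmt.Fprintf(m, "%d:%s", len(f), f)
	}
	return m.Sum(nil)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: nothing safe to continue with
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD { // key is always 32 bytes here, so neither call can fail
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// IssueAuthorization (server): generate a dynamic authorization code and key, seal the code with
// AES-256-GCM (assumed cipher) and return the ciphertext that the application provision server relays.
func (s Server) IssueAuthorization(keyID, app, account string) ([]byte, error) {
	reg, ok := s[keyID]
	if !ok {
		return nil, errors.New("unknown key identification shared code")
	}
	reg.authCode, reg.authKey, reg.authApp = randomBytes(16), randomBytes(32), app+"|"+account
	gcm := gcmFor(reg.authKey)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, reg.authCode, nil), nil // nonce || ciphertext || tag
}

// ConfirmAuthorization (server) is the "generate authorization notification" step. The terminal's
// authorization credential is credential(code1, code2, keyID, ct, random); the server checks it, decrypts
// with the key held for this relationship, compares with the code issued, and only then records the grant.
func (s Server) ConfirmAuthorization(keyID string, ct, random, cred []byte) error {
	reg, ok := s[keyID]
	if !ok || reg.authCode == nil {
		return errors.New("no pending authorization for this device")
	}
	code, key, app := reg.authCode, reg.authKey, reg.authApp
	reg.authCode, reg.authKey = nil, nil // single use: a replayed response finds nothing to match
	if !hmac.Equal(credential(reg.Code1, reg.Code2, []byte(keyID), ct, random), cred) {
		return errors.New("authorization credential mismatch")
	}
	gcm := gcmFor(key)
	if ns := gcm.NonceSize(); len(ct) >= ns {
		if got, err := gcm.Open(nil, ct[:ns], ct[ns:], nil); err == nil && hmac.Equal(got, code) {
			reg.Authorized[app] = true
			return nil
		}
	}
	return errors.New("authorization code mismatch")
}

// VerifyAccess (server) is the login request verification: look the shared codes up by the key
// identification shared code, recompute the credential of the body (keyID, app, account), then consult the list.
func (s Server) VerifyAccess(keyID, app, account string, cred []byte) (bool, error) {
	reg, ok := s[keyID]
	if !ok {
		return false, errors.New("unknown key identification shared code")
	}
	if !hmac.Equal(credential(reg.Code1, reg.Code2, []byte(keyID), []byte(app), []byte(account)), cred) {
		return false, errors.New("access credential mismatch")
	}
	return reg.Authorized[app+"|"+account], nil
}

func main() {
	code1, code2 := randomBytes(32), randomBytes(32) // stand-ins for the negotiated shared codes
	srv := Server{"dev-01": {Code1: code1, Code2: code2, Authorized: map[string]bool{}}}
	ct, _ := srv.IssueAuthorization("dev-01", "mail", "alice")
	random := randomBytes(16) // the application provision server's randomly generated number
	fmt.Println("confirm:", srv.ConfirmAuthorization("dev-01", ct, random, credential(code1, code2, []byte("dev-01"), ct, random)))
	fmt.Println(srv.VerifyAccess("dev-01", "mail", "alice", credential(code1, code2, []byte("dev-01"), []byte("mail"), []byte("alice"))))
	fmt.Println(srv.VerifyAccess("dev-01", "mail", "bob", credential(code1, code2, []byte("dev-01"), []byte("mail"), []byte("bob"))))
}
```

The order of checks is the point: the credential is compared in constant time before anything is decrypted or looked up in the list, and the pending authorization is consumed by the first response whether or not it verifies, so a captured response cannot be replayed. The device application access credential message as sketched carries no freshness field, because the page does not describe one; a deployment would add a nonce or counter to the message body before relying on it against replay of a captured login message.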
Optionally, the device application relationship verification server further includes a device registration update confirmation unit, comprising:
a second dynamic device verification shared code negotiation unit, configured to negotiate with the user terminal to generate a third dynamic device verification shared code and a fourth dynamic device verification shared code, which are stored respectively at the user terminal and at the device application relationship verification server;
a second dynamic key identification shared code generation unit, configured to generate a second dynamic key identification shared code from the third and fourth dynamic device verification shared codes held at the device application relationship verification server and send it to the user terminal;
a device update registration request confirmation unit, configured to receive the dynamic device update message sent by the user terminal, verify it with the first dynamic device verification shared code, the second dynamic device verification shared code, the first dynamic key identification shared code, the third dynamic device verification shared code, the fourth dynamic device verification shared code and the second dynamic key identification shared code held at the device application relationship verification server to obtain an update registration confirmation message, and send that message to the user terminal; the dynamic device update message is generated by the user terminal from the first dynamic device verification shared code, the second dynamic device verification shared code, the first dynamic key identification shared code, the third dynamic device verification shared code, the fourth dynamic device verification shared code and the second dynamic key identification shared code it stores, and carries the device update registration credential.
Optionally, the user terminal update registration credential includes a main message body credential of the dynamic device update message and a sub message body credential of the dynamic device update message:
the sub message body credential of the dynamic device update message is computed by the user terminal from the third and fourth dynamic device verification shared codes held at the user terminal;
the main message body credential of the dynamic device update message is computed by the user terminal from the first and second dynamic device verification shared codes held at the user terminal.
As can be seen from the above technical solution, the secure access authentication method, user terminal and server provided by the embodiments of the invention use a double authentication of device authentication and application-and-account authorization to effectively ensure the information security of an application on the user terminal accessing the application server, and can help the professional application network management of enterprises and institutions define the boundary between application access and devices. Users can authorize devices and applications and accounts in the manner described above. The embodiments suit a self-service mode and the changeable, flexible demands of public users. On an enterprise intranet, the operations department of the enterprise can configure application-device relationships automatically on behalf of the enterprise, saving each employee the self-service authorization process and realizing boundary control of the devices that access enterprise IT. By applying an account-authorization-based access authentication mechanism to the computer or smart device that performs the access, the method of the embodiments ensures that after a password is stolen a third-party device cannot gain access because it has not been authorized, and that the system and the account holder can perceive the password leak at the first moment and remedy the security breach in time.
Description of the drawings
In order to explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow diagram of a secure access authentication method in an embodiment of the invention;
Fig. 2 is a schematic diagram of the connection relationship between the user terminal, the application provision server and the device application relationship verification server in an embodiment of the invention;
Fig. 3 is a schematic structural diagram of the user terminal in an embodiment of the invention;
Fig. 4 is a flow diagram of establishing a device security registration relationship in an embodiment of the invention;
Fig. 5 is a flow diagram of establishing a device security registration relationship in another embodiment of the invention;
Fig. 6 is a flow diagram of establishing an application and account to device security registration relationship in an embodiment of the invention;
Fig. 7 is a flow diagram of establishing an application and account to device security registration relationship in another embodiment of the invention;
Fig. 8 is a schematic diagram of the user terminal login security verification process in an embodiment of the invention;
Fig. 9 is a schematic diagram of the user terminal login security verification process in another embodiment of the invention;
Fig. 10 is a flow diagram of updating the device security registration relationship in an embodiment of the invention;
Fig. 11 is a flow diagram of updating the device security registration relationship in another embodiment of the invention;
Fig. 12 is a flow diagram of the user terminal generating a message credential in an embodiment of the invention;
Fig. 13 is a schematic structural diagram of the user terminal in an embodiment of the invention;
Fig. 14 is a schematic structural diagram of the device registration unit of the user terminal in an embodiment of the invention;
Fig. 15 is a schematic structural diagram of the application authorization unit of the user terminal in an embodiment of the invention;
Fig. 16 is a schematic structural diagram of the device registration update unit of the user terminal in an embodiment of the invention;
Fig. 17 is a schematic structural diagram of the device application relationship verification server in an embodiment of the invention;
Fig. 18 is a schematic structural diagram of the device registration confirmation unit of the device application relationship verification server in an embodiment of the invention;
Fig. 19 is a schematic structural diagram of the application authorization confirmation unit of the device application relationship verification server in an embodiment of the invention;
Fig. 20 is a schematic structural diagram of the device registration update confirmation unit of the device application relationship verification server in an embodiment of the invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the invention.
As shown in Fig. 1, an embodiment of the invention provides a secure access authentication method, comprising: the user terminal sends a device registration message to the device application relationship verification server to establish a device security registration relationship; the user terminal sends an authorization request message to the device application relationship verification server and, according to the device security registration relationship, establishes an application and account to device security registration relationship; the user terminal sends an application login request message to the application provision server; the application provision server sends a require-device-application-verification message to the user terminal; the user terminal sends a device application access credential message to the application provision server; the application provision server processes it and sends the device application access credential message to the device application relationship verification server; the device application relationship verification server verifies the device application access credential message and, according to the result, sends a device application verification result message to the application provision server; the application provision server responds to the user terminal's application login request message according to the application secure access authentication result in the device application verification result message. The secure access authentication processing method provided by the embodiment is described in detail below.
As shown in Fig. 2, the secure access authentication method of the embodiment is mainly applied in an internet system consisting of a user terminal, an application provision server and a device application relationship verification server connected by a network. The user terminal is any communication device that, when it needs to establish a secure application connection with the application provision server, must additionally pass the security authentication of a security authenticator, such as a mobile phone, a tablet (PAD), a PC, or any smart device with networking capability. The device application relationship verification server is the service device that manages the device application relationship clients on user terminals; it determines whether a device application access credential message is authorized for the account access or service access of the application client on that device and indicates the corresponding action to the application provision server; it may be realized, for example, by a server with a security authentication function. The application provision server is any server that provides the user terminal with the expected services; it uses the user device access relationship credential verification result provided by the device application relationship verification server to decide the service response finally given to the end user, for example a mail server, a password security management server, an archive information management server or a message management server.
As shown in Fig. 3, the user terminal may include an application client, a device application relationship client and an independent security unit. The application client refers to the local programs and applications that initiate the application service requests specified by the user; it is responsible for calling the API (Application Programming Interface) of the local device application relationship client to produce the user device access relationship credential and for obtaining the service while accessing the application service. The device application relationship client is the general name for all software components running on the user device that provide the user's applications with the services of initiating device access credentials, secure local encryption and decryption, verification and signing; it also provides the UI interaction with the user, is responsible for cooperating directly with the independent security unit, and conducts sessions with the device application relationship verification server to assist in or directly perform key updates. The device application relationship client is the functional entity that provides the application client with security authentication or access credential services and with encryption and decryption services. The independent security unit refers to a unit of the user terminal and its system capable of providing any one or more of trusted secure computation, secure storage and secure UI services, including a trusted computing area of a computer, an embedded system, a built-in security hardware unit and system, or a firmware unit. The independent security unit provides only the services listed above to the device application relationship client; in practice, part of these functions may be realized in the device application relationship client itself.
As shown in Fig. 4, in an embodiment of the invention, when the user terminal needs to be verified by the device application relationship verification server, it must first submit a device security registration to the device application relationship verification server so that a device security registration relationship is established between the user terminal and the device application relationship verification server. Specifically, the user terminal sending a device registration message to the device application relationship verification server to establish the device security registration relationship includes: the user terminal and the device application relationship verification server negotiate a first dynamic device verification shared code and a second dynamic device verification shared code, which are stored respectively at the user terminal and at the device application relationship verification server; the device application relationship verification server allocates a corresponding first dynamic device verification shared code registration ID for the first dynamic device verification shared code and a corresponding second dynamic device verification shared code registration ID for the second dynamic device verification shared code; the device application relationship verification server generates a first dynamic key identification shared code from the first and second dynamic device verification shared codes it holds; the device application relationship verification server sends to the user terminal a dynamic device shared code verification message carrying the first and second dynamic device verification shared code registration IDs, where the dynamic device shared code verification message includes a sub message body credential of the dynamic device shared code verification message and a signature of the dynamic device shared code verification message; the user terminal verifies the sub message body credential of the dynamic device shared code verification message with the first and second dynamic device verification shared codes it holds, verifies the signature of the dynamic device shared code verification message with the public key of the device application relationship verification server, and generates a device registration credential after the verification passes; the user terminal sends to the device application relationship verification server a device registration message carrying the device registration credential, the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID; the device application relationship verification server locates, from the first and second dynamic device verification shared code registration IDs in the device registration message, the corresponding first and second dynamic device verification shared codes held at the device application relationship verification server and verifies the device registration message with them; after the device registration message passes verification, the device application relationship verification server feeds back to the user terminal a device registration confirmation message carrying the device registration verification result and the first dynamic key identification shared code.
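The registration exchange of Fig. 4, as an added example in Go that is not part of the patent text or of any implementation of it. The two shared codes are negotiated with ECDH on P-256 through the standard library's crypto/ecdh, which the page names as the preferred algorithm; everything else is an assumption of the example: message body credentials are HMAC-SHA256 keyed by the concatenation of both shared codes, the first dynamic key identification shared code is derived as such an HMAC over a fixed label, the registration IDs are 8 random bytes each, and the signature of the dynamic device shared code verification message under the server's preset public key is not modelled. Type and function names (Codes, Server, Negotiate, RegistrationCredential, Register) and the message labels are constructed for the example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

type Codes struct{ Code1, Code2 []byte } // first and second dynamic device verification shared codes

// Server stands for the device application relationship verification server.
type Server struct {
	pending map[string]Codes // regID1|regID2 -> shared codes of a registration still in progress
	Devices map[string]Codes // first dynamic key identification shared code -> registered codes
}

// credential is the message body credential: HMAC-SHA256 keyed by code1||code2 over the body
// fields, each written netstring-style so the encoding is unambiguous (assumed; the patent fixes no MAC).
func credential(c Codes, fields ...string) []byte {
	m := hmac.New(sha256.New, append(append([]byte{}, c.Code1...), c.Code2...))
	for _, f := range fields {
		fmt.Fprintf(m, "%d:%s", len(f), f)
	}
	return m.Sum(nil)
}

// ecdhPair runs one ECDH exchange on P-256 (the patent's preferred algorithm) and returns the
// shared code as computed by the terminal and by the server; a correct run yields equal values.
func ecdhPair() (terminal, server []byte, err error) {
	t, err1 := ecdh.P256().GenerateKey(rand.Reader)
	s, err2 := ecdh.P256().GenerateKey(rand.Reader)
	if err = errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	terminal, err1 = t.ECDH(s.PublicKey()) // each side combines its own private key with the peer's public key
	server, err2 = s.ECDH(t.PublicKey())
	return terminal, server, errors.Join(err1, err2)
}

// Negotiate performs steps S21 to S26 for one device: two ECDH exchanges and allocation of the two
// registration IDs. It returns the terminal's copy of the codes plus the fields of the dynamic
// device shared code verification message (the signature under the server's preset key is not modelled).
func (s *Server) Negotiate() (term Codes, regID1, regID2 string, subCred []byte, err error) {
	var srv Codes
	if term.Code1, srv.Code1, err = ecdhPair(); err != nil {
		return
	}
	if term.Code2, srv.Code2, err = ecdhPair(); err != nil {
		return
	}
	rnd := make([]byte, 16)
	if _, err = rand.Read(rnd); err != nil {
		return
	}
	regID1, regID2 = hex.EncodeToString(rnd[:8]), hex.EncodeToString(rnd[8:])
	s.pending[regID1+"|"+regID2] = srv
	subCred = credential(srv, "shared-code-verify", regID1, regID2) // sub message body credential
	return
}

// RegistrationCredential (terminal): check the server's sub message body credential with the codes the
// terminal holds, then produce the device registration credential for the device registration message.
func RegistrationCredential(term Codes, regID1, regID2 string, subCred []byte) ([]byte, error) {
	if !hmac.Equal(credential(term, "shared-code-verify", regID1, regID2), subCred) {
		return nil, errors.New("shared code verification failed: the two sides hold different codes")
	}
	return credential(term, "device-register", regID1, regID2), nil
}

// Register (server): locate the codes by the two registration IDs, verify the credential and, on success,
// file the device under its first dynamic key identification shared code (assumed: HMAC of "key-id" under
// both codes), which the confirmation message returns. The pending entry is consumed either way.
func (s *Server) Register(regID1, regID2 string, regCred []byte) (keyID string, err error) {
	key := regID1 + "|" + regID2
	codes, ok := s.pending[key]
	if !ok {
		return "", errors.New("unknown or already used registration IDs")
	}
	delete(s.pending, key)
	if !hmac.Equal(credential(codes, "device-register", regID1, regID2), regCred) {
		return "", errors.New("device registration credential mismatch")
	}
	keyID = hex.EncodeToString(credential(codes, "key-id"))[:32]
	s.Devices[keyID] = codes
	return keyID, nil
}

func main() {
	srv := &Server{pending: map[string]Codes{}, Devices: map[string]Codes{}}
	term, id1, id2, sub, err := srv.Negotiate()
	regCred, err2 := RegistrationCredential(term, id1, id2, sub)
	if err != nil || err2 != nil {
		panic(errors.Join(err, err2))
	}
	fmt.Println(srv.Register(id1, id2, regCred)) // key identification shared code, <nil>
	fmt.Println(srv.Register(id1, id2, regCred)) // replay of the same registration message is rejected
}
```

The registration IDs travel in the clear and carry no secret; their job is to index a pending registration on the server. That is why the server deletes the entry on the first device registration message it receives for them, so a failed or replayed message cannot be retried (the anti-replay role the text assigns to the IDs), while an interrupted registration, from which no message ever arrived, keeps its entry and can be completed over a new connection.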
When it is implemented, as being equipment application relationship client registers flow chart in the embodiment of the present invention in Fig. 5.In this hair When user terminal is registered to equipment application relationship service for checking credentials end in bright embodiment, user terminal needs elder generation and equipment application relationship Session connection is established at service for checking credentials end.Specifically, equipment application relationship client and equipment application relationship service for checking credentials end are established Plaintext session or encryption session connection;It is uncommon that equipment application relationship client, which verifies session other side by preset public key cryptography, The equipment application relationship service for checking credentials end of prestige.
As shown in figure 5, the first dynamic device is negotiated at user terminal and equipment application relationship service for checking credentials end verifies shared code Shared code is verified with the second dynamic device, is respectively stored in user terminal and equipment application relationship service for checking credentials end.
Specifically, step S21 generates the shared code of the first dynamic device verifying and is respectively stored in user terminal and equipment application Relationship service for checking credentials end;In step S21, the first dynamic device, which verifies shared code, can be used ECDH algorithm, Diffie-Hel Lman Diffie-Hellman or RSA key reliable delivery.Higher calculating preferably can be obtained using ECDH algorithm to imitate Rate, shorter key length under same security level.
Step S21 requires the equipment application relationship client and the independent secure unit to jointly calculate and store the key seed information, and then to generate the final key from that seed information as the first dynamic device verification shared code.
Mode one: in step S22 the equipment application relationship client passes the public parameters of the key calculation to the independent secure unit, and the seed information of the key and the final key based on that seed information are calculated inside the independent secure unit; this approach guarantees a higher level of safety for the seed information and the key.
Mode two: in step S21 the seed information is calculated by a program running in the equipment application relationship client, which also generates the final key, i.e. the first dynamic device verification shared code; in step S22 the dynamic device verification shared code obtained from the seed information is registered into the independent secure unit. Mode two is slightly less secure than mode one, but is easier to implement.
Preferably, in a specific implementation, the seed information and the key, i.e. the first dynamic device verification shared code, are calculated and generated inside the independent secure unit. In implementation, in step S23 the equipment application relationship verification server allocates a first dynamic device verification shared code registration ID corresponding to the first dynamic device verification shared code; in the embodiment of the invention, the first dynamic device verification shared code registration ID is used to label the first dynamic device verification shared code during the user terminal's device registration process. As shown in Fig. 5, and similarly to steps S21 to S22, steps S24 to S25 generate the second dynamic device verification shared code and store it at the user terminal and at the equipment application relationship verification server respectively. At the same time, in step S26 the equipment application relationship verification server allocates a second dynamic device verification shared code registration ID. The first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID allocated in steps S23 and S26 serve two purposes, illustrated below with the first dynamic device verification shared code registration ID as the example. On the one hand, the first dynamic device verification shared code registration ID labels the current registration as unique: if verification fails during the verification process, the current registration code becomes invalid, which prevents replay attacks. On the other hand, if communication is interrupted during registration, the first dynamic device verification shared code registration ID can continue to be used over a newly established link to complete the process shown in Fig. 5, which safeguards the integrity of the communication process and adapts to changeable and complex network environments.
As shown in Fig. 5, the equipment application relationship verification server generates the first dynamic key identification shared code from the first dynamic device verification shared code and the second dynamic device verification shared code held at the equipment application relationship verification server. Specifically, when step S27 calculates the dynamic key identification shared code, it is generated by encryption with the first dynamic device verification shared code and the second dynamic device verification shared code; the encryption algorithm includes but is not limited to AES256 and AES192, preferably AES256 or a nationally certified algorithm and key strength of equivalent security level. Secure key lengths and algorithms evolve continuously with computer science; the embodiment of the present invention follows the rule that the security verification level keeps pace with the evolution of the industry and uses nationally certified algorithms. Specifically, a key identification ID allocated by the equipment application relationship verification server is encrypted with the first dynamic device verification shared code to obtain a first ciphertext, and the information obtained by encrypting the first ciphertext with the second dynamic device verification shared code is the first dynamic key identification shared code. This key identification ID, the first dynamic key identification shared code, the first dynamic device verification shared code and the second dynamic device verification shared code are bound together in a corresponding relationship. With the key identification ID held constant, the first dynamic key identification shared code changes as the first dynamic device verification shared code and the second dynamic device verification shared code change. The first dynamic device verification shared code and the second dynamic device verification shared code registered in the independent secure unit can only be used by the equipment application relationship client; programs that are not permitted cannot calculate, encrypt or verify with the keys in the independent secure unit.
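The negotiation of the two shared codes (steps S21 to S26) and the step S27 construction of the first dynamic key identification shared code, as an added example in Go that is not code from the patent. It assumes ECDH on P-256 with the raw shared secret hashed to a 32-byte key (the page only says a final key is derived from the seed), that the key identification ID is exactly one 16-byte AES block so that a single raw AES-256 block encryption is the right primitive for each layer, and that registration IDs are random 8-byte values; the key ID string is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// deriveKey turns the raw ECDH secret (the "seed information") into the final
// 32-byte key. Hashing the seed with a label is an assumption.
func deriveKey(seed []byte, label string) []byte {
	h := sha256.New()
	h.Write([]byte(label))
	h.Write(seed)
	return h.Sum(nil)
}

// negotiateSharedCode runs one ECDH exchange on P-256 and returns the key each
// side derived. Only public keys (the "open parameters") cross the wire; each
// side computes the seed from its own private key, so the seed can stay inside
// the independent secure unit (mode one of the page).
func negotiateSharedCode(label string) (clientCode, serverCode []byte, err error) {
	curve := ecdh.P256()
	clientPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serverPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	clientSeed, err := clientPriv.ECDH(serverPriv.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	serverSeed, err := serverPriv.ECDH(clientPriv.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	return deriveKey(clientSeed, label), deriveKey(serverSeed, label), nil
}

// newRegistrationID models the server allocating the registration ID that labels
// one registration attempt (steps S23 and S26); fresh per attempt, so a failed
// attempt's ID is useless for a replay.
func newRegistrationID() (string, error) {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// dynamicKeyIdentificationCode implements step S27: the key identification ID is
// encrypted with the first code and that ciphertext with the second code. The ID
// is taken to be exactly one AES block (assumption), so a raw block encryption
// suffices; longer data would need a mode of operation.
func dynamicKeyIdentificationCode(code1, code2, keyID []byte) ([]byte, error) {
	if len(keyID) != aes.BlockSize {
		return nil, fmt.Errorf("key identification id must be %d bytes", aes.BlockSize)
	}
	first, err := aes.NewCipher(code1)
	if err != nil {
		return nil, err
	}
	second, err := aes.NewCipher(code2)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	first.Encrypt(out, keyID) // first ciphertext
	second.Encrypt(out, out)  // first dynamic key identification shared code
	return out, nil
}

// recoverKeyID undoes both layers; only a holder of both codes can do this.
func recoverKeyID(code1, code2, idCode []byte) ([]byte, error) {
	if len(idCode) != aes.BlockSize {
		return nil, fmt.Errorf("identification code must be %d bytes", aes.BlockSize)
	}
	first, err := aes.NewCipher(code1)
	if err != nil {
		return nil, err
	}
	second, err := aes.NewCipher(code2)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	second.Decrypt(out, idCode)
	first.Decrypt(out, out)
	return out, nil
}

func main() {
	c1, s1, _ := negotiateSharedCode("first dynamic device verification shared code")
	c2, s2, _ := negotiateSharedCode("second dynamic device verification shared code")
	idCode, _ := dynamicKeyIdentificationCode(s1, s2, []byte("KEYID-0123456789")) // constructed 16-byte ID
	fmt.Println(hex.EncodeToString(c1) == hex.EncodeToString(s1), hex.EncodeToString(c2) == hex.EncodeToString(s2), hex.EncodeToString(idCode))
}
```

Because each layer is a single block encryption, the identification code is deterministic for a given key ID and pair of codes, and changes whenever either code is renegotiated, which is the binding the page describes; the raw-block construction must not be reused for identifiers longer than one block.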
As shown in Fig. 5, in step S28 the equipment application relationship verification server sends the user terminal a dynamic device shared code verification message carrying the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID. Specifically, the equipment application relationship verification server composes the first dynamic device verification shared code registration ID, the second dynamic device verification shared code registration ID and a random salt value into the sub message body of the dynamic device shared code verification message; using the first dynamic device verification shared code and the second dynamic device verification shared code as the key, it calculates the sub message body credential of the dynamic device shared code verification message over that sub message body; the sub message body and the sub message body credential together form the main message body of the dynamic device shared code verification message; the equipment application relationship verification server signs the main message body with its private key, the result being the signature Sig; and the main message body together with the signature Sig form the dynamic device shared code verification message, which is sent to the equipment application relationship client.
In implementation, when the credential is calculated with the first dynamic device verification shared code and the second dynamic device verification shared code as the key, a message authentication code method can be used; the algorithms include but are not limited to HMAC realised with a one-way hash function, or a message authentication code realised with a block cipher such as DES or AES, among other methods and algorithms. HMAC realised with a one-way hash function is preferred for calculating the message authentication code: it is highly compatible with commercial computing platforms, especially mobile smart platforms, its security level is widely recognised in commercial networks, and it is easy to promote in the market.
The equipment application relationship client of the user terminal verifies the signature Sig with the public key of the equipment application relationship verification server; if it verifies, the next step is entered, otherwise the message is discarded. The specific verification process is as follows: the equipment application relationship client extracts the sub message body of the dynamic device shared code verification message; it calls the independent secure unit interface to calculate the sub message body credential; the independent secure unit calculates the sub message body credential of the dynamic device shared code verification message with the first dynamic device verification shared code and the second dynamic device verification shared code stored at the user terminal; the independent secure unit returns the result to the equipment application relationship client; the equipment application relationship client compares the calculated result with the sub message body credential contained in the message; if they are consistent, the subsequent device registration flow continues, otherwise an error message is returned to the equipment application relationship verification server.
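The step S28 message and the client-side check just described, as an added example in Go that is not code from the patent. It assumes HMAC-SHA256 with the two shared codes concatenated into one key (the page says only that both codes form the key), JSON as the serialisation of the sub message body, and ECDSA on P-256 for the server signature Sig; the registration IDs and shared codes are constructed stand-ins for negotiated values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// VerifyMessage is the dynamic device shared code verification message of step
// S28: sub message body (both registration IDs and a salt), its credential, and
// the server's Sig over the main message body (sub body plus credential).
type VerifyMessage struct {
	RegID1     string `json:"reg_id_1"`
	RegID2     string `json:"reg_id_2"`
	Salt       []byte `json:"salt"`
	Credential []byte `json:"-"`
	Sig        []byte `json:"-"`
}

// subBody serialises the sub message body; JSON is an assumption, chosen so
// that field boundaries are unambiguous under the MAC.
func (m *VerifyMessage) subBody() []byte {
	b, _ := json.Marshal(m)
	return b
}

func (m *VerifyMessage) mainBody() []byte {
	return append(m.subBody(), m.Credential...)
}

// credential is HMAC-SHA256 keyed by both shared codes; concatenating them into
// one key is an assumption.
func credential(code1, code2, body []byte) []byte {
	mac := hmac.New(sha256.New, append(append([]byte{}, code1...), code2...))
	mac.Write(body)
	return mac.Sum(nil)
}

// buildVerifyMessage is the server side: credential from the codes it stores
// under the two registration IDs, then Sig with its private key.
func buildVerifyMessage(serverKey *ecdsa.PrivateKey, code1, code2 []byte, regID1, regID2 string) (*VerifyMessage, error) {
	m := &VerifyMessage{RegID1: regID1, RegID2: regID2, Salt: make([]byte, 16)}
	if _, err := rand.Read(m.Salt); err != nil {
		return nil, err
	}
	m.Credential = credential(code1, code2, m.subBody())
	digest := sha256.Sum256(m.mainBody())
	sig, err := ecdsa.SignASN1(rand.Reader, serverKey, digest[:])
	if err != nil {
		return nil, err
	}
	m.Sig = sig
	return m, nil
}

// checkVerifyMessage is the client side in the order the page gives: the preset
// server public key checks Sig first and an unsigned message is discarded before
// any key material is used; only then is the credential recomputed with the
// client's own codes and compared in constant time.
func checkVerifyMessage(serverPub *ecdsa.PublicKey, code1, code2 []byte, m *VerifyMessage) error {
	digest := sha256.Sum256(m.mainBody())
	if !ecdsa.VerifyASN1(serverPub, digest[:], m.Sig) {
		return errors.New("signature invalid: message discarded")
	}
	if !hmac.Equal(credential(code1, code2, m.subBody()), m.Credential) {
		return errors.New("credential mismatch: error message returned to server")
	}
	return nil
}

func newServerKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func randomCode() []byte { // stands in for a negotiated 32-byte shared code
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func main() {
	serverKey := newServerKey()
	code1, code2 := randomCode(), randomCode()
	m, err := buildVerifyMessage(serverKey, code1, code2, "reg-1", "reg-2")
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:", checkVerifyMessage(&serverKey.PublicKey, code1, code2, m))
	m.RegID2 = "reg-9" // altered in transit: Sig no longer covers the body
	fmt.Println("tampered:", checkVerifyMessage(&serverKey.PublicKey, code1, code2, m))
}
```

The two checks fail for different reasons and the client should keep them apart: a bad Sig means the message did not come from the pinned server and is dropped silently, while a good Sig with a bad credential means the server's copy of the codes differs from the client's, which the page answers with an error reply rather than a retry.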
After verification passes, the authentication method for the message credentials of subsequent communication is based on one of the following two modes:
Method one: realised by a method that calculates a message authentication code credential based on the first dynamic device verification shared code and the second dynamic device verification shared code. In implementation, a message authentication code MAC value is calculated over the computation object with the first dynamic device verification shared code as the key; the MAC value is then encrypted with the second dynamic device verification shared code to obtain the MAC value ciphertext corresponding to the computation object, and this MAC value ciphertext is used as the message body credential or sub message body credential. Method two: on the basis of method one, a signature with the private key of the equipment application relationship verification server is added; in implementation, the message body generated by method one and the message body credential are signed together as a whole. Using method one saves the computation and signature verification steps.
As shown in Fig. 5, the user terminal generates the device registration credential from the first dynamic device verification shared code and the second dynamic device verification shared code held at the user terminal. Specifically, in step S29 the equipment application relationship client sends the independent secure unit a request to calculate the device registration message body authentication code ciphertext; in step S210 the independent secure unit calculates the device registration message body credential with the stored first dynamic device verification shared code and second dynamic device verification shared code; step S211 returns the message body credential, and this returned result serves as the device registration credential. Steps S29, S210 and S211 preferably run in the independent secure unit.
The equipment application relationship client generates the device registration message: the client information permitted by the user, such as a timestamp, the computer equipment model or brand, and one or more further items without limitation, is combined with the first dynamic device verification shared code registration ID, the second dynamic device verification shared code registration ID and a random salt value to produce message body C. The credential of message body C is calculated with the first dynamic device verification shared code and the second dynamic device verification shared code.
Part of the plaintext of the message body, such as the random salt value, is encrypted with the encryption public key of the equipment application relationship verification server to obtain the random salt ciphertext. This ciphertext replaces the corresponding plaintext in message body C to form the final message body C1, and message body C1 together with the credential of message body C make up the device registration message. The equipment application relationship client sends the device registration message to the equipment application relationship verification server.
Once the second dynamic device verification shared code is brought into use, the threshold for brute-forcing the first dynamic device verification shared code and the second dynamic device verification shared code is substantially raised even if a hacker captures this message; this method is employed in all subsequent interactions to improve the security level. As shown in Fig. 5, the user terminal takes the message body credential returned in S211 as the device registration credential, and sends the equipment application relationship verification server a device registration message carrying the device registration credential. Specifically, the device registration message of step S212 preferably provides user-permitted client information describing the registered device, such as registration time, device type and description, location, etc.
As shown in Fig. 5, the equipment application relationship verification server uses the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID to look up the corresponding first dynamic device verification shared code and second dynamic device verification shared code at the equipment application relationship verification server, and verifies the device registration message with them. Specifically, step S213 sends a device registration confirmation message containing the first dynamic key identification shared code to the equipment application relationship client of the user terminal. Specifically, the equipment application relationship verification server looks up the corresponding first dynamic device verification shared code at the server by the first dynamic device verification shared code registration ID in the message, and the corresponding second dynamic device verification shared code by the second dynamic device verification shared code registration ID. The equipment application relationship verification server decrypts the ciphertext in the received message body C1 with its decryption private key and restores the plaintext message body; it calculates the credential of message body C with the first dynamic device verification shared code and the second dynamic device verification shared code, and checks whether the calculated credential is consistent with the credential of message body C sent in the message. If the result passes, device registration is judged successful, and the equipment application relationship verification server marks the first dynamic device verification shared code and the second dynamic device verification shared code as successfully registered.
The device registration confirmation message includes the message body of the device registration confirmation message and the device registration confirmation message body credential; the message body of the device registration confirmation message contains at least the first dynamic device verification shared code registration ID, the second dynamic device verification shared code registration ID, the registration result, the first dynamic key identification shared code and a random number. The device registration confirmation message body credential is calculated with the first dynamic device verification shared code and the second dynamic device verification shared code as the key. The equipment application relationship verification server sends the device registration confirmation message to the equipment application relationship client.
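The device registration message of steps S29 to S213 (message body C, its credential, the salt replaced by server-public-key ciphertext to give C1, and the server-side lookup and check), as an added example in Go that is not code from the patent. It assumes HMAC-SHA256 keyed by the concatenation of the two shared codes, JSON as the encoding of message body C, RSA-OAEP as the server's public key encryption of the salt, and a map keyed by registration ID as the server's store; the OAEP label, client information and shared codes are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// registrationBody is message body C; only the salt is replaced by ciphertext on
// the wire, giving C1. JSON encoding is an assumption.
type registrationBody struct {
	ClientInfo string `json:"client_info"` // user-permitted description
	RegID1     string `json:"reg_id_1"`
	RegID2     string `json:"reg_id_2"`
	Salt       []byte `json:"salt"`
}

// RegistrationMessage is C1 together with the credential computed over C.
type RegistrationMessage struct {
	ClientInfo, RegID1, RegID2 string
	SaltCiphertext             []byte // RSA-OAEP under the server's encryption public key
	Credential                 []byte
}

var oaepLabel = []byte("device-registration-salt") // constructed label

// credential is HMAC-SHA256 keyed by both codes (concatenation assumed).
func credential(code1, code2, body []byte) []byte {
	mac := hmac.New(sha256.New, append(append([]byte{}, code1...), code2...))
	mac.Write(body)
	return mac.Sum(nil)
}

// buildRegistration is the client side (steps S29 to S212): the credential is
// taken over the plaintext C, then the salt is encrypted so that only the holder
// of the private key can rebuild C and therefore check the credential.
func buildRegistration(serverEnc *rsa.PublicKey, code1, code2 []byte, clientInfo, regID1, regID2 string) (*RegistrationMessage, error) {
	body := registrationBody{ClientInfo: clientInfo, RegID1: regID1, RegID2: regID2, Salt: make([]byte, 16)}
	if _, err := rand.Read(body.Salt); err != nil {
		return nil, err
	}
	c, _ := json.Marshal(body)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverEnc, body.Salt, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &RegistrationMessage{ClientInfo: clientInfo, RegID1: regID1, RegID2: regID2,
		SaltCiphertext: ct, Credential: credential(code1, code2, c)}, nil
}

// ServerStore is the server's table of codes by registration ID plus the
// "successfully registered" flag set in step S213.
type ServerStore struct {
	Codes1, Codes2 map[string][]byte
	Registered     map[string]bool
}

// verifyRegistration is the server side: look up both codes by registration ID,
// recover the salt with the private key, rebuild C and compare credentials in
// constant time. Unknown IDs and undecryptable salts are rejected first.
func verifyRegistration(store *ServerStore, serverPriv *rsa.PrivateKey, m *RegistrationMessage) (bool, error) {
	code1, ok1 := store.Codes1[m.RegID1]
	code2, ok2 := store.Codes2[m.RegID2]
	if !ok1 || !ok2 {
		return false, errors.New("unknown registration id")
	}
	salt, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, m.SaltCiphertext, oaepLabel)
	if err != nil {
		return false, errors.New("salt ciphertext rejected")
	}
	c, _ := json.Marshal(registrationBody{ClientInfo: m.ClientInfo, RegID1: m.RegID1, RegID2: m.RegID2, Salt: salt})
	if !hmac.Equal(credential(code1, code2, c), m.Credential) {
		return false, nil
	}
	store.Registered[m.RegID1], store.Registered[m.RegID2] = true, true
	return true, nil
}

func newServerEncKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	priv := newServerEncKey()
	code1, code2 := []byte("constructed first shared code"), []byte("constructed second shared code")
	store := &ServerStore{Codes1: map[string][]byte{"reg-1": code1}, Codes2: map[string][]byte{"reg-2": code2}, Registered: map[string]bool{}}
	m, err := buildRegistration(&priv.PublicKey, code1, code2, "phone model X, 2016-08-29", "reg-1", "reg-2")
	if err != nil {
		panic(err)
	}
	ok, err := verifyRegistration(store, priv, m)
	fmt.Println("registered:", ok, err, store.Registered)
}
```

The salt being visible only as OAEP ciphertext is what gives the page's uplink guarantee: an observer of the device registration message sees C1 and the credential but cannot rebuild C, so the credential cannot be used as an offline oracle against the shared codes, and only the private-key holder can complete the check.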
Beneficial effects: through the main message body signature, the dynamic device shared code verification message lets the client judge that the message comes from a trusted equipment application relationship verification server, and through verification of the sub message body credential it confirms, in the downlink direction, that the first dynamic device verification shared code and the second dynamic device verification shared code used by the equipment application relationship verification server to generate the credential are consistent with the corresponding keys of the equipment application relationship client. The device registration message transmits the random salt value encrypted under the server's public key cryptography, so only the server possessing the private key can calculate the correct credential of the plaintext message body, which guarantees consistency in the uplink direction. Possible man-in-the-middle attacks and integrity violations during the generation of the first dynamic device verification shared code and the second dynamic device verification shared code are thereby detected and prevented.
As shown in Fig. 5, the equipment application relationship verification server feeds back the device registration verification result to the user terminal. Specifically, in step S214 the verified first dynamic key identification shared code is saved in the secure storage area provided by the independent secure unit; at the same time it is confirmed that the first dynamic device verification shared code and the second dynamic device verification shared code have been successfully registered; and the service state can be provided to the application client.
The equipment application relationship client verifies the message body credential with the first dynamic device verification shared code and the second dynamic device verification shared code; if it verifies, the equipment application relationship client requires the independent secure unit to save the dynamic key identification shared code, the device registration succeeds and the process is complete; otherwise an error is reported and the process terminates.
As shown in Fig. 6, in the embodiment of the present invention, an application-and-account and device security registration relationship is established between the application and account of the user terminal, the equipment application relationship client, and the equipment application relationship verification server; when the application client of the user terminal logs in through verification by the equipment application relationship verification server, the equipment application relationship verification server additionally provides authentication of the application-and-account and device security registration relationship. Specifically, the application client in the user terminal sends an authorization request message to the equipment application relationship verification server, and establishing the application-and-account and device security registration relationship according to the device security registration relationship includes: the application providing server receives and processes the authorization request message of the user terminal and sends it to the equipment application relationship verification server; the equipment application relationship verification server generates a dynamic authorization code ciphertext according to the authorization request message and sends it to the application providing server; the application providing server sends the dynamic authorization code ciphertext and a randomly generated number to the user terminal in sequence; the user terminal generates an authorization response message carrying an authorization credential according to the dynamic authorization code ciphertext and the randomly generated number and sends it to the application providing server, the authorization response message including the dynamic authorization code ciphertext and the randomly generated number; the application providing server receives and processes the authorization response message of the user terminal and sends it to the equipment application relationship verification server; the equipment application relationship verification server verifies the authorization response message according to the device security registration relationship, then verifies the dynamic authorization code ciphertext, and feeds back the application confirmation result to the user terminal through the application providing server.
In a specific implementation, Fig. 7 is the flow chart of establishing the application-and-account and device security registration relationship in the embodiment of the present invention. When the user terminal initiates registration of the application-and-account and device security registration relationship with the equipment application relationship verification server in the embodiment of the present invention, the user terminal, the application providing server and the equipment application relationship verification server establish session connections. The process of establishing the application-and-account and device security registration relationship between the user terminal and the equipment application relationship verification server is illustrated below with the user terminal initiating registration of a mail application-and-account and device security registration relationship with the equipment application relationship verification server.
As shown in Fig. 7, the application providing server receives and processes the application authorization request message of the user terminal and sends it to the equipment application relationship verification server. Specifically, the application client is an e-mail application client, and the application providing server is an e-mail application providing server. The e-mail application client interacts with the equipment application relationship client. In steps S31 to S32 the application authorization request message body credential is calculated with the submitted application authorization request message body as the computation object: the equipment application relationship client calculates the application authorization request message body credential by the message body credential calculation method of steps S29, S210 and S211 in Fig. 5, and returns the application authorization request message body credential to the e-mail application client through S32; the e-mail application client includes this application authorization request message body credential in the S33 authorization request message and sends it. In a specific implementation, the information in the S33 and S35 authorization request messages includes but is not limited to the application ID, the user ID, the first dynamic key identification shared code, the time limit of the authorization and supplementary authorization information such as write or login actions. The first dynamic key identification shared code is obtained by querying the API of the equipment application relationship client. In a specific implementation, the information checked and the options of step S34 can be decided by the application.
The application client obtains the dynamic key identification shared code through the API provided by the equipment application relationship client; the application client composes the authorization request message body from, without limitation, the application name or number, the application user ID, the authorized content, service provider information, the required authorization code information transfer mode and the first dynamic key identification shared code; the authorization code information transfer modes include but are not limited to wireless communication, wired fixed-network communication, short message, two-dimensional code, e-mail, etc. The application client calls the equipment application relationship client API to calculate the credential of the authorization request message body; the application client composes the device application authorization request message from the authorization request message body and the authorization request message body credential, and sends the authorization request message to the application providing server.
The application providing server performs an authorization compliance check; if it passes, the equipment application relationship verification server is required to verify the authorization, and the authorization request message is forwarded to the equipment application relationship verification server.
As shown in Fig. 7, the equipment application relationship verification server generates authorization code information carrying the dynamic authorization code ciphertext according to the application authorization request message and sends it to the application providing server. Generating the dynamic authorization code according to the application authorization request message by the equipment application relationship verification server includes: generating the dynamic authorization code according to the authorization request message; generating the authorization code key of the corresponding type according to the authorization code information transfer mode included in the authorization request message; encrypting the dynamic authorization code; and sending the authorization code message, composed of the dynamic authorization code ciphertext and the first dynamic key identification shared code, to the application providing server.
Specifically, generating the dynamic authorization code ciphertext according to the application authorization request message by the equipment application relationship verification server includes: generating the dynamic authorization code according to the authorization request message; generating the dynamic authorization key according to the authorization request message; encrypting the dynamic authorization code with the dynamic authorization key; and sending the authorization code message, which includes the dynamic authorization code ciphertext and the first dynamic key identification shared code, to the application providing server. According to the dynamic key identification shared code in the authorization request message, the equipment application relationship verification server confirms that the device sending the authorization request message is a successfully registered device, and looks up the corresponding first dynamic device verification shared code and second dynamic device verification shared code at the equipment application relationship verification server; it verifies the authorization request message body credential with the first dynamic device verification shared code and the second dynamic device verification shared code; if the calculated authorization request message body credential equals the message body credential included in the authorization request message, then, according to the required authorization information transfer mode, it allocates a corresponding authorization code key for the dynamic key identification shared code; it generates the dynamic authorization code and encrypts it with the authorization code key to produce the dynamic authorization code ciphertext M.
Specifically, the dynamic authorization code generated in step S36 is used to mark the scope of authorization and the authorization relationship of the current authorization request; the message length of the dynamic authorization code is determined by the transfer mode of the dynamic authorization code. The transfer modes of the dynamic authorization code include but are not limited to short message, two-dimensional code, e-mail, telephone, video, QQ, WeChat, etc. If short message is the information transfer mode, a shorter key is used; with a mode such as two-dimensional code or e-mail, longer information can be transmitted and AES256 encryption can be used. In step S39 the authorization code message is sent to the e-mail application providing server. In a specific implementation, the authorization code message is sent to the application providing server; since the terminal client and the application providing server already have a service agreement, it is advantageous, and the more optimal way, to have the application providing server send the authorization code ciphertext.
In the embodiment of the present invention, the authorization code is encrypted with an authorization code key uniquely corresponding to the dynamic key identification shared code, so that the authorization is valid only for the device authorization corresponding to the current dynamic key identification shared code, which prevents the authorization code from being used by an impostor. The equipment application relationship verification server composes the authorization code message from the authorization code ciphertext M and the dynamic key identification shared code and sends it to the application providing server.
As shown in Fig. 7, the application providing server sends the dynamic authorization code and the randomly generated number to the user terminal in sequence. Specifically, the application providing server sends the dynamic authorization code to the user terminal: it transmits the authorization code ciphertext M to the user according to the authorization code transfer mode and contact method selected by the application account of the current application authorization, and it sends the application client a challenge random number N to mark the current authorization action. In step S311 the authorization code information is input, including but not limited to screen UI input, camera scanning, image recognition, copy and paste from mail contents, etc. Step S312 sends the randomly generated number, which is the label the e-mail application providing server uses to manage this authorization and which also serves to challenge the client credential, the client credential being the authorization response credential. The e-mail application client obtains the authorization response credential through steps S313 and S314.
As shown in Fig. 7, the user terminal generates an authorization response message carrying the authorization response credential from the input dynamic authorization code and the received challenge random number and sends it to the application providing server; the authorization response message includes the randomly generated number and the dynamic authorization code ciphertext. Specifically, in step S315 the authorization response message is sent to the e-mail application providing server. In step S316 the e-mail application providing server records the flow state and forwards the message; in step S317 the authorization response message is forwarded to the equipment application relationship verification server.
Specifically, from the received authorization code ciphertext M, the received challenge random number N, a timestamp, the authorization code ciphertext information M and the first dynamic key identification shared code, the application client composes the authorization response message body Q and calls the equipment application relationship client API; the equipment application relationship client calls the secure unit with message body Q as the parameter to calculate the authorization response message body credential, and returns this authorization response message body credential to the application client as the credential corresponding to the authorization; the application client composes the authorization response message from message body Q and the authorization response credential of message body Q, and sends this message to the application providing server; the application providing server checks the challenge random number and, if valid, forwards the authorization response message to the equipment application relationship verification server.
As shown in Fig. 7, after the equipment application relationship verification server verifies the authorization response message according to the device security registration relationship, it verifies the authorization code ciphertext and feeds back the application confirmation result to the user terminal through the application providing server, which includes: verifying, with the device security registration relationship, whether the authorization credential in the message matches; then decrypting the authorization code ciphertext with the authorization code key of the device security registration relationship server and verifying whether the decrypted authorization code matches the authorization code allocated by the equipment application relationship verification server; and, if everything matches, adding the application, user ID, authorized service operations and authorization time corresponding to this authorization code, together with the device relationship, to the equipment application list. Specifically, in step S318 the equipment application relationship verification server uses the first dynamic device verification shared code and the second dynamic device verification shared code that correspond, at the equipment application relationship verification server, to the first dynamic key identification shared code in the message to verify whether the authorization response credential in the message matches: it compares whether the credential of the authorization response message body Q it calculates equals the credential of message body Q sent in the authorization response message; if they are equal, it verifies whether the dynamic authorization code decrypted with the authorization code key is consistent with the plaintext dynamic authorization code corresponding to the first dynamic key identification shared code; if everything matches, the e-mail application, user ID, authorized service operations and authorization time corresponding to the dynamic authorization code, together with the device relationship, are added to the secure device application list. In step S319 the equipment application relationship verification server sends an authorization notification message informing the e-mail application providing server that the authorization flow has ended.
Specifically, the application provision server checks the dynamic key identification shared code and the challenge random number, records the state of the authorization flow, and forwards the authorization response message to the device-application relationship verification server. The verification server uses the first dynamic key identification shared code in the authorization response message to look up the first dynamic device verification shared code, the second dynamic device verification shared code and the authorization code key. It computes the authorization response message body credential with the first and second dynamic device verification shared codes and compares the credential carried in the message with the computed one; if they are equal it goes on to verify the authorization code, otherwise it stops the authorization process. The verification server decrypts the authorization code ciphertext M in the message with the corresponding authorization code key and compares the plaintext with the authorization code it recorded when distributing this authorization; if they are consistent, the authorization item corresponding to this plaintext authorization code is approved and recorded in the device list entry corresponding to this first dynamic key identification shared code, and an authorization notification message is sent to the application provision server; if they are inconsistent, the relevant failure information is included in the authorization notification message sent to the application provision server.
In step S320 the e-mail application provision server forwards the authorization notification message to the e-mail application client on the user terminal. The device-application relationship client receives the authorization notification message and, after verifying the message body credential, ends the authorization flow. In step S321 the device-application relationship client verifies the authorization notification message with the device's first and second dynamic device verification shared codes; according to the result, the e-mail application client and the device-application relationship client save the successfully authorized application information, for example the e-mail account, the mail service provider and the mail service description.
Specifically, the authorization notification message consists of the challenge random number of the authorization response message and the judgement result. The application provision server generates the corresponding application behaviour according to the authorization notification message and notifies the application client of the result. When the device-application relationship client receives the authorization notification message, the authorization process for the application, the account and the device security registration relationship is complete.
As shown in Fig. 8, the detailed process by which a user terminal that has passed device registration and application and account authorization initiates a login request to the application provision server, and by which the device-application relationship verification server performs security authentication, is as follows: the user terminal sends an application login request message to the application provision server; the application provision server sends a require-device-application-verification message to the user terminal; the user terminal sends a device application access credential message to the application provision server; the application provision server processes it and sends the device application access credential message to the device-application relationship verification server; the verification server verifies the device application access credential message according to the application and account and device security registration relationship and sends a device application verification result message to the application provision server; the application provision server answers the user terminal's login request message according to the application secure access authentication result contained in the device application verification result message. The security authentication method provided by this embodiment can automatically verify application and account access requests against the device relationship, saving the user the step of manually entering a verification code. The embodiment is illustrated below with a corporate intranet code access secure login authentication process as the preferred example.
As shown in Fig. 9, the user terminal sends an application login request message to the application provision server. The application client initiates an access request to the application provision server; the application provision server determines that device-application relationship authentication is required and sends a require-device-application-verification message to the user terminal, which carries a session handling ID that marks the current verification session. Specifically, for example, the code access client sends an application login request message to the code server.
As shown in Fig. 9, the application provision server sends a require-device-application-verification message to the user terminal. Specifically, in step S42 the code server sends the require-device-application-verification message, and the application client on the user terminal invokes device security verification.
As shown in Fig. 9, the user terminal sends a device application access credential message to the application provision server. Specifically, step S43 calls the device-application relationship client API to compute the device application access credential message body credential; in step S44 the credential computed by the independent secure unit is returned to the code access application client through the device-application relationship client; in step S45 the code access client sends the device application access credential message to the code server.
Specifically, after the application client receives the require-device-application-verification message, it calls the device-application relationship client API and submits a device application access credential message body containing the first dynamic key identification shared code, the session handling ID, the timestamp, the application name, the application service provider information, the user name and similar information; the device-application relationship client generates the device application access credential message for the current request. The device application access credential message consists of the message body and the encrypted device application access credential message body credential; the message body includes, but is not limited to, the application name, the application account, application supplemental information, a random number, the timestamp, the session handling ID and the first dynamic key identification shared code. The application client calls the device-application relationship client API to compute the device application access credential message body credential; the secure unit returns the credential; the device-application relationship client passes the device application access credential message, consisting of the message body and the message body credential, to the application client; the application client sends the device application access credential message to the application provision server.
As shown in Fig. 9, the application provision server processes the device application access credential message and sends it to the device-application relationship verification server. Specifically, in step S46 the code server checks that the message is the response to the current access request, that is, whether the session handling ID is valid; in step S47, after that check, it forwards the device application access credential message to the device-application relationship verification server. In other words, after receiving the device application access credential message and checking that the session handling ID is valid, the application provision server sends the message to the device-application relationship verification server.
As shown in Fig. 9, the device-application relationship verification server verifies the device application access credential message according to the application and account and device security registration relationship, and sends a device application verification result message to the application provision server; the application provision server answers the user terminal's application login request message according to the application secure access authentication result contained in the device application verification result message. In step S48 the verification server uses the first dynamic key identification shared code in the device application access credential message to look up its corresponding first and second dynamic device verification shared codes, computes the device application access credential message body verification credential, and checks whether the device application access credential message body credential in the message is consistent with the computed one. If they are consistent, it goes on to check whether the device application list contains the account and the code application authorization requested in the message, so as to produce the judgement of whether the current application and account access comes from an authorized user terminal. In step S49 the device application verification result message is sent to the code server, and the code verification server decides whether to grant the requested service according to the result indicated in the message.
Specifically, the device-application relationship verification server receives the device application access credential message and uses the first dynamic key identification shared code to look up the first and second dynamic device verification shared codes held by the verification server. It computes the message body credential of the device application access credential message with those two shared codes and compares the computed credential with the one sent in the message. If they are consistent, it further checks whether the corresponding device holds an authorization for the application, account or behaviour, and obtains the check result. It then generates a device application verification result message containing the session handling ID, the judgement result and result supplemental information, and sends it to the application provision server; the message content includes, but is not limited to, the items listed, and the application provision server decides which specifically requested service to offer according to the result and the supplemental information in the device application verification result message.
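The access credential exchange of Fig. 9, as an added example that is not part of the patent: a device-application relationship client builds the message body and its credential, the application provision server checks the single-use session handling ID before forwarding, and the verification server recomputes the credential and consults the device application list. The HMAC-SHA256 credential, the SHA-256 key identification code, and all class, field and sample values are assumptions; the patent does not specify them.

```python
# Added example (not the patent's code): device application access credential
# flow of Fig. 9, steps S43-S49. ASSUMPTIONS: the message body credential is
# HMAC-SHA256 keyed with the two dynamic device verification shared codes over a
# canonical JSON body, and the dynamic key identification shared code is a
# SHA-256 fingerprint of those two codes; the patent fixes neither construction.
import hashlib
import hmac
import json
import secrets
import time

def credential(code_a: bytes, code_b: bytes, body: dict) -> str:
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(code_a + code_b, canon, hashlib.sha256).hexdigest()

def key_identification_code(code_a: bytes, code_b: bytes) -> str:
    return hashlib.sha256(b"key-id" + code_a + code_b).hexdigest()[:16]

class DeviceApplicationRelationshipClient:
    """User-terminal side; the two codes stand in for the independent secure unit."""
    def __init__(self, first: bytes, second: bytes):
        self._first, self._second = first, second  # never leave the secure unit
        self.key_id = key_identification_code(first, second)

    def build_access_credential_message(self, app_name, account, session_id, extra=""):
        # Body fields named in the patent: application name, account, supplemental
        # information, random number, timestamp, session handling ID, key id code.
        body = {"app_name": app_name, "account": account, "supplemental": extra,
                "nonce": secrets.token_hex(8), "timestamp": int(time.time()),
                "session_id": session_id, "key_id": self.key_id}
        return {"body": body, "credential": credential(self._first, self._second, body)}

class DeviceApplicationRelationshipVerificationServer:
    def __init__(self):
        self.shared_codes = {}             # key_id -> (first, second)
        self.device_application_list = {}  # key_id -> {(app_name, account), ...}

    def register_device(self, first: bytes, second: bytes) -> str:
        key_id = key_identification_code(first, second)
        self.shared_codes[key_id] = (first, second)
        self.device_application_list[key_id] = set()
        return key_id

    def record_authorization(self, key_id: str, app_name: str, account: str):
        """Entry written by the authorization flow of Fig. 7 (step S318)."""
        self.device_application_list[key_id].add((app_name, account))

    def verify_access_credential_message(self, message: dict) -> dict:
        """Step S48: recompute the credential, then consult the device application list."""
        body = message["body"]
        result = {"session_id": body["session_id"], "authorized": False, "info": ""}
        codes = self.shared_codes.get(body["key_id"])
        if codes is None:
            result["info"] = "unknown key identification shared code"
        elif not hmac.compare_digest(credential(*codes, body), message["credential"]):
            result["info"] = "credential mismatch"
        elif (body["app_name"], body["account"]) not in self.device_application_list[body["key_id"]]:
            result["info"] = "application/account not authorized for this device"
        else:
            result.update(authorized=True, info="device security registration relationship verified")
        return result

class ApplicationProvisionServer:
    """Issues the session handling ID (S42) and gates forwarding on it (S46/S47)."""
    def __init__(self, verifier: DeviceApplicationRelationshipVerificationServer):
        self.verifier, self.sessions = verifier, {}  # session_id -> account

    def login_request(self, account: str) -> dict:
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = account
        return {"require_device_application_verification": True, "session_id": session_id}

    def handle_access_credential_message(self, message: dict) -> dict:
        body = message["body"]
        # The session handling ID is single-use: popping it rejects a replayed message.
        if self.sessions.pop(body["session_id"], None) != body["account"]:
            return {"granted": False, "reason": "invalid session handling ID"}
        result = self.verifier.verify_access_credential_message(message)
        return {"granted": result["authorized"], "reason": result["info"]}

def run_example():
    """Constructed scenario: one registered device, authorized for one app/account."""
    verifier = DeviceApplicationRelationshipVerificationServer()
    first, second = secrets.token_bytes(32), secrets.token_bytes(32)
    verifier.record_authorization(verifier.register_device(first, second), "intranet-code-access", "alice")
    client = DeviceApplicationRelationshipClient(first, second)
    app_server = ApplicationProvisionServer(verifier)

    def attempt(account, mutate=None):
        sid = app_server.login_request(account)["session_id"]
        msg = client.build_access_credential_message("intranet-code-access", account, sid)
        if mutate:
            mutate(msg)
        return app_server.handle_access_credential_message(msg), msg

    granted, msg = attempt("alice")
    replayed = app_server.handle_access_credential_message(msg)  # same session ID again
    unauthorized, _ = attempt("bob")  # valid credential, but no authorization recorded
    tampered, _ = attempt("alice", lambda m: m["body"].update(supplemental="edited in transit"))
    return granted, replayed, unauthorized, tampered
```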
As shown in Fig. 10, in the embodiment of the present invention, in order to further ensure the security of communication between the user terminal and the application provision server, a life cycle is set for the device security registration relationship, and after the life cycle expires the device security registration relationship must be updated. The specific process for updating the device security registration relationship is as follows: the user terminal and the device-application relationship verification server negotiate a third dynamic device verification shared code and a fourth dynamic device verification shared code, stored respectively at the user terminal and the verification server; the verification server generates a second dynamic key identification shared code from its third and fourth dynamic device verification shared codes; the verification server sends the user terminal a require-device-update message carrying the second dynamic key identification shared code and the first dynamic key identification shared code; the user terminal generates a dynamic device update message from its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code, and sends it to the verification server; the dynamic device update message contains the user terminal update registration credential, the first dynamic key identification shared code and the second dynamic key identification shared code; the verification server verifies the dynamic device update message with its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code; the verification server generates a device update confirmation message from its third dynamic device verification shared code, fourth dynamic device verification shared code, second dynamic key identification shared code, first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code; and the verification server feeds back the device update registration verification result to the user terminal.
As shown in Fig. 11, in the embodiment of the present invention the shared code update process is, for maintainability and as an update initiated by the automated system side, initiated by the device-application relationship verification server: the verification server sets a life cycle for every successfully registered pair of first and second dynamic device verification shared codes, and before that life cycle is exhausted it starts the update process for the first dynamic device verification shared code, the second dynamic device verification shared code and the dynamic key identification shared code. Preferably, the shared code update process is initiated from the verification server side so that the system can detect attacks and has robust security.
As shown in Fig. 11, the user terminal and the device-application relationship verification server negotiate a third dynamic device verification shared code and a fourth dynamic device verification shared code, stored respectively at the user terminal and the verification server. In step S71 the verification server and the device-application relationship client generate the third dynamic device verification shared code; in step S72 the third dynamic device verification shared code is registered in the independent secure unit; in step S73, in the same way as step S71, the fourth dynamic device verification shared code is generated; in step S74 the fourth dynamic device verification shared code is registered in the independent secure unit.
As shown in Fig. 11, the verification server generates the second dynamic key identification shared code from its third and fourth dynamic device verification shared codes. Specifically, in step S75 the verification server computes the second dynamic key identification shared code from the new third and fourth dynamic device verification shared codes.
As shown in Fig. 11, the verification server sends the user terminal a require-device-update message carrying the second dynamic key identification shared code. Specifically, in step S76 the verification server composes the message body of the require-device-update message from the server random number U, the first dynamic key identification shared code and the second dynamic key identification shared code, signs the message body with the verification server's private key, forms the require-device-update message from the body and the signature, and sends it to the device-application relationship client.
Specifically, the verification server generates the require-device-update message, whose message body contains at least the server random number U, the current first dynamic key identification shared code and the second dynamic key identification shared code, together with a signature over the message body made with the verification server's private key; the verification server sends the require-device-update message to the device-application relationship client.
As shown in Fig. 11, the user terminal generates a dynamic device update message from its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code, and sends it to the verification server. Specifically, the device-application relationship client verifies the signature of the require-device-update message with the preset verification server public key. The dynamic device update message is built in steps S77 and S78: the user terminal update registration credential consists of the dynamic device update message main message body credential and the dynamic device update message sub message body credential; the sub message body credential is computed by the user terminal with its third and fourth dynamic device verification shared codes, and the main message body credential is computed with its first and second dynamic device verification shared codes. In step S77 the device-application relationship client composes the sub message body of the dynamic device update message from the server random number U, the timestamp, a sub message random number, the first dynamic key identification shared code and the second dynamic key identification shared code, and computes the sub message body credential with the third and fourth dynamic device verification shared codes. In step S78 the sub message body, the sub message body credential and a main message random number form the main message body of the device update message, and the main message body credential is computed with the current first and second dynamic device verification shared codes. In step S79 the device-application relationship client forms the dynamic device update message from the main message body and the main message body credential and sends it to the verification server.
Specifically, the device-application relationship client verifies the signature of the require-device-update message with the verification server's public key; if it passes, the update process below continues, otherwise the message is discarded. The client generates the dynamic device update message as follows: it composes the sub message body from the server random number U, the timestamp, the sub message random number, the first dynamic key identification shared code and the second dynamic key identification shared code; computes the sub message body credential with the third and fourth dynamic device verification shared codes; forms the main message body from the sub message body, the sub message body credential and the main message random number; computes the main message body credential with the first and second dynamic device verification shared codes; and sends the dynamic device update message, consisting of the main message body and the main message body credential, to the verification server.
As shown in Fig. 11, the verification server verifies the dynamic device update message with its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code. In step S710 it uses the first and second dynamic device verification shared codes corresponding to the first dynamic key identification shared code to compute the main message body credential of the dynamic device update message and compares it with the corresponding credential sent in the message. In step S711 it uses the third and fourth dynamic device verification shared codes corresponding to the second dynamic key identification shared code to compute the sub message body credential of the dynamic device update message and checks whether it is consistent with the sub message credential contained in the message. If both are consistent the process below continues, otherwise the message is discarded; this verification shows that the sender holds both the first dynamic key identification shared code and the second dynamic key identification shared code, that is, both pairs of shared codes they identify.
Specifically, the verification server receives the dynamic device update message and uses the current first and second dynamic device verification shared codes corresponding to the current dynamic key identification shared code to compute the message body credential of the dynamic device update message, comparing it with the main message body credential sent in the message; if they are consistent the process continues, otherwise the message is discarded. It then computes the sub message body credential of the dynamic device update message with the third and fourth dynamic device verification shared codes and compares it with the sub message body credential sent in the dynamic device update message; if they are consistent the new shared codes are successfully registered, otherwise the message is discarded.
In step S712 the verification server composes the sub message body of the device update confirmation message from a random number, the first dynamic key identification shared code and the second dynamic key identification shared code, and computes the sub message body credential of the device update confirmation message with the first and second dynamic device verification shared codes.
In step S713 the verification server forms the main message body of the device update confirmation message from the sub message body, the sub message body credential and a main message random number, and computes the main message body credential of the device update confirmation message with the third and fourth dynamic device verification shared codes.
As shown in Fig. 11, the verification server feeds back the device update registration verification result to the user terminal as follows: the verification server feeds back the device update confirmation message to the user terminal; the user terminal computes the main message body credential of the device update confirmation message with the third and fourth dynamic device verification shared codes corresponding to its second dynamic key identification shared code, computes the sub message body credential with the first and second dynamic device verification shared codes corresponding to its first dynamic key identification shared code, and compares the computed main and sub message body credentials with the corresponding main and sub message body credentials sent in the message; if both verifications pass, the user terminal sets its third dynamic device verification shared code, fourth dynamic device verification shared code and corresponding second dynamic key identification shared code to the successfully registered state; the user terminal saves the second dynamic key identification shared code; the user terminal sends the verification server a device update registration message carrying the device registration credential generated with its third and fourth dynamic device verification shared codes and the second dynamic key identification shared code; the verification server verifies the device update registration message with its third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code; and the verification server feeds back the device update registration verification result to the user terminal. Specifically, in step S714 the device update confirmation message is generated: in implementation, the main message body credential of the device update confirmation message is computed over the main message body with the third and fourth dynamic device verification shared codes, and the device update confirmation message is formed from the main message body and the main message body credential.
Specifically, the verification server generates the device update confirmation message. The sub message body of the device update confirmation message consists of the sub message random number, the timestamp, the first dynamic key identification shared code and the second dynamic key identification shared code, and its sub message body credential is computed with the first and second dynamic device verification shared codes; the verification server forms the main message body of the device update confirmation message from the sub message body, the sub message body credential and the main message random number, and computes the main message body credential with the third and fourth dynamic device verification shared codes. The main message body and the main message body credential together form the device update confirmation message. The verification server sends the device update confirmation message to the device-application relationship client.
In step S714 the verification server sends the device update confirmation message to the device-application relationship client. In a specific implementation, the device-application relationship client checks that the second dynamic key identification shared code is correct; computes the main message body credential of the device update confirmation message with the corresponding third and fourth dynamic device verification shared codes and compares it with the main message body credential sent in the device update confirmation message; if they are consistent it continues, otherwise it discards the message; it then computes the sub message body credential with the first and second dynamic device verification shared codes and compares it with the sub message body credential sent in the device update confirmation message; if both checks pass, the device-application relationship client sets the third and fourth dynamic device verification shared codes to the successfully registered state.
Step S715: the device-application relationship client adopts the third dynamic device verification shared code, the fourth dynamic device verification shared code and the second dynamic key identification shared code as its current verification shared codes and key identifier, and generates a device update registration message. The message body of the device update registration message carries a client random number, a timestamp and the second dynamic key identification shared code, and its message body credential is computed with the third and fourth dynamic device verification shared codes; the client sends the message to the device-application relationship verification server.
Step S716: the device-application relationship client sets the second dynamic key identification shared code as its current key identification shared code and stores it in the personal security unit. Once the device-application relationship verification server has verified the device update registration message, it adopts, on the server side, the third dynamic device verification shared code, the fourth dynamic device verification shared code and the second dynamic key identification shared code as the current first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code, respectively, for all subsequent verification. Step S717: the device-application relationship verification server sends a device update end message to the device-application relationship client. This message confirms that both the device-application relationship verification server and the device-application relationship client have switched to the new shared codes as the source of verification authority, and the update process ends.
Specifically, the device-application relationship verification server uses the second dynamic key identification shared code carried in the message to look up the corresponding third and fourth dynamic device verification shared codes, computes the message body credential with them and compares it with the message body credential carried in the device update registration message. After the comparison succeeds, it sets the second dynamic key identification shared code and the corresponding third and fourth dynamic device verification shared codes as the current verification shared codes, and sends the device update end message to the device-application relationship client. The device update end message contains the current first dynamic key identification shared code and a random number, and its message body credential is computed with the third and fourth dynamic device verification shared codes. On receiving the device update end message, the device-application relationship client checks the current key identification shared code, recomputes the message body credential of the device update end message with the third and fourth dynamic device verification shared codes and compares it with the credential carried in the message. Once this check passes, both the device-application relationship verification server and the device-application relationship client have completed the switch to the third and fourth dynamic device verification shared codes and the new second dynamic key identification shared code as the source of verification authority, and the update process ends.
As shown in Fig. 3 and Fig. 12, the generation of the various authentication credentials for client messages in the embodiment of the present invention proceeds as follows, taking one kind of message as an example. Step S81: the application client requests the current first dynamic key identification shared code from the device-application relationship client. Step S82: the device-application relationship client returns the first dynamic key identification shared code to the application client. Step S83: the application client submits the message body to the device-application relationship client and requests computation of the message body credential; the message body is a message sequence composed of fields including, but not limited to, the related application name or ID, the user ID or user name, the service type being accessed, the session processing ID, supplemental information specified by the application, and a challenge random number. Step S84: the device-application relationship client submits the message body to the personal security unit. Step S85: the personal security unit computes the message credential with the first dynamic device verification shared code corresponding to the device-application relationship client. Step S86: the personal security unit then computes the credential with the corresponding second dynamic device verification shared code. Step S87: the personal security unit returns the credential to the device-application relationship client. Step S88: the device-application relationship client returns the credential to the application client.
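The two-key credential computation of steps S81 to S88 and the double-signed device update confirmation message checked in step S714 can be illustrated together. The following Python is an added example, not code from the patent: the patent does not fix a MAC algorithm, so the "message body credential" is assumed here to be HMAC-SHA256 under the first verification shared code followed by HMAC-SHA256 of that result under the second, and the field names, the JSON canonical encoding, the function names and the sample key material are all assumptions made for the example. The client-side check shows why the double signature matters: a party that knows only the old codes cannot produce a valid main credential, and a party that knows only the new codes cannot produce a valid sub credential, so the confirmation is accepted only when both pairs were held by the same server.

```python
"""Two-key message credentials (S81-S88) and the double-signed device update
confirmation message (S714). Added example; the MAC construction is an
assumption, the patent text does not specify one."""
import hashlib
import hmac
import json
import os
import time


def canonical(body: dict) -> bytes:
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def message_credential(code_a: bytes, code_b: bytes, body: dict) -> str:
    """Assumed construction: HMAC-SHA256 under the first verification shared
    code, then HMAC-SHA256 of that digest under the second (mirrors S85/S86)."""
    inner = hmac.new(code_a, canonical(body), hashlib.sha256).digest()
    return hmac.new(code_b, inner, hashlib.sha256).hexdigest()


def credential_matches(code_a: bytes, code_b: bytes, body: dict, received: str) -> bool:
    return hmac.compare_digest(message_credential(code_a, code_b, body), received)


# S81-S88: the personal security unit maps each key identification shared code
# to the pair (first, second) of dynamic device verification shared codes.
def application_message_credential(secure_unit: dict, key_id: str, body: dict) -> str:
    first, second = secure_unit[key_id]
    return message_credential(first, second, body)


# Server side: device update confirmation message (text preceding S714).
# old_codes = (first, second) verification shared codes, new_codes = (third, fourth).
def build_update_confirmation(old_key_id: str, old_codes: tuple,
                              new_key_id: str, new_codes: tuple) -> dict:
    sub_body = {
        "sub_nonce": os.urandom(8).hex(),
        "timestamp": int(time.time()),
        "key_id_1": old_key_id,  # first dynamic key identification shared code
        "key_id_2": new_key_id,  # second dynamic key identification shared code
    }
    sub_cred = message_credential(old_codes[0], old_codes[1], sub_body)
    main_body = {"sub_body": sub_body, "sub_cred": sub_cred,
                 "main_nonce": os.urandom(8).hex()}
    main_cred = message_credential(new_codes[0], new_codes[1], main_body)
    return {"main_body": main_body, "main_cred": main_cred}


# Client side: the S714 checks. True means the third/fourth codes may be marked
# "registration succeeded"; False means the message is discarded.
def verify_update_confirmation(msg: dict, old_key_id: str, old_codes: tuple,
                               new_key_id: str, new_codes: tuple) -> bool:
    main_body = msg.get("main_body", {})
    sub_body = main_body.get("sub_body", {})
    # the key identifiers must be the ones this client negotiated
    if sub_body.get("key_id_1") != old_key_id or sub_body.get("key_id_2") != new_key_id:
        return False
    # outer credential: the sender holds the newly negotiated codes
    if not credential_matches(new_codes[0], new_codes[1], main_body, msg.get("main_cred", "")):
        return False
    # inner credential: the update is bound to the currently registered codes
    if not credential_matches(old_codes[0], old_codes[1], sub_body, main_body.get("sub_cred", "")):
        return False
    return True


if __name__ == "__main__":
    # constructed sample key material; real codes come from the negotiation step
    old, new = (b"k1" * 16, b"k2" * 16), (b"k3" * 16, b"k4" * 16)
    confirmation = build_update_confirmation("KID-1", old, "KID-2", new)
    print("client accepts:", verify_update_confirmation(confirmation, "KID-1", old, "KID-2", new))
    body = {"app": "mail", "user": "alice", "service": "login",
            "session": "s-42", "challenge": os.urandom(8).hex()}
    print("access credential:", application_message_credential({"KID-1": old}, "KID-1", body))
```

The nonces and the timestamp in the sub message body are what distinguish one confirmation from another; in a deployment the client should also reject a timestamp outside its acceptance window, which the example leaves to the caller.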
To further embody the advantages of the secure access authentication method provided by the embodiments of the present invention, the embodiments also provide a user terminal that uses the above method. As shown in Fig. 13, the user terminal includes: a device registration unit, which sends a device registration message to the device-application relationship verification server to establish a device security registration relationship; an application authorization unit, which sends an authorization request message to the device-application relationship verification server and establishes, on the basis of the device security registration relationship, an application-and-account to device security registration relationship; a security authentication request unit, which sends a device application access credential message through the application-providing server to the device-application relationship verification server, the device application access credential message being generated from the device application verification message that the application-providing server sends to the login request unit; and a login unit, which handles the application login request message according to the application login response message from the application-providing server, the application login response message being generated by the application-providing server according to the result of the device-application relationship verification server's verification of the device application access credential message. The secure access authentication user terminal provided by the embodiments of the present invention is described in detail below. The working principle and flow of the user terminal are the same as those of the secure access authentication method described above; reference may be made to that method, and the details are not repeated here.
As shown in Fig. 14, the device registration unit includes: a first dynamic device verification shared code negotiation unit, which negotiates the first dynamic device verification shared code and the second dynamic device verification shared code with the device-application relationship verification server, the codes being stored respectively in the user terminal and in the device-application relationship verification server; a device registration request unit, which generates a device registration message carrying the device registration credential and sends it to the device-application relationship verification server, the device registration message being generated from the first and second dynamic device verification shared codes stored in the user terminal; and a device registration confirmation unit, which receives, verifies and saves the registration verification result from the device-application relationship verification server, the registration verification result being obtained after the server verifies the device registration message with its own first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code. The first dynamic key identification shared code is generated by the device-application relationship verification server from the first and second dynamic device verification shared codes held on the server side and is sent to the user terminal. The device registration message includes the device registration credential, the registration time, the device type and description, and the device location.
As shown in Fig. 15, the application authorization unit includes: an application authorization request unit, which generates an authorization request message and sends it through the application-providing server to the device-application relationship verification server; an application authorization response unit, which generates an authorization response message and sends it through the application-providing server to the device-application relationship verification server, the authorization response message being generated from the dynamic authorization code ciphertext and a random number and carrying an authorization response credential, where the dynamic authorization code ciphertext is generated by the device-application relationship verification server from the application authorization request message and forwarded by the application-providing server, and the random number is sent by the application-providing server to the user terminal after it sends the dynamic authorization code ciphertext; and an application authorization confirmation unit, which receives, verifies and saves the application authorization confirmation result from the device-application relationship verification server, the confirmation result being obtained after the server verifies the authorization response message with its first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code and then verifies the authorization code ciphertext.
The login request unit of the secure access authentication user terminal further includes an application access credential unit, which generates the device application access credential message body, computes the device application access credential message body credential, assembles the device application access credential message from the message body and the message body credential, and sends the device application access credential message to the application-providing server.
As shown in Fig. 16, the secure access authentication user terminal further includes a device registration update unit, which includes: a second dynamic device verification shared code negotiation unit, which negotiates the third dynamic device verification shared code and the fourth dynamic device verification shared code with the device-application relationship verification server, the codes being stored respectively in the user terminal and in the server; a device update registration request unit, which generates a dynamic device update message carrying the device update registration credential and sends it to the device-application relationship verification server, the dynamic device update message being generated by the user terminal from the first dynamic device verification shared code, the second dynamic device verification shared code, the first dynamic key identification shared code, the third dynamic device verification shared code, the fourth dynamic device verification shared code and the second dynamic key identification shared code stored in the user terminal, where the second dynamic key identification shared code is generated by the server from the third and fourth dynamic device verification shared codes held on the server side and sent to the user terminal; and a device update registration confirmation unit, which receives, verifies and saves the update registration verification result from the device-application relationship verification server, the result being obtained after the server verifies the dynamic device update message with its first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code. The device update registration credential of the user terminal consists of the main message body credential and the sub message body credential of the dynamic device update message: the sub message body credential is computed by the user terminal with its third and fourth dynamic device verification shared codes, and the main message body credential is computed by the user terminal with its first and second dynamic device verification shared codes.
To further embody the advantages of the secure access authentication method provided by the embodiments of the present invention, the embodiments also provide a server side that uses the above method. As shown in Fig. 17, the device-application relationship verification server includes: a device registration confirmation unit, which receives the device registration message sent by the user terminal and establishes the device security registration relationship; an application authorization confirmation unit, which receives the authorization request message sent by the user terminal and establishes, on the basis of the device security registration relationship, the application-and-account to device security registration relationship; a security authentication request confirmation unit, which receives the device application verification request message sent by the application-providing server, the device application access credential message having been generated from the device application verification request message that the application-providing server sent to the login request unit; and a secure access authentication confirmation unit, which produces the device application verification result message after verifying the device application access credential message, on the basis of which the application-providing server sends the application login response message, and the user terminal handles the login request according to that response. The working principle and flow of the server that verifies application access by means of the application-and-account to device security registration relationship are the same as those of the secure access authentication method described above; reference may be made to that method, and the details are not repeated here.
As shown in Fig. 18, the device registration confirmation unit includes: a first dynamic device verification shared code negotiation unit, which negotiates the first and second dynamic device verification shared codes with the user terminal, stores them respectively in the user terminal and in the device-application relationship verification server, and allocates a first dynamic device verification shared code registration ID and a second dynamic device verification shared code registration ID for the two codes; a first dynamic key identification shared code generation unit, which generates the first dynamic key identification shared code from the server's first and second dynamic device verification shared codes and sends it to the user terminal; and a device registration verification unit, which receives the device registration message sent by the user terminal, verifies it with the server's first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code, and returns the device registration verification result to the user terminal. The device registration message is generated from the first and second dynamic device verification shared codes stored in the user terminal and carries the device registration credential together with the first and second dynamic device verification shared code registration IDs.
As shown in Fig. 19, the application authorization confirmation unit includes: an application authorization request processing unit, which receives the authorization request message sent by the user terminal, generates the dynamic authorization code ciphertext from the application authorization request message and sends it to the user terminal through the application-providing server; and an application authorization response processing unit, which receives the authorization response message sent by the user terminal, verifies it with the server's first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code, then verifies the dynamic authorization code ciphertext, and generates an authorization notification message that is sent to the user terminal through the application-providing server. The authorization response message is generated by the user terminal from the dynamic authorization code ciphertext and a random number and carries the authorization response credential; the random number is sent by the application-providing server to the user terminal after the dynamic authorization code ciphertext. Specifically, generating the dynamic authorization code ciphertext from the application authorization request message includes: generating a dynamic authorization code from the authorization request message; generating a dynamic authorization key from the authorization request message; encrypting the dynamic authorization code with the dynamic authorization key; and sending the dynamic authorization code ciphertext to the application-providing server. Generating the authorization notification message includes: checking whether the authorization credential in the message matches the device security registration relationship; then decrypting the authorization code ciphertext with the authorization code key that belongs to that device security registration relationship and checking whether the decrypted authorization code matches the authorization code issued by the device-application relationship verification server; and, if both checks pass, adding the application, user ID, authorized service operations and authorization time corresponding to the authorization code to the device-application relationship list.
The login response unit of the device-application relationship verification server further includes a login request verification unit, which uses the first dynamic key identification shared code to look up the first and second dynamic device verification shared codes in the device-application relationship verification server, computes the message body credential of the device application access credential message with them, and compares the computed credential with the credential carried in the message; if they match, it further checks whether the corresponding application-and-account to device security registration relationship contains an authorization relationship for the application and account requested in the message, and thereby obtains the verification result.
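The authorization exchange of Fig. 19 and the login-time check of the login request verification unit share one server-side state: the device's registered shared codes and the device-application relationship list. The Python below is an added example covering both passages; it is not the patent's code. The two-key HMAC credential, the cipher used for the dynamic authorization code (an HMAC-derived keystream with an encrypt-then-MAC tag, standing in for an AEAD such as AES-GCM that the patent does not name), the class and function names, the message field names and the sample values are all assumptions. The terminal never learns the authorization code in plaintext: it echoes the ciphertext back under its own device credential, and the server decrypts with the key it issued for that device and compares. A second device, a replay of a consumed response, or a tampered message body all fail, and a login access credential is accepted only after the authorization relationship has been recorded.

```python
"""Dynamic authorization code exchange (Fig. 19) and the login-time access
credential check. Added example; the MAC and cipher are stand-ins the patent
text does not specify."""
import hashlib
import hmac
import json
import os
import secrets
import time


def canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def message_credential(code_a: bytes, code_b: bytes, body: dict) -> str:
    """Assumed two-key HMAC-SHA256 chain under the device's first and second
    dynamic device verification shared codes."""
    inner = hmac.new(code_a, canonical(body), hashlib.sha256).digest()
    return hmac.new(code_b, inner, hashlib.sha256).hexdigest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for an AEAD (use AES-GCM in production): HMAC-derived keystream
    XOR plaintext, then an HMAC tag over nonce||ciphertext (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    stream = hmac.new(key, nonce + b"enc", hashlib.sha256).digest()
    assert len(plaintext) <= len(stream), "stand-in cipher handles short codes only"
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify under key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    stream = hmac.new(key, nonce + b"enc", hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


class VerificationServer:
    """Device-application relationship verification server (hypothetical name)."""

    def __init__(self):
        self.devices = {}     # key identification shared code -> (first, second) codes
        self.pending = {}     # (key_id, app, user) -> (dynamic auth code, dynamic auth key)
        self.authorized = []  # application-and-account to device relationship list

    def register_device(self, key_id: str, codes: tuple) -> None:
        self.devices[key_id] = codes

    def handle_authorization_request(self, req: dict) -> bytes:
        """Generate the dynamic authorization code and key; return the ciphertext
        that the application-providing server forwards to the terminal."""
        auth_code, auth_key = secrets.token_hex(8), os.urandom(32)
        self.pending[(req["key_id"], req["app"], req["user"])] = (auth_code, auth_key)
        return seal(auth_key, auth_code.encode())

    def _device_credential_ok(self, msg: dict) -> bool:
        codes = self.devices.get(msg["body"].get("key_id"))
        if codes is None:
            return False  # unknown key identification shared code
        expected = message_credential(codes[0], codes[1], msg["body"])
        return hmac.compare_digest(expected, msg.get("cred", ""))

    def handle_authorization_response(self, resp: dict) -> bool:
        """Verify the response credential, then the echoed ciphertext; on success
        record application, user, operations and time in the relationship list."""
        if not self._device_credential_ok(resp):
            return False
        body = resp["body"]
        entry = self.pending.pop((body["key_id"], body["app"], body["user"]), None)
        if entry is None:
            return False  # nothing outstanding for this device/app/user, or already used
        auth_code, auth_key = entry
        decrypted = open_sealed(auth_key, bytes.fromhex(body["auth_ct"]))
        if decrypted is None or not hmac.compare_digest(decrypted, auth_code.encode()):
            return False
        self.authorized.append({"key_id": body["key_id"], "app": body["app"],
                                "user": body["user"], "ops": body["ops"],
                                "time": int(time.time())})
        return True

    def verify_access_credential(self, msg: dict) -> bool:
        """Login-time check: credential under the registered codes, then the
        application-and-account authorization relationship must exist."""
        if not self._device_credential_ok(msg):
            return False
        b = msg["body"]
        return any(e["key_id"] == b["key_id"] and e["app"] == b["app"]
                   and e["user"] == b["user"] for e in self.authorized)


def terminal_message(key_id: str, codes: tuple, **fields) -> dict:
    """User terminal side: a message body plus its credential under (first, second)."""
    body = dict(fields, key_id=key_id, nonce=os.urandom(8).hex())
    return {"body": body, "cred": message_credential(codes[0], codes[1], body)}
```

Usage: after `register_device`, call `handle_authorization_request` for the (device, app, user) triple, hand the returned ciphertext to the terminal, build the response with `terminal_message(key_id, codes, app=..., user=..., ops=[...], auth_ct=ct.hex())`, and feed it to `handle_authorization_response`; from then on a `terminal_message(key_id, codes, app=..., user=..., service=...)` passes `verify_access_credential`. The pending entry is consumed on first use, so the same response cannot be replayed.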
As shown in Fig. 20, the device-application relationship verification server further includes a device registration update confirmation unit, which includes: a second dynamic device verification shared code negotiation unit, which negotiates the third and fourth dynamic device verification shared codes with the user terminal and stores them respectively in the user terminal and in the server; a second dynamic key identification shared code generation unit, which generates the second dynamic key identification shared code from the server's third and fourth dynamic device verification shared codes and sends it to the user terminal; and a device update registration request confirmation unit, which receives the dynamic device update message sent by the user terminal, verifies it with the server's first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code, obtains the device update confirmation message and sends it to the user terminal. The dynamic device update message is generated by the user terminal from the first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code stored in the user terminal, and carries the device update registration credential. The device update registration credential of the user terminal consists of the main message body credential and the sub message body credential of the dynamic device update message: the sub message body credential is computed by the user terminal with its third and fourth dynamic device verification shared codes, and the main message body credential is computed by the user terminal with its first and second dynamic device verification shared codes.
In implementation, the present invention has the capacity to extend the device security registration relationship. The embodiments of the present invention add a second dynamic device verification shared code to the verification based on the first dynamic device verification shared code; by analogy, the same method can be extended to generate a fifth dynamic device verification shared code, raising the number of devices that can be managed while leaving the overall technique and flow unchanged. In a specific implementation, the fifth dynamic device verification shared code can be used as a key to re-encrypt the credential computed from the first and second dynamic device verification shared codes; the first dynamic key identification shared code then corresponds to the first, second and fifth dynamic device verification shared codes. The above embodiments use only the first and second dynamic device verification shared codes as a preferred illustration; it should be understood that the present invention is not limited to this, and embodiments that verify with other numbers of dynamic device verification shared codes, for example one, three or five, can also implement the present invention. The specific implementation is essentially the same as the above embodiments, with corresponding adaptations, and is not repeated here.
In implementation, the embodiments of the present invention can still be deployed when the second dynamic device verification shared code is not enabled and the remaining techniques, methods, systems and devices are unchanged, yielding a method and system that is automatic and secure in the access verification process and does not increase the operational complexity for the end user. Likewise, adding a fifth dynamic device verification shared code has the same effect and uses the same method as the second dynamic device verification shared code.
In a specific implementation, when the second dynamic device verification shared code function is not enabled, resistance to brute-force threats declines, for example the threat of a birthday attack; at the same time, the range of a single key length limits the upper bound on the number of device-application relationship clients that can be managed, so the number of manageable devices may be greatly reduced. This is nonetheless sufficient for some enterprise-specific scenarios, such as those with few client devices.
In a specific implementation, when the second dynamic device verification shared code is not used, the resulting changes are as follows: in the embodiments of the present invention the first dynamic key identification shared code corresponds only to the first dynamic device verification shared code; the computation and verification of message body credentials with the first and second dynamic device verification shared codes becomes computation and comparison with the first dynamic device verification shared code only; and the device-application relationship client and the device-application relationship verification server do not manage or allocate the resources and data associated with the second dynamic device verification shared code.
In summary, the secure access authentication method, user terminal and server side provided by the embodiments of the present invention effectively guarantee the information security of a user terminal accessing an application service through the dual authentication of device authentication and application authorization. The dynamic device access credential technique prevents an attacker who has stolen the user's account and password from using an unauthorized third-party device to access the service or the application account information. The present invention generates, encrypts and verifies dynamic device credentials through a continuously automated process, saving the user the step of manually entering a second verification code on each account access. The present invention prevents man-in-the-middle attacks through the double signing mechanism, guaranteeing end-to-end security of the shared codes. Through the dynamic device verification shared code mechanism it raises resistance to brute-force and birthday attacks. By authorizing the mobile smart device through verification based on the dynamic device verification shared codes, it prevents other devices from being authorized after the authorization verification code is stolen. The present invention also provides a secure, fast and automatic key update mechanism, giving a system with a low cost of responding to threats and a low maintenance cost. The present invention provides a way of extending the authentication client keys that achieves extension without increasing the implementation difficulty of the encryption algorithm or affecting execution efficiency, greatly increasing the number of client devices that can be managed and solving the problem of generality. Through the access authentication mechanism in the authorized computer or smart device, after the account and password are stolen, a third-party device cannot gain access because it has not been authorized, and the system and the account holder can perceive the password leak at the first moment and remedy the security breach in time.
The present invention can help enterprises and institutions with professional application network management to establish the boundary of application access and devices. Users can authorize device-application relationships in the manner described above. The present invention suits a self-service mode and the changeable, flexible needs of public users. Within a corporate intranet, the operations department can use automation to configure application and device relationships automatically, saving each employee the self-service authorization process and thereby achieving boundary control of enterprise IT access terminals.
Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
It should be noted that, in this document, relational terms such as first and second are used merely to distinguish one entity or operation from another, without necessarily requiring or implying any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or device including a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element. The terms "upper", "lower" and the like indicate orientations or positional relationships based on those shown in the drawings, merely for convenience of describing the present invention and simplifying the description; they do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation, and are therefore not to be construed as limiting the invention. Unless otherwise explicitly specified and defined, the terms "installed", "connected" and "coupled" are to be understood broadly: for example, a connection may be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediary, or an internal connection between two elements. Those of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the circumstances.
In the description of the present invention, numerous specific details are set forth. It is understood, however, that embodiments of the present invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description. Similarly, it should be understood that, in order to simplify the disclosure and to aid in understanding one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, this method of disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. Thus, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention. It should be noted that, in the absence of conflict, the embodiments of the present application and the features in the embodiments may be combined with each other. The invention is not limited to any single aspect, nor to any single embodiment, nor to any combination and/or permutation of these aspects and/or embodiments. Moreover, each aspect and/or embodiment of the invention may be used alone or in combination with one or more other aspects and/or embodiments.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that it is still possible to modify the technical solutions described in the foregoing embodiments, or to make equivalent replacements of some or all of their technical features; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention, and should all be covered within the scope of the claims and description of the present invention.

Claims (25)

1. A secure access authentication method, characterized by comprising:
a user terminal sending a device registration message to a device-application relationship verification server to establish a device security registration relationship;
the user terminal sending an authorization request message to the device-application relationship verification server, and establishing an application-account-device security registration relationship according to the device security registration relationship;
the user terminal sending an application login request message to an application provider server;
the application provider server sending a require-device-application-verification message to the user terminal;
the user terminal sending a device-application access credential message to the application provider server;
the application provider server processing the device-application access credential message and sending it to the device-application relationship verification server;
the device-application relationship verification server verifying the device-application access credential message according to the application-account-device security registration relationship, and sending an application secure access authentication result to the application provider server;
the application provider server responding to the application login request message of the user terminal according to the application secure access authentication result;
wherein the user terminal sending a device registration message to the device-application relationship verification server to establish a device security registration relationship comprises:
the user terminal and the device-application relationship verification server negotiating a first dynamic device verification shared code and a second dynamic device verification shared code, which are stored respectively on the user terminal and on the device-application relationship verification server; the device-application relationship verification server allocating a corresponding first dynamic device verification shared code registration ID to the first dynamic device verification shared code, and a corresponding second dynamic device verification shared code registration ID to the second dynamic device verification shared code;
the device-application relationship verification server generating a first dynamic key identification shared code according to the first dynamic device verification shared code and the second dynamic device verification shared code held by the device-application relationship verification server;
the device-application relationship verification server sending to the user terminal a dynamic device shared code verification message carrying the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID; wherein the dynamic device shared code verification message comprises a dynamic device shared code verification message sub-message-body credential and a dynamic device shared code verification message signature;
the user terminal verifying the dynamic device shared code verification message sub-message-body credential according to the first dynamic device verification shared code and the second dynamic device verification shared code held by the user terminal, verifying the dynamic device shared code verification message signature using the public key of the device-application relationship verification server, and generating a device registration credential after the verification passes;
the user terminal sending to the device-application relationship verification server a device registration message carrying the device registration credential, the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID;
the device-application relationship verification server verifying the device registration message according to the first dynamic device verification shared code and the second dynamic device verification shared code held by the device-application relationship verification server that correspond to the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID in the device registration message;
after the device registration message passes verification, the device-application relationship verification server feeding back to the user terminal a device registration confirmation message carrying the device registration verification result and the first dynamic key identification shared code.
2. The secure access authentication method according to claim 1, characterized in that the device registration message comprises one or more of: a device registration credential, a first dynamic device verification shared code registration ID, and a second dynamic device verification shared code registration ID.
3. The secure access authentication method according to claim 1, characterized in that the dynamic device shared code verification message comprises:
a dynamic device shared code verification message main message body and a dynamic device shared code verification message signature;
the dynamic device shared code verification message main message body comprises a dynamic device shared code verification message sub-message body and a dynamic device shared code verification message sub-message-body credential;
the sub-message body comprises the first dynamic device verification shared code registration ID, the second dynamic device verification shared code registration ID and a random salt value;
the dynamic device shared code verification message sub-message-body credential is generated from the first dynamic device verification shared code and the second dynamic device verification shared code;
the dynamic device shared code verification message signature is the signature of the dynamic device shared code verification message main message body made by the device-application relationship verification server using its private key.
4. The secure access authentication method according to claim 1, characterized in that the user terminal sending an authorization request message to the device-application relationship verification server and establishing an application-account-device security registration relationship according to the device security registration relationship comprises:
the application provider server receiving and processing the application authorization request message of the user terminal, and sending it to the device-application relationship verification server;
the device-application relationship verification server generating a dynamic authorization code ciphertext according to the application authorization request message, and sending it to the application provider server;
the application provider server sending, in sequence, the dynamic authorization code ciphertext and a randomly generated number to the user terminal;
the user terminal generating an authorization response message carrying an authorization credential according to the dynamic authorization code and the randomly generated number, and sending it to the application provider server, the authorization message containing the randomly generated number and the dynamic authorization code ciphertext;
the application provider server receiving and processing the authorization response message of the user terminal, and sending it to the device-application relationship verification server;
after the device-application relationship verification server verifies the authorization response message according to the device security registration relationship, it further verifies the dynamic authorization code ciphertext and feeds back an application confirmation result to the user terminal through the application provider server.
5. The secure access authentication method according to claim 4, characterized in that the device-application relationship verification server generating a dynamic authorization code ciphertext according to the application authorization request message comprises:
generating a dynamic authorization code according to the authorization request message;
generating a dynamic authorization key according to the authorization request message;
encrypting the dynamic authorization code using the dynamic authorization key;
sending an authorization code message containing the dynamic authorization code ciphertext and the first dynamic key identification shared code to the application provider server.
6. The secure access authentication method according to claim 4, characterized in that, after the device-application relationship verification server verifies the authorization response message according to the device security registration relationship, further verifying the authorization code ciphertext and feeding back an application confirmation result to the user terminal through the application provider server comprises:
verifying, using the device security registration relationship, whether the authorization credential in the message matches; then decrypting the authorization code ciphertext using the authorization code key of the device security registration relationship server, and verifying whether the decrypted authorization code matches the authorization code allocated by the device-application relationship verification server;
if all of these match, adding the application, user ID, authorized service operations, authorization time and device relationship corresponding to the authorization code to a device-application list.
7. The secure access authentication method according to claim 1, characterized by further comprising updating the device security registration relationship:
the user terminal and the device-application relationship verification server negotiating a third dynamic device verification shared code and a fourth dynamic device verification shared code, which are stored respectively on the user terminal and on the device-application relationship verification server;
the device-application relationship verification server generating a second dynamic key identification shared code according to the third dynamic device verification shared code and the fourth dynamic device verification shared code held by the device-application relationship verification server;
the device-application relationship verification server sending to the user terminal a require-device-update message carrying the second dynamic key identification shared code and the first dynamic key identification shared code;
the user terminal generating a dynamic device update message according to the first dynamic device verification shared code, the second dynamic device verification shared code, the first dynamic key identification shared code, the third dynamic device verification shared code, the fourth dynamic device verification shared code and the second dynamic key identification shared code held by the user terminal, and sending it to the device-application relationship verification server; the dynamic device update message comprising a user terminal update registration credential, the first dynamic key identification shared code and the second dynamic key identification shared code;
the device-application relationship verification server verifying the dynamic device update message according to the first dynamic device verification shared code, the second dynamic device verification shared code, the first dynamic key identification shared code, the third dynamic device verification shared code, the fourth dynamic device verification shared code and the second dynamic key identification shared code held by the device-application relationship verification server;
the device-application relationship verification server generating a device update confirmation message according to the third dynamic device verification shared code, the fourth dynamic device verification shared code, the second dynamic key identification shared code, the first dynamic device verification shared code, the second dynamic device verification shared code and the first dynamic key identification shared code held by the device-application relationship verification server;
the device-application relationship verification server feeding back a device update registration verification result to the user terminal.
8. The secure access authentication method according to claim 7, characterized in that the device-application relationship verification server feeding back a device update registration verification result to the user terminal comprises:
the device-application relationship verification server feeding back the device update confirmation message to the user terminal;
the user terminal computing the main message body credential of the device update confirmation message according to the third dynamic device verification shared code and the fourth dynamic device verification shared code corresponding to the second dynamic key identification shared code of the user terminal, computing the sub-message-body credential of the device update confirmation message according to the first dynamic device verification shared code and the second dynamic device verification shared code corresponding to the first dynamic key identification shared code of the user terminal, and comparing the computed main message body credential and sub-message-body credential with the corresponding main message body credential and sub-message-body credential sent in the message;
if both verifications pass, the user terminal setting its third dynamic device verification shared code, fourth dynamic device verification shared code and the corresponding second dynamic key identification shared code to the successfully registered state;
the user terminal saving the second dynamic key identification shared code;
the user terminal sending to the device-application relationship verification server a device update registration message carrying a device registration credential generated using the third dynamic device verification shared code and the fourth dynamic device verification shared code of the user terminal, and the second dynamic key identification shared code;
the device-application relationship verification server verifying the device update registration message according to the third dynamic device verification shared code, the fourth dynamic device verification shared code and the second dynamic key identification shared code held by the device-application relationship verification server;
the device-application relationship verification server feeding back the device update registration verification result to the user terminal.
9. The secure access authentication method according to claim 7, characterized in that the user terminal update registration credential comprises a dynamic device update message main message body credential and a dynamic device update message sub-message-body credential:
the dynamic device update message sub-message-body credential is computed by the user terminal according to the third dynamic device verification shared code and the fourth dynamic device verification shared code of the user terminal;
the dynamic device update message main message body credential is computed by the user terminal according to the first dynamic device verification shared code and the second dynamic device verification shared code of the user terminal.
10. The secure access authentication method according to claim 1, characterized in that the require-device-application-verification message carries a session processing ID.
11. The secure access authentication method according to claim 1, characterized in that the user terminal sending a device-application access credential message to the application provider server comprises:
generating a device-application access credential message body containing the session processing ID; computing a device-application access credential message body credential corresponding to the session processing ID;
generating a device-application access credential message comprising the device-application access credential message body and the device-application access credential message body credential;
sending the device-application access credential message to the application provider server.
12. The secure access authentication method according to claim 1, characterized in that the device-application relationship verification server verifying the device-application access credential message according to the application-account-device security registration relationship comprises:
looking up the first dynamic device verification shared code and the second dynamic device verification shared code in the device-application relationship verification server using the first dynamic key identification shared code;
computing the message body credential of the device-application access credential message using the first dynamic device verification shared code and the second dynamic device verification shared code;
comparing whether the computed credential is consistent with the credential sent in the message; if the result is consistent, further checking whether the corresponding application-account-device security registration relationship contains the application-account authorization relationship requested in the message, thereby obtaining the check result.
13. A secure access authentication user terminal, characterized by comprising:
a device registration unit, for sending a device registration message to a device-application relationship verification server to establish a device security registration relationship;
an application authorization unit, for sending an authorization request message to the device-application relationship verification server, and establishing an application-account-device security registration relationship according to the device security registration relationship;
a login request unit, for sending an application login request message to an application provider server;
a secure authentication request unit, for sending a device-application verification request message to the device-application relationship verification server through the application provider server; the device-application access credential message being generated from the require-device-application-verification message that the application provider server sends to the login request unit;
a login unit, for responding to the login request message according to the login response result of the application provider server, the login response result being generated by the application provider server after the device-application relationship verification server verifies the device-application access credential message according to the application-account-device security registration relationship;
wherein the device registration unit comprises:
a first dynamic device verification shared code negotiation unit, for negotiating with the device-application relationship verification server to generate a first dynamic device verification shared code and a second dynamic device verification shared code, which are stored respectively on the user terminal and on the device-application relationship verification server;
a device registration request unit, for generating and sending to the device-application relationship verification server a device registration message carrying a device registration credential; the device registration message comprising a first dynamic device verification shared code registration ID and a second dynamic device verification shared code registration ID;
the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID being the corresponding registration IDs allocated by the device-application relationship verification server to the first dynamic device verification shared code and the second dynamic device verification shared code, and sent to the user terminal after generation;
the device registration message being generated according to the first dynamic device verification shared code and the second dynamic device verification shared code stored on the user terminal, and the first dynamic device verification shared code registration ID and the second dynamic device verification shared code registration ID;
a device registration confirmation unit, for receiving, verifying and saving the first dynamic key identification shared code and the registration verification result of the device-application relationship verification server, the registration verification result being obtained after the device-application relationship verification server verifies the device registration message according to the first dynamic device verification shared code and the second dynamic device verification shared code held by the device-application relationship verification server;
the first dynamic key identification shared code being generated by the device-application relationship verification server according to the first dynamic device verification shared code and the second dynamic device verification shared code held by the device-application relationship verification server.
14. The secure access authentication user terminal according to claim 13, characterized in that the device registration message comprises: a device registration credential, a first dynamic device verification shared code registration ID, and a second dynamic device verification shared code registration ID.
15. The secure access authentication user terminal according to claim 13, characterized in that the application authorization unit comprises:
an application authorization request unit, for generating an authorization request message and sending it to the device-application relationship verification server through the application provider server;
an application authorization response unit, for generating an authorization response message and sending it to the device-application relationship verification server through the application provider server; the authorization response message being generated according to a dynamic authorization code ciphertext and a randomly generated number, and carrying an authorization credential; the dynamic authorization code ciphertext being generated by the device-application relationship verification server according to the application authorization request message and sent through the application provider server, and the randomly generated number being sent by the application provider server to the user terminal after it sends the dynamic authorization code;
an application authorization confirmation unit, for receiving, verifying and saving the application authorization confirmation result of the device-application relationship verification server, the authorization confirmation result being obtained after the device-application relationship verification server verifies the authorization response message according to the first dynamic device verification shared code, the second dynamic device verification shared code and the first dynamic key identification shared code held by the device-application relationship verification server, and then further verifies the authorization code ciphertext.
16. The secure access authentication user terminal according to claim 13, characterized in that the login request unit further comprises an application access credential unit, for generating a device-application access credential message body; computing a device-application access credential message body credential; generating a device-application access credential message comprising the device-application access credential message body and the device-application access credential message body credential; and sending the device-application access credential message to the application provider server.
17. The secure access authentication user terminal according to claim 13, characterized in that it further comprises a device registration update unit, comprising:
A second dynamic device verification shared code negotiation unit, for negotiating with the device-application relationship verification server to generate a third dynamic device verification shared code and a fourth dynamic device verification shared code, stored respectively at the user terminal and at the device-application relationship verification server;
A device update registration request unit, for generating a dynamic device update message carrying a device update credential and sending it to the device-application relationship verification server; the dynamic device update message is generated from the first dynamic device verification shared code, second dynamic device verification shared code, first dynamic key identification shared code, third dynamic device verification shared code, fourth dynamic device verification shared code and second dynamic key identification shared code stored at the user terminal; the second dynamic key identification shared code is generated by the device-application relationship verification server from its third and fourth dynamic device verification shared codes and sent to the user terminal;
A device update registration verification unit, for receiving and saving the registration verification result from the device-application relationship verification server; the update registration verification result is obtained by the device-application relationship verification server verifying the dynamic device update message with its own first, second, third and fourth dynamic device verification shared codes, first dynamic key identification shared code and second dynamic key identification shared code.
18. The secure access authentication user terminal according to claim 14, characterized in that the user terminal update registration credential comprises a dynamic device update message main message body credential and a dynamic device update message sub message body credential:
the dynamic device update message sub message body credential is calculated by the user terminal from its third dynamic device verification shared code and fourth dynamic device verification shared code;
the dynamic device update message main message body credential is calculated by the user terminal from its first dynamic device verification shared code and second dynamic device verification shared code.
19. A device-application relationship verification server, characterized by comprising:
A device registration confirmation unit, for receiving the device registration message sent by a user terminal and establishing a device security registration relationship;
An application license confirmation unit, for receiving the application authorization request message sent by the user terminal and establishing, according to the device security registration relationship, an application and account and device security registration relationship;
A secure authentication request confirmation unit, for receiving the device application access credential message sent by the application providing server; the device application access credential message is generated by the login request unit in response to the device application verification request message sent by the application providing server;
A login response unit, for verifying the device application access credential message according to the application and account and device security registration relationship, generating an application secure access authentication result, and returning a login response result through the application providing server; the user terminal responds to the login request message according to the login response result from the application providing server;
Wherein the device registration confirmation unit comprises:
A first dynamic device verification shared code negotiation unit, for negotiating with the user terminal to generate a first dynamic device verification shared code and a second dynamic device verification shared code, stored respectively at the user terminal and at the device-application relationship verification server, and for allocating to them a corresponding first dynamic device verification shared code registration ID and second dynamic device verification shared code registration ID;
A first dynamic key identification shared code generation unit, for generating a first dynamic key identification shared code from the first and second dynamic device verification shared codes held by the device-application relationship verification server and sending it to the user terminal;
A device registration confirmation unit, for receiving the device registration message sent by the user terminal, verifying it with the first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code held by the device-application relationship verification server, and sending the device registration verification result to the user terminal; the device registration message is generated by the user terminal from its stored first and second dynamic device verification shared codes and their registration IDs, and carries a device registration credential together with the first and second dynamic device verification shared code registration IDs.
20. The device-application relationship verification server according to claim 19, characterized in that the application license confirmation unit comprises:
An application authorization request processing unit, for receiving the application authorization request message sent by the user terminal, generating a dynamic authorization code ciphertext according to it, and sending the ciphertext to the user terminal through the application providing server;
An application authorization response processing unit, for receiving the authorization response message sent by the user terminal, verifying it with the first dynamic device verification shared code, second dynamic device verification shared code and first dynamic key identification shared code held by the device-application relationship verification server, then verifying the dynamic authorization code ciphertext, generating an authorization notification message and sending it to the user terminal through the application providing server; the authorization response message is generated by the user terminal from the dynamic authorization code ciphertext and the generated random number and carries an authorization credential; the generated random number is sent by the application providing server after it has sent the dynamic authorization code ciphertext to the user terminal.
21. The device-application relationship verification server according to claim 19, characterized in that the device-application relationship verification server generates the dynamic authorization code according to the application authorization request message by:
generating a dynamic authorization code according to the application authorization request message;
generating a dynamic authorization key according to the application authorization request message;
encrypting the dynamic authorization code with the dynamic authorization key;
sending the dynamic authorization code ciphertext to the application providing server.
22. The device-application relationship verification server according to claim 20, characterized in that generating the authorization notification message comprises:
verifying, using the device security registration relationship, whether the authorization credential in the message matches; then decrypting the authorization code ciphertext with the authorization code key corresponding to the device security registration relationship, and verifying whether the decrypted authorization code matches the authorization code allocated by the device-application relationship verification server;
if both match, adding the application corresponding to the authorization code, the user ID, the authorized service operations and the authorization time, together with the device relationship, to the device application list.
23. The device-application relationship verification server according to claim 19, characterized in that the login response unit further comprises a login request verification unit for:
looking up, in the device-application relationship verification server, the first dynamic device verification shared code and second dynamic device verification shared code by the first dynamic key identification shared code;
calculating the message body credential of the device application access credential message using the first and second dynamic device verification shared codes;
comparing whether the calculated credential is consistent with the credential sent in the message;
if they are consistent, further checking whether the corresponding application and account and device security registration relationship contains an authorization relationship for the application and account requested in the message, to obtain the check result.
24. The device-application relationship verification server according to claim 19, characterized in that it further comprises a device registration update confirmation unit, comprising:
A second dynamic device verification shared code negotiation unit, for negotiating with the user terminal a third dynamic device verification shared code and a fourth dynamic device verification shared code, stored respectively at the user terminal and at the device-application relationship verification server;
A second dynamic key identification shared code generation unit, for generating a second dynamic key identification shared code from the third and fourth dynamic device verification shared codes held by the device-application relationship verification server and sending it to the user terminal;
A device update registration request confirmation unit, for receiving the dynamic device update message sent by the user terminal, verifying it with the first, second, third and fourth dynamic device verification shared codes, first dynamic key identification shared code and second dynamic key identification shared code held by the device-application relationship verification server to obtain an update registration confirmation message, and sending that message to the user terminal; the dynamic device update message is generated by the user terminal from its stored first, second, third and fourth dynamic device verification shared codes, first dynamic key identification shared code and second dynamic key identification shared code; the dynamic device update message carries a device update registration credential.
25. The device-application relationship verification server according to claim 24, characterized in that the user terminal update registration credential comprises a dynamic device update message main message body credential and a dynamic device update message sub message body credential:
the dynamic device update message sub message body credential is calculated by the user terminal from its third dynamic device verification shared code and fourth dynamic device verification shared code;
the dynamic device update message main message body credential is calculated by the user terminal from its first dynamic device verification shared code and second dynamic device verification shared code.
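The registration, application authorization, login verification and registration update flows of claims 15 to 25 modelled end to end in Python, as an added example written for this page; it is not code from the patent or its applicant, and it chooses constructions the claims leave open. Assumptions, each also marked in the code: HMAC-SHA256 for every message body credential and for deriving the dynamic key identification shared codes; server-side generation of the shared codes in place of the negotiation step; an HMAC-keystream XOR as a stand-in for the cipher that encrypts the dynamic authorization code with the dynamic authorization key; relationships carried over to the new key identification code after an update; and the constructed identifiers app:demo-shop and user:alice. The user terminal's side (claims 15 to 18) is the message_voucher calls in demo().

```python
import hashlib
import hmac
import secrets

def derive_key_id(code_a, code_b):
    # "Dynamic key identification shared code" derived from the two shared codes (HMAC assumed).
    return hmac.new(code_a + code_b, b"key-identification", hashlib.sha256).digest()

def message_voucher(code_a, code_b, body):
    # "Message body credential" keyed by both shared codes (HMAC assumed).
    return hmac.new(code_a + code_b, body, hashlib.sha256).digest()

def xor_cipher(key, data):
    # Stand-in for claim 21's encryption: HMAC keystream XOR, tolerable only because
    # each dynamic authorization key is used exactly once. Use an AEAD in practice.
    stream = hmac.new(key, b"authorization-keystream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class RelationshipVerifier:
    """Model of the device-application relationship verification server (claims 19-25)."""
    def __init__(self):
        self.devices = {}        # key_id -> (code1, code2): device security registration
        self.pending_authz = {}  # key_id -> (authorization code, authorization key)
        self.app_list = set()    # (key_id, app, user): device application list (claim 22)

    def register(self):
        # Claim 19: negotiate two shared codes (generated server-side here, an assumption).
        code1, code2 = secrets.token_bytes(32), secrets.token_bytes(32)
        key_id = derive_key_id(code1, code2)
        self.devices[key_id] = (code1, code2)
        return code1, code2, key_id  # the terminal stores all three

    def _voucher_ok(self, codes, body, voucher):
        return hmac.compare_digest(message_voucher(*codes, body), voucher)

    def issue_authz_ciphertext(self, key_id):
        # Claim 21: fresh code and key per request; only the ciphertext leaves the server.
        code, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.pending_authz[key_id] = (code, key)
        return xor_cipher(key, code)

    def confirm_authorization(self, key_id, app, user, ciphertext, nonce, voucher):
        # Claim 22: credential first, then decrypt and match; popping defeats replay.
        codes = self.devices.get(key_id)
        body = key_id + app + user + ciphertext + nonce
        if codes is None or not self._voucher_ok(codes, body, voucher):
            return False
        code, key = self.pending_authz.pop(key_id, (None, None))
        if code is None or not hmac.compare_digest(xor_cipher(key, ciphertext), code):
            return False
        self.app_list.add((key_id, app, user))
        return True

    def verify_access(self, key_id, app, user, nonce, voucher):
        # Claim 23: look up codes by key_id, recompute the credential, then check the relationship.
        codes = self.devices.get(key_id)
        body = key_id + app + user + nonce
        return (codes is not None and self._voucher_ok(codes, body, voucher)
                and (key_id, app, user) in self.app_list)

    def confirm_update(self, key_id, new_codes, body, main_voucher, sub_voucher):
        # Claims 24/25: main credential under the old pair, sub credential under the new
        # (already negotiated) pair; both must verify before the registration is replaced.
        old = self.devices.get(key_id)
        if old is None or not (self._voucher_ok(old, body, main_voucher)
                               and self._voucher_ok(new_codes, body, sub_voucher)):
            return None
        new_key_id = derive_key_id(*new_codes)
        del self.devices[key_id]
        self.devices[new_key_id] = new_codes
        # Carrying authorized relationships over to the new key id is our assumption.
        self.app_list = {(new_key_id if k == key_id else k, a, u) for k, a, u in self.app_list}
        return new_key_id

def demo():
    """Full life cycle with constructed identifiers; returns the outcome of each check."""
    server = RelationshipVerifier()
    app, user = b"app:demo-shop", b"user:alice"  # constructed sample identifiers
    code1, code2, key_id = server.register()
    # Authorization: the ciphertext is relayed back unchanged; the nonce comes from the app.
    ciphertext, nonce = server.issue_authz_ciphertext(key_id), secrets.token_bytes(16)
    voucher = message_voucher(code1, code2, key_id + app + user + ciphertext + nonce)
    authorized = server.confirm_authorization(key_id, app, user, ciphertext, nonce, voucher)
    replayed = server.confirm_authorization(key_id, app, user, ciphertext, nonce, voucher)
    # Login: the genuine credential passes; one computed with a wrong shared code fails.
    ln = secrets.token_bytes(16)
    good = message_voucher(code1, code2, key_id + app + user + ln)
    bad = message_voucher(code1, secrets.token_bytes(32), key_id + app + user + ln)
    login_ok, forged_accepted = (server.verify_access(key_id, app, user, ln, v) for v in (good, bad))
    # Registration update: both credentials cover one body, under the old and the new pair.
    code3, code4 = secrets.token_bytes(32), secrets.token_bytes(32)  # negotiated third/fourth codes
    body = key_id + b"update-registration"
    new_key_id = server.confirm_update(key_id, (code3, code4), body,
                                       message_voucher(code1, code2, body),
                                       message_voucher(code3, code4, body))
    after = server.verify_access(new_key_id, app, user, ln,
                                 message_voucher(code3, code4, new_key_id + app + user + ln))
    return {"authorized": authorized, "replayed": replayed, "login_ok": login_ok,
            "forged_accepted": forged_accepted, "rotated": new_key_id == derive_key_id(code3, code4),
            "login_after_rotation": after}
```

The point a practitioner should take from the model is where the security actually sits: the authorization code ciphertext is never decrypted by the terminal, it is just echoed back, so the binding to the device comes entirely from the message body credential over (key id, application, account, ciphertext, nonce) under the shared codes, which is why the server must verify that credential before it bothers decrypting, must compare in constant time, and must consume the pending authorization code so the same response cannot be replayed.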
CN201610757520.6A 2016-04-03 2016-08-29 A kind of secure access authentication method, user terminal and server-side Expired - Fee Related CN106302502B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2016102046348 2016-04-03
CN201610204634.8A CN105743916A (en) 2016-04-03 2016-04-03 Information processing method, system and device for enhancing access security

Publications (2)

Publication Number Publication Date
CN106302502A CN106302502A (en) 2017-01-04
CN106302502B true CN106302502B (en) 2019-08-02

Family

ID=56252769

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201610204634.8A Withdrawn CN105743916A (en) 2016-04-03 2016-04-03 Information processing method, system and device for enhancing access security
CN201610757520.6A Expired - Fee Related CN106302502B (en) 2016-04-03 2016-08-29 A kind of secure access authentication method, user terminal and server-side

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201610204634.8A Withdrawn CN105743916A (en) 2016-04-03 2016-04-03 Information processing method, system and device for enhancing access security

Country Status (1)

Country Link
CN (2) CN105743916A (en)

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106411580A (en) * 2016-09-14 2017-02-15 努比亚技术有限公司 Device management client and server, and device management methods
US10419448B2 (en) 2017-01-09 2019-09-17 Microsoft Technology Licensing, Llc Enhanced email service
WO2018135919A1 (en) * 2017-01-20 2018-07-26 Samsung Electronics Co., Ltd. Apparatus and method for providing and managing security information in communication system
US10387681B2 (en) * 2017-03-20 2019-08-20 Huawei Technologies Co., Ltd. Methods and apparatus for controlling access to secure computing resources
CN108337555B (en) * 2018-01-10 2021-06-01 西安万像电子科技有限公司 Data display method and system and wearable device
CN108419225B (en) * 2018-03-16 2020-12-04 上海百联集团股份有限公司 Authorization end, authorized end, server and authorization method
CN108920924B (en) * 2018-06-20 2022-05-03 中电万维信息技术有限责任公司 Data sharing method based on face recognition
CN108881256B (en) * 2018-06-29 2021-09-07 北京旅居四方科技有限公司 Secret key exchange method and device, hydroelectric pile and network equipment
CN109147202B (en) * 2018-08-02 2021-05-11 深圳市朗仁科技有限公司 Shared bicycle control method and device
CN110222531B (en) * 2019-05-31 2023-07-07 创新先进技术有限公司 Method, system and equipment for accessing database
CN110708156B (en) * 2019-09-26 2023-05-30 中电万维信息技术有限责任公司 Communication method, client and server
CN111062026B (en) * 2019-12-11 2022-06-17 维沃移动通信有限公司 Verification information sharing method and electronic equipment
CN111176710B (en) * 2019-12-30 2023-10-03 宁波视睿迪光电有限公司 Operation method of terminal software management system and terminal software management system
CN111371770B (en) * 2020-02-28 2020-12-22 乐清市川嘉电气科技有限公司 Intelligent dynamic authorization system and method for foreign visitor
CN111953664B (en) * 2020-07-27 2022-07-08 新浪网技术(中国)有限公司 User request verification method and system based on variable security level
CN112000942B (en) * 2020-10-30 2021-01-22 成都掌控者网络科技有限公司 Authority list matching method, device, equipment and medium based on authorization behavior
CN112039677B (en) * 2020-11-05 2021-03-16 飞天诚信科技股份有限公司 Method and system for code scanning operation processing based on server
CN113543123B (en) * 2021-07-23 2024-02-20 闻泰通讯股份有限公司 Method and device for dynamically setting authority of wireless network
CN114422266A (en) * 2022-02-28 2022-04-29 深圳市中悦科技有限公司 IDaaS system based on dual verification mechanism
CN115473655B (en) * 2022-11-07 2023-01-10 南京易科腾信息技术有限公司 Terminal authentication method, device and storage medium for access network
CN117331964B (en) * 2023-12-01 2024-02-27 成都明途科技有限公司 Data query method, device, equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1822541A (en) * 2006-03-31 2006-08-23 北京飞天诚信科技有限公司 Device and method for controlling computer access
CN102299930A (en) * 2011-09-19 2011-12-28 北京无限新锐网络科技有限公司 Method for ensuring security of client software
CN104683296A (en) * 2013-11-28 2015-06-03 中国电信股份有限公司 Safe authentication method and safe authentication system

Also Published As

Publication number Publication date
CN105743916A (en) 2016-07-06
CN106302502A (en) 2017-01-04

Similar Documents

Publication Publication Date Title
CN106302502B (en) A kind of secure access authentication method, user terminal and server-side
CN108270571B (en) Internet of Things identity authorization system and its method based on block chain
CN108064440B (en) FIDO authentication method, device and system based on block chain
CN111970129B (en) Data processing method and device based on block chain and readable storage medium
CN111429254B (en) Business data processing method and device and readable storage medium
CN100580610C (en) Security link management method in dynamic networks
CN101547095B (en) Application service management system and management method based on digital certificate
CN102378170B (en) Method, device and system of authentication and service calling
CN108235805A (en) Account unifying method and device and storage medium
CN108235806A (en) Method, device and system for safely accessing block chain, storage medium and electronic equipment
WO2016197934A1 (en) Barcode security authentication method
CN108667612A (en) A kind of trust service framework and method based on block chain
CN101815091A (en) Cipher providing equipment, cipher authentication system and cipher authentication method
CN108040044B (en) A kind of management method and system for realizing eSIM card security authentication
CN101662458A (en) Authentication method
CN101547096B (en) Net-meeting system and management method thereof based on digital certificate
US20210241270A1 (en) System and method of blockchain transaction verification
KR20110083886A (en) Apparatus and method for other portable terminal authentication in portable terminal
US20210234705A1 (en) Improved system and method for internet access age-verification
CN104125230A (en) Short message authentication service system and authentication method
TW201539239A (en) Server, user device, and method of interaction between user device and server
CN108768650B (en) Short message verification system based on biological characteristics
US11943210B2 (en) System and method for distributed, keyless electronic transactions with authentication
CN107950003B (en) Method and device for dual-user authentication
CN105141624A (en) Login method, account management server and client system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20170828

Address after: 100107 Beijing Chaoyang District Wankexingyuan 4 Building 805

Applicant after: Guo Zhengzheng

Address before: 100084 Beijing Zhongguancun East Road, No. 1, building No. 8, ground floor, No. CB108-018, No.

Applicant before: BEIJING DONGSHI TECHNOLOGY Co.,Ltd.

GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20190802