CN107070917A - A kind of network application login method and system - Google Patents

Network application login method and system

Info

Publication number
CN107070917A
Application number
CN201710244614.8A
Authority
CN (China)
Prior art keywords
cipher key; information; pin code; intelligent cipher; key equipment
Legal status
Granted (active)
Other languages
Chinese (zh)
Other versions
CN107070917B (en)
Inventor
李东声
Current assignee
Tendyron Corp; Tendyron Technology Co Ltd
Original assignee
Tendyron Technology Co Ltd
Events
Application filed by Tendyron Technology Co Ltd; priority to CN201710244614.8A; publication of CN107070917A; application granted; publication of CN107070917B.

Classifications

All classifications fall under H04L (transmission of digital information), in the groups H04L63/08 (network security architectures and protocols for authentication of entities) and H04L9/32 (cryptographic mechanisms for verifying the identity or authority of a user, or for message authentication):

    • H04L63/0853 Authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L63/0815 Authentication of entities providing single-sign-on or federations
    • H04L63/0823 Authentication of entities using certificates
    • H04L63/0869 Authentication of entities for achieving mutual authentication
    • H04L63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L9/3234 Verification of identity or authority involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L9/3247 Verification of identity or authority involving digital signatures
    • H04L9/3263 Verification of identity or authority involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
    • H04L9/3271 Verification of identity or authority using challenge-response
    • H04L9/3273 Verification of identity or authority using challenge-response for mutual authentication


Abstract

The invention provides a network application login method and system. The method includes the following steps. After a smart key device and a terminal establish a connection, the terminal triggers a verifying device to perform the PIN code verification procedure of the smart key device; if verification passes, an identity authentication server stores PIN-verified information. An identity authentication procedure is performed between the smart key device and a router; when the router's authentication passes, the router allocates an IP address to the terminal and stores binding information between the smart key device's identity information and that IP address. The terminal sends an application login service request to an application server, which triggers a procedure between the router and the application server that determines the smart key device identity information matching the terminal, and the application server obtains the determined identity information. The application server then sends a PIN verification state query request to the identity authentication server and, on obtaining a PIN-verification-complete confirmation, provides the application login service to the terminal via the router.

Description

Network application login method and system
Technical field
The present invention relates to the field of electronic technology, and in particular to a network application login method and system.
Background technology
A router is a device that connects local area networks and wide area networks within the Internet; it selects and sets routes automatically according to channel conditions and forwards traffic accordingly. When a user goes online with a terminal device (a computer, a mobile phone and so on), the terminal reaches application servers through a router. To protect application data, the user's terminal usually has to enter the password of an application when logging in to its application server; for example, a user logging in to a mailbox from a computer must enter the mailbox password. Because every application may have a different password, the user has to remember the password of each application and enter it on every login, which makes logging in to applications cumbersome. A method of logging in to applications is therefore needed that, while still ensuring the security of application data, reduces the burden on the user of logging in to different applications through a router.
Summary of the invention
The present invention aims to solve one of the above problems.
A primary object of the present invention is to provide a network application login method.
Another object of the present invention is to provide a network application login system.
To achieve the above objects, the technical solution of the present invention is realized as follows.
One aspect of the present invention provides a network application login method that includes the following. After the smart key device and the terminal establish a connection, the terminal triggers the verifying device to perform the PIN code verification procedure of the smart key device; if verification passes, the identity authentication server obtains and stores PIN-verified information. The smart key device performs the identity authentication procedure with the router via the terminal. When the result of the identity authentication procedure is that authentication passes, the router allocates an IP address to the terminal and stores binding information between the smart key device identity information and the IP address, where the smart key device identity information is the smart key device certificate or the smart key device ID. The terminal sends an application login service request via the router to the application server; this triggers, between the router and the application server, a procedure that determines the smart key device identity information matching the terminal from the terminal's IP address and the stored binding between smart key device identity information and IP address, and the application server obtains the determined smart key device identity information. The application server sends a PIN verification state query request via the router to the identity authentication server. The identity authentication server receives the query request, checks whether it holds PIN-verified information and what state that information is in, and, if it holds PIN-verified information whose state is valid, sends a PIN-verification-complete confirmation via the router to the application server. On obtaining the PIN-verification-complete confirmation, the application server provides the application login service to the terminal via the router according to the determined smart key device identity information.
Further, triggering the verifying device to perform the PIN code verification procedure of the smart key device takes one of the following forms. In a first alternative, the terminal displays a PIN input prompt, receives the PIN, generates PIN verification information and sends it to the smart key device; the smart key device receives and verifies the PIN verification information and, if verification passes, generates PIN-verified information and sends it via the terminal and the router to the identity authentication server. In a second alternative, the terminal displays a PIN input prompt, receives the PIN, generates PIN verification information and sends it to the identity authentication server; the identity authentication server receives and verifies it and, if verification passes, generates PIN-verified information. In a third alternative, the terminal sends a PIN input prompt to the smart key device; the smart key device displays the prompt, receives the PIN and verifies it and, if verification passes, generates PIN-verified information and sends it via the terminal and the router to the identity authentication server. In a fourth alternative, the terminal sends a PIN input prompt to the smart key device; the smart key device displays the prompt, receives the PIN, generates PIN verification information and sends it via the terminal and the router to the identity authentication server; the identity authentication server receives and verifies the PIN verification information and, if verification passes, generates PIN-verified information.
Further, the step in which the terminal sends the application login service request via the router to the application server, triggering between the router and the application server the procedure that determines the smart key device identity information matching the terminal from the terminal's IP address and the binding information, and the application server obtains the determined identity information, takes one of the following forms. In a first alternative, the terminal sends the application login service request via the router to the application server, and the request includes smart key device identity information and an IP address; the application server receives the request and sends a smart key device identity verification request to the router containing that identity information and the IP address; the router receives the verification request and, using the IP address and its binding information, verifies the identity information carried in the request, obtains a smart key device identity verification result and sends it to the application server; the application server receives the result and, if the result is that verification passed, the identity information carried in the login request is the determined smart key device identity information. In a second alternative, the terminal sends the application login service request via the router to the application server, and the request includes an IP address; the application server sends a smart key device identity information request to the router containing at least the IP address; the router receives the request, obtains the smart key device identity information from the IP address and its binding information, and sends it to the application server; the application server receives the identity information, which is the determined smart key device identity information. In a third alternative, the terminal sends the application login service request, which includes an IP address, to the router; after receiving it, the router obtains the smart key device identity information from the IP address and its binding information and sends the login request together with the identity information to the application server; the application server receives both, and that identity information is the determined smart key device identity information.
Further, after the identity authentication server obtains and stores the PIN-verified information, the method also includes one of the following. In a first alternative, when the terminal detects that its connection to the smart key device has been disconnected, it sends a connection-disconnected notification via the router to the identity authentication server, and the identity authentication server, on receiving the notification, performs the operation that invalidates the PIN-verified information. In a second alternative, when the router detects that its connection to the terminal has been disconnected, it sends a device-leave message to the identity authentication server, and when it detects that the terminal has reconnected, it sends a device-access message; on receiving the device-leave message, the identity authentication server starts a timer, keeps the PIN-verified information valid if the device-access message arrives before the timer reaches a first preset time, and performs the operation that invalidates the PIN-verified information if no device-access message has arrived by then. In a third alternative, the identity authentication server starts a timer, keeps the PIN-verified information valid until the timer reaches a second preset time, and performs the operation that invalidates the PIN-verified information once the second preset time is reached.
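The three invalidation rules above as an added example, not code from the patent or from Tendyron: a store for the PIN-verified information held by the identity authentication server, with an injectable clock so that both timers can be exercised deterministically. The key-device IDs, the 60-second first preset time, the absolute lifetime used as the second preset time and the FakeClock are assumptions for the example. The absolute lifetime is checked lazily on every query rather than by a background timer, which gives the same answer at the moment the application server asks.

```python
# Added example (not from the patent): lifecycle of the stored PIN-verified information.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class PinEntry:
    verified_at: float
    left_at: Optional[float] = None  # set while the router reports the terminal as away


class PinVerificationStore:
    def __init__(self, clock: Callable[[], float],
                 reconnect_grace: float = 60.0,       # first preset time (assumed)
                 max_lifetime: float = 8 * 3600.0):   # second preset time (assumed)
        self.clock = clock
        self.reconnect_grace = reconnect_grace
        self.max_lifetime = max_lifetime
        self.entries: Dict[str, PinEntry] = {}

    def record_verified(self, key_id: str) -> None:
        self.entries[key_id] = PinEntry(verified_at=self.clock())

    # First alternative: terminal reports the key device unplugged -> immediate invalidation.
    def on_connection_dropped(self, key_id: str) -> None:
        self.entries.pop(key_id, None)

    # Second alternative: router reports the terminal leaving / returning; a timer decides.
    def on_device_left(self, key_id: str) -> None:
        entry = self.entries.get(key_id)
        if entry is not None and entry.left_at is None:
            entry.left_at = self.clock()

    def on_device_returned(self, key_id: str) -> None:
        entry = self.entries.get(key_id)
        if entry is None:
            return
        if entry.left_at is not None and self.clock() - entry.left_at > self.reconnect_grace:
            del self.entries[key_id]  # returned after the first preset time: already invalid
            return
        entry.left_at = None

    # Third alternative (absolute lifetime) and the grace timer are both applied on query.
    def is_valid(self, key_id: str) -> bool:
        entry = self.entries.get(key_id)
        if entry is None:
            return False
        now = self.clock()
        if now - entry.verified_at > self.max_lifetime:
            del self.entries[key_id]
            return False
        if entry.left_at is not None and now - entry.left_at > self.reconnect_grace:
            del self.entries[key_id]
            return False
        return True


class FakeClock:
    """Constructed clock for the walkthrough; a real server would use time.monotonic."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def walkthrough() -> List[Tuple[str, bool]]:
    clock = FakeClock()
    store = PinVerificationStore(clock, reconnect_grace=60.0, max_lifetime=3600.0)
    store.record_verified("key-A")
    log = [("just verified", store.is_valid("key-A"))]
    clock.advance(100); store.on_device_left("key-A")
    clock.advance(30);  store.on_device_returned("key-A")   # back within 60 s
    log.append(("returned within grace", store.is_valid("key-A")))
    clock.advance(10);  store.on_device_left("key-A")
    clock.advance(90)                                       # away longer than 60 s
    log.append(("away past grace", store.is_valid("key-A")))
    store.record_verified("key-B")
    clock.advance(3601)                                     # past the absolute lifetime
    log.append(("lifetime exceeded", store.is_valid("key-B")))
    store.record_verified("key-C"); store.on_connection_dropped("key-C")
    log.append(("device unplugged", store.is_valid("key-C")))
    return log


if __name__ == "__main__":
    for event, valid in walkthrough():
        print(f"{event:24s} valid={valid}")
```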
Another aspect of the present invention provides a network application login system comprising a terminal, a smart key device, a router, an identity authentication server and an application server. The terminal is configured, after establishing a connection with the smart key device, to trigger the verifying device to perform the PIN code verification procedure of the smart key device. The identity authentication server is configured, when the PIN code verification procedure passes, to obtain and store PIN-verified information. The smart key device is configured to perform the identity authentication procedure with the router via the terminal. The router is configured, when the result of the identity authentication procedure is that authentication passes, to allocate an IP address to the terminal and to store binding information between the smart key device identity information and the IP address, the smart key device identity information being the smart key device certificate or the smart key device ID. The terminal is further configured to send an application login service request via the router to the application server, triggering between the router and the application server the procedure that determines the smart key device identity information matching the terminal from the terminal's IP address and the binding information. The application server is configured to obtain the determined smart key device identity information and to send a PIN verification state query request via the router to the identity authentication server. The identity authentication server is further configured to receive the query request, to check whether it holds PIN-verified information and what state that information is in, and, if it holds PIN-verified information whose state is valid, to send a PIN-verification-complete confirmation via the router to the application server. The application server is further configured, on obtaining the PIN-verification-complete confirmation, to provide the application login service to the terminal via the router according to the determined smart key device identity information.
Further, when the verifying device is the smart key device, the terminal is specifically configured to display a PIN input prompt, receive the PIN, generate PIN verification information and send it to the smart key device, and the smart key device is specifically configured to receive and verify the PIN verification information and, if verification passes, to generate PIN-verified information and send it via the terminal and the router to the identity authentication server. Alternatively, when the verifying device is the identity authentication server, the terminal is specifically configured to display a PIN input prompt, receive the PIN, generate PIN verification information and send it to the identity authentication server, and the identity authentication server is specifically configured to receive and verify the PIN verification information and, if verification passes, to generate PIN-verified information. Alternatively, when the verifying device is the smart key device, the terminal is specifically configured to send the PIN input prompt to the smart key device, and the smart key device is specifically configured to receive and display the prompt, receive and verify the PIN and, if verification passes, to generate PIN-verified information and send it via the terminal and the router to the identity authentication server. Alternatively, when the verifying device is the identity authentication server, the terminal is specifically configured to send the PIN input prompt to the smart key device; the smart key device is specifically configured to receive and display the prompt, receive the PIN, generate PIN verification information and send it via the terminal and the router to the identity authentication server; and the identity authentication server is specifically configured to receive and verify the PIN verification information and, if verification passes, to generate PIN-verified information.
Further, the terminal is specifically configured to send the application login service request via the router to the application server, the request including smart key device identity information and an IP address; the application server is specifically configured to receive the request and to send a smart key device identity verification request, containing the identity information and the IP address, to the router; the router is specifically configured to receive the identity verification request, verify the identity information it carries against the IP address and the binding information, obtain a smart key device identity verification result and send it to the application server; and the application server is specifically configured to receive the result, whereupon, if the result is that verification passed, the identity information carried in the login request is the determined smart key device identity information. Alternatively, the terminal is specifically configured to send the application login service request, including an IP address, via the router to the application server; the application server is specifically configured to send a smart key device identity information request, containing at least the IP address, to the router; the router is specifically configured to receive that request, obtain the smart key device identity information from the IP address and the binding information and send it to the application server; and the application server is specifically configured to receive the identity information, which is the determined smart key device identity information. Alternatively, the terminal is specifically configured to send the application login service request, including an IP address, to the router; the router is specifically configured, after receiving the request, to obtain the smart key device identity information from the IP address and the binding information and to send the login request together with the identity information to the application server; and the application server is specifically configured to receive both, the identity information being the determined smart key device identity information.
Further, the terminal is further configured, when it detects that its connection to the smart key device has been disconnected, to send a connection-disconnected notification via the router to the identity authentication server, and the identity authentication server is further configured, on receiving that notification, to perform the operation that invalidates the PIN-verified information. Alternatively, the router is further configured, when it detects that its connection to the terminal has been disconnected, to send a device-leave message to the identity authentication server, and when it detects that the terminal has reconnected, to send a device-access message; the identity authentication server is further configured, on receiving the device-leave message, to start a timer, to keep the PIN-verified information valid if the device-access message is received before the timer reaches the first preset time, and to perform the operation that invalidates the PIN-verified information if no device-access message is received before then. Alternatively, the identity authentication server is further configured to start a timer, to keep the PIN-verified information valid until the timer reaches the second preset time, and to perform the operation that invalidates the PIN-verified information once the second preset time is reached.
When a user goes online with a terminal device (a computer, a mobile phone and so on), application servers are reached through a router. Existing ways of logging in to an application server do not use a smart key device; the terminal logs in directly through the router. Because such a login involves no PIN code verification procedure and stores no PIN-verified information, the user must enter the password of the application again every time the terminal logs in to the application server through the router. With the method and system provided by this embodiment, by contrast, the user connects a smart key device to the terminal and, after passing the PIN code verification procedure of the smart key device, the terminal connects to the application server through the router; the high security of the smart key device makes access to the application server safer. Moreover, once the PIN code verification procedure of the smart key device has completed, the identity authentication server stores the PIN-verified information, so when the user again accesses the application server through the router from the terminal connected to that smart key device, and the PIN-verified information is still valid, the user can log in to the application server without entering its password again, which simplifies the process of logging in to applications.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of the network application login method provided by embodiment 1 of the present invention;
Fig. 2 is a flow chart of one way, provided by embodiment 1 of the present invention, in which the verification device is triggered to perform the PIN code verification flow of the intelligent key device;
Fig. 3 is a flow chart of another way, provided by embodiment 1 of the present invention, in which the verification device is triggered to perform the PIN code verification flow of the intelligent key device;
Fig. 4 is a flow chart of a further way, provided by embodiment 1 of the present invention, in which the verification device is triggered to perform the PIN code verification flow of the intelligent key device;
Fig. 5 is a flow chart of yet another way, provided by embodiment 1 of the present invention, in which the verification device is triggered to perform the PIN code verification flow of the intelligent key device;
Fig. 6 is a schematic structural diagram of a network application login system provided by embodiment 2 of the present invention.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
In the description of the invention, it should be understood that terms indicating an orientation or positional relationship, such as "center", "longitudinal", "transverse", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner" and "outer", are based on the orientation or positional relationship shown in the drawings, are used only to facilitate and simplify the description of the invention, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; they are therefore not to be understood as limiting the invention. Furthermore, the terms "first" and "second" are used only for descriptive purposes and are not to be understood as indicating or implying relative importance, quantity or position.
In the description of the invention, it should be noted that, unless otherwise expressly specified and limited, the terms "mounted", "connected to" and "connected" are to be understood broadly: a connection may, for example, be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediary; or an internal connection between two elements. Those of ordinary skill in the art can understand the specific meaning of these terms in the invention according to the specific circumstances.
The embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Embodiment 1
Fig. 1 is a flow chart of a network application login method provided by this embodiment. As shown in Fig. 1, the method embodiment comprises the following steps (S1-S7):
Step S1: after the intelligent key device has established a connection with the terminal, the terminal triggers the verification device to perform the PIN code verification flow of the intelligent key device; if verification passes, the identity authentication server obtains and stores the PIN code verification-passed information;
Step S2: the intelligent key device performs an identity authentication flow with the router through the terminal;
Step S3: when the result of the identity authentication flow is that authentication has passed, the router assigns an IP address to the terminal and stores binding information between the identity information of the intelligent key device and the IP address, the identity information of the intelligent key device being the intelligent key device certificate or the intelligent key device ID;
Step S4: the terminal sends an application login service request to the application server through the router, which triggers the router and the application server to perform a flow in which the intelligent key device identity information matching the terminal is determined from the terminal's IP address and the binding information between intelligent key device identity information and IP address; the application server obtains the intelligent key device identity information so determined;
Step S5: the application server sends a PIN code verification status query request to the identity authentication server through the router;
Step S6: the identity authentication server receives the PIN code verification status query request and checks whether it holds PIN code verification-passed information and, if so, the state of that information; if the identity authentication server holds PIN code verification-passed information and the state of that information is valid, it sends a PIN code verification completion confirmation to the application server through the router;
Step S7: having obtained the PIN code verification completion confirmation, the application server provides the application login service to the terminal through the router according to the intelligent key device identity information determined in step S4.
When a user goes online with a terminal device (computer, mobile phone, etc.), the terminal can access an application server through a router. Existing ways of logging in to an application server do not use an intelligent key device; the terminal logs in directly through the router. Because such an existing login method does not go through a PIN code verification flow and stores no record that PIN code verification has passed, the user has to enter the password of the application again every time the terminal logs in to the application server through the router. With the method provided by this embodiment, the user can connect an intelligent key device to the terminal, and after the PIN code verification flow of the intelligent key device has passed, the terminal connects to the application server through the router; owing to the high security of the intelligent key device, this makes access to the application server safer. Moreover, once the PIN code verification flow of the intelligent key device has completed, the identity authentication server keeps the PIN code verification-passed information, so when the user again uses the terminal connected to that intelligent key device to access the application server through the router, and the PIN code verification-passed information is still valid because the user has passed the PIN code verification flow of that intelligent key device, the user can log in to the application server without entering its password again, which simplifies the process of logging in to the application.
Steps S1-S7 of this embodiment are described in detail below.
Step S1: after the intelligent key device has established a connection with the terminal, the terminal triggers the verification device to perform the PIN code verification flow of the intelligent key device; if verification passes, the identity authentication server obtains and stores the PIN code verification-passed information;
In this step, the terminal includes electronic devices such as computers and mobile phones, and the intelligent key device includes, but is not limited to, an electronic signature device or a smart card. The intelligent key device has a built-in security chip, which provides encryption, signature and other functions that ensure information security.
In this step, as an optional embodiment, the terminal may provide a wired communication interface: when the terminal is a computer, a USB interface of the computer may serve as its wired communication interface; when the terminal is a mobile phone, the audio interface of the mobile phone may serve as its wired communication interface. The intelligent key device then establishes the connection with the terminal by connecting to the terminal's communication interface over a wired link. As another optional embodiment, the terminal may provide a wireless communication module such as WIFI, Bluetooth or NFC, and the intelligent key device establishes the connection with the terminal over a wireless link (WIFI, Bluetooth, NFC, etc.). In this way the terminal can rely on the intelligent key device to provide its security functions.
In this step, triggering the verification device to perform the PIN code verification flow of the intelligent key device includes at least any one of the following four modes:
Mode one
In this mode the verification device is the intelligent key device. Fig. 2 is a flow chart of one way of triggering the verification device to perform the PIN code verification flow of the intelligent key device; as shown in Fig. 2, the flow specifically includes:
Step S101: the terminal issues a PIN code input prompt;
In this step, the terminal may display the PIN code input prompt on its screen or announce it through a speaker, for example by showing "please enter password" on the screen.
Step S102: the terminal receives the PIN code and generates PIN code verification information;
In this step, after the terminal has prompted, the user may enter the PIN code by keyboard, mouse selection, voice input or the like, or by entering biometric information. After receiving the PIN code the terminal generates the PIN code verification information. Optionally, the PIN code verification information may be the ciphertext produced by the terminal encrypting the PIN code, using symmetric-key or asymmetric-key encryption, so that the PIN code is better protected while it is transmitted between the terminal and other devices.
Step S103: the terminal sends the PIN code verification information to the intelligent key device;
Step S104: the intelligent key device receives and verifies the PIN code verification information and, if verification passes, generates PIN code verification-passed information;
In this step, optionally, if the PIN code verification information is ciphertext produced by encrypting the PIN code, the intelligent key device decrypts the received PIN code verification information to obtain the PIN code. The intelligent key device may hold a pre-stored PIN code, compare the PIN code obtained from the PIN code verification information with the pre-stored PIN code, and treat the PIN code verification information as verified if the two agree. Alternatively, the intelligent key device may hold a pre-stored PIN code MAC value: after receiving the PIN code verification information it computes a MAC value over the PIN code contained in it, compares the computed MAC value with the pre-stored PIN code MAC value, and treats the PIN code verification information as verified if the two agree.
Step S105: the intelligent key device sends the PIN code verification-passed information to the identity authentication server through the terminal and the router.
In this optional embodiment, the PIN code verification flow is initiated by the terminal, which issues the PIN code input prompt; the PIN code is verified by the intelligent key device; and if verification passes, the identity authentication server stores the PIN code verification-passed information.
Mode two
This mode differs from mode one in that the verification device is the identity authentication server, which is connected to the router by wire or wirelessly. Fig. 3 is a flow chart of another way of triggering the verification device to perform the PIN code verification flow of the intelligent key device; as shown in Fig. 3, the flow specifically includes:
Step S111: the terminal issues a PIN code input prompt;
Step S112: the terminal receives the PIN code and generates PIN code verification information;
Step S113: the terminal sends the PIN code verification information to the identity authentication server;
In this step, the terminal may send the PIN code verification information to the identity authentication server through the router.
Step S114: the identity authentication server receives and verifies the PIN code verification information and, if verification passes, generates PIN code verification-passed information.
As an optional embodiment, a PIN code may be pre-stored in the identity authentication server; after receiving the PIN code verification information, the server compares the PIN code contained in it with the pre-stored PIN code and, if the two agree, verification passes. Alternatively, a PIN code MAC value may be pre-stored in the identity authentication server; after receiving the PIN code verification information, the server computes a MAC value over the PIN code contained in it, compares the computed MAC value with the pre-stored PIN code MAC value and, if the two agree, verification passes.
In this optional embodiment, the PIN code verification flow is initiated by the terminal, which issues the PIN code input prompt; the PIN code is verified by the identity authentication server, which stores the PIN code verification-passed information if verification passes. Compared with the embodiment of mode one, the PIN code verification flow of this mode does not involve the intelligent key device.
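The verifying side of steps S102-S104 (mode one) and S112-S114 (mode two) shares one mechanism: the terminal turns the PIN code into PIN code verification information by encrypting it, and the verification device, whether the intelligent key device or the identity authentication server, recovers the PIN code, computes a MAC value over it and compares that with a pre-stored PIN code MAC value. The following Go program is an added example of that mechanism; it is not code from the patent or from its applicant. The type and function names (Verifier, EncryptPIN, Verify), AES-256-GCM as the symmetric cipher of S102, HMAC-SHA256 as the MAC operation, and out-of-band provisioning of the MAC key and the transport key are all assumptions, since the text names no algorithm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Verifier is the device holding the reference value: the intelligent key
// device in mode one, the identity authentication server in mode two. It keeps
// the "PIN code MAC value" rather than the PIN itself. Assumption: the MAC key
// and the transport key are provisioned out of band; the text does not say how.
type Verifier struct {
	macKey       []byte
	transportKey []byte
	storedPINMAC []byte
}

func NewVerifier(pin string, macKey, transportKey []byte) *Verifier {
	return &Verifier{macKey: macKey, transportKey: transportKey, storedPINMAC: pinMAC(macKey, pin)}
}

// pinMAC is the "operation on the PIN code that yields a MAC value" (HMAC-SHA256 here).
func pinMAC(key []byte, pin string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(pin))
	return m.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPIN is the terminal side of S102/S112: the PIN code verification
// information is the PIN encrypted under a symmetric key, nonce prepended.
func EncryptPIN(transportKey []byte, pin string) ([]byte, error) {
	gcm, err := newGCM(transportKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pin), nil), nil
}

// Verify is S104/S114: decrypt the verification information, recompute the MAC
// over the recovered PIN and compare it with the stored MAC in constant time.
// Verification information that fails authenticated decryption is rejected
// before any comparison takes place.
func (v *Verifier) Verify(checkingInfo []byte) (bool, error) {
	gcm, err := newGCM(v.transportKey)
	if err != nil {
		return false, err
	}
	if len(checkingInfo) < gcm.NonceSize() {
		return false, errors.New("PIN code verification information too short")
	}
	nonce, ct := checkingInfo[:gcm.NonceSize()], checkingInfo[gcm.NonceSize():]
	pin, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return false, fmt.Errorf("PIN code verification information rejected: %w", err)
	}
	return hmac.Equal(pinMAC(v.macKey, string(pin)), v.storedPINMAC), nil
}

func main() {
	macKey := []byte("constructed-32-byte-mac-key-0001")       // constructed sample key
	transportKey := []byte("constructed-32-byte-aes-key-0001") // constructed sample key
	v := NewVerifier("123456", macKey, transportKey)
	info, _ := EncryptPIN(transportKey, "123456")
	ok, err := v.Verify(info)
	fmt.Println("PIN accepted:", ok, "error:", err)
}
```

Two details matter on the verifying side: the comparison of MAC values uses hmac.Equal so that its timing does not depend on how many leading bytes agree, and a ciphertext whose authentication tag fails is refused outright rather than being compared as garbage, which is what separates a transport error from a wrong PIN.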
Mode three
In the manner, checking equipment is intelligent cipher key equipment.The difference of the manner and mode one is:In the manner, by Intelligent cipher key equipment points out PIN code input prompt message and receives PIN code.Fig. 4 performs intelligence for another triggering checking equipment The PIN code of key devices verifies the flow chart of flow, as shown in figure 4, the flow is specifically included:
Step S121, terminal sends PIN code input prompt message to intelligent cipher key equipment;
Step S122, intelligent cipher key equipment receives PIN code input prompt message and pointed out;
In this step, intelligent cipher key equipment can show on screen or report PIN code input by speaker sound and carry Show information, for example:Intelligent cipher key equipment is shown " please input password " on its screen.
Step S123, intelligent cipher key equipment receives PIN code and verified, if being verified, and generation PIN code is verified letter Breath;
In this step, after intelligent cipher key equipment is pointed out, user can be with input through keyboard, mouse selection, voice The modes such as input input PIN code, or, user can input PIN code in the way of biological information typing.
Step S124, PIN code is verified information and sent by terminal and router to identity by intelligent cipher key equipment to be recognized Demonstrate,prove server.
In the optional embodiment, PIN code checking flow is initiated by terminal;It is defeated to PIN code by intelligent cipher key equipment Enter prompt message to be pointed out, and PIN code is verified;If being verified, by ID authentication device storage PIN code checking Pass through information.In addition, in the optional embodiment, because intelligent cipher key equipment directly receives PIN code and is verified, because This PIN code or the data that obtain after handling PIN code without be transmitted between the individual devices, so that PIN code Security is improved.
Mode four
In this mode the verification device is the identity authentication server. This mode also differs from mode one in that the intelligent key device issues the PIN code input prompt and receives the PIN code. Fig. 5 is a flow chart of yet another way of triggering the verification device to perform the PIN code verification flow of the intelligent key device; as shown in Fig. 5, the flow specifically includes:
Step S131: the terminal sends PIN code input prompt information to the intelligent key device;
Step S132: the intelligent key device receives the PIN code input prompt information and prompts the user;
Step S133: the intelligent key device receives the PIN code and generates PIN code verification information;
Step S134: the intelligent key device sends the PIN code verification information to the identity authentication server through the terminal and the router;
Step S135: the identity authentication server receives and verifies the PIN code verification information and, if verification passes, generates PIN code verification-passed information.
In this optional embodiment, the PIN code verification flow is initiated by the terminal; the intelligent key device issues the PIN code input prompt; the identity authentication server verifies the PIN code and, if verification passes, generates and stores the PIN code verification-passed information.
In step S1, by any of the optional embodiments above, the verification device can verify the user's identity by means of PIN code verification; after verification passes, the identity authentication server obtains and stores the PIN code verification-passed information, which is the basis for the subsequent application login operation.
To further improve security, the validity of the PIN code verification-passed information may also be maintained after verification has passed. For example, when a long time has elapsed since the user entered the PIN code, or when the user's terminal has disconnected from the router, the identity authentication server may expire the stored PIN code verification-passed information; the user then has to perform PIN code verification anew before performing another network application login.
The maintenance of the validity of the PIN code verification-passed information is illustrated below.
In one optional embodiment of this embodiment, after step S1 the method further includes: when the terminal detects that its connection with the intelligent key device has been disconnected, it sends a connection-disconnection notification to the identity authentication server through the router; after receiving the connection-disconnection notification, the identity authentication server performs the operation of invalidating the PIN code verification-passed information. In this optional embodiment a state parameter may be kept in the identity authentication server to indicate whether the PIN code verification-passed information is in the valid state. Specifically, a one-bit binary number may represent the state parameter, with different digits representing the valid state and the invalid state: for example, the digit "1" may mean that the PIN code verification-passed information is valid and "0" that it is invalid, or "0" may mean valid and "1" invalid; no particular limitation is made here. In implementation, after step S1, when the terminal detects that its connection with the intelligent key device has been disconnected, it sends the connection-disconnection notification to the identity authentication server through the router; after receiving the notification, the identity authentication server changes the state parameter of the stored intelligent key device PIN code verification-passed information to the invalid state, for example from "1" to "0" where "1" denotes the valid state.
In this optional embodiment, instead of keeping a state parameter, the identity authentication server may decide whether the intelligent key device PIN code verification-passed information is valid by whether such information is stored in it at all. Specifically, after step S1, when the terminal detects that its connection with the intelligent key device has been disconnected, it sends the connection-disconnection notification to the identity authentication server through the router; after receiving the notification, the identity authentication server deletes the stored intelligent key device PIN code verification-passed information. Thus, as long as intelligent key device PIN code verification-passed information is found in the identity authentication server, the stored information is deemed to be in the valid state; otherwise it is in the invalid state. When the connection between the terminal and the intelligent key device is disconnected, someone other than the user may be using the terminal to access the network; marking the PIN code verification-passed information as invalid therefore prevents unauthorised network access by persons other than the user. After the user reconnects the intelligent key device to the terminal, the user must enter the PIN code again to complete a new PIN code verification flow.
In another optional embodiment of this embodiment, after step S1 the method further includes: when the router detects that its connection with the terminal has been disconnected, it sends a device-leave message to the identity authentication server, and when it detects that the router and the terminal have reconnected, it sends a device-access message to the identity authentication server; on receiving the device-leave message the identity authentication server starts a timer; if the device-access message arrives before the timer reaches the first preset time, the server keeps the PIN code verification-passed information valid, and if no device-access message has arrived when the timer reaches the first preset time, the server performs the operation of invalidating the PIN code verification-passed information. For example, if the first preset time is 10 minutes, then if the terminal re-establishes its connection with the router within 10 minutes of disconnecting, no new PIN code verification flow is needed; if the terminal was disconnected from the router for more than 10 minutes, the user must enter the PIN code again for a new PIN code verification flow after the terminal reconnects to the router.
In this optional embodiment, as in the first optional embodiment, a state parameter may be kept in the identity authentication server to indicate whether the PIN code verification-passed information is in the valid state. In implementation, on receiving the device-leave message the identity authentication server starts a timer; if the device-access message arrives before the timer reaches the first preset time, the server leaves its state parameter unchanged, and if not, it changes the state parameter, for example from "1" to "0" where "1" denotes the valid state. Alternatively, in this optional embodiment, on receiving the device-leave message the identity authentication server starts a timer and, if no device-access message has arrived when the timer reaches the first preset time, deletes the PIN code verification-passed information it stores; thus, as long as intelligent key device PIN code verification-passed information is found in the identity authentication server, the stored information is deemed to be in the valid state, and otherwise it is in the invalid state. When the terminal has been disconnected from the router for too long, the person using the terminal and the intelligent key device may have changed, so marking the PIN code verification-passed information as invalid prevents unauthorised network access by persons other than the user; if the user logs in to the application server again with the same terminal and intelligent key device, the login can be performed by entering the PIN code again.
In a further optional embodiment of this embodiment, after step S1 the method further includes: the identity authentication server starts a timer, keeps the PIN code verification-passed information valid until the timer reaches the second preset time, and performs the operation of invalidating the PIN code verification-passed information once the timer reaches the second preset time. For example, if the second preset time is 8 hours, then for 8 hours after completing PIN code verification the user can perform password-free network application logins through the router; after 8 hours the user must complete a PIN code verification flow again before continuing with password-free network application logins.
In this optional embodiment, as in the first optional embodiment, a state parameter may be kept in the identity authentication server to indicate whether the PIN code verification-passed information is in the valid state. In implementation, the identity authentication server starts a timer and leaves its state parameter unchanged until the timer reaches the second preset time; once the second preset time is reached it changes the state parameter, for example from "1" to "0" where "1" denotes the valid state. Alternatively, in this optional embodiment, the identity authentication server starts a timer and, once the timer reaches the second preset time, deletes the PIN code verification-passed information it stores; thus, as long as intelligent key device PIN code verification-passed information is found in the identity authentication server, the stored information is deemed to be in the valid state, and otherwise it is in the invalid state.
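The three validity rules just described (immediate invalidation when the intelligent key device is disconnected, the first preset time that covers a short router drop-out, and the second preset time that bounds the overall lifetime) are combined in the following Go example of the state parameter kept by the identity authentication server. It is an added illustration, not code from the patent or its applicant; the type and method names, the choice of the state-parameter variant over the deletion variant, and passing the current time in as a parameter instead of running real timers are assumptions made so that the rules can be exercised deterministically. The 10-minute and 8-hour defaults are the text's own examples.

```go
package main

import (
	"fmt"
	"time"
)

// PINState is the identity authentication server's record for one intelligent
// key device: the "PIN code verification-passed information" together with the
// one-bit state parameter. Assumption: the caller supplies the current time, so
// a timer "reaching" a preset time is evaluated lazily when a query arrives.
type PINState struct {
	ReconnectGrace time.Duration // first preset time (10 minutes in the text's example)
	MaxLifetime    time.Duration // second preset time (8 hours in the text's example)
	verifiedAt     time.Time     // zero value: no verification-passed information stored
	valid          bool          // the state parameter: true = valid state, false = invalid state
	leftAt         time.Time     // when the router reported "device leave"; zero while connected
}

func NewPINState() *PINState {
	return &PINState{ReconnectGrace: 10 * time.Minute, MaxLifetime: 8 * time.Hour}
}

// OnPINVerified records the outcome of step S1 and starts the second-preset-time clock.
func (s *PINState) OnPINVerified(now time.Time) {
	s.verifiedAt, s.valid, s.leftAt = now, true, time.Time{}
}

// OnKeyDeviceDisconnected handles the terminal's connection-disconnection
// notification: the verification-passed information becomes invalid at once.
func (s *PINState) OnKeyDeviceDisconnected() { s.valid = false }

// OnTerminalLeft handles the router's device-leave message: the first-preset-time clock starts.
func (s *PINState) OnTerminalLeft(now time.Time) {
	if s.leftAt.IsZero() {
		s.leftAt = now
	}
}

// OnTerminalReturned handles the router's device-access message: inside the
// first preset time the information stays valid, otherwise it has already failed.
func (s *PINState) OnTerminalReturned(now time.Time) {
	if !s.leftAt.IsZero() && now.Sub(s.leftAt) >= s.ReconnectGrace {
		s.valid = false
	}
	s.leftAt = time.Time{}
}

// Valid answers the step S6 status query: is there verification-passed
// information, and is its state parameter still the valid state?
func (s *PINState) Valid(now time.Time) bool {
	if s.verifiedAt.IsZero() || !s.valid {
		return false
	}
	if now.Sub(s.verifiedAt) >= s.MaxLifetime {
		s.valid = false // second preset time reached
	} else if !s.leftAt.IsZero() && now.Sub(s.leftAt) >= s.ReconnectGrace {
		s.valid = false // terminal away longer than the first preset time
	}
	return s.valid
}

func main() {
	t0 := time.Date(2017, 4, 14, 9, 0, 0, 0, time.UTC) // constructed timestamp
	s := NewPINState()
	s.OnPINVerified(t0)
	s.OnTerminalLeft(t0.Add(1 * time.Minute))
	s.OnTerminalReturned(t0.Add(5 * time.Minute))
	fmt.Println("valid after a 4-minute drop-out:", s.Valid(t0.Add(5*time.Minute)))
	fmt.Println("valid once 8 hours have passed:", s.Valid(t0.Add(8*time.Hour)))
}
```

Evaluating the timers inside Valid rather than in background goroutines keeps the server's decision a pure function of the recorded events and the query time, which is what makes the three rules auditable: every state transition can be traced to one notification or one elapsed interval.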
Step S2: the intelligent key device performs an identity authentication flow with the router through the terminal;
In this step, the router has an identity authentication function. Specifically, the router has a built-in security chip in which a digital certificate and/or a private key is stored; or the router has embedded software implementing the digital certificate function; or an intelligent key device is attached externally to the router. An intelligent key device is a device with a security chip that has its own processor and storage unit; it can store PKI digital certificates, keys such as private keys, encryption/decryption keys and verification keys, and other characteristic data, can encrypt, decrypt, sign and verify signatures on data, and provides data encryption and identity authentication services to the user. In implementation, the router may authenticate the intelligent key device as follows: verify the received digital certificate of the intelligent key device with a root certificate, and/or verify, with the digital certificate of the intelligent key device, signed data that was signed with the private key of the intelligent key device. The intelligent key device may authenticate the router as follows: verify the received digital certificate of the router with a root certificate, and/or verify, with the digital certificate of the router, signed data that was signed with the private key of the router. Only one-way identity authentication may be performed between the router and the intelligent key device, i.e. the router authenticates the intelligent key device or the intelligent key device authenticates the router; or bidirectional identity authentication may be performed between the router and the intelligent key device, i.e. the router authenticates the intelligent key device and the intelligent key device authenticates the router.
The flow of bidirectional identity authentication between the intelligent key device and the router is illustrated below:
Step S201, intelligent cipher key equipment generation random number R 1, to the private key KS1 of its own to random number R 1 and intelligence Key devices ID sign obtaining signed data S1;
In implementation process, intelligent cipher key equipment can splice to random number R 1 and intelligent cipher key equipment ID, obtain Splicing result.For example:Random number R 1 is " 7195 ", and intelligent cipher key equipment ID is " 1000001 ", then close to random number R 1 and intelligence The splicing result that key device id progress sequential concatenation is obtained is " 71951000001 ".Certainly, random number R 1 and intelligent key are set The mode that standby ID is spliced is not limited to sequential concatenation, can also be spliced with other rules, not limited herein.Intelligence is close Key equipment carries out HASH computings to the splicing result, obtains the message X1 that makes a summary, and using the private key KS1 of its own to the summary report Literary X1 carries out signature computing and obtains signed data S1.
Step S202, intelligent cipher key equipment is by random number R 1, intelligent cipher key equipment ID, signed data S1 and intelligent key Device certificate is sent to router by terminal;
Step S203, router utilizes intelligence in intelligent cipher key equipment certificate after checking intelligent cipher key equipment certificate is legal The public key KP1 of energy key devices carries out sign test to signed data S1, and utilizes its own safety chip to produce by rear in sign test Random number R 2.
In implementation process, router utilizes the public key KP1 docking of the intelligent cipher key equipment in intelligent cipher key equipment certificate The signed data S1 received carries out computing and obtains operation result X2, and the random number R 1 received and intelligent cipher key equipment ID are entered Row splicing, obtains splicing result, wherein, the splicing rule in above-mentioned splicing rule and intelligent cipher key equipment is consistent.Route Device carries out HASH computings to obtained splicing result and obtains the message X3 that makes a summary, and operation result X2 is compared with summary message X3 Right, if comparison result is consistent, router passes through to signed data S1 sign test.
Step S204: the router encrypts the random numbers R1 and R2 with the smart key device public key KP1 to obtain the ciphertext E1, and signs the ciphertext E1 with the router's private key KS2 to obtain the signed data S2.
In this step, the router's signing procedure is the same as the smart key device's signing procedure described in step S201 and is not repeated here.
Step S205: the router sends the ciphertext E1, the signed data S2 and the router certificate to the smart key device via the terminal.
Step S206: the smart key device verifies the signed data S2 with the router public key KP2 contained in the received certificate and, once the signature verifies, decrypts the ciphertext E1 with its own private key KS1 to obtain the random numbers R1 and R2.
In this step, the smart key device's signature verification procedure is the same as the router's verification procedure described in step S203 and is not repeated here.
Step S207: the smart key device compares the decrypted random number R1 with the random number R1 it generated itself; if they match, the result of the identity authentication between the smart key device and the router is "passed".
Steps S201 to S207 are only one optional identity authentication flow; the smart key device and the router may also authenticate each other in other ways, and no limitation is placed here. Through these steps, the smart key device and the router each verify that the other's identity is legitimate. In addition, the random number R2 obtained by the smart key device by decryption in step S206 can serve as a session key: when the smart key device and the router exchange data, R2 can be used as the encryption and decryption key, improving the security of the transmitted data.
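The exchange of steps S201 to S207, written out with both parties' messages as an added example in Go. This is not code from the patent, which fixes no algorithms: the example assumes RSA-2048 keys, SHA-256 as the HASH, PKCS#1 v1.5 signatures, OAEP for the ciphertext E1, 16-byte random numbers, and certificates reduced to bare public keys, so the certificate-validity check of step S203 is taken as already done. With a padded signature scheme the X2-versus-X3 comparison of step S203 happens inside the verify primitive rather than in the caller. The type and function names (KeyDevice, Router, Msg1, Msg2, Start, Respond, Finish) are the example's own.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

const nonceLen = 16 // size of R1 and R2; assumed, the patent gives no size

// KeyDevice is the smart key device: it holds KS1 and remembers its own R1.
type KeyDevice struct {
	ID  string
	KS1 *rsa.PrivateKey
	r1  []byte
}

// Router holds KS2. Certificates are reduced to bare public keys here.
type Router struct{ KS2 *rsa.PrivateKey }

// Msg1 is the step S202 message; Msg2 is the step S205 message.
type Msg1 struct {
	R1, S1 []byte
	ID     string
	KP1    *rsa.PublicKey
}
type Msg2 struct {
	E1, S2 []byte
	KP2    *rsa.PublicKey
}

// digest is step S201's HASH over the sequential concatenation R1 || ID.
func digest(r1 []byte, id string) []byte {
	h := sha256.Sum256(append(append([]byte{}, r1...), id...))
	return h[:]
}

// nonce draws a fresh random number from the CSPRNG (the "security chip").
func nonce() []byte {
	b := make([]byte, nonceLen)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Start is steps S201/S202: draw R1 and sign HASH(R1 || ID) with KS1.
func (d *KeyDevice) Start() (Msg1, error) {
	d.r1 = nonce()
	s1, err := rsa.SignPKCS1v15(rand.Reader, d.KS1, crypto.SHA256, digest(d.r1, d.ID))
	return Msg1{R1: d.r1, S1: s1, ID: d.ID, KP1: &d.KS1.PublicKey}, err
}

// Respond is steps S203/S204: verify S1, draw R2, encrypt R1 || R2 to KP1 and
// sign E1 with KS2. R2 is also returned so a caller can compare both sides.
func (r *Router) Respond(m Msg1) (Msg2, []byte, error) {
	if err := rsa.VerifyPKCS1v15(m.KP1, crypto.SHA256, digest(m.R1, m.ID), m.S1); err != nil {
		return Msg2{}, nil, fmt.Errorf("S203: signature S1 invalid: %w", err)
	}
	r2 := nonce()
	plain := append(append([]byte{}, m.R1...), r2...)
	e1, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, m.KP1, plain, nil)
	if err != nil {
		return Msg2{}, nil, err
	}
	h := sha256.Sum256(e1)
	s2, err := rsa.SignPKCS1v15(rand.Reader, r.KS2, crypto.SHA256, h[:])
	return Msg2{E1: e1, S2: s2, KP2: &r.KS2.PublicKey}, r2, err
}

// Finish is steps S206/S207: verify S2, decrypt E1 with KS1 and check that the
// recovered R1 is the one this device drew. The returned R2 is the session key.
func (d *KeyDevice) Finish(m Msg2) ([]byte, error) {
	h := sha256.Sum256(m.E1)
	if err := rsa.VerifyPKCS1v15(m.KP2, crypto.SHA256, h[:], m.S2); err != nil {
		return nil, fmt.Errorf("S206: signature S2 invalid: %w", err)
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, d.KS1, m.E1, nil)
	if err != nil {
		return nil, fmt.Errorf("S206: decryption failed: %w", err)
	}
	if len(plain) != 2*nonceLen {
		return nil, fmt.Errorf("S206: unexpected plaintext length %d", len(plain))
	}
	if subtle.ConstantTimeCompare(plain[:nonceLen], d.r1) != 1 {
		return nil, fmt.Errorf("S207: R1 mismatch, reply is not fresh")
	}
	return plain[nonceLen:], nil
}

func main() {
	d := &KeyDevice{ID: "1000001", KS1: newKey()}
	r := &Router{KS2: newKey()}
	m1, _ := d.Start()
	m2, r2, err := r.Respond(m1)
	if err != nil {
		panic(err)
	}
	got, err := d.Finish(m2)
	fmt.Println("authenticated:", err == nil && bytes.Equal(got, r2))
}
```

Finish compares the decrypted R1 against the device's own R1 in constant time and refuses a reply whose R1 is not the one it just drew, which is what makes a replayed router reply fail at step S207. A practitioner would feed R2 through a key derivation function rather than use it directly as the session key the way step S206 describes.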
Step S3: when the result of the identity authentication flow is "passed", the router assigns an IP address to the terminal and saves binding information between the smart key device identity information and the IP address, where the smart key device identity information is the smart key device certificate or the smart key device ID.
In this step, the router obtains the smart key device identity information during the identity authentication flow, for example in step S202 above. The router can therefore establish a one-to-one correspondence between the smart key device identity information and the IP address of the terminal connected to that smart key device.
Step S4: the terminal sends an application login service request to the application server via the router, which triggers a flow between the router and the application server that determines, from the terminal's IP address and the binding information between smart key device identity information and IP address, the smart key device identity information matching the terminal; the application server obtains the determined smart key device identity information.
In this embodiment, step S4 may be implemented in at least any one of the following three modes:
Mode one
Step S401: the terminal sends an application login service request to the application server via the router.
The application login service request contains the smart key device identity information and the IP address. The smart key device identity information is the device certificate or device ID of the smart key device connected to the terminal, and the IP address is the one the router assigned to the terminal in step S3 when the identity authentication flow passed.
Step S402: the application server receives the application login service request and sends a smart key device identity verification request to the router.
The smart key device identity verification request contains the smart key device identity information and the IP address.
Step S403: the router receives the smart key device identity verification request, verifies the smart key device identity information carried in the request according to the IP address and the binding information, obtains smart key device identity verification result information and sends it to the application server.
Specifically, because the router assigns the IP address to the terminal and saves the binding between the smart key device identity information and the IP address only when the result of the identity authentication flow is "passed", the router holds a one-to-one correspondence between smart key device identity information and the IP address of the terminal connected to that smart key device. When the router receives a smart key device identity verification request containing smart key device identity information A1 and an IP address, it looks up, in its saved binding information, the smart key device identity information A2 corresponding to that IP address and checks whether the received A1 matches the saved A2. If they match, the verification result information is "verified"; if they do not match, the verification result information is "not verified". The router can thus use the saved binding information to verify the IP address and smart key device identity information carried in the application login service request initiated by the terminal. Because the binding information was saved only when the identity authentication flow passed, this step verifies whether the application login service request sent by the terminal is legitimate; if the verification passes, the application login service request is legitimate.
Step S404: the application server receives the smart key device identity verification result information; if the result is "verified", the smart key device identity information carried in the application login service request is the determined smart key device identity information.
For example, if the smart key device identity verification result information is "verified", i.e. in step S403 the received smart key device identity information A1 matched the saved A2, then A1 is the determined smart key device identity information. The application server thereby obtains legitimate smart key device identity information, which is the basis on which it subsequently provides the application login service to the terminal via the router according to that identity information.
In this optional embodiment, the terminal sends the application login service request to the application server, the request contains the IP address and the smart key device identity information, and after the application server sends the smart key device identity verification request, the router completes the verification of the received smart key device identity information so that the determined smart key device identity information is obtained.
Mode two
Step S411: the terminal sends an application login service request to the application server via the router.
In this step, the application login service request contains the IP address; it need not contain the smart key device identity information.
Step S412: the application server sends a smart key device identity information request to the router,
where the smart key device identity information request contains at least the IP address.
Step S413: the router receives the smart key device identity information request, obtains the smart key device identity information according to the IP address and the binding information, and sends it to the application server.
Specifically, because the router assigns the IP address to the terminal and saves the binding between the smart key device identity information and the IP address only when the result of the identity authentication flow is "passed", the router holds a one-to-one correspondence between smart key device identity information and the IP address of the terminal connected to that smart key device, and can therefore find, in its saved binding information, the smart key device identity information corresponding to the received IP address. Because the binding information was saved only when the identity authentication flow passed, the smart key device identity information obtained in this step is secure and legitimate.
Step S414: the application server receives the smart key device identity information, which is the determined smart key device identity information.
In this optional embodiment, the terminal sends the application login service request to the application server, the request contains the IP address, and after the application server sends the smart key device identity information request, the router obtains the legitimate smart key device identity information from the IP address using the binding information and sends it to the application server, which is the basis on which the application server subsequently provides the application login service to the terminal via the router according to that identity information.
Mode three
Step S421: the terminal sends an application login service request to the router.
In this optional embodiment, the application login service request contains the IP address; it need not contain the smart key device identity information.
Step S422: after receiving the application login service request sent by the terminal, the router obtains the smart key device identity information according to the IP address and the binding information.
Specifically, because the router assigns the IP address to the terminal and saves the binding between the smart key device identity information and the IP address only when the result of the identity authentication flow is "passed", the router holds a one-to-one correspondence between smart key device identity information and the IP address of the terminal connected to that smart key device, and can therefore find, in its saved binding information, the smart key device identity information corresponding to the received IP address. Because the binding information was saved only when the identity authentication flow passed, the smart key device identity information obtained in this step is secure and legitimate.
Step S423: the router sends the application login service request and the smart key device identity information to the application server; the application server receives the application login service request and the smart key device identity information, and that smart key device identity information is the determined smart key device identity information.
In this optional embodiment, the terminal sends the application login service request to the router, the request contains the IP address, and the router obtains the legitimate smart key device identity information from the IP address using the binding information and sends it to the application server, which is the basis on which the application server subsequently provides the application login service to the terminal via the router according to that identity information.
In step S4, by any of the optional embodiments above, the flow performed between the router and the application server that determines the smart key device identity information matching the terminal from the terminal's IP address and the binding information between smart key device identity information and IP address can be completed, so that the application server obtains the determined smart key device identity information. Moreover, the smart key device identity information determined by any of these optional embodiments is legitimate, which guarantees the security of the application login service that the application server provides to the terminal via the router according to that identity information.
Step S5: the application server sends a PIN code verification state query request to the identity authentication server via the router.
Step S6: the identity authentication server receives the PIN code verification state query request, checks whether it holds PIN-verified information and checks the state of that information; if it holds PIN-verified information and the state of that information is valid, it sends a PIN code verification completion confirmation to the application server via the router.
In this embodiment, the order in which steps S5 and S6 are performed relative to the step S4 flow (in which the router and the application server determine, from the terminal's IP address and the binding information, the smart key device identity information matching the terminal, and the application server obtains it) is not limited. That is, after the terminal sends the application login service request to the application server via the router, step S4 may be performed first and then steps S5 and S6; or steps S5 and S6 first and then step S4; or step S4 and steps S5 and S6 in parallel. Whatever the order, the subsequent steps can proceed as long as the application server has obtained both the PIN code verification completion confirmation and the determined smart key device identity information.
In this embodiment, if the PIN code verification flow of the smart key device in step S1 did not pass, no PIN-verified information exists in the identity authentication server. Then, after the application server sends the PIN code verification state query request to the identity authentication server via the router, the identity authentication server finds that it holds no PIN-verified information, and in that case the application server cannot provide the application login service to the terminal.
In addition, where the method includes validity maintenance of the PIN-verified information, even if the identity authentication server holds PIN-verified information, that information may be in the invalid state because of an abnormal condition such as the connection between the smart key device and the terminal, or between the terminal and the router, being broken. Therefore, if the PIN code verification flow of the smart key device in step S1 passed but such an abnormal condition occurred, then after the application server sends the PIN code verification state query request via the router, the identity authentication server finds that it holds PIN-verified information but that its state is invalid, and in that case the application server cannot provide the application login service to the terminal.
Thus, by steps S5 and S6 of this embodiment, the application server, before providing the application login service to the terminal, can send a PIN code verification state query request to the identity authentication server via the router to ask whether the identity authentication server holds valid PIN-verified information, thereby confirming whether the terminal requesting login to the application server is secure and legitimate. Only after the terminal's identity is confirmed legitimate does the application server provide the subsequent application login service to the terminal, which guarantees the security of the network application login process.
Step S7: when the application server has obtained the PIN code verification completion confirmation, it provides the application login service to the terminal via the router according to the determined smart key device identity information.
In this step, the application server having obtained the PIN code verification completion confirmation indicates that the identity of the terminal requesting login to the application server is secure and legitimate; in that case the application server can provide the application login service to the terminal according to the smart key device identity information determined in step S4. Thus, while the security of the network application login is guaranteed, the terminal can access the application server directly via the router without entering a password again when logging in to the application server, which makes logging in to the network application more convenient.
When a user goes online with a terminal device (computer, mobile phone, etc.), the application server can be accessed via a router. Existing ways of logging in to an application server do not use a smart key device; the terminal logs in directly via the router. Because such an existing login method has not gone through a PIN code verification flow and stores no information that the PIN code verification flow passed, the user must enter the password for the application each time the terminal logs in to the application server via the router. With the method provided by this embodiment, the user can connect a smart key device to the terminal, and after the PIN code verification flow of the smart key device passes, the terminal connects to the application server via the router; because of the high security of the smart key device, this method makes access to the application server more secure. Moreover, after the PIN code verification flow of the smart key device is completed, the identity authentication server saves the PIN-verified information, so when the user again uses the terminal connected to that smart key device to access the application server via the router, the user has already passed the PIN code verification flow of the smart key device, and as long as the PIN-verified information is valid, the user can log in to the application server without entering the application server password again, which simplifies the user's application login process.
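Steps S3 to S7 as one procedure, with the three modes of step S4 and the PIN state query of steps S5/S6, written as an added example in Go. This is not code from the patent. The binding table is kept in both directions because the patent requires a one-to-one correspondence; which side of the request carries the identity decides between mode one and mode two, and ForwardLogin is mode three. The patent does not say what the PIN code verification state query carries; keying it by smart key device identity, and the in-memory memPINState stand-in for the identity authentication server, are assumptions of this example, as are all the names. The sample IP address and identity in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Router keeps the step S3 binding table. The patent requires a one-to-one
// correspondence, so the table is kept in both directions and rebinding
// either side drops the stale entry.
type Router struct {
	mu   sync.Mutex
	byIP map[string]string // IP address -> smart key device identity
	byID map[string]string // smart key device identity -> IP address
}

func NewRouter() *Router {
	return &Router{byIP: map[string]string{}, byID: map[string]string{}}
}

// Bind is called only once the S201-S207 mutual authentication has passed.
func (r *Router) Bind(ip, identity string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if old, ok := r.byIP[ip]; ok {
		delete(r.byID, old)
	}
	if old, ok := r.byID[identity]; ok {
		delete(r.byIP, old)
	}
	r.byIP[ip] = identity
	r.byID[identity] = ip
}

// VerifyIdentity is mode one, step S403: the claimed identity A1 must equal
// the identity A2 bound to that IP address.
func (r *Router) VerifyIdentity(ip, claimed string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	bound, ok := r.byIP[ip]
	return ok && bound == claimed
}

// LookupIdentity is mode two, step S413 (and the lookup of step S422).
func (r *Router) LookupIdentity(ip string) (string, bool) {
	r.mu.Lock()
	defer r.mu.Unlock()
	id, ok := r.byIP[ip]
	return id, ok
}

// LoginRequest is the application login service request; the terminal leaves
// Identity empty in modes two and three.
type LoginRequest struct{ IP, Identity string }

// ForwardLogin is mode three, steps S422/S423: the router attaches the bound
// identity itself before forwarding the request to the application server.
func (r *Router) ForwardLogin(req LoginRequest) (LoginRequest, error) {
	id, ok := r.LookupIdentity(req.IP)
	if !ok {
		return req, errors.New("S422: no binding for this IP")
	}
	req.Identity = id
	return req, nil
}

// PINStateQuerier is the identity authentication server as the application
// server sees it in steps S5/S6; memPINState is a constructed stand-in.
type PINStateQuerier interface{ PINVerified(identity string) bool }
type memPINState map[string]bool

func (m memPINState) PINVerified(id string) bool { return m[id] }

type AppServer struct {
	router *Router
	auth   PINStateQuerier
}

// DetermineIdentity is step S4 at the application server: mode one when the
// request names an identity (the router must confirm it), mode two otherwise.
func (a *AppServer) DetermineIdentity(req LoginRequest) (string, error) {
	if req.Identity != "" {
		if !a.router.VerifyIdentity(req.IP, req.Identity) {
			return "", errors.New("S403: identity does not match the binding for this IP")
		}
		return req.Identity, nil
	}
	id, ok := a.router.LookupIdentity(req.IP)
	if !ok {
		return "", errors.New("S413: no binding for this IP")
	}
	return id, nil
}

// Login is steps S4 to S7: the service is provided only when the identity is
// determined and the identity authentication server reports valid
// PIN-verified information for it.
func (a *AppServer) Login(req LoginRequest) (string, error) {
	id, err := a.DetermineIdentity(req)
	if err != nil {
		return "", err
	}
	if !a.auth.PINVerified(id) {
		return "", fmt.Errorf("S6: no valid PIN-verified information for %s", id)
	}
	return id, nil
}

func main() {
	r := NewRouter()
	r.Bind("192.0.2.10", "1000001") // constructed sample binding
	app := &AppServer{router: r, auth: memPINState{"1000001": true}}
	fmt.Println(app.Login(LoginRequest{IP: "192.0.2.10"}))                      // mode two
	fmt.Println(app.Login(LoginRequest{IP: "192.0.2.10", Identity: "1000002"})) // mode one, mismatch
}
```

The whole scheme rests on the router attributing packets to the IP address it handed out in step S3; the binding is only as strong as that attribution, which the patent takes as given.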
Embodiment 2
Fig. 6 is a structural diagram of a network application login system provided by this embodiment. As shown in Fig. 6, the system includes: smart key device 10, terminal 20, router 30, identity authentication server 40 and application server 50, where:
Terminal 20 is configured to, after the smart key device 10 establishes a connection with the terminal 20, trigger the verification device to perform the PIN code verification flow of the smart key device 10.
In this embodiment, terminal 20 includes electronic devices such as computers and mobile phones, and smart key device 10 includes but is not limited to electronic signature devices and smart cards. Smart key device 10 has a built-in security chip, which provides functions such as encryption and signing that ensure data security.
As an optional embodiment, terminal 20 may provide a wired communication interface; for example, when terminal 20 is a computer, the computer's USB port can be its wired communication interface, and when terminal 20 is a mobile phone, the phone's audio jack can be its wired communication interface. Smart key device 10 establishing a connection with terminal 20 then specifically includes: smart key device 10 connecting to the communication interface of terminal 20 by means of a wired connection. As another optional embodiment, terminal 20 may provide a wireless communication module, such as a WIFI, Bluetooth or NFC module. Smart key device 10 establishing a connection with terminal 20 then specifically includes: smart key device 10 establishing a connection with terminal 20 over a wireless connection (WIFI, Bluetooth, NFC, etc.). In this way terminal 20 can realize security functions through smart key device 10.
In this embodiment, triggering the verification device to perform the PIN code verification flow of smart key device 10 includes at least any one of the following four modes:
Mode one
In this mode, the verification device is smart key device 10. Terminal 20 is specifically configured to present a PIN code input prompt, receive the PIN code, generate PIN code verification information and send the PIN code verification information to smart key device 10. Terminal 20 may display the PIN code input prompt on its screen or announce it through a loudspeaker, for example by displaying "please enter password" on the screen. After terminal 20 prompts, the user can enter the PIN code by keyboard input, mouse selection, voice input or the like, or by biometric entry. Optionally, the PIN code verification information may be encrypted data generated by terminal 20 encrypting the PIN code, using symmetric-key or asymmetric-key encryption, so that the PIN code is safer in transit between terminal 20 and other devices. Smart key device 10 is specifically configured to receive and verify the PIN code verification information and, if the verification passes, generate PIN-verified information and send it to the identity authentication server via terminal 20 and router 30. Optionally, if the PIN code verification information is encrypted data generated from the PIN code, smart key device 10 decrypts the received PIN code verification information to obtain the PIN code.
Smart key device 10 may store the PIN code in advance and compare the PIN code obtained from the PIN code verification information with the stored PIN code; if they match, the PIN code verification information passes verification. Alternatively, smart key device 10 may store a MAC value of the PIN code in advance; on receiving the PIN code verification information, it computes a MAC value over the PIN code in the PIN code verification information and compares the computed MAC value with the stored PIN code MAC value; if they match, the PIN code verification information passes verification.
In this optional embodiment, the PIN code verification flow is initiated by terminal 20, which presents the PIN code input prompt; the PIN code is verified by smart key device 10; and, if the verification passes, the PIN-verified information is stored by identity authentication server 40.
Mode two
This mode differs from mode one in that the verification device is identity authentication server 40. Identity authentication server 40 establishes a wired or wireless connection with router 30. Terminal 20 is specifically configured to present a PIN code input prompt, receive the PIN code, generate PIN code verification information and send the PIN code verification information to identity authentication server 40; terminal 20 may send the PIN code verification information to identity authentication server 40 via router 30. Identity authentication server 40 is specifically configured to receive and verify the PIN code verification information and, if the verification passes, generate PIN-verified information. As an optional embodiment, identity authentication server 40 may store the PIN code in advance and, on receiving the PIN code verification information, compare the PIN code in it with the stored PIN code; if they match, the verification passes. Alternatively, identity authentication server 40 may store a PIN code MAC value in advance and, on receiving the PIN code verification information, compute a MAC value over the PIN code in it and compare the computed MAC value with the stored PIN code MAC value; if they match, the verification passes.
In this optional embodiment, the PIN code verification flow is initiated by terminal 20, which presents the PIN code input prompt; the PIN code is verified by identity authentication server 40, which, if the verification passes, stores the PIN-verified information. Compared with the embodiment of mode one, the PIN code verification flow in this mode does not require the participation of smart key device 10.
Mode three
In this mode, the verification device is smart key device 10. This mode differs from mode one in that the PIN code input prompt is presented, and the PIN code received, by smart key device 10. Terminal 20 is specifically configured to send the PIN code input prompt to smart key device 10. Smart key device 10 is specifically configured to receive and present the PIN code input prompt, receive and verify the PIN code and, if the verification passes, generate PIN-verified information and send it to identity authentication server 40 via terminal 20 and router 30.
In this optional embodiment, smart key device 10 may display the PIN code input prompt on its screen or announce it through a loudspeaker, for example by displaying "please enter password" on its screen. After smart key device 10 prompts, the user can enter the PIN code by keyboard input, mouse selection, voice input or the like, or by biometric entry.
In this optional embodiment, the PIN code verification flow is initiated by terminal 20; smart key device 10 presents the PIN code input prompt and verifies the PIN code; and, if the verification passes, the PIN-verified information is stored by identity authentication server 40. Furthermore, because smart key device 10 receives and verifies the PIN code directly, neither the PIN code nor data derived from it needs to be transmitted between devices, which improves the security of the PIN code.
Mode four
In this mode, the verification device is identity authentication server 40. This mode further differs from mode one in that the PIN code input prompt is presented, and the PIN code received, by smart key device 10. Terminal 20 is specifically configured to send the PIN code input prompt to smart key device 10. Smart key device 10 is specifically configured to receive and present the PIN code input prompt, receive the PIN code, generate PIN code verification information and send the PIN code verification information to identity authentication server 40 via terminal 20 and router 30. Identity authentication server 40 is specifically configured to receive and verify the PIN code verification information and, if the verification passes, generate PIN-verified information.
In this optional embodiment, the PIN code verification flow is initiated by terminal 20; smart key device 10 presents the PIN code input prompt; and the PIN code is verified by identity authentication server 40, which, if the verification passes, generates and stores the PIN-verified information.
In this embodiment, by any of the optional embodiments above, the verification device can verify the identity of the user by means of PIN code verification; after the verification passes, identity authentication server 40 obtains and saves the PIN-verified information, which provides the basis for the subsequent application login operation.
Identity authentication server 40 is configured to obtain and save the PIN-verified information when the PIN code verification flow passes.
To further improve security, the validity of the PIN-verified information may also be maintained after the PIN code verification passes. For example, when a long time has elapsed since the user entered the PIN code, or when the connection between the user's terminal 20 and router 30 is broken, identity authentication server 40 may invalidate the saved PIN-verified information, and the user must perform PIN code verification again before performing another network application login operation.
Validity maintenance below to PIN code checking information is illustrative:
In a kind of optional embodiment of the present embodiment, terminal 20 is additionally operable to detect terminal 20 and intelligent cipher key equipment When 10 connection disconnects, connection is sent to authentication server 40 by router 30 and disconnects announcement information;Authentication takes Business device 40, is additionally operable to after connection disconnection announcement information is received, performs the operation for making PIN code be verified information failure. One state parameter can be set in the optional embodiment, in authentication server 40, for representing that PIN code checking is logical Whether cross information is effective status.Specifically, a bit binary number can be used to represent state parameter, with different numeral point Biao Shi not effective status and failure state.For example, can represent that PIN code is verified information for effective status, uses with digital " 1 " Digital " 0 " represents that PIN code is verified information for failure state;Or, it can also represent that PIN code is verified with digital " 0 " Information is effective status, represents that PIN code is verified information for failure state with digital " 1 ", is not especially limited herein.In tool In body implementation process, terminal 20 when the connection for detecting terminal 20 and intelligent cipher key equipment 10 disconnects, by router 30 to Authentication server 40 sends connection and disconnects announcement information;Authentication server 40 is receiving connection disconnection announcement information Afterwards, then the state parameter for the PIN code prestored being verified into information is revised as failure state, for example, with digital " 1 " table Show that PIN code is verified information in the case of effective status, state parameter is revised as by authentication server 40 from " 1 " “0”。
In this optional embodiment, the state parameter may also be omitted from authentication server 40; instead, whether intelligent cipher key equipment PIN code verification-passed information is stored in authentication server 40 determines whether that information is valid. Specifically, terminal 20 is configured to send a connection-disconnected notification to authentication server 40 via router 30 when it detects that the connection between terminal 20 and intelligent cipher key equipment 10 has been disconnected; authentication server 40 is configured to delete the stored intelligent cipher key equipment PIN code verification-passed information after receiving the connection-disconnected notification. Thus, as long as intelligent cipher key equipment PIN code verification-passed information can be found in authentication server 40, the stored information is determined to be in the valid state; otherwise it is in the invalid state. When the connection between terminal 20 and intelligent cipher key equipment 10 is disconnected, someone other than the user may be accessing the network with terminal 20; marking the PIN code verification-passed information as invalid therefore prevents unauthorized network access by persons other than the user. After the user reconnects intelligent cipher key equipment 10 to terminal 20, the user must enter the PIN code again to complete a new PIN code verification procedure.
In another optional embodiment of this embodiment, router 30 is further configured to send a device-leave message to authentication server 40 when it detects that the connection between router 30 and terminal 20 has been disconnected, and to send a device-access message to authentication server 40 when it detects that router 30 and terminal 20 have connected again; authentication server 40 is further configured to start a timer on receiving the device-leave message; if the device-access message is received before the timer reaches the first preset time, the PIN code verification-passed information is kept valid, and if no device-access message is received before the timer reaches the first preset time, the operation that invalidates the PIN code verification-passed information is performed. For example, if the first preset time is 10 minutes, then if terminal 20 re-establishes its connection with router 30 within 10 minutes of being disconnected, there is no need to enter the PIN code again for a new PIN code verification procedure; if terminal 20 stays disconnected from router 30 for more than 10 minutes, the PIN code must be entered again for a new PIN code verification procedure once terminal 20 reconnects to router 30.
In this optional embodiment, reference may be made to the state parameter that the first optional embodiment sets in authentication server 40 to indicate whether the PIN code verification-passed information is in the valid state. In a specific implementation, authentication server 40 receives the device-leave message and starts a timer; if the device-access message is received before the timer reaches the first preset time, authentication server 40 leaves its state parameter unchanged; if no device-access message is received before the timer reaches the first preset time, authentication server 40 modifies its state parameter; for example, where the digit "1" represents that the PIN code verification-passed information is in the valid state, authentication server 40 changes the state parameter from "1" to "0". Alternatively, in this optional embodiment, authentication server 40 is configured to start a timer on receiving the device-leave message and, if no device-access message is received before the timer reaches the first preset time, to delete the PIN code verification-passed information it stores; thus, as long as intelligent cipher key equipment PIN code verification-passed information can be found in authentication server 40, the stored intelligent cipher key equipment PIN code verification-passed information is determined to be in the valid state, and otherwise in the invalid state. When terminal 20 has been disconnected from router 30 for too long, the user of terminal 20 and intelligent cipher key equipment 10 may have changed; marking the PIN code verification-passed information as invalid at that point prevents unauthorized network access by persons other than the user. If the user again logs in to application server 50 with terminal 20 and intelligent cipher key equipment 10, the login operation can be carried out after entering the PIN code again.
In another optional embodiment of this embodiment, authentication server 40 is further configured to start a timer, to keep the PIN code verification-passed information valid before the timer reaches the second preset time, and to perform the operation that invalidates the PIN code verification-passed information after the timer reaches the second preset time. For example, if the second preset time is 8 hours, then after the user completes one PIN code verification, network application login operations that require no password entry can be performed via router 30 for 8 hours; after more than 8 hours, the user must complete a PIN code verification procedure again before continuing with password-free network application login.
In this optional embodiment, reference may be made to the state parameter that the first optional embodiment sets in authentication server 40 to indicate whether the PIN code verification-passed information is in the valid state. In a specific implementation, authentication server 40 is configured to start a timer, to leave its state parameter unchanged before the timer reaches the second preset time, and to modify its state parameter after the timer reaches the second preset time; for example, where the digit "1" represents that the PIN code verification-passed information is in the valid state, authentication server 40 changes the state parameter from "1" to "0". Alternatively, in this optional embodiment, authentication server 40 is configured to start a timer and, after the timer reaches the second preset time, to delete the PIN code verification-passed information it stores; thus, as long as intelligent cipher key equipment PIN code verification-passed information can be found in authentication server 40, the stored intelligent cipher key equipment PIN code verification-passed information is determined to be in the valid state, and otherwise in the invalid state.
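The three validity-maintenance options above (invalidation when the key device is unplugged, a first preset time of 10 minutes for the terminal to reconnect to the router, and a second preset time of 8 hours after verification) can be kept in one record per device ID. The following Go program is an added example, not code from the patent or from its assignee: the type and function names are its own, the clock is injected so the timers can be driven deterministically, and the timer deadlines are applied whenever a record is next consulted instead of by a background timer, which yields the same answers to the status query.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Durations from the page's examples: the first preset time (router
// reconnection grace) and the second preset time (absolute lifetime).
const (
	FirstPresetTime  = 10 * time.Minute
	SecondPresetTime = 8 * time.Hour
)

// pinRecord is one PIN code verification-passed record with the one-bit state
// parameter ('1' valid, '0' invalid) and the anchors of the two timers.
type pinRecord struct {
	state      byte
	verifiedAt time.Time // second preset time counts from here
	leftAt     time.Time // first preset time counts from here; zero while attached
}

// AuthServer models authentication server 40, keyed by intelligent cipher key
// equipment ID. now is injected so the timers can be driven deterministically.
type AuthServer struct {
	records map[string]*pinRecord
	now     func() time.Time
}

func NewAuthServer(now func() time.Time) *AuthServer {
	return &AuthServer{records: map[string]*pinRecord{}, now: now}
}

// PINVerified stores a fresh record after the PIN code verification procedure passes.
func (s *AuthServer) PINVerified(deviceID string) {
	s.records[deviceID] = &pinRecord{state: '1', verifiedAt: s.now()}
}

// ConnectionDisconnected handles terminal 20's notification that the key
// device was unplugged: the record is invalidated at once.
func (s *AuthServer) ConnectionDisconnected(deviceID string) {
	if r, ok := s.records[deviceID]; ok {
		r.state = '0'
	}
}

// DeviceLeave handles router 30's device-leave message: start the first timer.
func (s *AuthServer) DeviceLeave(deviceID string) {
	if r, ok := s.records[deviceID]; ok && r.leftAt.IsZero() {
		r.leftAt = s.now()
	}
}

// DeviceAccess handles router 30's device-access message: within the first
// preset time the record stays valid, otherwise it is invalidated.
func (s *AuthServer) DeviceAccess(deviceID string) {
	if r, ok := s.records[deviceID]; ok && !r.leftAt.IsZero() {
		s.expire(r)
		r.leftAt = time.Time{}
	}
}

// expire applies both timers; it runs whenever the record is consulted, which
// gives the same answers as a background timer firing at the deadlines.
func (s *AuthServer) expire(r *pinRecord) {
	now := s.now()
	if !r.leftAt.IsZero() && now.Sub(r.leftAt) >= FirstPresetTime {
		r.state = '0'
	}
	if now.Sub(r.verifiedAt) >= SecondPresetTime {
		r.state = '0'
	}
}

// QueryState answers application server 50's PIN code verification status
// query: true only if a record exists and its state is valid.
func (s *AuthServer) QueryState(deviceID string) (bool, error) {
	r, ok := s.records[deviceID]
	if !ok {
		return false, errors.New("no PIN code verification-passed information")
	}
	s.expire(r)
	if r.state != '1' {
		return false, errors.New("PIN code verification-passed information is in the invalid state")
	}
	return true, nil
}

func main() {
	clock := time.Date(2017, 4, 14, 9, 0, 0, 0, time.UTC) // constructed start time
	srv := NewAuthServer(func() time.Time { return clock })
	srv.PINVerified("1000001") // device ID from the page's example
	srv.DeviceLeave("1000001")
	clock = clock.Add(5 * time.Minute)
	srv.DeviceAccess("1000001")
	fmt.Println(srv.QueryState("1000001")) // reconnected inside the 10-minute grace: valid
	clock = clock.Add(8 * time.Hour)
	fmt.Println(srv.QueryState("1000001")) // 8 hours since verification: invalid
}
```

Keeping the unplug notification separate from the leave/access pair matters: the page treats an unplugged key device as an immediate loss of the user's presence, with no grace period, while a dropped router connection is given the first preset time to recover.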
Intelligent cipher key equipment 10 is configured to perform an identity authentication procedure with router 30 through terminal 20.
In this embodiment, router 30 has an identity authentication function. Specifically, router 30 has a built-in security chip in which a digital certificate and/or a private key is stored; or router 30 has embedded software that implements the digital certificate function; or router 30 is externally connected to an intelligent cipher key equipment 10. An intelligent cipher key equipment 10 is a device with a security chip; the security chip has an independent processor and storage unit, can store PKI digital certificates and keys of types such as private keys, encryption/decryption keys and authentication keys, as well as other characteristic data, and performs encryption, decryption, signing and signature verification on data, providing the user with data encryption and identity authentication services. In a specific implementation, router 30 can authenticate intelligent cipher key equipment 10 as follows: verify the received digital certificate of intelligent cipher key equipment 10 with a root certificate, and/or use the digital certificate of intelligent cipher key equipment 10 to verify signed data produced with the private key of intelligent cipher key equipment 10. Intelligent cipher key equipment 10 can authenticate router 30 as follows: verify the received digital certificate of router 30 with a root certificate, and/or use the digital certificate of router 30 to verify signed data produced with the private key of router 30. One-way identity authentication may be performed between router 30 and intelligent cipher key equipment 10, that is, only router 30 authenticates intelligent cipher key equipment 10, or only intelligent cipher key equipment 10 authenticates router 30; two-way identity authentication may also be performed between router 30 and intelligent cipher key equipment 10, that is, router 30 authenticates intelligent cipher key equipment 10 and intelligent cipher key equipment 10 authenticates router 30.
The procedure for performing two-way identity authentication between intelligent cipher key equipment 10 and router 30 is illustrated below:
Intelligent cipher key equipment 10 is configured to generate random number R1 and to sign random number R1 and the intelligent cipher key equipment ID with its own private key KS1 to obtain signed data S1. In the implementation, intelligent cipher key equipment 10 may concatenate random number R1 and the intelligent cipher key equipment ID to obtain a concatenation result. For example, if random number R1 is "7195" and the intelligent cipher key equipment ID is "1000001", then concatenating random number R1 and the intelligent cipher key equipment ID in sequence yields the concatenation result "71951000001". Of course, the way random number R1 and the intelligent cipher key equipment ID are concatenated is not limited to sequential concatenation; other rules may be used, without limitation here. Intelligent cipher key equipment 10 performs a HASH operation on the concatenation result to obtain digest message X1, and performs a signature operation on digest message X1 with its own private key KS1 to obtain signed data S1. Intelligent cipher key equipment 10 is further configured to send random number R1, the intelligent cipher key equipment ID, signed data S1 and the intelligent cipher key equipment certificate to router 30 via terminal 20.
Router 30 is further configured to, after verifying that the intelligent cipher key equipment certificate is legitimate, verify signed data S1 with the public key KP1 of intelligent cipher key equipment 10 contained in the intelligent cipher key equipment certificate and, after the signature verification passes, generate random number R2 with its own security chip. In the implementation, router 30 applies the public key KP1 of intelligent cipher key equipment 10 from the intelligent cipher key equipment certificate to the received signed data S1 to obtain operation result X2, concatenates the received random number R1 and intelligent cipher key equipment ID to obtain a concatenation result, where the concatenation rule is the same as the concatenation rule used in intelligent cipher key equipment 10, performs a HASH operation on the concatenation result to obtain digest message X3, and compares operation result X2 with digest message X3; if they match, router 30 has verified signed data S1. Router 30 is further configured to encrypt random numbers R1 and R2 with the public key KP1 of intelligent cipher key equipment 10 to obtain ciphertext data E1, and to sign ciphertext data E1 with the private key KS2 of router 30 to obtain signed data S2. The specific procedure of the signature operation performed by router 30 is the same as the signature operation performed by intelligent cipher key equipment 10 described above, and is not repeated here. Router 30 is further configured to send ciphertext data E1, signed data S2 and the certificate of router 30 to intelligent cipher key equipment 10 via terminal 20.
Intelligent cipher key equipment 10 is further configured to verify signed data S2 with the public key KP2 of router 30 contained in the received certificate and, after the signature verification passes, to decrypt ciphertext data E1 with the private key KS1 of intelligent cipher key equipment 10 to obtain random numbers R1 and R2. The specific procedure of the signature verification performed by intelligent cipher key equipment 10 is the same as the signature verification performed by router 30 described above, and is not repeated here. Intelligent cipher key equipment 10 is further configured to compare the decrypted random number R1 with the random number R1 it generated itself; if they match, the result of the identity authentication between intelligent cipher key equipment 10 and router 30 is a pass.
The identity authentication procedure above is only one optional procedure; other methods of identity authentication may be used between intelligent cipher key equipment 10 and router 30, without limitation here. Through the identity authentication procedure above, intelligent cipher key equipment 10 and router 30 can each verify whether the other party's identity is legitimate. In addition, the random number R2 obtained by decryption in intelligent cipher key equipment 10 can serve as a session key: when intelligent cipher key equipment 10 and router 30 exchange data, random number R2 can be used as the encryption/decryption key, improving the security of the transmitted data.
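As an added example, not code from the patent or from its assignee, the following Go program runs the two-way exchange above end to end with the standard library: RSA-PSS for the HASH-then-sign steps that produce S1 and S2, RSA-OAEP for E1, and a reduced certificate (the root CA's signature over the holder's public key) standing in for the X.509 certificates the page mentions. The 2048-bit keys, the 16-byte random numbers R1 and R2, and all names are this example's assumptions; the page fixes none of them.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Party is one side of the exchange: its private key KS and a stand-in
// certificate, the root CA's signature over its public key KP (X.509 chaining omitted).
type Party struct {
	priv    *rsa.PrivateKey
	rootSig []byte
}

func concat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }

// digest is the page's HASH step; sign/verify are RSA-PSS over that digest (X1 vs X2/X3).
func digest(m []byte) []byte { h := sha256.Sum256(m); return h[:] }

func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest(msg), nil)
}

func verify(pub *rsa.PublicKey, msg, sig []byte) error {
	return rsa.VerifyPSS(pub, crypto.SHA256, digest(msg), sig, nil)
}

// nonce draws a fresh 16-byte random number (R1 or R2) from the CSPRNG.
func nonce() []byte {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewRoot() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // root CA key

// NewParty generates a key pair and has root issue its certificate.
func NewParty(root *rsa.PrivateKey) (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	sig, err := sign(root, priv.PublicKey.N.Bytes())
	return &Party{priv: priv, rootSig: sig}, err
}

// certOK is "verify the received certificate with the root certificate" (reads only p's public half).
func certOK(rootPub *rsa.PublicKey, p *Party) bool {
	return verify(rootPub, p.priv.PublicKey.N.Bytes(), p.rootSig) == nil
}

// MutualAuth runs the two-way exchange (terminal 20 only relays, so it is omitted) and
// returns R2, the session key the device recovers, or the first check that failed.
func MutualAuth(device, router *Party, deviceID []byte, rootPub *rsa.PublicKey) ([]byte, error) {
	kp1, kp2 := &device.priv.PublicKey, &router.priv.PublicKey
	// Device: generate R1, sign R1||ID with KS1 -> S1.
	r1 := nonce()
	s1, err := sign(device.priv, concat(r1, deviceID))
	if err != nil {
		return nil, err
	}
	// Router: check device certificate and S1, generate R2, E1 = Enc_KP1(R1||R2), S2 = Sign_KS2(E1).
	if !certOK(rootPub, device) {
		return nil, errors.New("device certificate not issued by root")
	}
	if verify(kp1, concat(r1, deviceID), s1) != nil {
		return nil, errors.New("S1 verification failed")
	}
	r2 := nonce()
	e1, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kp1, concat(r1, r2), nil)
	if err != nil {
		return nil, err
	}
	s2, err := sign(router.priv, e1)
	if err != nil {
		return nil, err
	}
	// Device: check router certificate and S2, decrypt E1 with KS1, compare recovered R1.
	if !certOK(rootPub, router) {
		return nil, errors.New("router certificate not issued by root")
	}
	if verify(kp2, e1, s2) != nil {
		return nil, errors.New("S2 verification failed")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, device.priv, e1, nil)
	if err != nil {
		return nil, err
	}
	if len(plain) != 32 || !bytes.Equal(plain[:16], r1) {
		return nil, errors.New("recovered R1 does not match")
	}
	return plain[16:], nil
}
```

Both certificate checks are kept deliberately: the device's comparison of the recovered R1 shows that whoever produced E1 knew R1 and KP1, but only the root-signed certificate ties KP2, and therefore S2, to the router; a key pair not certified by the root is rejected at the certificate step before any signature is considered.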
Router 30 is configured to, when the result of the identity authentication procedure is a pass, assign an IP address to terminal 20 and store binding information between the intelligent cipher key equipment identity information and the IP address, where the intelligent cipher key equipment identity information is the intelligent cipher key equipment certificate or the intelligent cipher key equipment ID. In this embodiment, router 30 can obtain the identity information of intelligent cipher key equipment 10 during the identity authentication procedure. Thus, router 30 can establish a one-to-one relationship between the intelligent cipher key equipment identity information and the IP address of the terminal 20 to which that intelligent cipher key equipment 10 is connected.
Terminal 20 is further configured to send an application login service request to application server 50 via router 30, triggering a procedure between router 30 and application server 50 that determines the intelligent cipher key equipment identity information matching terminal 20 from the IP address of terminal 20 and the binding information between intelligent cipher key equipment identity information and IP address. Application server 50 is configured to obtain the determined intelligent cipher key equipment identity information and to send a PIN code verification status query request to authentication server 40 via router 30.
In this embodiment, the intelligent cipher key equipment identity information can be determined by at least any one of the following three modes:
Mode one
Terminal 20 is specifically configured to send an application login service request to application server 50 via router 30. The application login service request includes the intelligent cipher key equipment identity information and the IP address; the intelligent cipher key equipment identity information is the device certificate or device ID of the intelligent cipher key equipment 10 connected to terminal 20, and the IP address is the one router 30 assigned to terminal 20 when the result of the identity authentication procedure was a pass. Application server 50 is specifically configured to receive the application login service request and send an identity verification request for intelligent cipher key equipment 10 to router 30, where the identity verification request includes the intelligent cipher key equipment identity information and the IP address. Router 30 is specifically configured to receive the identity verification request for intelligent cipher key equipment 10, verify the intelligent cipher key equipment identity information carried in the request against the IP address and the binding information, obtain an identity verification result for intelligent cipher key equipment 10, and send it to application server 50.
Specifically, because router 30 assigns an IP address to terminal 20 when the result of the identity authentication procedure is a pass and stores the binding information between the intelligent cipher key equipment identity information and the IP address, router 30 has established a one-to-one relationship between the intelligent cipher key equipment identity information and the IP address of the terminal 20 connected to that intelligent cipher key equipment 10. When router 30 receives the identity verification request for intelligent cipher key equipment 10, which includes intelligent cipher key equipment identity information A1 and an IP address, router 30 can look up in the binding information it stores the intelligent cipher key equipment identity information A2 corresponding to the IP address carried in the request, and check whether the received intelligent cipher key equipment identity information A1 matches the stored intelligent cipher key equipment identity information A2. If they match, the identity verification result for intelligent cipher key equipment 10 is that verification passed; if they do not match, the identity verification result is that verification failed. Thus, router 30 can use the stored binding information to verify the IP address and intelligent cipher key equipment identity information carried in the application login service request initiated by terminal 20; because the binding information was stored by router 30 when the result of the identity authentication procedure was a pass, this verifies whether the application login service request sent by terminal 20 is legitimate: if the verification passes, the application login service request is legitimate.
Application server 50 is specifically configured to receive the identity verification result for intelligent cipher key equipment 10 and, if the result is that verification passed, to take the intelligent cipher key equipment identity information carried in the application login service request as the determined intelligent cipher key equipment identity information. For example, if the identity verification result for intelligent cipher key equipment 10 is that verification passed, that is, the received intelligent cipher key equipment identity information A1 matches the stored intelligent cipher key equipment identity information A2, then intelligent cipher key equipment identity information A1 is the determined intelligent cipher key equipment identity information. Thus, application server 50 obtains legitimate intelligent cipher key equipment identity information, which provides the basis for application server 50 subsequently to provide application login services to terminal 20 via router 30 according to that identity information.
In this optional embodiment, the application login service request is sent from terminal 20 to application server 50 and includes the IP address and the intelligent cipher key equipment identity information; after application server 50 sends the identity verification request for intelligent cipher key equipment 10, router 30 completes the verification of the received intelligent cipher key equipment identity information, yielding the determined intelligent cipher key equipment identity information.
Mode two
Terminal 20 is specifically configured to send an application login service request to application server 50 via router 30. The application login service request includes the IP address; it need not include the intelligent cipher key equipment identity information. Application server 50 is specifically configured to send an intelligent cipher key equipment identity information request to router 30, where the request includes at least the IP address. Router 30 is specifically configured to receive the request from application server 50, obtain the intelligent cipher key equipment identity information from the IP address and the binding information, and send it to application server 50.
Specifically, because router 30 assigns an IP address to terminal 20 when the result of the identity authentication procedure is a pass and stores the binding information between the intelligent cipher key equipment identity information and the IP address, router 30 has established a one-to-one relationship between the intelligent cipher key equipment identity information and the IP address of the terminal 20 connected to that intelligent cipher key equipment 10; router 30 can therefore look up in the binding information it stores the intelligent cipher key equipment identity information corresponding to the received IP address. Moreover, because the binding information stored in router 30 was stored when the result of the identity authentication procedure was a pass, the intelligent cipher key equipment identity information is secure and legitimate.
Application server 50 is specifically configured to receive the intelligent cipher key equipment identity information, which is the determined intelligent cipher key equipment identity information.
In this optional embodiment, the application login service request is sent from terminal 20 to application server 50 and includes the IP address; after application server 50 sends its request to router 30, router 30 obtains legitimate intelligent cipher key equipment identity information from the IP address using the binding information and sends it to application server 50, which provides the basis for application server 50 subsequently to provide application login services to terminal 20 via router 30 according to that identity information.
Mode three
Terminal 20 sends an application login service request to router 30. The application login service request includes the IP address; it need not include the intelligent cipher key equipment identity information. Router 30 is specifically configured to, after receiving the application login service request sent by terminal 20, obtain the intelligent cipher key equipment identity information from the IP address and the binding information.
Specifically, because router 30 assigns an IP address to terminal 20 when the result of the identity authentication procedure is a pass and stores the binding information between the intelligent cipher key equipment identity information and the IP address, router 30 has established a one-to-one relationship between the intelligent cipher key equipment identity information and the IP address of the terminal 20 connected to that intelligent cipher key equipment 10; router 30 can therefore look up in the binding information it stores the intelligent cipher key equipment identity information corresponding to the received IP address. Moreover, because the binding information stored in router 30 was stored when the result of the identity authentication procedure was a pass, the intelligent cipher key equipment identity information is secure and legitimate.
Router 30 is specifically configured to send the application login service request and the intelligent cipher key equipment identity information to application server 50. Application server 50 is specifically configured to receive the application login service request and the intelligent cipher key equipment identity information, which is the determined intelligent cipher key equipment identity information.
In this optional embodiment, the application login service request is sent from terminal 20 to router 30 and includes the IP address; router 30 obtains legitimate intelligent cipher key equipment identity information from the IP address using the binding information and sends it to application server 50, which provides the basis for application server 50 subsequently to provide application login services to terminal 20 via router 30 according to that identity information.
In this embodiment, any of the optional embodiments above completes the procedure between router 30 and application server 50 that determines the intelligent cipher key equipment identity information matching terminal 20 from the IP address of terminal 20 and the binding information between intelligent cipher key equipment identity information and IP address, so that application server 50 obtains the determined intelligent cipher key equipment identity information. Moreover, the determined intelligent cipher key equipment identity information obtained by any of the optional embodiments above is legitimate. This ensures the security of the application login services that application server 50 provides to terminal 20 via router 30 according to the intelligent cipher key equipment identity information.
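To show why mode one's comparison of the carried identity A1 against the bound identity A2 matters, and how modes two and three reduce to a lookup keyed by the assigned IP address, here is an added Go example that is not the patent's own code; the names, the 192.0.2.0/24 address pool and the PIN-status callback standing in for the query to authentication server 40 are this example's assumptions. The application server grants the login service only when the router vouches for the identity and the PIN code verification-passed information is reported valid.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Router models router 30's binding table: assigned IP address -> intelligent
// cipher key equipment identity (the device ID here; the certificate would do as well).
type Router struct {
	bindings map[netip.Addr]string
	next     netip.Addr // constructed address pool pointer
}

func NewRouter(first string) *Router {
	return &Router{bindings: map[netip.Addr]string{}, next: netip.MustParseAddr(first)}
}

// OnAuthPassed is called when the identity authentication procedure passed for
// deviceID: assign the terminal an IP address and store the binding.
func (r *Router) OnAuthPassed(deviceID string) netip.Addr {
	ip := r.next
	r.next = ip.Next()
	r.bindings[ip] = deviceID
	return ip
}

// VerifyIdentity is mode one: the identity A1 carried in the request must equal
// the identity A2 bound to the request's IP address.
func (r *Router) VerifyIdentity(ip netip.Addr, a1 string) bool {
	a2, ok := r.bindings[ip]
	return ok && a2 == a1
}

// LookupIdentity is modes two and three: the identity is recovered from the IP
// address alone, so the terminal never supplies it.
func (r *Router) LookupIdentity(ip netip.Addr) (string, error) {
	id, ok := r.bindings[ip]
	if !ok {
		return "", errors.New("no binding for this IP address")
	}
	return id, nil
}

// AppServer models application server 50. pinValid stands for the PIN code
// verification status query answered by authentication server 40.
type AppServer struct {
	router   *Router
	pinValid func(deviceID string) bool
}

// LoginModeOne: the request carries IP and identity; the router must vouch for the pair.
func (a *AppServer) LoginModeOne(ip netip.Addr, claimedID string) error {
	if !a.router.VerifyIdentity(ip, claimedID) {
		return errors.New("identity does not match the router's binding")
	}
	return a.grant(claimedID)
}

// LoginModeTwo: the request carries only the IP; the router supplies the identity.
func (a *AppServer) LoginModeTwo(ip netip.Addr) error {
	id, err := a.router.LookupIdentity(ip)
	if err != nil {
		return err
	}
	return a.grant(id)
}

// grant provides the application login service only if the PIN record is valid.
func (a *AppServer) grant(deviceID string) error {
	if !a.pinValid(deviceID) {
		return errors.New("no valid PIN code verification-passed information")
	}
	return nil
}

func main() {
	r := NewRouter("192.0.2.10")    // constructed documentation-range pool
	ip := r.OnAuthPassed("1000001") // device ID from the page's example
	app := &AppServer{router: r, pinValid: func(id string) bool { return id == "1000001" }}
	fmt.Println(app.LoginModeOne(ip, "1000001")) // <nil>: login service provided
	fmt.Println(app.LoginModeOne(ip, "1000002")) // rejected: identity not bound to this address
}
```

In mode one the request's identity field is untrusted input; the binding written at authentication time is the only source the application server relies on, which is why a request that names another device's identity from the same address is refused.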
Authentication server 40 is further configured to receive the PIN code verification status query request, to check whether it holds PIN code verification-passed information and the state of that information, and, if authentication server 40 holds PIN code verification-passed information whose state is valid, to send a PIN code verification completed confirmation to application server 50 via router 30.
In this embodiment, if the PIN code verification procedure for intelligent cipher key equipment 10 fails, no PIN code verification-passed information exists in authentication server 40; then, after application server 50 sends the PIN code verification status query request to authentication server 40 via router 30, authentication server 40 finds that it holds no PIN code verification-passed information, and in this case application server 50 cannot provide application login services to terminal 20.
In addition, where the system includes validity maintenance of the PIN code verification-passed information, even if authentication server 40 holds PIN code verification-passed information, that information may be in the invalid state because of an abnormal condition such as the connection between intelligent cipher key equipment 10 and terminal 20 being disconnected, or the connection between terminal 20 and router 30 being disconnected. Therefore, if the PIN code verification procedure for intelligent cipher key equipment 10 passed but such an abnormal condition has occurred, then after application server 50 sends the PIN code verification status query request to authentication server 40 via router 30, authentication server 40 finds that it holds PIN code verification-passed information whose state is invalid, and in this case application server 50 cannot provide application login services to terminal 20.
Thus, before providing application login services to terminal 20, application server 50 can send a PIN code verification status query request to authentication server 40 via router 30 to query whether authentication server 40 holds valid PIN code verification-passed information, and thereby confirm whether the terminal 20 requesting to log in to application server 50 is secure and legitimate. Only after the identity of terminal 20 is confirmed legitimate does application server 50 provide subsequent application login services to terminal 20, which ensures the security of the network application login process.
Application server 50 is further configured to, after obtaining the PIN code verification completed confirmation, provide application login services to terminal 20 via router 30 according to the determined intelligent cipher key equipment identity information.
In this embodiment, application server 50 obtaining the PIN code verification completed confirmation shows that the identity of the terminal 20 requesting to log in to application server 50 is secure and legitimate; in this case application server 50 can provide application login services to terminal 20 according to the determined intelligent cipher key equipment identity information. Thus, while the security of the network application login is ensured, terminal 20 can access application server 50 directly via router 30 without entering a password again when logging in to application server 50, which makes network application login more convenient.
When a user goes online with a terminal 20 device (a computer, mobile phone, etc.), application server 50 can be accessed via router 30. The existing way of logging in to application server 50 does not use an intelligent cipher key equipment 10; terminal 20 logs in directly via router 30. Because this existing login method involves no PIN code verification procedure and stores no PIN code verification-passed information, the user has to enter the password for the application again every time terminal 20 logs in to application server 50 via router 30. With the system provided by this embodiment, the user can connect intelligent cipher key equipment 10 to terminal 20 and, after the PIN code verification procedure of intelligent cipher key equipment 10 passes, terminal 20 connects to application server 50 via router 30; because of the high security of intelligent cipher key equipment 10, access to application server 50 is more secure. Moreover, after the PIN code verification procedure of intelligent cipher key equipment 10 is completed, authentication server 40 can store the PIN code verification-passed information; when the user again uses the terminal 20 connected to that intelligent cipher key equipment 10 to access application server 50 via that router 30, the user has already passed the PIN code verification procedure of intelligent cipher key equipment 10, so as long as the PIN code verification-passed information is valid, the user can log in to application server 50 without entering the password for application server 50 again, which simplifies the process of logging in to the application.
Any process or method described in a flowchart or otherwise herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing a specific logical function or step of the process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including substantially simultaneously or in the reverse order, depending on the functionality involved, as will be understood by those of ordinary skill in the art to which the embodiments of the present invention belong.
It should be appreciated that each several part of the present invention can be realized with hardware, software, firmware or combinations thereof.Above-mentioned In embodiment, the software that multiple steps or method can in memory and by suitable instruction execution system be performed with storage Or firmware is realized.If, and in another embodiment, can be with well known in the art for example, realized with hardware Any one of row technology or their combination are realized:With the logic gates for realizing logic function to data-signal Discrete logic, the application specific integrated circuit with suitable combinational logic gate circuit, programmable gate array (PGA), scene Programmable gate array (FPGA) etc..
Those skilled in the art are appreciated that to realize all or part of step that above-described embodiment method is carried Rapid to can be by program to instruct the hardware of correlation to complete, described program can be stored in a kind of computer-readable storage medium In matter, the program upon execution, including one or a combination set of the step of embodiment of the method.
In addition, each functional unit in each embodiment of the invention can be integrated in a processing module, can also That unit is individually physically present, can also two or more units be integrated in a module.Above-mentioned integrated mould Block can both be realized in the form of hardware, it would however also be possible to employ the form of software function module is realized.The integrated module is such as Fruit is realized using in the form of software function module and as independent production marketing or in use, can also be stored in a computer In read/write memory medium.
Storage medium mentioned above can be read-only storage, disk or CD etc..
In the description of this specification, reference term " one embodiment ", " some embodiments ", " example ", " specifically show The description of example " or " some examples " etc. means to combine specific features, structure, material or the spy that the embodiment or example are described Point is contained at least one embodiment of the present invention or example.In this manual, to the schematic representation of above-mentioned term not Necessarily refer to identical embodiment or example.Moreover, specific features, structure, material or the feature of description can be any One or more embodiments or example in combine in an appropriate manner.
Although embodiments of the invention have been shown and described above, it is to be understood that above-described embodiment is example Property, it is impossible to limitation of the present invention is interpreted as, one of ordinary skill in the art is not departing from the principle and objective of the present invention In the case of above-described embodiment can be changed within the scope of the invention, change, replace and modification.The scope of the present invention By appended claims and its equivalent limit.

Claims (8)

1. A network application login method, characterised in that it comprises:
after the intelligent cipher key equipment has established a connection with the terminal, the terminal triggers the verification device to perform the PIN code verification flow of the intelligent cipher key equipment; if the verification passes, the identity authentication server obtains and stores the PIN code verification pass information;
the intelligent cipher key equipment performs an identity authentication flow with the router through the terminal;
when the result of the identity authentication flow is that authentication passes, the router assigns an IP address to the terminal and stores binding information between the intelligent cipher key equipment identity information and the IP address, the intelligent cipher key equipment identity information being the intelligent cipher key equipment certificate or the intelligent cipher key equipment ID;
the terminal sends an application login service request message to the application server through the router, triggering a flow between the router and the application server that determines, according to the IP address of the terminal and the binding information between the intelligent cipher key equipment identity information and the IP address, the intelligent cipher key equipment identity information matching the terminal, and the application server obtains the determined intelligent cipher key equipment identity information;
the application server sends a PIN code verification state query request to the identity authentication server through the router;
the identity authentication server receives the PIN code verification state query request, checks whether it holds the PIN code verification pass information and queries the state of that information, and if it holds the PIN code verification pass information and the state of that information is valid, sends a PIN code verification completion confirmation message to the application server through the router;
when the application server obtains the PIN code verification completion confirmation message, it provides the application login service to the terminal through the router according to the determined intelligent cipher key equipment identity information.
2. The method according to claim 1, characterised in that triggering the verification device to perform the PIN code verification flow of the intelligent cipher key equipment comprises:
the terminal displays the PIN code input prompt message, receives the PIN code and generates PIN code verification information, and sends the PIN code verification information to the intelligent cipher key equipment; the intelligent cipher key equipment receives the PIN code verification information and verifies it, and if the verification passes, generates the PIN code verification pass information and sends it to the identity authentication server through the terminal and the router; or
the terminal displays the PIN code input prompt message, receives the PIN code and generates PIN code verification information, and sends the PIN code verification information to the identity authentication server; the identity authentication server receives the PIN code verification information and verifies it, and if the verification passes, generates the PIN code verification pass information; or
the terminal sends the PIN code input prompt message to the intelligent cipher key equipment; the intelligent cipher key equipment receives the PIN code input prompt message and displays the prompt, receives the PIN code and verifies it, and if the verification passes, generates the PIN code verification pass information and sends it to the identity authentication server through the terminal and the router; or
the terminal sends the PIN code input prompt message to the intelligent cipher key equipment; the intelligent cipher key equipment receives the PIN code input prompt message and displays the prompt, receives the PIN code and generates PIN code verification information, and sends the PIN code verification information to the identity authentication server through the terminal and the router; the identity authentication server receives the PIN code verification information and verifies it, and if the verification passes, generates the PIN code verification pass information.
3. The method according to claim 1, characterised in that
the terminal sending an application login service request message to the application server through the router, triggering the flow between the router and the application server that determines the intelligent cipher key equipment identity information matching the terminal according to the IP address of the terminal and the binding information between the intelligent cipher key equipment identity information and the IP address, and the application server obtaining the determined intelligent cipher key equipment identity information, comprises:
the terminal sends the application login service request message to the application server through the router, the application login service request message including the intelligent cipher key equipment identity information and the IP address; the application server receives the application login service request message and sends an intelligent cipher key equipment identity verification request to the router, the intelligent cipher key equipment identity verification request including the intelligent cipher key equipment identity information and the IP address; the router receives the intelligent cipher key equipment identity verification request and, according to the IP address and the binding information, verifies the intelligent cipher key equipment identity information carried in the intelligent cipher key equipment identity verification request, obtains intelligent cipher key equipment identity verification result information and sends it to the application server; the application server receives the intelligent cipher key equipment identity verification result information, and if the intelligent cipher key equipment identity verification result information is "verification passed", the intelligent cipher key equipment identity information carried in the application login service request message is the determined intelligent cipher key equipment identity information;
or,
the terminal sends the application login service request message to the application server through the router, the application login service request message including the IP address; the application server sends an intelligent cipher key equipment identity information request to the router, the intelligent cipher key equipment identity information request including at least the IP address; the router receives the intelligent cipher key equipment identity information request and, according to the IP address and the binding information, obtains the intelligent cipher key equipment identity information and sends it to the application server; the application server receives the intelligent cipher key equipment identity information, which is the determined intelligent cipher key equipment identity information;
or,
the terminal sends the application login service request message to the router, the application login service request message including the IP address; after receiving the application login service request message sent by the terminal, the router obtains the intelligent cipher key equipment identity information according to the IP address and the binding information; the router sends the application login service request message and the intelligent cipher key equipment identity information to the application server; the application server receives the application login service request message and the intelligent cipher key equipment identity information, which is the determined intelligent cipher key equipment identity information.
4. The method according to claim 1, characterised in that, after the identity authentication server obtains and stores the PIN code verification pass information, the method further comprises:
when the terminal detects that the connection between the terminal and the intelligent cipher key equipment has been disconnected, it sends a connection disconnection notification message to the identity authentication server through the router; after receiving the connection disconnection notification message, the identity authentication server performs the operation that invalidates the PIN code verification pass information; or
when the router detects that the connection between the router and the terminal has been disconnected, it sends a device leave message to the identity authentication server, and when it detects that the router and the terminal have been connected again, it sends a device access message to the identity authentication server; the identity authentication server receives the device leave message and starts timing with a timer; if the device access message is received before the timer reaches a first preset time, the PIN code verification pass information is kept valid, and if the device access message has not been received before the timer reaches the first preset time, the operation that invalidates the PIN code verification pass information is performed; or
the identity authentication server starts timing with a timer, keeps the PIN code verification pass information valid until the timer reaches a second preset time, and after the timer reaches the second preset time performs the operation that invalidates the PIN code verification pass information.
5. A network application login system, characterised in that it comprises a terminal, an intelligent cipher key equipment, a router, an identity authentication server and an application server, wherein:
the terminal is configured to, after establishing a connection with the intelligent cipher key equipment, trigger the verification device to perform the PIN code verification flow of the intelligent cipher key equipment;
the identity authentication server is configured to, when the PIN code verification flow passes, obtain and store the PIN code verification pass information;
the intelligent cipher key equipment is configured to perform the identity authentication flow with the router through the terminal;
the router is configured to, when the result of the identity authentication flow is that authentication passes, assign an IP address to the terminal and store the binding information between the intelligent cipher key equipment identity information and the IP address, the intelligent cipher key equipment identity information being the intelligent cipher key equipment certificate or the intelligent cipher key equipment ID;
the terminal is further configured to send an application login service request message to the application server through the router, triggering the flow between the router and the application server that determines the intelligent cipher key equipment identity information matching the terminal according to the IP address of the terminal and the binding information between the intelligent cipher key equipment identity information and the IP address;
the application server is configured to obtain the determined intelligent cipher key equipment identity information and to send a PIN code verification state query request to the identity authentication server through the router;
the identity authentication server is further configured to receive the PIN code verification state query request, check whether it holds the PIN code verification pass information and query the state of that information, and, if it holds the PIN code verification pass information and the state of that information is valid, send a PIN code verification completion confirmation message to the application server through the router;
the application server is further configured to, when it obtains the PIN code verification completion confirmation message, provide the application login service to the terminal through the router according to the determined intelligent cipher key equipment identity information.
6. The system according to claim 5, characterised in that
when the verification device is the intelligent cipher key equipment, the terminal is specifically configured to display the PIN code input prompt message, receive the PIN code, generate PIN code verification information and send the PIN code verification information to the intelligent cipher key equipment; and the intelligent cipher key equipment is specifically configured to receive the PIN code verification information and verify it, and if the verification passes, generate the PIN code verification pass information and send it to the identity authentication server through the terminal and the router; or
when the verification device is the identity authentication server, the terminal is specifically configured to display the PIN code input prompt message, receive the PIN code, generate PIN code verification information and send the PIN code verification information to the identity authentication server; and the identity authentication server is specifically configured to receive the PIN code verification information and verify it, and if the verification passes, generate the PIN code verification pass information; or
when the verification device is the intelligent cipher key equipment, the terminal is specifically configured to send the PIN code input prompt message to the intelligent cipher key equipment; and the intelligent cipher key equipment is specifically configured to receive the PIN code input prompt message and display the prompt, receive the PIN code and verify it, and if the verification passes, generate the PIN code verification pass information and send it to the identity authentication server through the terminal and the router; or
when the verification device is the identity authentication server, the terminal is specifically configured to send the PIN code input prompt message to the intelligent cipher key equipment; the intelligent cipher key equipment is specifically configured to receive the PIN code input prompt message and display the prompt, receive the PIN code and generate PIN code verification information, and send the PIN code verification information to the identity authentication server through the terminal and the router; and the identity authentication server is specifically configured to receive the PIN code verification information and verify it, and if the verification passes, generate the PIN code verification pass information.
7. The system according to claim 5, characterised in that
the terminal is specifically configured to send the application login service request message to the application server through the router, the application login service request message including the intelligent cipher key equipment identity information and the IP address; the application server is specifically configured to receive the application login service request message and send an intelligent cipher key equipment identity verification request to the router, the intelligent cipher key equipment identity verification request including the intelligent cipher key equipment identity information and the IP address; the router is specifically configured to receive the intelligent cipher key equipment identity verification request, verify the intelligent cipher key equipment identity information carried in the intelligent cipher key equipment identity verification request according to the IP address and the binding information, obtain intelligent cipher key equipment identity verification result information and send it to the application server; the application server is specifically configured to receive the intelligent cipher key equipment identity verification result information, and if the intelligent cipher key equipment identity verification result information is "verification passed", the intelligent cipher key equipment identity information carried in the application login service request message is the determined intelligent cipher key equipment identity information;
or,
the terminal is specifically configured to send the application login service request message to the application server through the router, the application login service request message including the IP address; the application server is specifically configured to send an intelligent cipher key equipment identity information request to the router, the intelligent cipher key equipment identity information request including at least the IP address; the router is specifically configured to receive the intelligent cipher key equipment identity information request, obtain the intelligent cipher key equipment identity information according to the IP address and the binding information, and send it to the application server; the application server is specifically configured to receive the intelligent cipher key equipment identity information, which is the determined intelligent cipher key equipment identity information;
or,
the terminal is specifically configured to send the application login service request message to the router, the application login service request message including the IP address; the router is specifically configured to, after receiving the application login service request message sent by the terminal, obtain the intelligent cipher key equipment identity information according to the IP address and the binding information, and send the application login service request message and the intelligent cipher key equipment identity information to the application server; the application server is specifically configured to receive the application login service request message and the intelligent cipher key equipment identity information, which is the determined intelligent cipher key equipment identity information.
8. The system according to claim 5, characterised in that
the terminal is further configured to, when it detects that the connection between the terminal and the intelligent cipher key equipment has been disconnected, send a connection disconnection notification message to the identity authentication server through the router; and the identity authentication server is further configured to, after receiving the connection disconnection notification message, perform the operation that invalidates the PIN code verification pass information;
or,
the router is further configured to, when it detects that the connection between the router and the terminal has been disconnected, send a device leave message to the identity authentication server, and when it detects that the router and the terminal have been connected again, send a device access message to the identity authentication server; and the identity authentication server is further configured to, when it receives the device leave message, start timing with a timer, keep the PIN code verification pass information valid if the device access message is received before the timer reaches a first preset time, and perform the operation that invalidates the PIN code verification pass information if the device access message has not been received before the timer reaches the first preset time;
or,
the identity authentication server is further configured to start timing with a timer, keep the PIN code verification pass information valid until the timer reaches a second preset time, and after the timer reaches the second preset time perform the operation that invalidates the PIN code verification pass information.
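The flow described in the closing paragraph of the description and in claims 1 to 4, as an added example that is not part of the patent: a Python simulation in which the terminal runs the PIN flow against the key device, the router authenticates the device and binds its identity to the IP address it assigns, and the application server grants the login only when the router confirms the identity/IP binding and the identity authentication server still holds a valid PIN verification pass record. All class names, device IDs, addresses, the PIN and the two timeout values (GRACE standing in for the first preset time, TTL for the second) are assumptions; device certificates are replaced by a set of trusted IDs, and the current time is passed in explicitly so the three expiry rules of claim 4 can be stepped through.

```python
# Added example (not the patent's own code): a compact simulation of the login flow of
# claims 1-4. Device IDs, addresses, the PIN, the two timeouts and the time values are assumed.
import hmac
from typing import Dict, Optional

GRACE = 30.0   # "first preset time": how long a terminal may be away from the router (assumed)
TTL = 300.0    # "second preset time": absolute lifetime of a PIN verification pass record (assumed)


class SmartKey:  # intelligent cipher key equipment: verifies the PIN itself (claim 2, first variant)
    def __init__(self, device_id: str, pin: str) -> None:
        self.device_id, self._pin = device_id, pin  # a real device keeps the PIN in a secure element

    def verify_pin(self, pin: str) -> bool:
        return hmac.compare_digest(self._pin.encode(), pin.encode())


class AuthServer:  # identity authentication server: stores and expires PIN pass records
    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}  # device_id -> {"verified_at", "left_at"}

    def save_pin_verified(self, device_id: str, now: float) -> None:
        self.records[device_id] = {"verified_at": now, "left_at": None}

    def connection_disconnected(self, device_id: str) -> None:
        self.records.pop(device_id, None)  # claim 4, first variant: key unplugged, record voided at once

    def device_left(self, device_id: str, now: float) -> None:
        rec = self.records.get(device_id)  # claim 4, second variant: terminal left the router, start timer
        if rec is not None and rec["left_at"] is None:
            rec["left_at"] = now

    def device_accessed(self, device_id: str, now: float) -> None:
        if self.pin_state(device_id, now):  # back before GRACE elapsed: keep the record
            self.records[device_id]["left_at"] = None

    def pin_state(self, device_id: str, now: float) -> bool:
        """Answers the application server's PIN verification state query (claim 1)."""
        rec = self.records.get(device_id)
        if rec is None:
            return False
        expired = now - rec["verified_at"] > TTL or (  # claim 4, third variant: absolute lifetime
            rec["left_at"] is not None and now - rec["left_at"] > GRACE)
        if expired:
            del self.records[device_id]
        return not expired


class Router:  # authenticates the key device, assigns an IP, keeps the identity/IP binding
    def __init__(self, trusted_ids: set) -> None:
        self.trusted_ids = trusted_ids  # assumed stand-in for certificate validation
        self.bindings: Dict[str, str] = {}  # ip -> device_id
        self._next_host = 10

    def authenticate(self, device_id: str) -> Optional[str]:
        if device_id not in self.trusted_ids:
            return None
        ip = f"192.168.1.{self._next_host}"
        self._next_host += 1
        self.bindings[ip] = device_id
        return ip

    def identity_for(self, ip: str) -> Optional[str]:  # claim 3, second and third variants
        return self.bindings.get(ip)

    def verify_identity(self, ip: str, device_id: str) -> bool:  # claim 3, first variant
        return self.bindings.get(ip) == device_id


class AppServer:  # grants the login only after router and auth server both vouch for the terminal
    def __init__(self, router: Router, auth: AuthServer) -> None:
        self.router, self.auth = router, auth

    def login(self, ip: str, now: float, claimed_id: Optional[str] = None) -> Optional[str]:
        if claimed_id is None:
            device_id = self.router.identity_for(ip)
        else:
            device_id = claimed_id if self.router.verify_identity(ip, claimed_id) else None
        if device_id is None or not self.auth.pin_state(device_id, now):
            return None  # unknown IP, mismatched identity, or PIN record missing/expired
        return f"session:{device_id}@{ip}"


def terminal_login(key: SmartKey, pin: str, router: Router,
                   auth: AuthServer, now: float) -> Optional[str]:
    """Terminal side of claim 1: PIN flow first, then identity authentication with the router."""
    if not key.verify_pin(pin):
        return None
    auth.save_pin_verified(key.device_id, now)
    return router.authenticate(key.device_id)


def demo() -> dict:
    auth, router = AuthServer(), Router({"KEY-0001"})
    app, key, out = AppServer(router, auth), SmartKey("KEY-0001", "1234"), {}
    out["wrong_pin"] = terminal_login(key, "0000", router, auth, now=0)
    ip = terminal_login(key, "1234", router, auth, now=0)
    out["login"] = app.login(ip, now=1, claimed_id="KEY-0001")
    out["spoofed_ip"] = app.login("192.168.1.99", now=1, claimed_id="KEY-0001")
    auth.device_left("KEY-0001", now=2)
    auth.device_accessed("KEY-0001", now=12)
    out["after_brief_leave"] = app.login(ip, now=13)
    auth.device_left("KEY-0001", now=14)
    out["after_long_leave"] = app.login(ip, now=45)
    ip2 = terminal_login(key, "1234", router, auth, now=50)
    out["after_ttl"] = app.login(ip2, now=351)
    return out
```

demo() walks through a wrong PIN, a successful login, a request from an IP address that has no binding, a brief absence from the router that stays inside the grace period, a longer one that voids the record, and expiry of the absolute lifetime. Note what the application server relies on: it never sees an application password; its decision rests on the router's identity/IP binding and on the identity authentication server's record, so the scheme is only as strong as the router's control over which terminal actually holds a given IP address on its network.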
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201710244614.8A | 2017-04-14 | 2017-04-14 | Network application login method and system

Publications (2)

Publication Number | Publication Date
CN107070917A | 2017-08-18
CN107070917B | 2020-04-10

Family

ID=59601105

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN201710244614.8A | Network application login method and system | 2017-04-14 | 2017-04-14 | Active (granted as CN107070917B)

Country Status (1)

Country | Link
CN | CN107070917B (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1556449A * | 2004-01-08 | 2004-12-22 | 中国工商银行 | Device and method for proceeding encryption and identification of network bank data
CN101340285A * | 2007-07-05 | 2009-01-07 | 杭州中正生物认证技术有限公司 | Method and system for identity authentication by finger print USBkey
CN101938473A * | 2010-08-24 | 2011-01-05 | 北京易恒信认证科技有限公司 | Single-point login system and single-point login method
CN103905206A * | 2014-04-03 | 2014-07-02 | 江苏先安科技有限公司 | Cross-equipment and cross-application identity authentication method based on data image coding
CN105553674A * | 2016-01-11 | 2016-05-04 | 飞天诚信科技股份有限公司 | Interaction system, intelligent key device, server and working method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN114143102A * | 2021-12-06 | 2022-03-04 | 深圳市共进电子股份有限公司 | Router secret-free login method, router secret-free login equipment and computer equipment
CN114143102B * | 2021-12-06 | 2024-01-26 | 深圳市共进电子股份有限公司 | Router secret-free login method, secret-free login device and computer device


Legal Events

Date | Code | Title | Description
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |