CN109165498A - A decentralized point-to-point unified authentication method - Google Patents
- Publication number: CN109165498A (application CN201810860511.9A)
- Authority: CN (China)
- Prior art keywords: website, user, point, bill, sent
- Legal status: Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/41—User authentication where a single sign-on provides access to a plurality of computers
Abstract
The present invention provides a decentralized point-to-point unified authentication method and belongs to the field of information security and interaction technology. The invention makes full use of the authentication logic that each business system has already implemented: by designing a point-to-point identity trust protocol, a system that has completed its own identity authentication can pass authentication information securely to peer systems, forming a network for transmitting identity information. This not only realizes a safe and efficient authentication process between business systems, but also solves the various problems of centralized unified authentication, improves efficiency, reduces cost, and avoids excessive load on a central authentication server.
Description
Technical field
The invention belongs to the field of information security and interaction technology, and in particular relates to a decentralized point-to-point unified authentication method.
Background technique
With the development of information technology, many business departments have established a variety of information systems, and a large number of "centralized" unified authentication systems have been built. For example, unified identity authentication services based on standard protocols (such as OAuth 2.0) require an independent authentication server to be deployed.
This traditional unified authentication system strips each business system of its own authentication logic: the unified authentication server, acting as the authentication center, completes the user identity authentication process on behalf of the business systems and returns the authentication result to them, thereby realizing single sign-on. This centralized unified authentication mode has the following problems:
(1) The authentication center's server is under enormous load. Because every business system must verify user identity and complete the login process through the authentication center, it is difficult to guarantee stability even when the authentication center relieves pressure with technical means such as caching. Once the authentication center collapses, the entire campus business system is paralyzed, causing extremely serious losses;
(2) Business systems require a large amount of secondary development. Taking the widely used CAS platform as an example, even though it is based on a standard protocol, each business system must carry out extensive secondary development and integration configuration work, so the workload of transforming the systems is very large;
(3) A unified authentication server must be separately built, deployed and maintained, bringing additional costs in manpower, material and financial resources.
Summary of the invention
To solve the above problems, the invention proposes a decentralized point-to-point unified authentication method that makes full use of the authentication logic each business system has already implemented. By designing a point-to-point identity trust protocol, a system that has completed its own identity authentication can pass authentication information securely to peer systems, forming a network for transmitting identity information.
A decentralized point-to-point unified authentication method comprises the following steps:
Step 1: the user logs in to the first website, and the server side of the first website generates a trust ticket according to the user's identity information and stores the trust ticket, in correspondence with the identity information, in the mapping table of the first website;
Step 2: the first website returns the trust ticket to the user client;
Step 3: after logging in to the first website, the user accesses a resource of the second website by hyperlink or by redirection and sends an access request to the second website, where the access request includes the access source (the first website) and the user's trust ticket;
Step 4: the second website receives the access request and sends the user's trust ticket to the access source, the first website, for identity verification;
Step 5: according to the trust ticket sent by the second website, the first website queries its mapping table for the identity information corresponding to that trust ticket and sends the identity information to the second website;
Step 6: the second website receives the identity information sent by the first website and completes the user's identity authentication at the second website.
Further, step 1 comprises the following sub-steps:
Step 11: the user logs in to the first website A with identity information UID;
Step 12: the server side of the first website generates the user's trust ticket TK, where TK = hash(session ID), hash is a hash operation and session ID is the user's identification string;
Step 13: the first website maps the user's identity information UID and the user's trust ticket TK one-to-one and saves the pair in the mapping table UTMap_A of the first website.
Further, step 2 comprises the following sub-step:
The first website sends the user's trust ticket TK to the user client corresponding to that trust ticket.
Further, step 3 comprises the following sub-step:
After logging in to the first website A, the user accesses resource R of the second website B by hyperlink or by redirection and sends an access request to the second website B, where the access request includes from=siteA and ticket=TK; from=siteA indicates that the access source is the first website A, and ticket=TK is the user's trust ticket.
Further, step 4 comprises the following sub-step:
The second website B receives the user's access request and sends the user's trust ticket TK to the access source siteA for identity verification.
Further, step 5 comprises the following sub-steps:
Step 51: the first website A receives the trust ticket TK sent by the second website B and queries the mapping table UTMap_A of the first website A for the user identity information corresponding to that trust ticket;
Step 52: judge whether the query result is empty;
Step 53: when no identity information corresponding to the trust ticket TK sent by the second website B is found in the mapping table UTMap_A of the first website A, this indicates that the user is not logged in to, or has logged out of, the first website A; the first website A sends an error message to the second website B, and the second website B sends an error message to the user and requires login;
Step 54: when the first website A finds in the mapping table UTMap_A the identity information UID corresponding to the trust ticket TK sent by the second website B, it sends the verified identity information UID to the second website B.
Further, step 6 comprises the following sub-step:
The second website B receives the identity information UID sent by the first website A and completes the login of the user's identity information UID at the second website B.
Beneficial effects of the present invention: the invention provides a decentralized point-to-point unified authentication method that makes full use of the authentication logic each business system has already implemented. By designing a point-to-point identity trust protocol, a system that has completed its own identity authentication can pass authentication information securely to peer systems, forming a network for transmitting identity information. This not only realizes a safe and efficient authentication process between business systems, but also solves the various problems of centralized unified authentication, improves efficiency, reduces cost, and avoids excessive load on a central authentication server.
Detailed description of the invention
Fig. 1 is flow chart of the invention.
Fig. 2 is the flow chart of step 1 in Fig. 1.
Fig. 3 is the flow chart of step 5 in Fig. 1.
Specific embodiment
The embodiments of the present invention are further described below with reference to the accompanying drawings.
Referring to Fig. 1, the decentralized point-to-point unified authentication method proposed by the present invention is realized by the following steps:
Step 1: the user logs in to the first website, and the server side of the first website generates a trust ticket according to the user's identity information and stores the trust ticket, in correspondence with the identity information, in the mapping table of the first website.
Referring to Fig. 2, step 1 is realized by the following sub-steps:
Step 11: the user logs in to the first website A with identity information UID.
In this embodiment: HTTP is itself a stateless protocol, so in order to retain user information the web server generates, after the user logs in successfully, an identification string that records the user's session state, called the Session ID. Throughout the user's access to the system after login this value is constant, and each user's Session ID value is different. The user logs in successfully to website A, at address siteA, with account UID.
Step 12: the server side of the first website generates the user's trust ticket TK, where TK = hash(session ID), hash is a hash operation and session ID is the user's identification string.
In this embodiment, the Session ID is private data and, for security reasons, cannot be passed directly between systems. In the point-to-point authentication system, the Session ID value is hashed before transmission, and the result of the calculation is irreversible. This hash value is called the "trust ticket" (TK, Trust ticket), i.e. TK = hash(session ID). Typical hash algorithms are MD5 or SHA1. Each Session ID has a life cycle: after the user logs out of the system, or the session times out, the server deletes these Session ID values and of course deletes the corresponding TK values at the same time.
Step 13: the first website maps the user's identity information UID and the user's trust ticket TK one-to-one and saves the pair in the mapping table UTMap_A of the first website.
In this embodiment, it can be seen from the principle of the Session ID that there is a one-to-one mapping between TK and UID, i.e. each TK corresponds to a unique UID. To look up this mapping quickly, a mapping table UTMap from TK to UID is designed, where the index key is Key = TK and the query result is Value = UID. For example, after the user with UID = 001 logs in to the first website A and TK = hash(session ID) = a1b2c3d4e5 is generated, this record is stored in UTMap_A with the structure shown in Table (one) below:
Table (one): UTMap structure table
Key (TK) | Value (UID) |
---|---|
a1b2c3d4e5 | 001 |
Step 2: the first website returns the trust ticket to the user client.
In this embodiment, the first website A sends the user's trust ticket TK to the user client corresponding to that trust ticket, so that it can be passed as a parameter when jumping to the next website.
Step 3: after logging in to the first website, the user accesses a resource of the second website by hyperlink or by redirection and sends an access request to the second website, where the access request includes the access source (the first website) and the user's trust ticket.
In this embodiment, after logging in to the first website A, the user accesses resource R of the second website B by hyperlink or by redirection and sends an access request to the second website B, where the access request includes from=siteA and ticket=TK; from=siteA indicates that the access source is the first website A, and ticket=TK is the user's trust ticket.
Step 4: the second website receives the access request and sends the user's trust ticket to the access source, the first website, for identity verification.
In this embodiment, the second website B receives the user's access request and sends the user's trust ticket TK to the access source siteA for identity verification.
Step 5: according to the trust ticket sent by the second website, the first website queries its mapping table for the identity information corresponding to that trust ticket and sends the identity information to the second website.
Referring to Fig. 3, step 5 is realized by the following sub-steps:
Step 51: the first website A receives the trust ticket TK sent by the second website B and queries the mapping table UTMap_A of the first website A for the user identity information corresponding to that trust ticket.
In this embodiment, the trust ticket TK sent by the second website is looked up in the mapping table UTMap_A of the access source, the first website A, to find the corresponding UID.
Step 52: judge whether the query result is empty.
In this embodiment, a find function is defined: it queries the mapping table for the UID corresponding to TK. find(TK) = null if and only if UTMap contains no entry for the specified TK value (the user is not logged in or has logged out); otherwise the corresponding UID is obtained directly from the query.
Step 53: when no identity information corresponding to the trust ticket TK sent by the second website B is found in the mapping table UTMap_A of the first website A, this indicates that the user is not logged in to, or has logged out of, the first website A; the first website A sends an error message to the second website B, and the second website B sends an error message to the user and requires login;
Step 54: when the first website A finds in the mapping table UTMap_A the identity information UID corresponding to the trust ticket TK sent by the second website B, it sends the verified identity information UID to the second website B.
Step 6: the second website receives the identity information sent by the first website and completes the user's identity authentication at the second website.
In this embodiment, the second website B receives the identity information UID sent by the first website A and completes the login of the user's identity information UID at the second website B. According to the access authority of user UID at the second website B, the resources the user may access are determined.
After the UID has logged in successfully at the second website B, the second website likewise generates a trust ticket TK_B and saves it in its mapping table UTMap_B. When the user accesses other websites from the second website B, unified authentication is realized by the same steps. Through this point-to-point authentication mode, the TK can be passed between multiple business systems and trust relationships established, so that the user can access resources freely among the business systems without repeated login.
The point-to-point architecture makes every website a provider of authentication services, sharing the load of the user authentication process and avoiding the problem of excessive load on a central authentication server. To further improve security, the HTTPS protocol can be used instead of HTTP to transmit the ticket information securely over the network; this does not affect the overall authentication steps and logic.
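The six-step flow above, together with the find function of step 52, modelled as an added Python example that is not part of the patent: in-memory sites exchange trust tickets, any site that has logged a user in can act as the source for the next site, and logout at the source invalidates the ticket. The Site class, the site names, the in-process registry standing in for the HTTPS verification request and SHA-256 as the hash are all assumptions of this example.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Assumption: a process-local registry of sites by name stands in for the
# network. In a deployment the verification request of step 4 would be an
# HTTPS call to the source site; here it is a direct method call.
SITES: Dict[str, "Site"] = {}


class Site:
    """One business system (website) taking part in the point-to-point scheme."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.sessions: Dict[str, str] = {}  # server-side session store: session ID -> UID
        self.utmap: Dict[str, str] = {}     # UTMap: Key = TK, Value = UID
        SITES[name] = self

    @staticmethod
    def hash_tk(session_id: str) -> str:
        # TK = hash(session ID). The patent names MD5 or SHA1 as typical;
        # SHA-256 is this example's own choice.
        return hashlib.sha256(session_id.encode()).hexdigest()

    def login(self, uid: str) -> Tuple[str, str]:
        """Steps 11-13 and step 2: create the session, derive TK, record TK -> UID."""
        session_id = secrets.token_hex(16)     # the private identification string
        self.sessions[session_id] = uid
        tk = self.hash_tk(session_id)
        self.utmap[tk] = uid                   # UTMap entry for this login
        return session_id, tk                  # TK is what the client carries to other sites

    def logout(self, session_id: str) -> None:
        """Logout or session time-out deletes the Session ID and its TK together."""
        if self.sessions.pop(session_id, None) is not None:
            self.utmap.pop(self.hash_tk(session_id), None)

    def find(self, tk: str) -> Optional[str]:
        """Step 52: find(TK) is the UID, or None when UTMap holds no entry for TK."""
        return self.utmap.get(tk)

    def handle_access_request(self, from_site: str, ticket: str) -> dict:
        """Steps 4-6 at the target site: from=<source>, ticket=<TK> arrive with the request."""
        source = SITES.get(from_site)
        if source is None:
            return {"ok": False, "error": "unknown access source"}
        uid = source.find(ticket)              # step 5, evaluated at the source site
        if uid is None:                        # step 53: not logged in or logged out at source
            return {"ok": False, "error": "please log in"}
        _, local_tk = self.login(uid)          # step 6: local login; new TK in this site's UTMap
        return {"ok": True, "uid": uid, "ticket": local_tk}


if __name__ == "__main__":
    site_a, site_b = Site("siteA"), Site("siteB")
    sid_a, tk_a = site_a.login("001")                   # user 001 logs in at A
    print(site_b.handle_access_request("siteA", tk_a))  # B trusts A's answer and logs 001 in
    site_a.logout(sid_a)
    print(site_b.handle_access_request("siteA", tk_a))  # A no longer knows TK: error
```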
Those of ordinary skill in the art will understand that the embodiments described herein are intended to help the reader understand the principles of the invention, and that the scope of protection of the invention is not limited to these specific embodiments. Based on the technical disclosure of the invention, those of ordinary skill in the art can make various specific variations and combinations that do not depart from the essence of the invention, and these variations and combinations remain within the scope of the invention.
Claims (7)
1. A decentralized point-to-point unified authentication method, characterized in that it comprises the following steps:
Step 1: the user logs in to the first website, and the server side of the first website generates a trust ticket according to the user's identity information and stores the trust ticket, in correspondence with the identity information, in the mapping table of the first website;
Step 2: the first website returns the trust ticket to the user client;
Step 3: after logging in to the first website, the user accesses a resource of the second website by hyperlink or by redirection and sends an access request to the second website, where the access request includes the access source (the first website) and the user's trust ticket;
Step 4: the second website receives the access request and sends the user's trust ticket to the access source, the first website, for identity verification;
Step 5: according to the trust ticket sent by the second website, the first website queries its mapping table for the identity information corresponding to that trust ticket and sends the identity information to the second website;
Step 6: the second website receives the identity information sent by the first website and completes the user's identity authentication at the second website.
2. The decentralized point-to-point unified authentication method of claim 1, characterized in that step 1 comprises the following sub-steps:
Step 11: the user logs in to the first website A with identity information UID;
Step 12: the server side of the first website generates the user's trust ticket TK, where TK = hash(session ID), hash is a hash operation and session ID is the user's identification string;
Step 13: the first website maps the user's identity information UID and the user's trust ticket TK one-to-one and saves the pair in the mapping table UTMap_A of the first website.
3. The decentralized point-to-point unified authentication method of claim 2, characterized in that step 2 comprises the following sub-step:
The first website sends the user's trust ticket TK to the user client corresponding to that trust ticket.
4. The decentralized point-to-point unified authentication method of claim 3, characterized in that step 3 comprises the following sub-step:
After logging in to the first website A, the user accesses resource R of the second website B by hyperlink or by redirection and sends an access request to the second website B, where the access request includes from=siteA and ticket=TK; from=siteA indicates that the access source is the first website A, and ticket=TK is the user's trust ticket.
5. The decentralized point-to-point unified authentication method of claim 4, characterized in that step 4 comprises the following sub-step:
The second website B receives the user's access request and sends the user's trust ticket TK to the access source siteA for identity verification.
6. The decentralized point-to-point unified authentication method of claim 5, characterized in that step 5 comprises the following sub-steps:
Step 51: the first website A receives the trust ticket TK sent by the second website B and queries the mapping table UTMap_A of the first website A for the user identity information corresponding to that trust ticket;
Step 52: judge whether the query result is empty;
Step 53: when no identity information corresponding to the trust ticket TK sent by the second website B is found in the mapping table UTMap_A of the first website A, this indicates that the user is not logged in to, or has logged out of, the first website A; the first website A sends an error message to the second website B, and the second website B sends an error message to the user and requires login;
Step 54: when the first website A finds in the mapping table UTMap_A the identity information UID corresponding to the trust ticket TK sent by the second website B, it sends the verified identity information UID to the second website B.
7. The decentralized point-to-point unified authentication method of claim 6, characterized in that step 6 comprises the following sub-step:
The second website B receives the identity information UID sent by the first website A and completes the login of the user's identity information UID at the second website B.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810860511.9A CN109165498A (en) | 2018-08-01 | 2018-08-01 | A decentralized point-to-point unified authentication method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109165498A true CN109165498A (en) | 2019-01-08 |
Family ID: 64898454
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190108 |