CN112997537B - Automatic digital identification system integrated between consumer device and back-end service - Google Patents

Automatic digital identification system integrated between consumer device and back-end service

Info

Publication number: CN112997537B
Authority: CN (China)
Prior art keywords: client device, service provider, authentication, access, service
Prior art date:
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201880099377.3A
Other languages: Chinese (zh)
Other versions: CN112997537A (en)
Inventors: 伊戈尔·沙夫兰, 伊塔玛·菲克
Current Assignee: Huawei Cloud Computing Technologies Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Huawei Cloud Computing Technologies Co Ltd
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date:
Publication date:
Events: application filed by Huawei Cloud Computing Technologies Co Ltd; publication of CN112997537A; application granted; publication of CN112997537B; legal status Active; anticipated expiration.

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
            • H04W 4/30 Services specially adapted for particular environments, situations or purposes
              • H04W 4/40 Services specially adapted for vehicles, e.g. vehicle-to-pedestrians [V2P]
                • H04W 4/44 Services for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]
          • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/06 Authentication
              • H04W 12/069 Authentication using certificates or pre-shared keys
            • H04W 12/30 Security of mobile devices; Security of mobile applications
              • H04W 12/37 Managing security policies for mobile devices or for controlling mobile applications
            • H04W 12/60 Context-dependent security
              • H04W 12/61 Time-dependent
              • H04W 12/63 Location-dependent; Proximity-dependent
          • H04W 48/00 Access restriction; Network selection; Access point selection
            • H04W 48/16 Discovering, processing access restriction or access information

Abstract

A system for managing secure access to backend services of different service providers manages access to the backend services of each of a plurality of different service providers by: receiving, from the service provider code of the respective service provider, registration requests for accessing the backend services of that service provider, each registration request comprising one or more access rules and a Unique Identifier (UID) of at least one client device; in response to each registration request: issuing a digital certificate for each client device, registering the access rules, and sending the digital certificate to the corresponding client device; receiving a plurality of authentication requests; and, in response to each authentication request: performing an authentication analysis on the corresponding authentication request and sending the result of the authentication analysis to the corresponding service provider code.

Description

Automatic digital identification system integrated between consumer device and back-end service
Background
The present invention, in some embodiments thereof, relates to digital identity management and, more particularly, but not exclusively, to an automated digital identity management system integrated between a consumer device and a backend service.
A trust service is an electronic service that performs one of three possible actions. The first is the creation, verification and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services, and the certificates required for these services. The second is the creation, verification and validation of certificates for website authentication. The third is the preservation of these electronic signatures, seals or related certificates.
A trust service provider is a natural or legal person that provides and maintains the digital certificates used to create and verify electronic signatures and to authenticate their signatories. Trust service providers are qualified certificate authorities, which are required in regulated electronic signature schemes, for example in the European Union and Switzerland.
Trust service providers are responsible for assuring the integrity of the electronic identity of signatories and services through strong authentication, electronic signature and digital certificate mechanisms.
For example, the electronic IDentification, Authentication and trust Services (eIDAS) regulation is a European regulation that defines the criteria a trust service provider must meet when performing its authentication and non-repudiation services. The regulation provides guidance on how trust service providers are supervised and admitted in the member states of the European Union.
Disclosure of Invention
It is an aim of some embodiments of the present invention to provide a system and method for digital identity management.
The above and other objects are achieved by the features claimed in the independent claims. Other implementations are apparent from the dependent claims, the description and the drawings.
According to a first aspect of the invention, a system for managing secure access to backend services of different service providers comprises at least one processor configured to execute code to manage access to the backend services of each of a plurality of different service providers by: receiving, from the service provider code of a respective service provider, a plurality of registration requests for accessing a plurality of backend services of that service provider, each registration request comprising one or more access rules and a Unique Identifier (UID) of at least one client device; in response to each registration request of the plurality of registration requests: issuing a digital certificate for the at least one client device, registering the one or more access rules in association with the UID, and sending the digital certificate to the at least one client device; receiving a plurality of authentication requests from the respective service provider codes, each authentication request including an indication of a respective digital certificate; and, in response to each authentication request of the plurality of authentication requests: performing an authentication analysis on the respective authentication request based on the received indication and the respective one or more access rules, and sending the result of the authentication analysis to the respective service provider code, allowing the respective service provider to determine the access rights of the at least one respective client device to the respective one of the plurality of backend services.
According to a second aspect of the invention, a method for managing secure access to backend services of different service providers comprises: receiving, from the service provider code of a respective service provider, a plurality of registration requests for accessing a plurality of backend services of that service provider, each registration request comprising one or more access rules and a Unique Identifier (UID) of at least one client device; in response to each registration request of the plurality of registration requests: issuing a digital certificate for the at least one client device, registering the one or more access rules in association with the UID, and sending the digital certificate to the at least one client device; receiving a plurality of authentication requests from the respective service provider codes, each authentication request including an indication of a respective digital certificate; and, in response to each authentication request of the plurality of authentication requests: performing an authentication analysis on the respective authentication request based on the received indication and the respective one or more access rules, and sending the result of the authentication analysis to the respective service provider code, allowing the respective service provider to determine the access rights of the at least one respective client device to the respective one of the plurality of backend services.
With reference to the first and second aspects of the present invention, in a first possible implementation manner of the first and second aspects, optionally, the one or more access rules determine the access to the plurality of backend services according to a predetermined spatial location and/or a predetermined time interval.
With reference to the first and second aspects of the present invention or the first implementation manner of the first and second aspects, in a second possible implementation manner of the first and second aspects, optionally, the method further includes sending an update related to the backend service from the service provider code to the client device, while the client device is authenticated to access the backend service.
With reference to the first and second aspects of the invention, or the first or second implementation manners of the first and second aspects, in a third possible implementation manner of the first and second aspects, optionally the service provider requires registration, and each registration is valid only within a limited time window associated with that registration.
With reference to the first aspect and the second aspect of the present invention, or the first, second, or third implementation manners of the first aspect and the second aspect, in a fourth possible implementation manner of the first aspect and the second aspect, optionally, the backend service is a wireless network service.
With reference to the first and second aspects of the present invention, or the first, second, third or fourth implementation manners of the first and second aspects, in a fifth possible implementation manner of the first and second aspects, optionally, the client device is used by the client and/or the vehicle.
With reference to the first and second aspects of the present invention, or the first, second, third, fourth or fifth implementation manners of the first and second aspects, in a sixth possible implementation manner of the first and second aspects, optionally, the service provider controls access to a facility.
With reference to the first and second aspects of the invention or the first, second, third, fourth, fifth or sixth implementation manners of the first and second aspects, in a seventh possible implementation manner of the first and second aspects, optionally the client device is used by a person and/or a vehicle requesting access to the facility.
With reference to the first and second aspects of the invention or the first, second, third, fourth, fifth, sixth or seventh implementations of the first and second aspects, in an eighth possible implementation of the first and second aspects, optionally the backend service comprises access to the facility by a person and/or a vehicle.
With reference to the first and second aspects of the present invention, or the first, second, third, fourth, fifth, sixth, seventh or eighth implementation manners of the first and second aspects, in a ninth possible implementation manner of the first and second aspects, optionally the person and/or the vehicle is authenticated by the service provider based on the respective UID and the one or more access rules.
Other systems, methods, features and advantages of the invention will be, or will become, apparent to one with skill in the art upon examination of the following figures and detailed description. It is intended that all such additional systems, methods, features and advantages be included within this description, be within the scope of the invention, and be protected by the accompanying claims.
Unless defined otherwise, all technical and/or scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Although methods and materials similar or equivalent to those described herein can be used in the practice or testing of embodiments of the present invention, exemplary methods and/or materials are described below. In case of conflict, the patent specification, including definitions, will control. In addition, the materials, methods, and examples are illustrative only and not intended to be limiting.
Drawings
Some embodiments of the invention are described herein, by way of example only, with reference to the accompanying drawings. With specific reference to the figures, it is stressed that the particulars shown are by way of example and for purposes of illustrative discussion of the embodiments of the present invention. Thus, it will be apparent to one skilled in the art from the description of the figures how embodiments of the invention may be practiced.
Wherein:
FIG. 1 is an exemplary layout of various components of an automated digital identification management system according to some embodiments of the present invention;
FIG. 2 is an exemplary data flow of a process for registering and authenticating a client device with a service provider code and an identity management code in accordance with some embodiments of the present invention;
FIG. 3 is an exemplary data flow of a process of authenticating at least one client device for connection to at least one backend service according to some embodiments of the present invention;
FIG. 4 is an exemplary data flow for SP and IM system registration and authentication of client devices, in accordance with some embodiments of the present invention;
FIG. 5 is an exemplary data flow for SP and IM system registration and authentication of client devices and vehicles in accordance with some embodiments of the present invention.
Detailed Description
The present invention, in some embodiments thereof, relates to automated digital identity management and, more particularly, but not exclusively, to an automated digital identity management system supporting integration between a consumer device and a backend service.
According to some embodiments of the present invention, digital identification systems (also referred to herein as "digital authentication systems") and methods are provided in which a client and/or consumer is authenticated in order to bind a client/consumer device to at least one backend service according to access rules. For example, a service provider, such as an airline, may authenticate pre-registered passengers to access backend services including wireless networks installed at a receiving area of an airport terminal, where the access rules may be a time period until an airline flight boards.
According to some embodiments of the invention, a system for managing secure access to backend services of different service providers is provided.
According to some embodiments of the present invention, a method for managing secure access to backend services of different service providers is provided, comprising several functional stages. Initially, in accordance with some embodiments of the invention, an Identity Management (IM) code receives, from an SP code of a respective Service Provider (SP), a plurality of registration requests for accessing a plurality of backend services of the SP over a computer network.
Optionally, each registration request includes one or more access rules and a Unique Identifier (UID) of at least one client device. For each registration request, the IM code issues a digital certificate (e.g., an X.509 digital certificate) for each respective client device; issuance may be delegated to a third party (e.g., a trust service). Next, the IM code registers the corresponding access rules together with the corresponding UID (optionally in a local and/or cloud-based storage medium) and sends the digital certificate to the corresponding client device code, which installs the digital certificate on the client device and configures access to one or more of the plurality of backend services.
Next, the IM code may receive, over the computer network, a plurality of authentication requests, each sent by the SP code of the respective SP and including an indication of the respective digital certificate.
For each received authentication request, the IM code performs an authentication analysis based on the received indication and the one or more access rules associated with the respective digital certificate. The result of each authentication analysis is sent to the respective SP code, which determines the access rights of the respective client device to the respective backend service.
Existing solutions for client identity authentication that bind client/consumer devices to backend services typically require a dedicated service provider application, and so offer no generic way of managing client authentication independently of any particular service provider or backend service, unlike the system described herein. Furthermore, existing solutions require client interaction to initiate the backend service, typically one or more of: keying in a password, accessing a captive portal, reading a Near Field Communication (NFC) tag or Quick Response (QR) code for configuration, or using a pre-installed digital certificate. Although authentication with a pre-installed digital certificate needs no active client interaction, existing solutions of that kind only support enterprise devices, such as devices enrolled for EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) and leased devices on Local Area Networks (LANs).
The system described herein has several advantages over existing solutions:
1. The client device can access the backend services without any configuration at the time of access.
2. Personalized updates pushed from the SP code to the on-boarded client device improve the user experience and provide a discrete push data service.
3. Value-added services based on UID authentication of the client device can be deployed rapidly.
Before explaining at least one embodiment of the invention in detail, it is to be understood that the invention is not necessarily limited in its application to the details of construction and to the arrangements of the components and/or methods set forth in the following description and/or illustrated in the drawings and/or examples. The invention is capable of other embodiments or of being practiced or carried out in various ways.
The present invention may be a system, method and/or computer program product. The computer program product may include a computer readable storage medium (medium or media) having computer readable program instructions therein for causing a processor to perform various aspects of the present invention.
The computer readable storage medium may be a tangible device capable of retaining and storing instructions for use by the instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing.
The computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to a corresponding computing/processing device, or to an external computer or external storage device via a network, such as the internet, a local area network, a wide area network, and/or a wireless network.
The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer, partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, an electronic circuit comprising a programmable logic circuit, a field-programmable gate array (FPGA), a Programmable Logic Array (PLA), or the like, may execute computer-readable program instructions to perform aspects of the present invention by personalizing the electronic circuit with state information of the computer-readable program instructions.
Aspects of the present invention are described herein in connection with flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products provided by embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Referring now to FIG. 1, FIG. 1 illustrates system components according to some embodiments of the invention. The system is used to manage secure access to backend services of different service providers, independently of the service provider or the type of backend service. For example, the system may be used by hotels to grant automatic wireless connectivity to registered guests for their reservation period, and/or hotels may grant access to free parking or any other service according to a plurality of access rules (e.g., access limited to the reservation period and/or VIP access for valued guests).
The system includes three component types: the IM system 100, one or more SPs 108, and one or more client devices 116 associated with each SP. The IM system 100 includes an IM I/O interface 102, an IM memory 104 and one or more IM processors 106. The IM I/O interface 102 receives as input registration requests, digital certificate requests and authentication requests sent by the SP 108 on behalf of its client devices, and outputs the digital certificate to the corresponding client device 116 and the client device authentication result to the SP code of the corresponding SP. The IM memory 104 stores the client certificate requests and their corresponding access rules, the SP 108 registration details, and the IM code, including instructions for managing access to a plurality of backend services of a plurality of service providers. The one or more IM processors 106 execute the IM code stored in the IM memory 104.
Each SP 108 has an SP I/O interface 110, an SP memory 112 and one or more SP processors 114. The SP I/O interface 110 outputs SP registration requests, client device 116 digital certificate issuance requests, client device authentication requests and value-added service updates for the client device to the IM system 100, and receives the client device authentication result from the IM system as input. The SP memory 112 stores client registration details, client authentication results and the SP code, including instructions for managing access by client devices to a plurality of backend services. The one or more SP processors 114 execute the SP code stored in the SP memory 112.
Each client device 116 has a client device I/O interface 118, a client device memory 120 and one or more client device processors 122. The client device I/O interface 118 receives as input client registration data from the client, the client digital certificate from the IM code, and service-related updates from the SP code. The client device memory 120 stores the device's digital certificate, the backend service configuration values and the value-added service updates. It also stores the client device code, including instructions for receiving and installing the digital certificate from the IM system and for configuring the backend services of the respective SPs. The one or more client device processors 122 execute the client device code stored in the client device memory 120.
Various system components may be implemented as software and/or firmware.
Referring also to FIG. 2, FIG. 2 is an exemplary data flow of the registration and digital authentication process of a client device according to some embodiments of the invention. First, as shown at 200, at least one client device, such as a mobile device and/or laptop computer operated by the client, may access a service through a point of sale (POS) and/or a registration request, as shown at 202. For example, the service may be a hotel room booked through the hotel's own website or a third-party site. Next, the corresponding SP code receives the registration request from the client device, as shown at 204. Next, as shown at 206, the SP code sends a digital certificate request to the IM system 100 over the computer network, carrying the client UID and the corresponding access rules. For example, the client UID may be derived from the client device's phone number, and the access rules may be derived by the service provider module from the registration, e.g., a time frame corresponding to the room reservation period. Next, the IM system receives the certificate request over the computer network, as shown at 208, processes it according to the IM code, and issues a digital certificate according to the client UID and the corresponding access rules, as shown at 210. The digital certificate may be an X.509 certificate or the like and may carry a validity period corresponding to the access rules. As shown at 212, the IM system sends the digital certificate over the computer network to the client device, which installs it and configures the requested backend service according to the instructions in the client device code.
Referring also to FIG. 3, FIG. 3 is an exemplary data flow of a process of authenticating at least one client device for connection to at least one backend service according to some embodiments of the present invention. After the client device has been registered and the digital certificate issued as shown in FIG. 2, the client may access the corresponding backend service. For example, the client may enter a location where the client device automatically connects to a backend service such as a wireless network.
First, as shown at 300, one or more client devices, such as mobile phones and/or laptops, access the respective backend services of the respective SPs. The digital certificate pre-installed on the client device after the registration of FIG. 2 may be sent automatically by the client device as part of the authentication process for accessing the corresponding backend service. Next, as shown at 302, the corresponding SP receives the digital certificate as the credential to be authenticated. Next, the SP code executing on the corresponding SP sends the digital certificate to the IM system as an authentication request, as shown at 304. Next, as shown at 306, the IM code executing on the IM system processor performs the corresponding authentication analysis on the received authentication request based on the digital certificate and the corresponding access rules. For example, the client certificate may carry a first time period that lies outside a second time period defined by the access rule associated with the respective UID; in that case the authentication analysis performed by the IM system returns an access denial.
Next, the IM system sends the result of the authentication analysis to the respective SP over the computer network, which lets the respective client device automatically access the registered backend service, as shown at 308. In addition, the SP code may occasionally send updates to the on-boarded client device. For example, a guest at a holiday resort may receive updates on meal times, or personalized messages based on the corresponding UID, on his/her mobile phone over the wireless network.
Referring also to fig. 4, fig. 4 is an exemplary data flow for SP and IM system registration and authentication of client devices according to some embodiments of the present invention. For example, the SP may be a hotel computer connected to the IM system through a computer network, and the client device may be a mobile phone for a client to make a hotel reservation through a hotel website. As shown in 400, 402, 404, 406, four components are included in the example, a client device, a point of sale (POS)/registration, an SP supporting back-end services such as wireless networking, and an IM system. First, as shown at 408, the hotel computer registers with the IM system over a computer network such as the World Wide Web (WWW) and installs a computer program (app) that includes the SP code. Next, as shown at 410, a client operating a client device 400 (e.g., a mobile phone) subscribes to a service from a hotel computer 404, e.g., the client subscribes to a hotel room through a website (POS for the hotel) 402. Next, as shown at 412, the website 402 sends the reservation to the app installed on the hotel computer 404. Next, the app sends a digital authentication request to the IM system according to the client subscription, as shown at 414. (e.g., 24 hours). As indicated at 416, the IM system sends the digital certificate directly back to the client device, for example, by using the client UID, which may be a telephone number. Next, as shown at 418, the client device code installs the received digital authentication ticket and configures the wireless connection of the hotel wireless network.
Next, after the client has successfully registered, the client may arrive at the hotel on the reserved day, and the client device accesses the hotel wireless network, as shown at 420. Next, the app on the hotel computer delegates authentication of the client device to the IM system, as shown at 422. The IM system performs an authentication analysis based on the records in the IM system memory and sends the authentication result to the app on the hotel computer, as shown at 424. If the authentication result verifies the client device, the client device automatically connects to the hotel wireless network. Upon successful authentication of the client device, the hotel computer may send additional updates to the client device, as shown at 426, such as personalized messages, e.g., dinner time changes, special offers, and messages left at the reception desk for the respective client, which may improve the overall user experience.
Referring also to fig. 5, fig. 5 is an exemplary data flow for registration and authentication of a client device and a vehicle, according to some embodiments of the invention. For example, fig. 5 may describe registration and authentication of utility vehicles and drivers accessing gated communities to perform services (e.g., garbage cleaning).
As shown at 500, 502, 504 and 506, four components take part in the example: client devices and trucks, a community management office, an SP supporting backend services (e.g., a community computer controlling the gates of a gated community), and an IM system. First, the community computer registers with the IM system over a computer network such as the World Wide Web (WWW) and installs an app that includes the SP code, as shown at 508.
Next, as shown at 510, the community management office 502 registers the driver's client device, e.g., a cell phone/tablet, together with the vehicle according to the UID. Next, as shown at 512, the community management office requests digital certificates for the respective driver devices and vehicles, which are then sent to the respective driver devices and vehicles 500 for installation, as shown at 514 and 516.
Next, after successful registration of the driver devices and vehicles, the respective drivers and vehicles may arrive at the gated community to perform garbage collection services, etc., as shown at 518. After the vehicle reaches the community computer/gate 504, the driver device may be detected by a proximity sensor, as shown at 520. Next, the driver device and vehicle are authenticated by the community computer/gate 504, which delegates authentication to the IM system, as shown at 522. The IM system performs an authentication analysis on the respective driver device and vehicle, as shown at 524, and when the authentication analysis is valid, the community computer may grant the driver device and vehicle automatic access to the gated community to perform the respective service. The example shown in fig. 5 may improve the security of a gated community, reduce the cost of the service, and provide a seamless experience for the driver providing the service.
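The two flows just described (hotel wireless access in fig. 4, gated-community access in fig. 5) follow one protocol: the SP registers with the IM system, asks it to issue a credential bound to a UID and to access rules, the IM system delivers the credential to the device, and later the SP delegates authentication to the IM system, which checks the presented credential against the stored rules and returns a result. The Python sketch below is an added example, not the patent's or Huawei's code: the HMAC-tagged certificate, the `AccessRule` fields, the class and method names, and all keys, UIDs and timestamps are constructed assumptions chosen to illustrate the time-interval and location rules named in claim 2.

```python
# Toy identity-management (IM) service modelled on the SP/IM flows above. Added example,
# not the patent's code: certificate format, rule fields and all scenario data are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import secrets


@dataclass(frozen=True)
class AccessRule:  # time interval plus permitted locations (the rule kinds in claim 2)
    valid_from: datetime
    valid_until: datetime
    locations: frozenset  # e.g. {"hotel-wifi"} or {"north-gate"}


@dataclass(frozen=True)
class Certificate:  # what the IM system sends to the client device (hypothetical format)
    uid: str        # phone number or vehicle plate used as the UID
    service: str    # backend service the certificate was issued for
    serial: str     # random per-issuance identifier
    tag: str        # HMAC over the fields above; stands in for a CA signature


class IMSystem:
    def __init__(self, key: bytes):
        self._key = key
        self._providers = set()   # SPs that completed registration (408 / 508)
        self._records = {}        # serial -> (issuing sp_id, AccessRule)

    def _tag(self, uid, service, serial):
        msg = "|".join((uid, service, serial)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def register_provider(self, sp_id):
        self._providers.add(sp_id)

    def register(self, sp_id, uid, service, rule):
        """Registration request from the SP app (414 / 512): issue and record."""
        if sp_id not in self._providers:
            raise PermissionError(f"unknown service provider {sp_id!r}")
        serial = secrets.token_hex(8)
        self._records[serial] = (sp_id, rule)
        # The patent sends this straight to the device addressed by its UID (416 / 514).
        return Certificate(uid, service, serial, self._tag(uid, service, serial))

    def authenticate(self, sp_id, presented, location, now):
        """Authentication analysis (422-424 / 522-524). Returns (ok, reason)."""
        record = self._records.get(presented.serial)
        if record is None:
            return False, "unknown certificate"
        issuer_sp, rule = record
        if issuer_sp != sp_id:
            return False, "certificate was not issued for this service provider"
        # Recompute the tag from the presented fields (a genuine serial with a
        # swapped UID or service is rejected) and compare in constant time.
        expected = self._tag(presented.uid, presented.service, presented.serial)
        if not hmac.compare_digest(expected, presented.tag):
            return False, "invalid tag"
        if not rule.valid_from <= now <= rule.valid_until:
            return False, "outside permitted time interval"
        if location not in rule.locations:
            return False, "location not permitted"
        return True, "access granted"


class ServiceProvider:
    """SP app: enrols clients with the IM system and delegates authentication."""
    def __init__(self, sp_id, im):
        self.sp_id, self.im = sp_id, im
        im.register_provider(sp_id)

    def enrol(self, uid, service, rule):
        return self.im.register(self.sp_id, uid, service, rule)

    def admit(self, certs, location, now):
        """Grant only if every certificate passes (fig. 5: driver device AND vehicle)."""
        for cert in certs:
            ok, reason = self.im.authenticate(self.sp_id, cert, location, now)
            if not ok:
                return False, reason
        return True, "access granted"


def demo_scenarios():
    """Constructed walk-through of figs. 4 and 5 plus some rejected attempts."""
    im = IMSystem(key=b"constructed-demo-key-not-a-real-secret")
    hotel, community = ServiceProvider("hotel-computer", im), ServiceProvider("community-gate", im)
    t0, h = datetime(2018, 11, 15, 15, 0, tzinfo=timezone.utc), timedelta(hours=1)
    stay = AccessRule(t0, t0 + 24 * h, frozenset({"hotel-wifi"}))
    shift = AccessRule(t0, t0 + 8 * h, frozenset({"north-gate"}))
    guest = hotel.enrol("+1-555-0100", "hotel-wifi", stay)       # constructed UIDs
    driver = community.enrol("+1-555-0150", "gate-access", shift)
    truck = community.enrol("PLATE-DEMO-1", "gate-access", shift)
    forged = Certificate("+1-555-0199", guest.service, guest.serial, guest.tag)
    return {
        "guest_arrives": hotel.admit([guest], "hotel-wifi", t0 + 2 * h),
        "guest_after_checkout": hotel.admit([guest], "hotel-wifi", t0 + 30 * h),
        "guest_at_gate": community.admit([guest], "north-gate", t0 + 2 * h),
        "forged_uid": hotel.admit([forged], "hotel-wifi", t0 + 2 * h),
        "truck_with_driver": community.admit([driver, truck], "north-gate", t0 + 3 * h),
        "truck_wrong_gate": community.admit([driver, truck], "south-gate", t0 + 3 * h),
    }
```

`demo_scenarios()` returns a dict of (ok, reason) pairs: the guest is admitted during the 24-hour stay and refused afterwards; the same certificate presented at the community gate is refused because the IM system records which SP requested each issuance; a copy of the certificate carrying a different UID fails the tag check; and in the fig. 5 case the gate admits only when both the driver's device and the vehicle pass, and refuses at a gate outside the rule's locations. The IM system keeps the rules and the issuance record, so the SP never sees the key and cannot extend its own guests' windows, which is the division of trust the description relies on.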
Other systems, methods, features and advantages of the invention will be, or will become, apparent to one with skill in the art upon examination of the following figures and detailed description. It is intended that all such additional systems, methods, features and advantages be included within this description, be within the scope of the invention, and be protected by the accompanying claims.
The description of various embodiments of the present invention has been provided for purposes of illustration and is not intended to be exhaustive or limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen to best explain the principles of the embodiments, the practical application, or technical advances, or to enable others skilled in the art to understand the embodiments disclosed herein, as compared to techniques available in the market.
It is expected that during the life of a patent maturing from this application many relevant systems, methods and computer programs will be developed and the scope of the term obfuscation is intended to include all such new technologies a priori.
The term "about" as used herein means ± 10%.
The terms "including", "having" and variations thereof mean "including but not limited to". These terms include the terms "consisting of ..." and "consisting essentially of ...".
The phrase "consisting essentially of ..." means that the composition or method may include additional ingredients and/or steps, provided that the additional ingredients and/or steps do not materially alter the basic and novel characteristics of the claimed composition or method.
As used herein, the singular forms "a", "an" and "the" include plural referents unless the context clearly dictates otherwise. For example, the term "compound" or "at least one compound" may comprise a plurality of compounds, including mixtures thereof.
The word "exemplary" is used herein to mean "serving as an example, instance, or illustration." Any "exemplary" embodiment is not necessarily to be construed as preferred or advantageous over other embodiments and/or to exclude the presence of other combinations of features of embodiments.
The word "optionally" is used herein to mean "provided in some embodiments and not provided in other embodiments". Any particular embodiment of the invention may include a plurality of "optional" features unless such features conflict.
In this application, various embodiments of the invention may be presented in a range format. It is to be understood that the description in range format is merely for convenience and brevity and should not be construed as an inflexible limitation on the scope of the present invention. Accordingly, the description of a range should be considered to have specifically disclosed all the possible sub-ranges as well as individual numerical values within that range. For example, a description of a range such as from 1 to 6 should be considered to have specifically disclosed sub-ranges from 1 to 3, from 1 to 4, from 1 to 5, from 2 to 4, from 2 to 6, from 3 to 6, etc., as well as individual numbers within that range such as 1, 2, 3, 4, 5, and 6. This applies regardless of the breadth of the range.
When a range of numbers is indicated herein, the expression includes any number (fractional or integer) recited within the indicated range. The phrases "ranging between a first indicated number and a second indicated number" and "ranging from a first indicated number to a second indicated number" are used interchangeably herein and are meant to include the first and second indicated numbers and all fractions and integers in between.
It is appreciated that certain features of the invention, which are, for brevity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable subcombination or as any other embodiment of the invention. Certain features described in the context of various embodiments are not considered essential features of those embodiments unless the embodiment would be inoperative without those features.
All publications, patents, and patent applications mentioned in this specification are herein incorporated in their entirety by reference into the specification, to the same extent as if each individual publication, patent, or patent application was specifically and individually indicated to be incorporated herein by reference. In addition, citation or identification of any reference in this application shall not be construed as an admission that such reference is available as prior art to the present invention. To the extent that section headings are used, they should not be construed as necessarily limiting.

Claims (11)

1. A system for managing secure access to backend services of a service provider, comprising:
at least one processor configured to execute code to:
receiving, from a service provider module of a service provider, a plurality of registration requests for accessing a plurality of backend services of the service provider, each registration request comprising: one or more access rules, a unique identifier UID of a client device, for defining a time period and/or a user for accessing the backend service;
in response to each registration request of the plurality of registration requests:
issuing a digital certificate for the client device in accordance with the UID and the corresponding one or more access rules;
registering the one or more access rules associated with the UID;
sending the digital certificate to the client device, wherein the digital certificate is used for installation of the client device and configuration of the requested back-end service;
receiving a plurality of authentication requests from the service provider module, each authentication request including an indication of the digital certificate;
in response to each authentication request of the plurality of authentication requests:
performing an authentication analysis on each authentication request based on the received indication and the corresponding one or more access rules;
sending a result of the authentication analysis to the service provider module to allow the service provider to determine access rights of the client device to respective ones of the plurality of backend services.
2. The system of claim 1, wherein the one or more access rules determine access to the plurality of backend services according to a predetermined spatial location and/or a predetermined time interval.
3. The system of claim 1 or 2, further comprising periodically sending updates related to backend services from the service provider module to the client device while the client device is authenticated to access the backend services.
4. The system of claim 3, wherein the service provider requires registrations, and wherein each registration is valid for a limited time window associated with the registration.
5. The system of claim 4, wherein the backend service is a wireless network service.
6. The system of claim 5, wherein the client device is used by a client and/or a vehicle.
7. The system of claim 1, wherein the service provider controls access to the accessory.
8. The system of claim 7, wherein the client device is used by a person and/or vehicle requesting access to the accessory.
9. The system of claim 8, wherein the backend service comprises accessing the accessory by the person and/or vehicle.
10. The system of claim 9, wherein the person and/or vehicle is authenticated by the service provider based on the respective UID and the one or more access rules.
11. A method for managing secure access to backend services of a service provider, comprising:
receiving, from a service provider module of a service provider, a plurality of registration requests for accessing a plurality of backend services of the service provider, each registration request comprising: one or more access rules, a unique identifier UID of a client device, for defining a time period and/or a user for accessing the backend service;
in response to each registration request of the plurality of registration requests:
issuing a digital certificate for the client device in accordance with the UID and the corresponding one or more access rules;
registering the one or more access rules associated with the UID;
sending the digital certificate to the client device, wherein the digital certificate is used for installation of the client device and configuration of the requested back-end service;
receiving a plurality of authentication requests from the service provider module, each authentication request including an indication of the digital certificate;
in response to each authentication request of the plurality of authentication requests:
performing an authentication analysis on the authentication request based on the received indication and the corresponding one or more access rules;
sending a result of the authentication analysis to the service provider module to allow the service provider to determine access rights of the client device to a backend service of the plurality of backend services.
CN201880099377.3A 2018-11-15 2018-11-15 Automatic digital identification system integrated between consumer device and back-end service Active CN112997537B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2018/081376 WO2020098941A1 (en) 2018-11-15 2018-11-15 Automatic digital identification system integrated between consumer devices and backend services

Publications (2)

Publication Number Publication Date
CN112997537A CN112997537A (en) 2021-06-18
CN112997537B true CN112997537B (en) 2022-10-18

Family

ID=64332080

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201880099377.3A Active CN112997537B (en) 2018-11-15 2018-11-15 Automatic digital identification system integrated between consumer device and back-end service

Country Status (3)

Country Link
EP (1) EP3861795A1 (en)
CN (1) CN112997537B (en)
WO (1) WO2020098941A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101331731A (en) * 2005-12-15 2008-12-24 国际商业机器公司 Method, apparatus and program products for custom authentication of a principal in a federation by an identity provider
US8561142B1 (en) * 2012-06-01 2013-10-15 Symantec Corporation Clustered device access control based on physical and temporal proximity to the user
CN105933315A (en) * 2016-04-21 2016-09-07 浪潮集团有限公司 Network service security communication method, device and system
CN108206821A (en) * 2016-12-20 2018-06-26 航天信息股份有限公司 A kind of identity authentication method and system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8918881B2 (en) * 2012-02-24 2014-12-23 Appthority, Inc. Off-device anti-malware protection for mobile devices
US9800581B2 (en) * 2014-03-14 2017-10-24 Cable Television Laboratories, Inc. Automated wireless device provisioning and authentication
US10305885B2 (en) * 2016-03-03 2019-05-28 Blackberry Limited Accessing enterprise resources using provisioned certificates
WO2018002904A1 (en) * 2016-07-01 2018-01-04 Cnathanson Martin D System for authenticating and authorizing access to and accounting for wireless access vehicular environment consumption by client devices

Also Published As

Publication number Publication date
CN112997537A (en) 2021-06-18
EP3861795A1 (en) 2021-08-11
WO2020098941A8 (en) 2020-07-09
WO2020098941A1 (en) 2020-05-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220208

Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province

Applicant after: Huawei Cloud Computing Technology Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Applicant before: HUAWEI TECHNOLOGIES Co.,Ltd.

GR01 Patent grant