CN114422266A - IDaaS system based on dual verification mechanism - Google Patents


Info

Publication number: CN114422266A
Authority: CN (China)
Prior art keywords: identity, encryption key, authentication, service providing, encrypted
Legal status: Pending
Application number: CN202210196762.8A
Other languages: Chinese (zh)
Inventors: 周文明, 王志鹏
Current assignee: Shenzhen Zhongyue Technology Co ltd
Original assignee: Shenzhen Zhongyue Technology Co ltd
Application filed by Shenzhen Zhongyue Technology Co ltd
Priority to CN202210196762.8A
Publication of CN114422266A

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
              • H04L63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
            • H04L63/08 ... for authentication of entities
              • H04L63/0807 ... using tickets, e.g. Kerberos
            • H04L63/12 Applying verification of the received information
            • H04L63/14 ... for detecting or protecting against malicious traffic
              • H04L63/1441 Countermeasures against malicious traffic
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
              • H04L9/3066 ... involving algebraic varieties, e.g. elliptic or hyper-elliptic curves

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Analysis (AREA)
  • General Physics & Mathematics (AREA)
  • Algebra (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses an IDaaS system based on a dual verification mechanism, comprising a service request device, an identity authentication server, an identity management server and a service providing device. The service request device sends a first request carrying its own identity information to the identity authentication server, which verifies the identity information; if the first authentication token it then receives passes the verification of the identity management server, the service request device receives a random encryption key sent by the identity management server. The service providing device receives the student privacy data encrypted by the random encryption key, sends a second request carrying its own identity information to the identity authentication server, receives the first authentication token, and, after the second request has been verified by the identity management server, receives the random decryption key and decrypts the encrypted data to recover the student privacy data. By adopting the method and the device, identity authentication attacks can be resisted and the security of the IDaaS system is improved.

Description

IDaaS system based on dual verification mechanism
Technical Field
The application relates to the technical field of information security, in particular to an IDaaS system based on a dual verification mechanism.
Background
The smart campus is becoming the new trend in the informatization of campuses. However, many information security problems are encountered in the construction and exploration of smart campus management systems, such as counterfeiting attacks, identity theft attacks, identity authentication attacks and the like.
Disclosure of Invention
Based on the above problems and the defects of the prior art, the application provides an IDaaS system based on a dual verification mechanism. By adopting the application, the identity information of the communicating devices is verified twice, by the identity authentication server and by the identity management server, so as to resist identity authentication attacks, identity theft attacks and the like, and the data security in the IDaaS system can be improved.
In a first aspect, the present application provides an IDaaS system based on a dual verification mechanism, including:
the system comprises a service request device, an identity authentication server, an identity management server and a service providing device, which are connected through a network; wherein,
the service request device is configured to: send a first request carrying identity information of the service request device to the identity authentication server;
the identity authentication server is configured to: verify the identity information of the service request device, and if the verification passes, send a first authentication token encrypted by a first encryption key to the service request device; the first authentication token is used by the identity management server to verify that the service request device is a legitimate authorized device communicating with the identity management server;
the service request device is further configured to: send the first request, the first authentication token encrypted by the first encryption key and the acquired identity information of the service providing device to the identity management server;
the identity management server is configured to: verify the first request, and if the verification passes, send a second authentication token encrypted by a second encryption key and a random encryption key to the service request device;
the service request device is further configured to: send the student privacy data encrypted by the random encryption key and the second authentication token encrypted by the second encryption key to the service providing device; the second authentication token is used for the communication between the service request device and the service providing device; the service providing device is configured to: in response to receiving the student privacy data and the second authentication token, send a second request carrying identity information of the service providing device to the identity authentication server;
the identity authentication server is further configured to: verify the identity information of the service providing device, and if the verification passes, send the first authentication token encrypted by the first encryption key to the service providing device;
the service providing device is further configured to: send the second request carrying the identity information of the service providing device and the first authentication token encrypted by the first encryption key to the identity management server;
the identity management server is further configured to: verify the second request, and if the verification passes, send the random decryption key and the second decryption key to the service providing device;
the service providing device is configured to: decrypt the student privacy data encrypted by the random encryption key and the second authentication token encrypted by the second encryption key with the random decryption key and the second decryption key to obtain the student privacy data; the second encryption key and the second decryption key are a key pair, and the random encryption key and the random decryption key are a key pair.
In combination with the first aspect, in some alternative embodiments,
the first request is used by the service request device to request authentication tokens from the identity authentication server and the identity management server so as to enable communication between the service request device and the service providing device;
the identity authentication server is specifically configured to: verify the identity information of the service request device, and if the verification passes, send the first authentication token encrypted by the first encryption key and the acquired first timestamp to the service request device; the first encryption key is an encryption key shared between the identity authentication server and the identity management server; the first timestamp is a timestamp between the service request device and the identity authentication server and indicates the point in time at which the identity authentication server generated the first encryption key and the first authentication token and encrypted the first authentication token with the first encryption key;
the service request device is further specifically configured to: send the first request carrying the identity information of the service request device, the first authentication token encrypted by the first encryption key, the identity information of the service providing device and a second timestamp generated by the service request device to the identity management server; the second timestamp indicates the point in time at which the first authentication token encrypted by the first encryption key and the identity information of the service providing device were acquired;
the identity management server is specifically configured to: verify whether the first request was sent by a legitimate authorized device, and if the verification passes, send a second authentication token, a random encryption key and a third timestamp, all encrypted by a second encryption key, together with the identity information of the service providing device to the service request device; the second encryption key is an encryption key between the service request device and the identity management server; the random encryption key is an encryption key between the service request device and the service providing device; the third timestamp indicates the point in time at which the identity management server generated the second encryption key and the second authentication token;
the identity authentication server is specifically configured to: verify the identity information of the service providing device, and if the verification passes, send the first authentication token encrypted by the first encryption key, the acquired fourth timestamp and the user identity information of the service providing device to the service providing device; the fourth timestamp indicates the point in time at which the identity authentication server generated the first encryption key and the first authentication token and encrypted the first authentication token with the first encryption key;
the service providing device is further configured to: send the second request carrying the identity information of the service providing device, the first authentication token encrypted by the first encryption key, the identity information of the service request device and the acquired fifth timestamp to the identity management server; the fifth timestamp indicates the point in time at which the first authentication token encrypted by the first encryption key and the identity information of the service request device were acquired;
the identity management server is further specifically configured to: verify the second request, and if the verification passes, send the random decryption key, the second decryption key and a sixth timestamp to the service providing device; the sixth timestamp indicates the point in time at which the random decryption key and the second decryption key were generated;
the service providing device is specifically configured to: decrypt the student privacy data encrypted by the random encryption key and the second authentication token encrypted by the second encryption key with the random decryption key and the second decryption key to obtain the student privacy data.
In combination with the first aspect, in some alternative embodiments,
the service request device is specifically configured to:
send a first request Request_1 carrying the identity information ID of the service request device to the identity authentication server; or,
the identity authentication server is specifically configured to:
verify the identity information ID_A of the service request device, and if the verification passes, send the first authentication token E_k(AS-IDS)(Token_1) encrypted by the first encryption key E_k(AS-IDS), the obtained first timestamp T_1 and the identity information ID_A of the service request device to the service request device.
In combination with the first aspect, in some alternative embodiments,
the service request device is further specifically configured to:
send the first request Request_1 carrying the identity information ID_A of the service request device, the first authentication token E_k(AS-IDS)(Token_1) encrypted by the first encryption key E_k(AS-IDS), the identity information ID_B of the service providing device and a second timestamp T_2 generated by the service request device to the identity management server; or,
the identity management server is specifically configured to:
verify whether the first request Request_1 was sent by a legitimate authorized device, and if the verification passes, send the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B), the random encryption key E_RK(A-B), a third timestamp T_3, the identity information ID_A of the service request device and the identity information ID_B of the service providing device to the service request device.
In combination with the first aspect, in some alternative embodiments,
the service request device is further specifically configured to:
send the student privacy data Msg encrypted by the random encryption key RK(A-B) and the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B) to the service providing device; wherein the second encryption key E_K-SAML(IDS-B) is generated based on the SAML protocol;
the service providing device is specifically configured to:
in response to receiving the student privacy data Msg and the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B), send a second request Request_2 carrying the identity information ID_B of the service providing device to the identity authentication server;
the identity authentication server is specifically further configured to:
verify the identity information ID_B of the service providing device, and if the verification passes, send the first authentication token E_k(AS-IDS)(Token_1) encrypted by the first encryption key E_k(AS-IDS), the obtained fourth timestamp T_4 and the user identity information ID_B of the service providing device to the service providing device;
the service providing device is further specifically configured to:
send the second request Request_2 carrying the identity information ID_B of the service providing device, the first authentication token E_k(AS-IDS)(Token_1) encrypted by the first encryption key E_k(AS-IDS), the identity information ID_A of the service request device and the obtained fifth timestamp T_5 to the identity management server;
the identity management server is further specifically configured to:
verify the second request Request_2, and if the verification passes, send the random decryption key RK(A-B) and the second decryption key K-SAML(IDS-B) to the service providing device; the second decryption key K-SAML(IDS-B) is generated based on the SAML protocol;
the service providing device is further specifically configured to:
decrypt, with the random decryption key RK(A-B) and the second decryption key K-SAML(IDS-B), the student privacy data E_RK(A-B)(Msg) encrypted by the random encryption key E_RK(A-B) and the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B), to obtain the student privacy data Msg.
In combination with the first aspect, in some alternative embodiments,
the service request device, the authentication server and the identity management server are deployed in a fog computing environment, and the service providing device is deployed in a cloud computing environment;
or,
the service request device, the authentication server are deployed in the fog computing environment, and the identity management server and the service providing device are deployed in the cloud computing environment.
In combination with the first aspect, in some alternative embodiments,
the identity management server is further specifically configured to:
before sending the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B), the random encryption key E_RK(A-B), the third timestamp T_3, the identity information ID_A of the service request device and the identity information ID_B of the service providing device to the service request device,
generate the random encryption key E_RK(A-B) by an elliptic curve cryptography algorithm.
In combination with the first aspect, in some alternative embodiments,
the identity management server is further specifically configured to:
before sending the random decryption key RK(A-B) and the second decryption key K-SAML(IDS-B) to the service providing device,
generate the random decryption key RK(A-B) by an elliptic curve cryptography algorithm.
In combination with the first aspect, in some alternative embodiments,
the authentication server is specifically configured to:
verify whether the identity information of the service request device exists in the local database or the memory of the identity authentication server, and if so, determine that the identity information of the service request device passes verification;
or,
the authentication server is specifically configured to:
verify whether the identity information of the service providing device exists in the local database or the memory of the identity authentication server, and if so, determine that the identity information of the service providing device passes verification.
In combination with the first aspect, in some alternative embodiments,
the identity management server is specifically configured to:
decrypt the first authentication token encrypted by the first encryption key, and verify from the obtained first authentication token that the service request device is a legitimate authorized device communicating with the identity management server and that the first request was indeed sent by the service request device;
or,
the identity management server is specifically configured to:
decrypt the first authentication token encrypted by the first encryption key, and verify from the obtained first authentication token that the service providing device is a legitimate authorized device communicating with the identity management server and that the second request was indeed sent by the service providing device.
The application provides an IDaaS system based on a dual verification mechanism, comprising a service request device, an identity authentication server, an identity management server and a service providing device, connected through a network. The service request device sends a first request carrying its identity information to the identity authentication server and obtains a first authentication token encrypted by a first encryption key together with the identity information of the service providing device; it is then verified by the identity management server on the basis of the first authentication token, and if the verification passes it receives from the identity management server a random encryption key and a second authentication token encrypted by a second encryption key; it finally sends the student privacy data encrypted by the random encryption key and the second authentication token encrypted by the second encryption key to the service providing device.
In response to receiving the student privacy data encrypted by the random encryption key and the second authentication token encrypted by the second encryption key, the service providing device sends a second request carrying its identity information to the identity authentication server; if the identity information passes verification, the service providing device receives the first authentication token encrypted by the first encryption key from the identity authentication server and presents it together with the second request so that the identity management server can verify the authenticity of the second request; if that verification passes, the service providing device receives the random decryption key and the second decryption key from the identity management server, decrypts the student privacy data encrypted by the random encryption key and the second authentication token encrypted by the second encryption key, and recovers the student privacy data. By adopting the method and the system, the identity information of the communicating devices is verified twice, by the identity authentication server and by the identity management server, so as to resist identity authentication attacks, identity theft attacks and the like, and the information security in the IDaaS system can be improved.
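As an added illustration (not the patent's own code), the simulation below walks through the dual verification flow with the notation used in the embodiments above: AS checks a device against its database and issues E_k(AS-IDS)(Token_1), IDS decrypts that token, binds it to the claimed identity and checks freshness before handing out Token_2 and the random key, and the service providing device obtains RK(A-B) and K-SAML(IDS-B) only after its own two checks. It assumes symmetric stand-in keys (the ECC-generated RK(A-B) pair is modelled as one symmetric key), a toy HMAC-based cipher, a 60-second freshness window and a constructed device whitelist, none of which come from the patent.

```python
import hashlib
import hmac
import json
import os
import time

MAX_AGE = 60.0  # assumed freshness window (seconds) for tokens and device timestamps


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, obj) -> bytes:
    """Toy authenticated encryption (illustration only): nonce || XOR-stream ct || HMAC tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: wrong key or altered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class AuthServer:
    """AS: first verifier. Knows only its device database and the key K(AS-IDS)."""

    def __init__(self, k_as_ids: bytes, registered_ids):
        self.k_as_ids, self.db = k_as_ids, set(registered_ids)

    def verify(self, device_id: str, now: float):
        """Check the ID against the local database, issue E_k(AS-IDS)(Token_1) plus T_1/T_4."""
        if device_id not in self.db:
            raise PermissionError(f"{device_id} is not in the AS database")
        token1 = {"name": "Token1", "subject": device_id, "issued": now}
        return encrypt(self.k_as_ids, token1), now


class IdentityManagementServer:
    """IDS: second verifier. Shares K(AS-IDS) with AS; holds K-SAML(IDS-B) and RK(A-B)."""

    def __init__(self, k_as_ids: bytes, k_saml_ids_b: bytes):
        self.k_as_ids, self.k_saml = k_as_ids, k_saml_ids_b
        self.sessions = {}  # (ID_A, ID_B) -> RK(A-B)

    def _check_token1(self, enc_token1: bytes, claimed_id: str, t_dev: float, now: float):
        # The presenting device cannot read Token_1 (it lacks K(AS-IDS)); IDS can,
        # and refuses a token issued to some other identity or one that is stale.
        token1 = decrypt(self.k_as_ids, enc_token1)
        if token1["subject"] != claimed_id:
            raise PermissionError("Token1 was issued to a different device")
        if now - token1["issued"] > MAX_AGE or abs(now - t_dev) > MAX_AGE:
            raise PermissionError("Token1 or device timestamp is stale")

    def handle_request1(self, id_a: str, enc_token1: bytes, id_b: str, t2: float, now: float):
        """Request_1 from A: returns E_K-SAML(IDS-B)(Token_2), the random encryption key and T_3."""
        self._check_token1(enc_token1, id_a, t2, now)
        rk = os.urandom(32)  # assumption: stands in for the ECC-generated RK(A-B) pair
        self.sessions[(id_a, id_b)] = rk
        token2 = {"name": "Token2", "from": id_a, "to": id_b, "issued": now}
        return encrypt(self.k_saml, token2), rk, now

    def handle_request2(self, id_b: str, enc_token1: bytes, id_a: str, t5: float, now: float):
        """Request_2 from B: returns RK(A-B), K-SAML(IDS-B) and T_6 only after B's own checks."""
        self._check_token1(enc_token1, id_b, t5, now)
        rk = self.sessions.get((id_a, id_b))
        if rk is None:
            raise PermissionError("IDS never authorised a session between these devices")
        return rk, self.k_saml, now


def run_exchange(id_a: str, id_b: str, msg: dict, now: float = None) -> dict:
    """Full flow: A -> AS -> IDS, A -> B, then B -> AS -> IDS, and B decrypts Msg."""
    now = time.time() if now is None else now
    k_as_ids, k_saml = os.urandom(32), os.urandom(32)
    AS = AuthServer(k_as_ids, {"cam-01", "srv-01"})  # constructed device whitelist
    IDS = IdentityManagementServer(k_as_ids, k_saml)
    # A: Request_1 to AS, then Request_1 + E_k(AS-IDS)(Token_1) + ID_B + T_2 to IDS
    enc_token1_a, t1 = AS.verify(id_a, now)
    enc_token2, rk_enc, t3 = IDS.handle_request1(id_a, enc_token1_a, id_b, now, now)
    # A -> B: E_RK(A-B)(Msg) and E_K-SAML(IDS-B)(Token_2); B holds neither key yet
    enc_msg = encrypt(rk_enc, msg)
    # B: Request_2 to AS, then Request_2 + E_k(AS-IDS)(Token_1) + ID_A + T_5 to IDS
    enc_token1_b, t4 = AS.verify(id_b, now)
    rk_dec, k_saml_dec, t6 = IDS.handle_request2(id_b, enc_token1_b, id_a, now, now)
    token2 = decrypt(k_saml_dec, enc_token2)
    if (token2["from"], token2["to"]) != (id_a, id_b):
        raise PermissionError("Token2 does not bind this pair of devices")
    return decrypt(rk_dec, enc_msg)
```

Note that B never sees Token_1 in the clear and cannot open E_RK(A-B)(Msg) until IDS has confirmed both its AS-issued token and the A/B session, which is the second check the patent relies on.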
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic structural diagram of an IDaaS system based on a dual authentication mechanism provided in the present application;
fig. 2 is a schematic structural diagram of another dual authentication mechanism-based IDaaS system provided in the present application;
fig. 3 is a schematic structural diagram of another dual authentication mechanism-based IDaaS system provided in the present application;
fig. 4 is a schematic structural diagram of another dual authentication mechanism-based IDaaS system provided in the present application.
Detailed Description
The technical solutions in the present application will be described clearly and completely with reference to the accompanying drawings in the present application, and it is obvious that the described embodiments are some, not all embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to improve the security of data in the IDaaS system and resist counterfeiting attacks, identity theft attacks and identity authentication attacks, the application provides an IDaaS system based on a dual verification mechanism. Specifically, fig. 1 is a schematic structural diagram of an IDaaS system based on a dual verification mechanism provided in the present application; as shown in fig. 1, the system may include, but is not limited to:
a service request device, an Authentication Server (AD), an Identity Management Server (IDS), and a service providing device; the service request equipment, the identity authentication server, the identity management server and the service providing equipment are connected through a communication network;
optionally, the service request device, the identity authentication server, and the identity management server are deployed in a cloud computing environment, and the service providing device is deployed in a cloud computing environment; or,
optionally, the service request device and the identity authentication server are deployed in a cloud computing environment, and the identity management server and the service providing device are deployed in a cloud computing environment.
It should be noted that the service request device may include, but is not limited to: a classroom-dedicated camera that can be used to collect student privacy data, an AI smart box that can be used to collect student privacy data, a camera that can be used to collect student privacy data, or other equipment that can be used to collect student privacy data.
The service providing device may include, but is not limited to: the server can be used for processing the privacy data of the students.
It should be noted that the above communication network may include, but is not limited to, the following ways:
mode 1: communication networks in a wired manner (e.g., network cable or fiber optic cable);
mode 2: a communication network in a wireless mode (such as Wi-Fi 6 or 5G);
mode 3: a communication network combining the wired mode and the wireless mode.
The service request device may be operable to: sending a first request carrying identity information of service request equipment to an identity authentication server; wherein,
the identity information of the service request device may include, but is not limited to: the geographical position of the service request device and/or the unique identification code of the device;
the unique identification code of the device may include, but is not limited to: the Unique Device Identifier (UDID), the IMEI (International Mobile Equipment Identity), the vendor identifier (IDFV), a universally unique identifier, the MAC address, the IP address, or another unique identifier of the service request device.
The identity authentication server may be configured to: verify the identity information of the service request device, and if the verification passes, send the first authentication token encrypted by the first encryption key to the service request device; the first authentication token is used by the identity management server to verify that the service request device is a legitimate authorized device communicating with the identity management server;
the first encryption key may include, but is not limited to: a public key in an asymmetric encryption algorithm, or a secret key in a symmetric encryption algorithm.
It should be noted that the specific process by which the identity authentication server verifies the identity information of the service request device is as follows:
the identity authentication server is specifically configured to: verify whether the identity information exists in the local database or the memory of the identity authentication server, and if so, determine that the identity information of the service request device passes verification.
It should be noted that the service request device may also be configured to: sending a first request carrying identity information of service request equipment, a first identity authentication token encrypted by a first encryption key and acquired identity information of service providing equipment to an identity management server; wherein the first request is operable to: the service request equipment requests the identity authentication server and the identity management server to provide authentication tokens so as to realize the information communication of the student private data and the like between the service request equipment and the service providing equipment;
the identity management server may be operable to: the first request is verified, and if the first request passes the verification, the second identity verification token encrypted by the second encryption key and the random encryption key are sent to the service request equipment;
specifically, the identity management server may be specifically configured to: and decrypting the second authentication token encrypted by the second encryption key to verify whether the first request is sent by a legal authorized device, and if the first request passes the verification, sending the second authentication token encrypted by the second encryption key and the random encryption key to the service request device. The second authentication token is for: the service request service device communicates with the service providing device;
the service request device may be further operable to: the student privacy data encrypted by the random encryption key and the second identity authentication token encrypted by the second encryption key are sent to the service providing equipment; the student privacy data may include, but is not limited to: face images of students, examination scores of students, class scores of students, attendance scores of students, growth files of students, family backgrounds of students, and the like.
The service providing device may be operable to: in response to receiving the student privacy data and the second authentication token, sending a second request carrying the identity information of the service providing device to the authentication server;
the authentication server is further configured to: verify whether the identity information of the service providing device exists in the local database of the identity verification server or in the memory of the identity verification server; if so, determine that the identity information of the service providing device passes verification and send the first identity verification token encrypted by the first encryption key to the service providing device;
the service providing device may be further operable to: sending a second request carrying the identity information of the service providing equipment and a first identity authentication token encrypted by the first encryption key to an identity management server;
the identity management server is further configured to: decrypt the first authentication token encrypted by the first encryption key using the first decryption key, so as to verify whether the second request was sent by a legally authorized device, and if the second request passes the verification, send the random decryption key and the second decryption key to the service providing device; wherein the second request is operable to: the service request device requests the identity authentication server and the identity management server to provide authentication tokens, so as to realize communication of the student privacy data between the service providing device and the service request device;
the first decryption key and the first encryption key are a pair of keys, wherein the first decryption key may include, but is not limited to: a private key in an asymmetric encryption algorithm, or a key in a symmetric encryption algorithm.
The service providing device is configured to: analyzing the student privacy data encrypted by the random encryption key and the second identity verification token encrypted by the second encryption key through the random decryption key and the second decryption key to obtain the student privacy data; the second encryption key and the second decryption key are a pair of keys, and the random encryption key and the random decryption key are a pair of keys. It should be noted that the identity information of the service providing device may include, but is not limited to: the geographic location and/or the unique identification code of the device where the service providing device is located;
the unique identification code of the device may include, but is not limited to: a unique device identifier (UDID), an IMEI (International Mobile Equipment Identity), an identifier for vendor (IDFV), a universally unique identifier (UUID), a MAC address, an IP address, or another unique identifier of the service providing device.
In the application, the service request device sends a first request carrying its identity information to the identity authentication server and obtains a first identity authentication token encrypted by a first encryption key together with the identity information of the service providing device; based on the first identity authentication token it is authenticated by the identity management server. If that authentication passes, it receives the random encryption key and the second identity authentication token encrypted by the second encryption key sent by the identity management server, and sends the student privacy data encrypted by the random encryption key and the second identity authentication token encrypted by the second encryption key to the service providing device. It should be noted that the identity management server may decrypt the first authentication token encrypted by the first encryption key based on the shared attribute.
In response to receiving the student privacy data encrypted by the random encryption key and the second authentication token encrypted by the second encryption key, the service providing device sends a second request carrying its identity information to the identity authentication server. If that identity information passes verification, the service providing device receives the first authentication token encrypted by the first encryption key from the authentication server and forwards it together with the second request, so that the identity management server can verify the authenticity of the second request. If that verification passes, the service providing device receives the random decryption key and the second decryption key sent by the identity management server, analyzes the student privacy data encrypted by the random encryption key and the second identity authentication token encrypted by the second encryption key, and recovers the student privacy data.
In order to improve the security of data in the IDaaS system and resist counterfeiting attacks, identity theft attacks and identity authentication attacks, the application provides another IDaaS system based on a dual verification mechanism. Specifically,
referring to fig. 2, a schematic structural diagram of an IDaaS system based on a dual authentication mechanism provided in the present application, the system may include, but is not limited to:
the system comprises service request equipment, an identity authentication server, an identity management server and service providing equipment; the service request device, the identity authentication server, the identity management server, and the service providing device are connected through a communication network, and specific description may refer to the embodiment in fig. 1, which is not described herein again.
The service request device may be operable to: sending a first request carrying identity information of service request equipment to an identity authentication server; wherein the first request is operable to: the service request equipment requests the identity authentication server and the identity management server to provide an authentication token so as to realize the communication between the service request equipment and the service providing equipment;
it should be noted that the service request device is specifically operable to:
sending a first request Request_1 carrying the identity information ID_A of the service request device to the identity authentication server;
the authentication server may be operable to: verifying the identity information of the service request equipment, and if the identity information is verified, sending a first identity verification token encrypted by a first encryption key, the acquired first timestamp and the identity information of the service request equipment to the service request equipment; the first encryption key is an encryption key between the identity authentication server and the identity management server; the first timestamp is a timestamp between the service request device and the authentication server. The first timestamp may be generated by the authentication server based on a digital signature technology or by other timestamp service center devices. The first timestamp is used to indicate a point in time when the authentication server generates the first encryption key, the first authentication token, and encrypts the first authentication token with the first encryption key.
For example, the authentication server may be specifically configured to:
verifying the identity information ID_A of the service request device; if the identity information ID_A is present among the stored service request devices, i.e. the identity information ID_A passes the verification, sending the first authentication token E_k(AS-IDS)(Token_1) encrypted by the first encryption key E_k(AS-IDS), the acquired first timestamp T_1 and the identity information ID_A of the service request device to the service request device.
The service request device may be further operable to: sending a first request carrying identity information of service request equipment, a first identity authentication token encrypted by a first encryption key, identity information of service providing equipment and an acquired second timestamp to an identity management server; the first identity token here can be used for the service request device to communicate with the identity management server. The second timestamp may be generated by the service request device based on a digital signature technology or by other timestamp service center devices. The second timestamp is used for indicating the acquisition time point of the first authentication token and the identity information of the service providing device encrypted by the first encryption key.
For example, the service request device may be further configured to:
sending the first request Request_1 carrying the identity information ID_A of the service request device, the first authentication token E_k(AS-IDS)(Token_1) encrypted by the first encryption key E_k(AS-IDS), the identity information ID_B of the service providing device and the acquired second timestamp T_2 to the identity management server;
the identity management server may be operable to: verifying whether the first request is sent by a legal authorized device, and if the first request passes the verification, sending a second identity verification token, a random encryption key, a third timestamp, the identity information of the service request device and the identity information of the service providing device to the service request device, wherein the second identity verification token, the random encryption key, the third timestamp, the identity information of the service request device and the identity information of the service providing device are encrypted by the second encryption key; the second encryption key is an encryption key between the service request equipment and the identity management server; the random encryption key is an encryption key between the service request equipment and the service providing equipment; and the second identity token is used for the service request equipment to communicate with the service providing equipment. The third timestamp may be generated by the identity management server based on a digital signature technology, or generated by other timestamp service center devices. The third timestamp is used to indicate a point in time when the identity management server generates the second encryption key and the second authentication token.
For example, the identity management server may be specifically configured to: verifying whether the first request Request_1 was sent by a legitimate authorized device, and if the first request Request_1 passes the verification, sending the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B), the random encryption key E_RK(A-B), the third timestamp T_3, the identity information ID_A of the service request device and the identity information ID_B of the service providing device to the service request device.
The identity management server may be further operable to: before sending the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B), the random encryption key E_RK(A-B), the third timestamp T_3, the identity information ID_A of the service request device and the identity information ID_B of the service providing device to the service request device, generate the random encryption key E_RK(A-B) by Elliptic Curve Cryptography (ECC).
It should be noted that the identity management server may also be configured to: generate the random encryption key by the elliptic curve cryptography algorithm before the second authentication token encrypted by the second encryption key, the random encryption key, the third timestamp, the identity information of the service request device and the identity information of the service providing device are sent to the service request device.
The service request device may be further operable to: and sending the student privacy data encrypted by the random encryption key and the second authentication token encrypted by the second encryption key to the service providing equipment.
For example, the service request device may be further configured to:
sending the student privacy data Msg encrypted by the random encryption key RK(A-B) and the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B) to the service providing device; wherein the second encryption key E_K-SAML(IDS-B) is generated based on the SAML protocol.
The service providing device is particularly operable to: and sending a second request carrying the identity information of the service providing equipment to the identity authentication server in response to receiving the student privacy data and the second identity authentication token.
For example, the service providing device is specifically configured to: in response to receiving the student privacy data Msg encrypted by the random key and the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B), sending a second request Request_2 carrying the identity information of the service providing device to the authentication server.
The authentication server is specifically operable to: verify the identity information of the service providing device; if the identity information of the service providing device is stored in the database of the identity verification server, the verification passes, and if the verification passes, send the first identity verification token encrypted by the first encryption key, a fourth timestamp generated by the identity verification server and the user identity information of the service providing device to the service providing device. The fourth timestamp may be generated by the authentication server based on a digital signature technology, or by another timestamp service center device. The fourth timestamp is used to indicate the point in time when the authentication server generates the first encryption key and the first authentication token and encrypts the first authentication token with the first encryption key.
For example, the authentication server may be specifically configured to: authentication service providerIdentity information ID for a deviceBIf the verification is passed, a first encryption key E is sentk(AS-IDS)Encrypted first authentication token Ek(AS-IDS)(Token1) And a fourth time stamp T generated by the identity authentication server4And user identification information ID of the service providing apparatusBTo the service providing device.
The service providing device may be further specifically configured to: sending a second request carrying the identity information of the service providing equipment, a first identity authentication token encrypted by the first encryption key, the identity information of the service request equipment and a fifth timestamp generated by the service providing equipment to an identity management server; the fifth timestamp may be generated by the service providing device based on a digital signature technology, or generated by other timestamp service center devices. The fifth timestamp is used for indicating the time point of acquiring the identity information of the first authentication token and the service request device after the first encryption key is encrypted.
For example, the service providing device is further configured to: will carry the identity information ID of the service providing deviceBSecond Request of2By a first encryption key Ek(AS-IDS)Encrypted first authentication token Ek(AS-IDS)(Token1) Identity information ID of service request deviceAAnd a fifth time stamp T generated by the service providing apparatus5And sending the information to an identity management server.
The identity management server may be further configured to: decrypt the first authentication token encrypted by the first encryption key, confirm according to the first authentication token that the second request was sent by a legally authorized device, pass the authentication, and send the random decryption key, the second decryption key, the sixth timestamp, the identity information of the service request device and the identity information of the service providing device to the service providing device. The sixth timestamp may be generated by the identity management server based on a digital signature technology, or by another timestamp service center device. The sixth timestamp is used to indicate the generation time point of the random decryption key and the second decryption key.
For example, the identity management server is further specifically configured to: verifying the second request Request_2, and if the verification is passed, sending the random decryption key RK(A-B), the second decryption key K-SAML(IDS-B), the sixth timestamp T_6, the identity information ID_A of the service request device and the identity information ID_B of the service providing device to the service providing device; the second decryption key K-SAML(IDS-B) is generated based on the SAML protocol.
The identity management server is further specifically configured to: before sending the random decryption key RK(A-B) and the second decryption key K-SAML(IDS-B) to the service providing device, generate the random decryption key RK(A-B) by the elliptic curve cryptography algorithm (ECC).
The service providing device may be operable to: and analyzing the student privacy data encrypted by the random encryption key and the second identity verification token encrypted by the second encryption key through the random decryption key and the second decryption key to obtain the student privacy data.
For example, the service providing device is specifically configured to: analyzing, through the random decryption key RK(A-B) and the second decryption key K-SAML(IDS-B), the student privacy data E_RK(A-B)(Msg) encrypted by the random encryption key E_RK(A-B) and the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B), and recovering the student privacy data Msg.
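The exchange of figs. 1 and 2 (Request_1 and Request_2, the two tokens, the six timestamps and the final recovery of Msg) as an added worked example in Python; this is not code from the patent. It assumes a toy HMAC-authenticated stream cipher in place of the unspecified ciphers, random byte strings in place of the ECC-generated RK(A-B) and the SAML-derived K-SAML(IDS-B), that the authentication server and the identity management server share both k(AS-IDS) and Token_1 as the "shared attribute", and a freshness window for the timestamps; all keys are symmetric, so each decryption key equals its encryption key.

```python
import hashlib
import hmac
import os
import time

FRESHNESS_SECONDS = 30  # assumed policy: how old a timestamp T_i may be


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter keystream for the toy cipher below (constructed)."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:length]


def encrypt(key: bytes, msg: bytes) -> bytes:
    """Toy encrypt-then-MAC standing in for the patent's E_key(...):
    nonce || keystream-XOR ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Reject the blob unless its tag verifies under `key`; this is how a
    server distinguishes a token issued under k(AS-IDS) from a forged one."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise PermissionError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def _fresh(ts: float) -> None:
    """Assumed freshness check on a received timestamp T_i."""
    if abs(time.time() - ts) > FRESHNESS_SECONDS:
        raise PermissionError("stale timestamp")


class AuthServer:
    """Identity authentication server (AS): holds the local database of
    registered device identities and the first encryption key k(AS-IDS)."""

    def __init__(self, registry: set, k_as_ids: bytes, token1: bytes):
        self.registry, self.k_as_ids, self.token1 = registry, k_as_ids, token1

    def handle_request(self, dev_id: str):
        # Request_1 (from A) and Request_2 (from B) both carry only the ID.
        if dev_id not in self.registry:
            raise PermissionError(f"{dev_id} is not in the AS database")
        # Reply: E_k(AS-IDS)(Token_1), timestamp T_1 / T_4, and the ID.
        return encrypt(self.k_as_ids, self.token1), time.time(), dev_id


class IdentityServer:
    """Identity management server (IDS): shares k(AS-IDS) and Token_1 with
    the AS (assumed realisation of the patent's 'shared attribute')."""

    def __init__(self, k_as_ids: bytes, token1: bytes):
        self.k_as_ids, self.token1 = k_as_ids, token1
        self.rk = os.urandom(32)      # RK(A-B); stands in for the ECC-generated key
        self.k_saml = os.urandom(32)  # K-SAML(IDS-B); stands in for the SAML key
        self.token2 = os.urandom(16)  # Token_2

    def _authorised(self, enc_token1: bytes, ts: float) -> None:
        _fresh(ts)
        if decrypt(self.k_as_ids, enc_token1) != self.token1:
            raise PermissionError("request not from a legally authorised device")

    def handle_request1(self, id_a, enc_token1, id_b, t2):
        self._authorised(enc_token1, t2)
        # Per the fig. 2 formula only Token_2 is under K-SAML; RK(A-B) goes to A.
        return encrypt(self.k_saml, self.token2), self.rk, time.time(), id_a, id_b

    def handle_request2(self, id_b, enc_token1, id_a, t5):
        self._authorised(enc_token1, t5)
        # Decryption keys RK(A-B) and K-SAML(IDS-B) (symmetric here) plus T_6.
        return self.rk, self.k_saml, time.time(), id_a, id_b


def run_flow(id_a: str, id_b: str, msg: bytes, registry: set) -> bytes:
    """Drive the whole exchange between A, AS, IDS and B; return what B recovers."""
    k_as_ids, token1 = os.urandom(32), os.urandom(16)
    asrv = AuthServer(registry, k_as_ids, token1)
    ids = IdentityServer(k_as_ids, token1)
    # A -> AS: Request_1 with ID_A;        AS -> A: E(Token_1), T_1, ID_A
    enc_t1, t1, _ = asrv.handle_request(id_a)
    # A -> IDS: Request_1, E(Token_1), ID_B, T_2;  IDS -> A: E_K-SAML(Token_2), RK, T_3
    enc_t2, rk, t3, _, _ = ids.handle_request1(id_a, enc_t1, id_b, time.time())
    # A -> B: E_RK(A-B)(Msg), E_K-SAML(IDS-B)(Token_2)
    enc_msg = encrypt(rk, msg)
    # B -> AS: Request_2 with ID_B;        AS -> B: E(Token_1), T_4, ID_B
    enc_t1_b, t4, _ = asrv.handle_request(id_b)
    # B -> IDS: Request_2, E(Token_1), ID_A, T_5;  IDS -> B: RK, K-SAML, T_6
    rk_b, k_saml_b, t6, _, _ = ids.handle_request2(id_b, enc_t1_b, id_a, time.time())
    # B checks Token_2 under K-SAML(IDS-B) (tag failure rejects it), then recovers Msg.
    decrypt(k_saml_b, enc_t2)
    return decrypt(rk_b, enc_msg)


if __name__ == "__main__":
    devices = {"A", "B"}  # constructed registry standing in for the AS database
    print(run_flow("A", "B", b"attendance record (constructed)", devices))
```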
It should be noted that the definitions or explanations in the embodiment of fig. 2, which are not explained in detail, may refer to the embodiment of fig. 1.
Referring to fig. 3, a schematic structural diagram of another dual authentication mechanism-based IDaaS system provided in the present application is shown, where the system may include, but is not limited to: the system comprises service request equipment, an identity authentication server, an identity management server and service providing equipment; the service request equipment, the identity authentication server, the identity management server and the service providing equipment are connected through a communication network;
it should be noted that the service request device, the authentication server, and the identity management server are deployed in a fog computing environment, and the service providing device is deployed in a cloud computing environment.
It should be noted that, for implementation of specific functions of the service request device, the identity authentication server, the identity management server, and the service providing device, reference may be made to the embodiments in fig. 1-2, and details are not repeated here.
Referring to fig. 4, a schematic structural diagram of another dual authentication mechanism-based IDaaS system provided in the present application is shown, where the system may include, but is not limited to: the system comprises service request equipment, an identity authentication server, an identity management server and service providing equipment; the service request equipment, the identity authentication server, the identity management server and the service providing equipment are connected through a communication network;
it should be noted that the service request device, the authentication server, and the identity management server are deployed in a cloud computing environment, and the service providing device is deployed in a cloud computing environment.
It should be noted that, for implementation of specific functions of the service request device, the identity authentication server, the identity management server, and the service providing device, reference may be made to the embodiments in fig. 1-2, and details are not repeated here.
Those of ordinary skill in the art will appreciate that the aspects of the examples described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described above generally in terms of their functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described apparatuses and systems may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus or system may be implemented in other ways. Whether such functionality of the system or device is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.

Claims (10)

1. An IDaaS system based on a dual authentication mechanism, comprising:
the system comprises service request equipment, an identity authentication server, an identity management server and service providing equipment; the service request equipment, the identity authentication server, the identity management server and the service providing equipment are connected through a network; wherein,
the service request device is configured to: sending a first request carrying identity information of the service request device to the identity authentication server;
the authentication server is configured to: verifying the identity information of the service request device, and if the identity information passes the verification, sending a first identity verification token encrypted by a first encryption key to the service request device; the first authentication token is used for: the identity management server verifying that the service request device is a legally authorized device communicating with the identity management server;
the service request device is further configured to: sending the first request, the first authentication token encrypted by the first encryption key and the acquired identity information of the service providing equipment to the identity management server;
the identity management server is configured to: the first request is verified, and if the first request passes the verification, a second identity verification token and a random encryption key which are encrypted by a second encryption key are sent to the service request equipment;
the service request device is further configured to: sending the student privacy data encrypted by the random encryption key and the second authentication token encrypted by the second encryption key to the service providing device; the second authentication token is used for: the service request device communicating with the service providing device; the service providing device is configured to: in response to receiving the student privacy data and the second authentication token, sending a second request carrying identity information of the service providing device to the authentication server;
the authentication server is further configured to: verifying the identity information of the service providing equipment, and if the identity information passes the verification, sending the first identity verification token encrypted by the first encryption key to the service providing equipment;
the service providing device is further configured to: sending the second request carrying the identity information of the service providing equipment and the first identity authentication token encrypted by the first encryption key to the identity management server;
the identity management server is further configured to: verifying the second request, and if the second request passes the verification, sending the random decryption key and the second decryption key to the service providing equipment;
the service providing device is configured to: analyzing the student privacy data encrypted by the random encryption key and the second authentication token encrypted by the second encryption key through the random decryption key and the second decryption key to obtain the student privacy data; the second encryption key and the second decryption key are a pair of keys, and the random encryption key and the random decryption key are a pair of keys.
2. The dual authentication mechanism-based IDaaS system of claim 1,
the first request is to: the service request equipment requests the identity authentication server and the identity management server to provide authentication tokens so as to realize the communication between the service request equipment and the service providing equipment;
the authentication server is specifically configured to: verifying the identity information of the service request equipment, and if the identity information passes the verification, sending a first identity verification token encrypted by a first encryption key and the acquired first timestamp to the service request equipment; the first encryption key is an encryption key between the authentication server and the identity management server; the first timestamp is a timestamp between the service request device and the authentication server; the first timestamp is used to indicate a point in time at which the authentication server generated the first encryption key, the first authentication token, and encrypted the first authentication token with the first encryption key;
the service request device is further specifically configured to: sending the first request carrying the identity information of the service request device, the first authentication token encrypted by the first encryption key, the identity information of the service providing device and a second timestamp generated by the service request device to the identity management server; the second timestamp is used for indicating the acquisition time point of the first authentication token encrypted by the first encryption key and the identity information of the service providing equipment;
the identity management server is specifically configured to: verifying whether the first request is sent by a legally authorized device, and if the first request passes the verification, sending a second identity verification token, a random encryption key, a third timestamp and the identity information of the service providing device to the service request device, wherein the second identity verification token, the random encryption key and the third timestamp are encrypted by a second encryption key; wherein the second encryption key is an encryption key between the service request device and the identity management server; the random encryption key is an encryption key between the service request device and the service providing device; the third timestamp is used to indicate a point in time at which the identity management server generates the second encryption key and the second authentication token;
the authentication server is specifically configured to: verifying the identity information of the service providing equipment, and if the identity information passes the verification, sending the first identity verification token encrypted by the first encryption key, the obtained fourth timestamp and the user identity information of the service providing equipment to the service providing equipment; the fourth timestamp is used to indicate a point in time at which the authentication server generated the first encryption key, the first authentication token, and encrypted the first authentication token with the first encryption key;
the service providing device is further configured to: sending the second request carrying the identity information of the service providing device, the first authentication token encrypted by the first encryption key, the identity information of the service requesting device and the acquired fifth timestamp to the identity management server; the fifth timestamp is used for indicating the first authentication token encrypted by the first encryption key and the acquisition time point of the identity information of the service request device;
the identity management server is further specifically configured to: verifying the second request, and if the second request passes the verification, sending the random decryption key, the second decryption key and a sixth timestamp to the service providing equipment; the sixth timestamp is used for indicating a generation time point of the random decryption key and the second decryption key;
the service providing device is specifically configured to: and analyzing the student privacy data encrypted by the random encryption key and the second authentication token encrypted by the second encryption key through the random decryption key and the second decryption key to obtain the student privacy data.
3. The dual authentication mechanism-based IDaaS system of claim 2,
the service request device is specifically configured to:
sending a first request Request_1 carrying the identity information ID_A of the service request device to the identity authentication server; or,
the identity authentication server is specifically configured to:
verifying the identity information ID_A of the service request device, and if the verification is passed, sending the first authentication token E_k(AS-IDS)(Token_1) encrypted by the first encryption key E_k(AS-IDS), the acquired first timestamp T_1 and the identity information ID_A of the service request device to the service request device.
4. The dual authentication mechanism-based IDaaS system of claim 3,
the service request device is further specifically configured to:
sending the first request Request_1 carrying the identity information ID_A of the service request device, the first authentication token E_k(AS-IDS)(Token_1) encrypted by the first encryption key E_k(AS-IDS), the identity information ID_B of the service providing device and the second timestamp T_2 generated by the service request device to the identity management server; or,
the identity management server is specifically configured to:
verifying whether the first request Request_1 is sent by a legitimate authorized device, and if the verification is passed, sending the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B), the random encryption key E_RK(A-B), a third timestamp T_3, the identity information ID_A of the service request device and the identity information ID_B of the service providing device to the service request device.
5. The dual authentication mechanism-based IDaaS system of claim 4,
the service request device is further specifically configured to:
providing the student privacy data Msg encrypted by the random encryption key RK(A-B) and the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B) to the service providing device; wherein the second encryption key E_K-SAML(IDS-B) is generated based on the SAML protocol;
the service providing device is specifically configured to:
in response to receiving the student privacy data Msg and the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B), providing a second request Request_2 carrying the identity information ID_B of the service providing device to the identity authentication server;
the identity authentication server is specifically further configured to:
verifying the identity information ID_B of the service providing device, and if the verification is passed, sending the first authentication token E_k(AS-IDS)(Token_1) encrypted by the first encryption key E_k(AS-IDS), the acquired fourth timestamp T_4 and the user identity information ID_B of the service providing device to the service providing device;
the service providing device is further specifically configured to:
sending the second request Request_2 carrying the identity information ID_B of the service providing device, the first authentication token E_k(AS-IDS)(Token_1) encrypted by the first encryption key E_k(AS-IDS), the identity information ID_A of the service request device and the acquired fifth timestamp T_5 to the identity management server;
the identity management server is further specifically configured to:
verifying the second request Request_2, and if the verification is passed, transmitting the random decryption key RK(A-B) and the second decryption key K-SAML(IDS-B) to the service providing device; the second decryption key K-SAML(IDS-B) is generated based on the SAML protocol;
the service providing device is further specifically configured to:
parsing, by the random decryption key RK(A-B) and the second decryption key K-SAML(IDS-B), the student privacy data E_RK(A-B)(Msg) encrypted by the random encryption key E_RK(A-B) and the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B), to obtain the student privacy data Msg.
6. The dual authentication mechanism-based IDaaS system of claim 5,
the service request device, the authentication server and the identity management server are deployed in a fog computing environment, and the service providing device is deployed in a cloud computing environment;
or,
the service request device and the authentication server are deployed in the fog computing environment, and the identity management server and the service providing device are deployed in the cloud computing environment.
7. The dual authentication mechanism-based IDaaS system of claim 5,
the identity management server is further specifically configured to:
before sending the second authentication token E_K-SAML(IDS-B)(Token_2) encrypted by the second encryption key E_K-SAML(IDS-B), the random encryption key E_RK(A-B), the third timestamp T_3, the identity information ID_A of the service request device and the identity information ID_B of the service providing device to the service request device,
generating the random encryption key E_RK(A-B) by an elliptic curve cryptographic algorithm.
8. The dual authentication mechanism-based IDaaS system of claim 5,
the identity management server is further specifically configured to:
before sending the random decryption key RK(A-B) and the second decryption key K-SAML(IDS-B) to the service providing device,
generating the random decryption key RK(A-B) by an elliptic curve cryptography algorithm.
9. The dual authentication mechanism-based IDaaS system of claim 1,
the authentication server is specifically configured to:
verifying whether the identity information of the service request equipment exists in a local database of the identity verification server or a memory of the identity verification server, and if so, determining that the identity information of the service request equipment passes verification;
or,
the authentication server is specifically configured to:
verifying whether the identity information of the service providing device exists in a local database of the identity verification server or a memory of the identity verification server, and if so, determining that the identity information of the service providing device passes verification.
10. The dual authentication mechanism-based IDaaS system of claim 1,
the identity management server is specifically configured to:
decrypting the first authentication token encrypted by the first encryption key, and verifying, according to the obtained first authentication token, that the service request device is an authorized device legitimately permitted to communicate with the identity management server and that the first request was actually sent by the service request device;
or,
the identity management server is specifically configured to:
decrypting the first authentication token encrypted by the first encryption key, and verifying, according to the obtained first authentication token, that the service providing device is an authorized device legitimately permitted to communicate with the identity management server and that the second request was actually sent by the service providing device.
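The following Python simulation is an added example, not code from the patent or its applicant; it drives the exchange of claims 2 to 5 end to end (Request_1 to the authentication server, Request_1 with Token_1 to the identity management server, E_RK(A-B)(Msg) to the providing device, Request_2 twice, then decryption) and applies the checks of claims 9 and 10. It assumes, where the page gives no detail, that E_k(AS-IDS)(Token_1) and E_K-SAML(IDS-B)(Token_2) are modelled as HMACs, that RK(A-B) encryption is a constructed XOR keystream rather than the ECC-derived key of claims 7 and 8, and that timestamps T_2 and T_5 older than a 30-second window are rejected.

```python
import hmac, hashlib, os, time
MAX_SKEW = 30    # assumed window: seconds a timestamp T_i may lag before rejection

# Constructed toy stand-ins for the claims' E_k(...) and E_RK(A-B) notation: tokens
# are HMACs, Msg is XORed with a hash-derived keystream (real deployment: AEAD + ECC).
def mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def xor_stream(key, data):               # symmetric: the same call encrypts and decrypts
    ks = hashlib.sha256(key).digest() * (len(data) // 32 + 1)
    return bytes(a ^ b for a, b in zip(data, ks))

class AuthServer:                         # identity authentication server (claim 9)
    def __init__(self, registered, k_as_ids):
        self.registered, self.k = set(registered), k_as_ids
    def handle(self, dev_id):             # Request_1 from A or Request_2 from B
        if dev_id not in self.registered: # lookup in local database / memory
            return None
        t = int(time.time())              # T_1 or T_4
        return mac(self.k, dev_id, str(t).encode()), t   # E_k(AS-IDS)(Token_1), T

class IdentityManagementServer:           # IDS (claims 4, 5 and 10)
    def __init__(self, k_as_ids, k_saml):
        self.k, self.k_saml, self.sessions = k_as_ids, k_saml, {}
    def check(self, dev_id, token1, t_issue, t_req):
        if abs(time.time() - t_req) > MAX_SKEW:    # stale T_2/T_5: reject as replay
            return False
        # Token_1 must verify under the key shared with the auth server (claim 10)
        return hmac.compare_digest(token1, mac(self.k, dev_id, str(t_issue).encode()))
    def request1(self, id_a, token1, t1, id_b, t2):
        if not self.check(id_a, token1, t1, t2): return None
        rk = os.urandom(32)               # RK(A-B); the page derives it via ECC
        self.sessions[(id_a, id_b)] = rk
        return mac(self.k_saml, id_a, id_b), rk, int(time.time())   # Token_2, RK, T_3
    def request2(self, id_b, token1, t4, id_a, t5):
        if not self.check(id_b, token1, t4, t5): return None
        return self.sessions.get((id_a, id_b)), self.k_saml   # RK(A-B), K-SAML(IDS-B)

def run_exchange(msg):                    # the claim-2 steps; returns Msg as seen by B
    k_as_ids, k_saml = os.urandom(32), os.urandom(32)
    auth = AuthServer({b"A", b"B"}, k_as_ids)
    ids = IdentityManagementServer(k_as_ids, k_saml)
    token1, t1 = auth.handle(b"A")
    token2, rk, t3 = ids.request1(b"A", token1, t1, b"B", int(time.time()))
    ct = xor_stream(rk, msg)              # A sends E_RK(A-B)(Msg) and Token_2 to B
    token1b, t4 = auth.handle(b"B")
    rk_b, k_saml_b = ids.request2(b"B", token1b, t4, b"A", int(time.time()))
    if not hmac.compare_digest(token2, mac(k_saml_b, b"A", b"B")):   # Token_2 check
        return None
    return xor_stream(rk_b, ct)
```

An unregistered device gets no Token_1 from `AuthServer.handle`, and a stale or forged Token_1 fails `IdentityManagementServer.check`, so neither RK(A-B) nor K-SAML(IDS-B) is released.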
CN202210196762.8A 2022-02-28 2022-02-28 IDaaS system based on dual verification mechanism Pending CN114422266A (en)
Publications (1)

Publication Number Publication Date
CN114422266A true CN114422266A (en) 2022-04-29
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination