CN1588853A - Uniform identification method and system based on network - Google Patents

Uniform identification method and system based on network

Publication number
CN1588853A
Authority
CN (China)
Prior art keywords
network, login, certificate server, string, authentication
Legal status
Granted
Application number
CN 200410070910
Other languages
Chinese (zh)
Other versions
CN100397814C (en)
Inventors
鲁小涛, 陈昭旭, 李秀生, 昝星, 赵猛, 嵇津湘, 殷明, 王振飞
Current assignee
Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee
Industrial and Commercial Bank of China Ltd (ICBC)
Application filed by Industrial and Commercial Bank of China Ltd (ICBC)
Priority to CNB2004100709103A (granted as CN100397814C)
Publication of CN1588853A
Application granted
Publication of CN100397814C
Legal status: Active

Abstract

This invention provides a network-based uniform authentication method and system. An authentication server, user terminals and business subsystems are interconnected over a network. A user is authenticated only once, on the authentication server, which then redirects the user to the business subsystem the user selects; the target business subsystem performs its own access-right check. The method and system authenticate staff uniformly and make security management easier.

Description

A network-based uniform authentication method and system
Technical field
The present invention relates to network communication technology, in particular to authentication in a network, and specifically to a network-based uniform authentication method and system.
Background technology
With the rapid development of computer and network communication technology, most government organs, enterprises, institutions and other organisations with branches have built internal communication networks to support communication between their departments. Even organisations without an internal network can communicate between departments over the Internet.
However, whether the communication runs over an internal network or over the Internet, it faces problems of system security and system maintenance. The internal network of a large enterprise, and in particular of a financial company such as a bank, has many branches spread over a wide geographic area; its internal information is distributed across numerous independent and mutually incompatible regional management systems, and that information is managed by a large number of internal staff. When such systems communicate, authenticating the correspondent (the visitor) and checking the visitor's access rights are therefore critical: only a person with a legitimate identity may communicate, and only within that person's access rights.
To solve the authentication and authorisation problem in the network, many enterprises (banks in particular) let each internal subsystem perform its own authentication and authorisation. This has at least the following drawbacks. 1) When the security system is upgraded, each subsystem must be upgraded separately; this wastes manpower and material resources, takes internal subsystems out of service for short periods, makes effective information-security management difficult and greatly increases administrative cost. The problem becomes even more acute, sometimes intractable, when staff change, departments are cancelled or merged, or the organisation grows or shrinks. 2) A visitor must re-enter account number, password and similar information for each of several subsystems; this is not only tedious, but passwords are easily lost, causing loss to both the system and the user. Such internally communicating networks therefore urgently need a unified, more secure and easily maintained authentication and authorisation system so that internal communication is safe and convenient.
To achieve unified authentication and authorisation, Chinese patent 01132904.1 provides a server login system and method: a server receives user identification data and a function item entered by the user, and sends an authentication message containing the user identification data, a server code for that server and a function item code for that function item to an authentication platform. The authentication platform runs an audit procedure against the user identification data, server code and function item code in the received message and an access-right table for that user, and returns an authentication result to the server, which then allows or refuses the user's access to that function item accordingly. The shortcoming of this technique is that all authentication, authorisation and checking of function item codes and server codes is borne by the authentication server, increasing its load; when the number of users requesting authentication is huge, the authentication server needs a very high-end configuration or its speed suffers.
Chinese patent 01145575.6 provides a broadband network authentication, authorisation and accounting method: after the user connects to an access concentrator by dial-up or Telnet, the access concentrator prompts for user name and password and sends the user's input to an AAA server for authentication; if authentication succeeds, the access concentrator creates a dynamic access control list (ACL) so that the authorised user can reach the network that was not accessible when the access concentrator was initialised, and at the same time sends accounting information to the AAA server; it then monitors the user's connection and, when it detects that the connection has been dropped, deletes the dynamic ACL and sends an accounting-stop message. This method improves protocol efficiency and reduces protocol complexity, but it requires an access list to be created on the concentrator and the user's connection state to be monitored in real time, which increases the data traffic between the concentrator and the authentication server; constrained by network bandwidth, this also readily creates hidden risks to system stability.
Summary of the invention
The object of the present invention is to provide an authentication method and system that unify security authentication for all users and reduce the redundancy of the whole security system.
The technical scheme of the present invention is as follows:
A network-based uniform authentication method, in a communication system consisting of login terminals and a plurality of business sites that communicate over a network; characterised in that at least one authentication server is connected to the network, the database of the authentication server stores the authentication information of the login terminals, and the authentication server provides an internal concentrated entry (inner portal) site; the database of each business site stores the site's own business data and the authentication information of the login terminals; and the information inside the authentication server is managed through an authentication server management terminal;
When a login terminal communicates with a business site, the following steps are carried out:
the login terminal sends a login request message from its own browser to the authentication server;
the authentication server processes the received login request message, including authentication; if the authentication is legitimate, it creates session information for this login of this login terminal and returns to the terminal's browser a homepage containing the routing information of each business site;
the login terminal freely selects among the routing information of the business sites;
after the login terminal has selected a business site, the authentication server generates for this login terminal an encrypted string containing the user name as the query string (QUERY_STRING), updates the relevant information in its database, and redirects the login request to the selected site; the login terminal and the selected site are then directly connected, and the selected site verifies the encrypted string containing the user name; if the encrypted string is valid, the site performs the business-site login and the access-right check, and the business site keeps the encrypted string and the signature string over it; the site then communicates with the login terminal in accordance with its access rights and provides the relevant business data;
if the authentication request message is illegitimate, the terminal is prompted to resend the authentication request message.
The authentication information of the login terminal comprises a user name and password.
The authentication information of the login terminal comprises a user name and the access authority information corresponding to that user name.
The processing the authentication server applies to the received login request message includes checking the terminal's login mode flag.
The login mode flag distinguishes keyboard login from magnetic stripe login.
In magnetic stripe login, the client controls the magnetic card reader/writer to read and write the magnetic stripe.
The encrypted string containing the user name, used as the query string, comprises the server address (SERVERURL), the encrypted string (SSISAuth) and the signature string (SSISign).
The server address comprises the authentication server address and the site address.
The encrypted string also comprises an authentication timestamp.
The encrypted string is encrypted with the public key of the selected site.
The encrypted string is Base64 encoded.
The signature string is a signature over the plaintext of the encrypted string; signing proceeds by first computing an MD5 hash of the plaintext, then encrypting it with the authentication server's private key, then Base64 encoding the result.
Updating the relevant database information by the authentication server means updating, in the authentication server database, the session information, the business subsystem name, the login server address, the connection establishment time and the log record.
The authentication server management terminal maintains the information of each internal system: adding and deleting sites, updating site public keys, key management including key renewal, and log management.
The internal system information maintained by the authentication server management terminal comprises business system name, login URL, creation time, remarks and so on.
The network is a wide area network.
The network is a local area network or an intranet.
A network-based uniform authentication system, characterised in that it comprises at least one authentication server, a plurality of business site servers, user login terminals and an authentication server management terminal;
the user login terminals, the authentication server, the business site servers and the authentication server management terminal are connected by a network;
wherein the user login terminal sends a login request to the authentication server through a login logic circuit;
the authentication processing logic circuit of the authentication server processes the received login request message, including authentication; if the authentication is legitimate, it creates session information for this login of this login terminal and returns a homepage containing the routing information of each business site to the login logic circuit of the login terminal;
after the login terminal has selected a business site server, the authentication processing logic circuit of the authentication server generates for the login terminal an encrypted string containing the user name as the query string (QUERY_STRING), updates the relevant information in its database, and redirects the user login terminal to the selected site server; the login terminal and the selected site server are then directly connected, and the verification logic circuit of the selected site server verifies the encrypted string containing the user name; if the encrypted string is valid, the business-site login and the access-right check are performed, and the business site server keeps the encrypted string and the signature string over it; the site then communicates with the login terminal in accordance with its access rights and provides the relevant business data;
if the authentication request message is illegitimate, the authentication processing logic circuit prompts the terminal to resend the authentication request message.
The authentication information of the login terminal comprises a user name and password.
The authentication information of the login terminal comprises a user name and the access authority information corresponding to that user name.
The authentication processing logic circuit of the authentication server checks the terminal's login mode flag.
The login mode flag distinguishes ordinary user name and password login from magnetic stripe login.
In magnetic stripe login, the client controls the magnetic card reader/writer to read and write the magnetic stripe.
The encrypted string containing the user name that the authentication logic circuit generates as the query string comprises the server address (SERVERURL), the encrypted string (SSISAuth) and the signature string (SSISign).
The server address comprises the authentication server address and the site address.
The encrypted string also comprises an authentication timestamp.
The authentication logic circuit encrypts the encrypted string with the public key of the selected site.
The authentication logic circuit Base64-encodes the encrypted string.
The authentication logic circuit signs the plaintext of the encrypted string: it first computes an MD5 hash of the plaintext, then encrypts it with the authentication server's private key, then Base64 encodes the result.
Updating the relevant database information by the authentication server means updating, in the authentication server database, the session information, the business subsystem name, the login server address, the connection establishment time and the log record.
The authentication server management terminal comprises a management logic circuit that maintains the information of each internal system, adds and deletes sites, updates site public keys, performs key management including key renewal, and performs log management.
The internal system information maintained by the management logic circuit of the authentication server comprises business system name, login URL, creation time, remarks and so on.
The network is a wide area network.
The network is a local area network or an intranet.
The effect of the invention is that, by providing this authentication method and system, all tellers are authenticated uniformly, security management is made convenient, and the whole security authentication system can be upgraded easily without upgrading each subsystem separately; because the authentication server performs only authentication and no access-right checks, complex and bulky integration of access rights is avoided and the whole system is loosely coupled.
Description of drawings
Fig. 1 is a logic diagram of the method of the invention applied to a banking system;
Fig. 2 is a logic diagram of the system of the invention;
Fig. 3 is a workflow diagram of the invention.
Embodiment
The specific embodiments of the invention are described below with reference to the drawings.
As shown in Fig. 1, the invention is illustrated by its application in a banking system. The teller information stored in the database of the authentication server comprises the teller number, password, area code, bank level, category (used to distinguish which operations may be performed after logging in to the authentication server), department (usable to distinguish business systems), post, and the natural person's particulars (name, sex, ID card number and so on); it does not contain the teller's actual rights in the different systems. When a bank teller requests the authentication server through the browser, the teller enters the teller number and password (the password is stored encrypted in the database), or the teller's magnetic card is read by the magnetic card reader/writer; teller numbers are allocated centrally by the authentication server, serially by area code, with the head office and provincial branches following a unified newly compiled area-code scheme. This information is submitted to the authentication server by POST. The authentication server authenticates the teller number, password and magnetic stripe information (authentication only, no checking of rights). If the user is authenticated, processing continues; otherwise the login fails and the teller is prompted to re-enter user name and password. The authentication server creates session information for this login of this teller and returns the authentication server homepage to the browser (without judging which business system the teller belongs to); the teller may freely select any system. When the teller selects a site A, the authentication server generates for the teller an encrypted string containing the user name as the query string QUERY_STRING. This string comprises the authentication server address and the site address, a login flag and a logout flag, the encrypted string and the signature string. The encrypted string contains the user name and the authentication timestamp, is encrypted with the public key of site A (so that only that site can decrypt it) and is Base64 encoded. The signature string is a signature over the plaintext of the encrypted string (first an MD5 hash of the plaintext is computed, then encrypted with the authentication server's private key, this private key being stored under Triple DES encryption, then Base64 encoded). At the same time the authentication server updates the relevant database information and redirects the request to the corresponding site A; the teller terminal and site A are now directly connected, and site A verifies the encrypted string containing the user name: site A first Base64-decodes SSIAuth, then decrypts SSIAuth with its own private key to obtain the plaintext (the teller number), then verifies the signature SSISign (first Base64-decoding it, then decrypting it with the authentication server's public key, then computing the MD5 hash of the SSIAuth plaintext and comparing whether the two results are identical). If valid, the business subsystem login is performed (the access-right check is made here), and site A keeps the encrypted string SSIAuth and the signature string SSISign over it. If site A finds the encrypted string invalid, the teller is redirected back to the authentication server, from where other business subsystems can be requested. When the teller wants to log out, a request is sent back to the authentication server to log out; logging out of the authentication server does not affect other sites that are already in the logged-in state, but to log in to further business subsystems the teller must log in to the unified authentication server again. The authentication server deletes the information for this login of this teller from its database; after logging in to the authentication server again, the teller's former SESSION information on the authentication server is lost and the authentication server generates new authentication information. When the teller selects logout on the authentication server homepage, depending on the teller's login mode flag, the browser drives the card reader to swipe the card; the authentication server deletes the information for this login of this teller from the database and writes a log entry.
Management of the authentication server comprises the following functions:
Maintenance of site (internal system) information, including adding and deleting sites and updating site public keys; the main information items are business system name, login URL, creation time, remarks and so on.
Key management, including key renewal.
Log management.
Tellers are divided into: A. Authentication system management tellers, who manage and issue tellers within the authentication system and may perform authentication service management; they exist only on the authentication server. B. Business system management tellers, who create and maintain tellers within each internal system and have, on the authentication server, the function of querying teller information within the scope of their business system; they exist on the authentication server and in the corresponding business system (they are in fact a special class-C teller, and may be regarded as the root teller of the appropriate level of each business system). C. Business tellers, the business tellers of each business system; they exist on the authentication server and in the corresponding business system. They are issued from the authentication server by a class-A teller of the appropriate level, and then set up in the business system by a class-B teller of the appropriate level.
Teller cancellation mechanism on the authentication server:
A. A class-A teller cancels a teller under their jurisdiction (for example when that teller leaves) through the cancellation function of the authentication server; the teller number is invalidated, the teller information is deleted, and the teller number may be reused;
B. Relation to the business systems: once cancelled on the authentication server, the teller number can no longer log in to any internal system, regardless of whether it still exists in the business systems; in the business process the teller should first be cancelled in each business system, and each business system retains its own cancellation records;
Teller maintenance function on the authentication server:
A. A class-A teller maintains the authentication information of a teller under their jurisdiction (for example a change of line of business) through the teller maintenance function of the authentication server; the password may be reset and modified, and all teller information other than the teller number may be changed;
B. Relation to the business systems: this is only an adjustment of the teller's identification information and does not affect the business systems; if the line of business changes, the teller must be cancelled in the old system and opened in the new one, while the teller information on the authentication server does not change substantially (the department may be adjusted);
The embodiment of the system of the invention is described below with reference to Fig. 2.
When the bank teller sends a login request to the authentication server through the login logic circuit of the teller terminal, the teller enters user name and password, or the teller's magnetic card is read by the magnetic card reader/writer, and this information is submitted by POST to the authentication processing logic circuit of the authentication server. This logic circuit authenticates the teller number, password and magnetic stripe information (authentication only, no checking of rights). If the login fails, the login logic circuit prompts the teller to re-enter user name and password; otherwise the user is authenticated and processing continues: session information for this login of this teller is created on the authentication server, and the authentication server homepage is returned to the login logic circuit (without judging which business system the teller belongs to); the teller may freely select any system. When the teller selects a site A, the authentication processing logic circuit of the authentication server generates for the teller an encrypted string containing the user name as the query string QUERY_STRING. This string comprises the authentication server address and the site address, a login flag and a logout flag, the encrypted string and the signature string; the encrypted string contains the user name and the authentication timestamp, is encrypted with the public key of site A (so that only that site can decrypt it) and is Base64 encoded; the signature string is a signature over the plaintext of the encrypted string (first an MD5 hash of the plaintext is computed, then encrypted with the authentication server's private key, this private key being stored under Triple DES encryption, then Base64 encoded). At the same time the relevant database information is updated and the authentication server redirects the request to the corresponding site A. The teller terminal and site A are now directly connected, and the verification logic circuit of site A verifies the encrypted string containing the user name: it first Base64-decodes SSIAuth, then decrypts SSIAuth with its own private key to obtain the plaintext (the teller number), then verifies the signature SSISign (first Base64-decoding it, then decrypting it with the authentication server's public key, then computing the MD5 hash of the SSIAuth plaintext and comparing whether the two results are identical). If valid, the business subsystem login is performed (the access-right check is made here), and site A keeps the encrypted string SSIAuth and the signature string SSISign over it. If the verification logic circuit of site A finds the encrypted string invalid, the teller is redirected back to the authentication server, from where other business subsystems can be requested. When the teller wants to log out of the authentication server, a request is sent back to the authentication server to log out; logging out of the authentication server does not affect other sites that are already in the logged-in state, but to log in to further business subsystems the teller must log in to the unified authentication server again. The authentication processing logic circuit of the authentication server deletes the information for this login of this teller from the database; after logging in to the authentication server again, the teller's former SESSION information in the authentication server database is lost and the authentication processing logic circuit generates new authentication information. When the teller selects logout on the authentication server homepage, depending on the teller's login mode flag, the login logic circuit of the teller terminal drives the card reader to swipe the card; the authentication processing logic circuit of the authentication server deletes the information for this login of this teller from the database and writes a log entry.
The management logic circuit of the authentication server management end provides the following management functions:
Maintenance of site (internal system) information, including adding and deleting sites and updating site public keys; the main information items are business system name, login URL, creation time, remarks and so on.
Key management, including key renewal.
Log management.
Fig. 3 is the workflow diagram of the invention.
(1) The teller requests the authentication server through the browser;
(2) the authentication server first checks the query string (QUERY_STRING) carried by the incoming request and verifies it; if the identity is valid, it goes directly to step (5);
(3) the authentication server requires the teller to enter login information, the browser submits it to the authentication server, and the authentication server checks the teller's login mode flag;
(4) if the authentication server authenticates the user information successfully it continues; otherwise the login fails and the teller is prompted to re-enter user name and password;
(5) session information for this login of this teller is created and the authentication server homepage is returned to the browser, from which the teller may freely select the required business subsystem;
(6) the teller selects a site A; the authentication server generates for the teller an encrypted string containing the user name as the query string QUERY_STRING and updates the relevant database information;
(7) the authentication server redirects the request to the corresponding site A;
(8) the teller and site A are directly connected, and site A verifies the encrypted string containing the user name; if the encrypted string is valid, the business subsystem login and the access-right check are performed, and site A keeps the encrypted string SSIAuth and the signature string SSISign over it in that subsystem; if site A finds the encrypted string invalid, the teller is redirected back to the authentication server and returns to step (2) in order to enter other business subsystems;
(9) the teller sends a request back to the authentication server to log out, and the authentication server deletes the information for this login of this teller from its database.
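The token construction of the technical scheme, the site-side verification of the embodiment (Base64 decode, decrypt with the site's private key, MD5 the plaintext, verify the signature under the authentication server's public key, then the site's own access-right check) and steps (6) to (8) of the workflow, as an added example in Go; this is not code from the patent or from ICBC. It assumes RSA PKCS#1 v1.5 for both the public-key encryption and the "encrypt the MD5 hash with the private key" signature (the patent names public/private keys, MD5 and Base64 but no RSA padding), a `user|unixtime` plaintext layout, a `|` separator inside SERVERURL, the claim spelling `SSISAuth` (the embodiment writes `SSIAuth`), and a two-minute freshness window on the timestamp (the patent carries the timestamp but does not say how the site uses it). The login and logout flags of the embodiment are omitted, the Triple DES protection of the stored private key is not modelled, and the names `AuthServer`, `Site`, `Issue`, `Login`, `newDemo`, the host names and the `teller001` rights table are invented for the example.

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// AuthServer signs tokens; it holds only each registered site's public key and login URL.
type AuthServer struct {
	BaseURL string
	priv    *rsa.PrivateKey
	sitePub map[string]*rsa.PublicKey
	siteURL map[string]string
}

// Site decrypts tokens with its own private key and authorises users locally.
type Site struct {
	priv    *rsa.PrivateKey
	authPub *rsa.PublicKey
	rights  map[string]bool // site-local rights table (constructed sample data)
	MaxAge  time.Duration   // freshness window: an assumption, the patent only carries the timestamp
}

// Issue builds the QUERY_STRING for a selected site: "user|unixtime" RSA-encrypted to the
// site's public key (SSISAuth) and MD5(plaintext) signed with the server's private key (SSISign).
func (a *AuthServer) Issue(site, user string, now time.Time) (string, error) {
	pub, ok := a.sitePub[site]
	if !ok {
		return "", errors.New("site not registered on the authentication server")
	}
	plain := []byte(user + "|" + strconv.FormatInt(now.Unix(), 10))
	ct, errEnc := rsa.EncryptPKCS1v15(rand.Reader, pub, plain)
	h := md5.Sum(plain)
	sig, errSig := rsa.SignPKCS1v15(rand.Reader, a.priv, crypto.MD5, h[:])
	if err := errors.Join(errEnc, errSig); err != nil {
		return "", err
	}
	q := url.Values{"SERVERURL": {a.BaseURL + "|" + a.siteURL[site]}, // auth server address + site address
		"SSISAuth": {base64.StdEncoding.EncodeToString(ct)}, "SSISign": {base64.StdEncoding.EncodeToString(sig)}}
	return a.siteURL[site] + "?" + q.Encode(), nil
}

// Login is the site-side check: Base64-decode and decrypt SSISAuth, re-hash the plaintext,
// verify SSISign under the auth server's public key, then apply freshness and access rights.
func (s *Site) Login(rawURL string, now time.Time) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	ct, errA := base64.StdEncoding.DecodeString(q.Get("SSISAuth"))
	sig, errS := base64.StdEncoding.DecodeString(q.Get("SSISign"))
	if err := errors.Join(errA, errS); err != nil {
		return "", err
	}
	plain, err := rsa.DecryptPKCS1v15(rand.Reader, s.priv, ct)
	if err != nil {
		return "", errors.New("SSISAuth was not encrypted to this site's public key")
	}
	h := md5.Sum(plain)
	if rsa.VerifyPKCS1v15(s.authPub, crypto.MD5, h[:], sig) != nil {
		return "", errors.New("SSISign does not verify under the authentication server's public key")
	}
	user, ts, ok := strings.Cut(string(plain), "|")
	issued, errT := strconv.ParseInt(ts, 10, 64)
	if !ok || errT != nil {
		return "", errors.New("malformed token plaintext")
	}
	if age := now.Sub(time.Unix(issued, 0)); age < 0 || age > s.MaxAge {
		return "", errors.New("token outside the freshness window")
	}
	if !s.rights[user] { // the access-right check belongs to the site, not to the auth server
		return "", fmt.Errorf("%s authenticated but has no rights on this site", user)
	}
	return user, nil
}

// newDemo wires one authentication server and one site "A" with fresh RSA keys.
func newDemo() (*AuthServer, *Site) {
	authKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	siteKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	auth := &AuthServer{BaseURL: "https://sso.bank.example", priv: authKey,
		sitePub: map[string]*rsa.PublicKey{"A": &siteKey.PublicKey},
		siteURL: map[string]string{"A": "https://site-a.bank.example/login"}}
	site := &Site{priv: siteKey, authPub: &authKey.PublicKey,
		rights: map[string]bool{"teller001": true}, MaxAge: 2 * time.Minute}
	return auth, site
}

func main() {
	auth, site := newDemo()
	redirect, _ := auth.Issue("A", "teller001", time.Now())
	fmt.Println(site.Login(redirect, time.Now()))
}
```

Splicing one user's SSISAuth under another user's SSISign is rejected because the signature is over the decrypted plaintext, which is the property the embodiment's "compare the two MD5 results" step relies on. Two caveats a practitioner would add today: MD5 is no longer collision-resistant, so a SHA-2 digest should be signed instead, and a token carried in the query string lands in web-server logs, proxy logs, Referer headers and browser history and can be replayed within the freshness window unless the site refuses an SSISAuth it has already accepted (the patent does have the site keep the string, which makes that check possible). RSA PKCS#1 v1.5 encryption is also exposed to padding-oracle attacks if a site's decryption failures are distinguishable; RSA-OAEP avoids that.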
Above embodiment only limits to illustrate the present invention, but not is used to limit the present invention.

Claims (34)

1. A network-based unified authentication method, in a communication system made up of a login terminal and a plurality of business sites, the login terminal and the business sites communicating over a network; characterized in that at least one certificate server is connected in the network, the authentication information of the login terminal is stored in the database of this server, and this certificate server provides an internal centralized entrance (inner portal) website; the database of each business site stores its own business data and the authentication information of the login terminal, and the information inside the certificate server is managed through a certificate server management terminal;
When the login terminal communicates with a certain business site, the following steps are carried out:
The login terminal sends login request information to the certificate server through its own browser;
The certificate server processes the received login request information, including authentication; if the authentication is valid, it establishes session information for this login of this login terminal and returns to the browser of this login terminal a home page that includes the routing information of each business site;
The login terminal selects any of the business site routing information;
After the login terminal has selected a certain business site, the certificate server produces for this login terminal an encryption string containing the user name, to be used as the query string (QUERY_STRING), and at the same time updates the relevant information in its database; the certificate server redirects the login request to the selected website; the login terminal and the selected website connect directly, and the selected website verifies the encryption string containing the user name; if the encryption string is valid, the business site login is carried out and the access rights are checked, and the business site keeps this encryption string and the signature string with which the encryption string was signed; the business site then communicates with the login terminal in accordance with its access rights and provides the relevant business data;
If the authentication request information is invalid, the terminal is prompted to resend the authentication request information.
2. The network-based unified authentication method according to claim 1, characterized in that the authentication information of the login terminal comprises a username and a password.
3. The network-based unified authentication method according to claim 1, characterized in that the authentication information of the login terminal comprises a user name and the access authority information corresponding to that user name.
4. The network-based unified authentication method according to claim 1, characterized in that the processing the certificate server performs on the received login request information comprises the certificate server checking the login mode flag of this terminal.
5. The network-based unified authentication method according to claim 1 or 4, characterized in that the login mode flag comprises a keyboard login mode and a magnetic stripe login mode.
6. The network-based unified authentication method according to claim 5, characterized in that the magnetic stripe login mode drives a magnetic card reader/writer through a client control to read and write the magnetic stripe.
7. The network-based unified authentication method according to claim 1, characterized in that the encryption string containing the user name, used as the query string, comprises a server address (SERVERURL), an encryption string (SSISAuth) and a signature string (SSISign).
8. The network-based unified authentication method according to claim 7, characterized in that the server address comprises the address of the authentication server and the site address.
9. The network-based unified authentication method according to claim 7, characterized in that the encryption string further comprises an authentication time stamp.
10. The network-based unified authentication method according to claim 9, characterized in that the encryption string is encrypted with the public key of the selected website.
11. The network-based unified authentication method according to any one of claims 1, 7, 9 and 10, characterized in that the encryption string is encoded with Base64.
12. The network-based unified authentication method according to claim 1, characterized in that the signature string is a signature over the plaintext of the encryption string, produced by the following steps: first compute the hash value of the plaintext with MD5, then encrypt it with the private key of the certificate server, then encode it with Base64.
13. The network-based unified authentication method according to claim 1, characterized in that the certificate server updating the relevant information in its database consists of updating, in the certificate server database, the session information, the name of the service subsystem, the login server address, the connection establishment time and the log record.
14. The network-based unified authentication method according to claim 1, characterized in that the certificate server management terminal maintains the information of each internal system, the addition and deletion of websites, the updating of website public keys, key management including key updating, and log management.
15. The network-based unified authentication method according to claim 1, characterized in that the information of each internal system maintained by the certificate server management terminal comprises the service system name, login URL, establishment time, remarks, etc.
16. The network-based unified authentication method according to claim 1, characterized in that the network is a wide area network.
17. The network-based unified authentication method according to claim 1, characterized in that the network is a local area network (LAN) and an intranet.
18. A network-based unified authentication system, characterized in that it comprises: at least one certificate server, a plurality of business site servers, a user login terminal and a certificate server management terminal;
The user login terminal, the certificate server, the plurality of business site servers and the certificate server management terminal are connected by a network;
Wherein the user login terminal sends a login request to the certificate server through a login logic circuit;
The authentication processing logic circuit of the certificate server processes the received login request information, including authentication; if the authentication is valid, it establishes session information for this login of this login terminal and returns a home page that includes the routing information of each business site to the login logic circuit of this login terminal;
After the login terminal has selected a certain business site server, the authentication processing logic circuit of the certificate server produces for this login terminal an encryption string containing the user name, to be used as the query string (QUERY_STRING), and at the same time updates the relevant information in its database; the certificate server redirects the user login terminal to the selected site server; the login terminal and the selected site server connect directly, and the verification logic circuit of the selected site server verifies the encryption string containing the user name; if the encryption string is valid, the business site login is carried out and the access rights are checked, and the business site server keeps this encryption string and the signature string with which the encryption string was signed; the business site then communicates with the login terminal in accordance with its access rights and provides the relevant business data;
If the authentication request information is invalid, the authentication processing logic circuit prompts the terminal to resend the authentication request information.
19. The network-based unified authentication system according to claim 18, characterized in that the authentication information of the login terminal comprises a username and a password.
20. The network-based unified authentication system according to claim 18, characterized in that the authentication information of the login terminal comprises a user name and the access authority information corresponding to that user name.
21. The network-based unified authentication system according to claim 18, characterized in that the authentication processing logic circuit of the certificate server checks the login mode flag of this terminal.
22. The network-based unified authentication system according to claim 21, characterized in that the login mode flag comprises an ordinary username-and-password login mode and a magnetic stripe login mode.
23. The network-based unified authentication system according to claim 22, characterized in that the magnetic stripe login mode drives a magnetic card reader/writer through a client control to read and write the magnetic stripe.
24. The network-based unified authentication system according to claim 18, characterized in that the encryption string containing the user name that the authentication logic circuit produces as the query string comprises a server address (SERVERURL), an encryption string (SSISAuth) and a signature string (SSISign).
25. The network-based unified authentication system according to claim 24, characterized in that the server address comprises the address of the authentication server and the site address.
26. The network-based unified authentication system according to claim 24, characterized in that the encryption string further comprises an authentication time stamp.
27. The network-based unified authentication system according to claim 18, characterized in that the authentication logic circuit encrypts the encryption string with the public key of the selected website.
28. The network-based unified authentication system according to any one of claims 18, 24, 26 and 27, characterized in that the authentication logic circuit encodes the encryption string with Base64.
29. The network-based unified authentication system according to claim 18, characterized in that the authentication logic circuit signs the plaintext of the encryption string by the following steps: first compute the hash value of the plaintext with MD5, then encrypt it with the private key of the certificate server, then encode it with Base64.
30. The network-based unified authentication system according to claim 18, characterized in that the certificate server updating the relevant information in its database consists of updating, in the certificate server database, the session information, the name of the service subsystem, the login server address, the connection establishment time and the log record.
31. The network-based unified authentication system according to claim 18, characterized in that the certificate server management terminal comprises a management logic circuit, which maintains the information of each internal system, the addition and deletion of websites, the updating of website public keys, key management including key updating, and log management.
32. The network-based unified authentication system according to claim 18 or 31, characterized in that the information of each internal system maintained by the management logic circuit of the certificate server comprises the service system name, login URL, establishment time and remarks.
33. The network-based unified authentication system according to claim 18, characterized in that the network is a wide area network.
34. The network-based unified authentication system according to claim 18, characterized in that the network is a LAN and an intranet.
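The redirect exchange of steps (6) to (8) of the Figure 3 workflow, as specified by claims 7, 9, 10 and 12, written out as an added Go example (not code from the patent or from ICBC): the certificate server builds the QUERY_STRING from SERVERURL, SSISAuth (user name plus authentication time stamp, encrypted with the site's public key) and SSISign (MD5 of the plaintext, encrypted with the server's private key, Base64-encoded), and the business site decrypts and checks it. The "user|unix-time" plaintext layout, PKCS#1 v1.5 padding and the freshness window on the time stamp are assumptions the patent does not specify.

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// IssueQueryString is the certificate server side of steps (6)/(7): it builds the
// QUERY_STRING of claim 7 from SERVERURL, SSISAuth and SSISign. The plaintext
// layout "user|unix-time" is an assumption; the patent only names its fields.
func IssueQueryString(serverURL, user string, authTime time.Time,
	serverPriv *rsa.PrivateKey, sitePub *rsa.PublicKey) (string, error) {
	plain := []byte(user + "|" + strconv.FormatInt(authTime.Unix(), 10))
	enc, err := rsa.EncryptPKCS1v15(rand.Reader, sitePub, plain) // claim 10
	if err != nil {
		return "", err
	}
	// MD5 is what claim 12 specifies; it is no longer collision resistant, so a
	// current deployment would hash with SHA-256 instead.
	digest := md5.Sum(plain)
	sig, err := rsa.SignPKCS1v15(rand.Reader, serverPriv, crypto.MD5, digest[:])
	if err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("SERVERURL", serverURL)
	q.Set("SSISAuth", base64.StdEncoding.EncodeToString(enc)) // claim 11
	q.Set("SSISign", base64.StdEncoding.EncodeToString(sig))
	return q.Encode(), nil
}

// VerifyQueryString is the business site side of step (8). The maxAge check on
// the claim 9 time stamp is an added replay bound the patent does not spell out.
func VerifyQueryString(query string, sitePriv *rsa.PrivateKey,
	serverPub *rsa.PublicKey, now time.Time, maxAge time.Duration) (string, error) {
	q, err := url.ParseQuery(query)
	if err != nil {
		return "", err
	}
	enc, errA := base64.StdEncoding.DecodeString(q.Get("SSISAuth"))
	sig, errS := base64.StdEncoding.DecodeString(q.Get("SSISign"))
	if errA != nil || errS != nil {
		return "", errors.New("SSISAuth or SSISign is not valid Base64")
	}
	plain, err := rsa.DecryptPKCS1v15(rand.Reader, sitePriv, enc)
	if err != nil {
		return "", errors.New("SSISAuth was not encrypted for this site")
	}
	digest := md5.Sum(plain)
	if rsa.VerifyPKCS1v15(serverPub, crypto.MD5, digest[:], sig) != nil {
		return "", errors.New("SSISign was not produced by the certificate server")
	}
	parts := strings.SplitN(string(plain), "|", 2)
	ts, err := strconv.ParseInt(parts[len(parts)-1], 10, 64)
	if len(parts) != 2 || err != nil {
		return "", errors.New("malformed ticket plaintext")
	}
	if age := now.Sub(time.Unix(ts, 0)); age < 0 || age > maxAge {
		return "", errors.New("ticket outside the accepted time window")
	}
	return parts[0], nil
}

func main() {
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048) // certificate server key pair
	siteKey, _ := rsa.GenerateKey(rand.Reader, 2048)   // business site A key pair
	qs, _ := IssueQueryString("https://auth.example/", "teller01", time.Now(), serverKey, &siteKey.PublicKey)
	user, err := VerifyQueryString(qs, siteKey, &serverKey.PublicKey, time.Now(), 5*time.Minute)
	fmt.Println(user, err)
}
```

A site that accepts the ticket with the wrong server key, a stale time stamp, or a ciphertext meant for another site would let a forged redirect log a teller in, which is why each of those checks fails closed here.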

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100709103A CN100397814C (en) 2004-07-13 2004-07-13 Uniform identication method and system based on network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2004100709103A CN100397814C (en) 2004-07-13 2004-07-13 Uniform identication method and system based on network

Publications (2)

Publication Number Publication Date
CN1588853A true CN1588853A (en) 2005-03-02
CN100397814C CN100397814C (en) 2008-06-25

Family

ID=34604548

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100709103A Active CN100397814C (en) 2004-07-13 2004-07-13 Uniform identication method and system based on network

Country Status (1)

Country Link
CN (1) CN100397814C (en)

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101719238A (en) * 2009-11-30 2010-06-02 中国建设银行股份有限公司 Method and system for managing, authenticating and authorizing unified identities
CN101047504B (en) * 2006-03-29 2010-06-09 腾讯科技(深圳)有限公司 Network log-in authorization method and authorization system
CN1937662B (en) * 2005-09-21 2010-12-08 中兴通讯股份有限公司 User unified authentication method for telecommunication voice value-added business
CN101919221A (en) * 2007-11-26 2010-12-15 Csp-斯卡尔创新信息和通信技术公司 Authentication method without credential duplication for users belonging to different organizations
CN101127599B (en) * 2006-08-18 2011-05-04 华为技术有限公司 An identity and right authentication method and system and a biological processing unit
CN101136915B (en) * 2007-10-16 2011-08-10 中兴通讯股份有限公司 Method and system for implementing multi-service united safety authentication
CN102455777A (en) * 2010-10-26 2012-05-16 技嘉科技股份有限公司 Peripheral device with wireless connection function and running method thereof
CN102509030A (en) * 2009-09-25 2012-06-20 郭敏 Anonymous preservation of a relationship and its application in account system management
CN102546770A (en) * 2011-12-26 2012-07-04 中兴通讯股份有限公司 Unified account management method and third-party account management system
CN101621527B (en) * 2009-08-21 2012-07-11 杭州华三通信技术有限公司 Method, system and device for realizing safety certificate based on Portal in VPN
CN102684884A (en) * 2012-05-24 2012-09-19 杭州华三通信技术有限公司 Portal Web server and method for preventing off-line request forgery
CN101420416B (en) * 2007-10-22 2013-03-13 中国移动通信集团公司 Identity management platform, service server, login system and method, and federation method
CN103023921A (en) * 2012-12-27 2013-04-03 中国建设银行股份有限公司 Authentication and access method and authentication system
CN101296371B (en) * 2007-04-23 2013-06-05 华为技术有限公司 IPTV terminal, IPTV system and IPTV service implementing method
CN105337967A (en) * 2015-10-16 2016-02-17 晶赞广告(上海)有限公司 Method and system for achieving target server logging by user and central server
CN105933347A (en) * 2016-06-29 2016-09-07 天脉聚源(北京)传媒科技有限公司 Method and device for acquiring data resources in application program
CN109474435A (en) * 2018-12-12 2019-03-15 中国移动通信集团江苏有限公司 Method, apparatus, equipment, system and the medium of multiple business relay certifications
CN109542816A (en) * 2018-10-29 2019-03-29 中国电子科技集团公司第二十九研究所 A kind of service bus building method based on distributed system
CN110868301A (en) * 2019-11-07 2020-03-06 浪潮软件股份有限公司 Identity authentication system and method based on state cryptographic algorithm
CN111030996A (en) * 2014-10-24 2020-04-17 华为技术有限公司 Method and device for accessing resources
CN113327359A (en) * 2017-12-29 2021-08-31 创新先进技术有限公司 Traffic detection method, device and system

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI775460B (en) * 2021-06-01 2022-08-21 重量科技股份有限公司 Risk information exchange system and method with privacy protection

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1403948A (en) * 2001-09-04 2003-03-19 神达电脑股份有限公司 Server log-in system and method
JP4449288B2 (en) * 2001-10-31 2010-04-14 ヤマハ株式会社 Authentication method and apparatus
CN100463479C (en) * 2001-12-25 2009-02-18 中兴通讯股份有限公司 Wide-band network authentication, authorization and accounting method


Also Published As

Publication number Publication date
CN100397814C (en) 2008-06-25


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant