CN1592197A - Method of identification between user device and local client use or remote-network service - Google Patents

Method of identification between user device and local client use or remote-network service Download PDF

Info

Publication number
CN1592197A
CN1592197A CN 03156489 CN03156489A CN1592197A CN 1592197 A CN1592197 A CN 1592197A CN 03156489 CN03156489 CN 03156489 CN 03156489 A CN03156489 A CN 03156489A CN 1592197 A CN1592197 A CN 1592197A
Authority
CN
Grant status
Application
Patent type
Prior art keywords
service
authentication
application
cpe
method
Prior art date
Application number
CN 03156489
Other languages
Chinese (zh)
Other versions
CN100426719C (en )
Inventor
施宣明
Original Assignee
台均实业有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Links

Abstract

This invention provides a method for authenticating authority limitation between a user end device and local customer end application /remote network service which sets certification information and safety unit interfaces in user end device, sets path certification documents and access safety unit interface matched to the certification information, the safety interface is the specific protocol for their communication, when a user needs an application or service, the safety unit interface sends the two certification documents to a certifying unit for authentication, the authenticated user end devices can get the software service or service, if not, it is refused.

Description

用户端设备与本地客户端应用或远程网络服务间鉴权的方法 Methods CPE and the local client application or between a remote network authentication service

技术领域 FIELD

本发明涉及计算机技术领域,具体地说,涉及用户端设备与本地客户端应用或远程网络服务间鉴权的方法,尤其是在用户端基于软硬件结合方式实现的与客户端应用服务间鉴权的方法。 The method of the present invention relates to computer technology field, and more particularly between CPE and the local application or remote client authentication service network, in particular based on hardware and software manner between the client application in the client authentication service Methods.

背景技术 Background technique

应用软件和网络服务的不断发展,必将导致用户和应用服务之间的信息交互。 The development of network applications and services, will lead to information exchange between users and applications. 这种信息交互不可能是无约束的,必须是在安全机制之下进行。 This can not be unconstrained information exchange must be carried out under the security mechanism. 一方面,需要知道哪些用户有权使用哪些应用或服务;另一方面,用户也需要知道哪些应用或服务可以访问用户的哪部分个人信息。 On the one hand, you need to know which users have access to which applications or services; on the other hand, you also need to know which application or service can access which parts of the user's personal information.

对于信息交互过程中,用户和应用服务双方之间的鉴权和认证,已经有一些方法来实现,但这些方法都存在自身的缺陷。 For the information exchange process between the parties to authenticate and authorize users and application services, already there are ways to achieve, but these methods have their own shortcomings. 例如软加密的技术,是不依靠特别硬件实现的对软件的保护技术,主要有密码法、计算机硬件校验法、钥匙盘法,这类方法的缺陷是加密方法比较容易被破解,另外其验证条件是固定不变的,一旦被破解,将迅速蔓延。 Such as soft encryption technology, technology does not rely on the protection of software, particularly hardware implementation, there cryptography, computer hardware verification method, key disk method, a defect such methods is relatively easy to crack encryption method, which further verified conditions are fixed, once cracked, will spread rapidly. 目前基于软件发行和网络服务应用的需求,不得不广泛地采取该项技术,但是该加密鉴权方法常常出现尴尬的局面,难以实现诸如版权保护等目的。 Based on the current demand for software distribution and network services applications, it has widely adopted this technology, but the encryption authentication method often embarrassing situation, difficult to achieve such as copyright protection and other purposes. 对于特定的应用,还可以采用硬加密技术,例如硬件加密狗,这种方式的缺点是:一个硬件只能针对一个应用服务进行保护,并且被限制在某一固定的本地终端或远程服务器上使用。 For certain applications, hardware encryption techniques may also be employed, such as a hardware dongle, shortcomings of this approach are: a hardware protection against only one service application, and is restricted to use on a given local terminal or remote server . 这样过于“固定”的硬加密方式,虽然安全性较高,但是灵活性、普适性以及移动性较差,远远不能满足实际情况中被授权用户对于不同应用、不同本地终端或远程服务的通用授权和移动使用的要求。 So too "fixed" hard encryption method, although high security, but flexibility, universality and mobility is poor, can not meet the actual situation in the authorized users for different applications, different local or remote terminal services universal mobile use and authorization requirements.

发明内容 SUMMARY

本发明的目的在于提供一种用户端设备与本地客户端应用或远程网络服务间鉴权的方法,实现用户对授权的客户端应用使用权限的认证,以及用户对网络服务的使用权限的认证。 Object of the present invention is to provide a method for the local client device between the client application or remote web service authentication, user authentication of the client application uses the authorization rights, permissions and user authentication on the network and services.

本发明的再一目的在于提供一种用户端设备与本地客户端应用或远程网络服务间鉴权的方法,实现客户端应用或网络服务对用户的访问权限的认证。 A further object of the present invention is to provide a method for the local client device between the client application or remote web service authentication, the client application for authentication, or network access service to the user.

本发明的另一目的在于提供一种用户端设备与本地客户端应用或远程网络服务间鉴权的方法,可以由同一个硬件设备完成用户与多个客户端应用或网络服务之间的认证。 Another object of the present invention is to provide a method for the local client device between the client application or remote web service authentication, authentication between applications or network services may be completed by a user with a plurality of client hardware device.

本发明的又一目的在于提供一种用户端设备与本地客户端应用或远程网络服务间鉴权的方法,用户端设备与本地客户端应用或远程网络服务可根据需要动态地更改、控制认证条件,灵活地保障数据安全。 A further object of the present invention is to provide a terminal device and a local client or a remote network application service authentication between a user, the local client device or a remote network client application services may be dynamically changed as needed to control authentication condition the flexibility to protect data security.

为此,本发明通过如下技术方案实现上述目的:在用户端设备内设置认证信息以及安全机制接口,在应用或服务内设置与所述认证信息匹配的认证文件和访问安全机制接口的路径;安全机制接口为两者通信的特定协议,当用户需求某应用或服务时,通过用户端设备与应用或服务之间设置的安全机制接口,将两者的认证文件交认证机制进行鉴权,鉴权通过的用户端设备可获得软件应用或服务;没有通过的,则拒绝该用户。 To this end, the present invention achieves the above object is achieved by the following technical solutions: setting authentication information and security interfaces within the client device, is provided with the path and file access security authentication mechanism of the authentication information matches the interface within the application or service; security Interface mechanism for a particular communication protocol both when the user needs an application or service, the security mechanism between the client device via the interface and application or service provided, both the cross-certification document authentication mechanism for authentication, authentication CPE available through a software application or service; not passed, then the user is denied.

本发明通过带有安全机制的硬件设备存储、管理用户和客户端应用或网络服务所需的交互信息,实现信息安全存放、信息管理以及信息安全交互,从而衍生出:硬件设备识别、用户身份验证、用户权限管理、用户数据共享、安全数据存放及管理、软件版权保护、定制应用服务等一系列功能。 The present invention is a storage apparatus with a hardware security mechanism, the desired user and client management application or the interactive information services network, information security storage, management information interaction and information security, which have shown: the hardware device identification, user authentication , user rights management, user data sharing, security, data storage and management, copyright protection software, custom application services and a series of functions.

附图说明 BRIEF DESCRIPTION

图1为本发明认证体系的结构示意图;图2为本发明认证内容的流程示意图; FIG 1 is a schematic structural certification system of the present invention; FIG. 2 of the present invention, the authentication process schematic content;

图3为本发明鉴权和访问的流程图。 3 is a flowchart illustrating access authentication and invention.

具体实施方式 detailed description

下面根据附图和实施例,对本发明的技术方案做进一步的详细描述。 The following figures and examples, further detailed description of the technical solution of the present invention.

参见图1,本发明为一种硬件和软件相结合的用户与客户端应用或网络服务之间的鉴权机制。 Referring to Figure 1, the present invention is a combination of hardware and software, and a client application or user authentication mechanism between the service network. 通过硬件设备内建立的安全机制、授权客户端应用或网络服务的认证文件(AKF)、遵循的安全机制接口、对硬件设备和软件应用服务之间进行鉴权的认证体系,可以实现用户与客户端应用或网络服务之间的鉴权,实现信息安全存放、信息管理以及信息安全交互,从而衍生出:硬件设备识别、用户身份验证、用户权限管理、用户数据共享、安全数据存放及管理、软件版权保护、定制应用服务等一系列功能。 Security mechanisms established by internal hardware, client applications or the authorized service network of certified documents (AKF), followed by security interfaces, between hardware devices and software applications and services for authentication of the certification system, users can achieve with customers authentication between the client application or network services, information security storage, information management and information security interaction, which have shown: a hardware device identification, user authentication, user rights management, user data sharing, data storage and security management software copyright protection, custom application services and a series of functions.

如图2所示,本发明的方法包含3方面的内容:第一、具有安全机制的硬件设备。 2, the method of the present invention comprises a content of 3 aspects: First, a hardware device having a security mechanism. 这个设备具有安全的加密数据空间、加密及认证的算法、自身的认证信息和特性信息。 This device has a data encryption space security, encryption and authentication algorithms, authentication information and its property information. 这个设备可具体表现为不同的电子产品,如:USB闪存、键盘读取设备、MP3读取设备、PDA读取设备、STB读取设备、磁盘读取设备、智能PDA读取设备、数据银行、电子图书、多功能无线设备E-phone、数码相机、录音笔等。 This device may embody different electronic products, such as: USB flash memory, keyboard reading device, MP3 reading device, PDA reading device, STB reading device, disk read devices, smart PDA reading device, data banks, e-books, multi-function wireless devices E-phone, digital camera, voice recorder and so on.

第二、遵循安全机制接口的应用或服务。 Second, following the application or service security interface. 这些应用和服务都具有认证文件,并且通过既定的安全机制接口访问硬件设备。 These applications and services have certification documents, and through the established security mechanism interface to access hardware devices.

第三、认证体系。 Third, the certification system. 认证体系完成鉴权的过程,用于硬件设备和应用服务双方进行合法性和权限的互相认证。 Certification system to complete the authentication process for both the hardware and application services legitimacy and authority of mutual authentication. 认证体系可以由硬件设备的IC实现,也可以由软件方式实现,也可以是二者的结合。 IC certification system may be implemented by hardware, may be realized by a software manner, it may be a combination of both.

当应用或服务需要访问硬件设备时,其简要过程如下:应用或服务发送访问请求,同时将认证文件提交到认证体系;认证体系获取应用或服务的认证文件,同时获取硬件设备自身的认证信息和特性信息;认证体系认证该硬件设备是否有权使用该应用或服务,如无权,返回错误信息,终止访问;否则,继续;认证体系认证该应用或服务是否有权访问该硬件设备,如无权,返回错误信息,终止访问;否则,继续;认证体系对该应用或服务对该硬件设备的有效访问信息(有效空间、大小等等)进行认证;认证通过后,该应用或服务通过既定的安全机制接口访问硬件设备。 When the application or service needs to access hardware devices, it briefly as follows: the application or service to send access requests, also submitted certification documents to the certification system; to obtain certification documentation application or service certification system, while acquiring the hardware device itself authentication information and property information; system certification whether the hardware device is entitled to use the application or service, such as no right, returns an error message, terminate access; otherwise, continue; certification system certification service or whether the application has access to the hardware device, such as no right, returns an error message, terminate access; otherwise, continue; certification system for the application or service to authenticate the effective access to information about the hardware devices (available space, size, etc.); after authentication, the application or service through the established security interface to access hardware devices.

又参见图3,本发明用户硬件设备具有安全机制结构和特点。 See also FIG. 3, the user equipment according to the present invention has the hardware configuration and security features. 硬件设备芯片具有该设备的特性信息,包括唯一的设备ID号和设备类型的标示。 Characteristic information of the hardware device having a chip device, comprising a unique device ID number and device of the type indicated. 硬件设备包括MP3,PDA数据银行,数码相机,录音笔等类型,每一种类型又细分为不同的型号、不同的厂商,具有相同型号、相同厂商的移动存储设备为同一类别。 Hardware devices, including MP3, PDA Data Bank, a digital camera, voice recorder and other types, each type further divided into different types, different vendors have the same type and manufacturer of mobile storage devices to the same category. 在用户硬件设备内建有加、解密的密钥表,用于对安全加密数据区存储的信息进行加、解密,还具有执行信息加解密的功能模块。 User hardware device built in the encryption and decryption key table, information security for encrypted data area stored encryption and decryption, the module has a function of performing information encryption and decryption. 对于信息进行加密解密,可利用软件或者硬件独立或者结合的方式实现。 For encryption and decryption of information, software or hardware may be utilized independently or in combination manner. 上述加密解密算法可以是符合条件的任何算法,例如DES算法、RSA算法,并且用户硬件设备还具有一组命令集,用于实现硬件设备和应用或服务之间的认证过程。 The cryptographic processing algorithm may be any algorithm in line with conditions such as the DES algorithm, the RSA algorithm, and the user hardware device further includes a set of commands, for implementing an authentication procedure between the application and the hardware devices or services.

用户硬件设备内设有一定容量的安全加密数据区。 User hardware devices are equipped with a certain capacity encrypted data safe area. 在该数据区内,存有该硬件设备的认证信息,这些信息是一个服务包的集合,每一个服务包的内容包括:有效标志,用于标志此类服务是否被开启,通过标示该硬件设备可以接受哪些类别的认证文件,就标示了该硬件设备可以使用哪些类别的应用或服务;有效时间,用于标志此类服务的有效截至时间。 In the data area, there's the hardware device authentication information, that information is a collection of a service pack, the contents of each service pack includes: valid flag, whether the flag for such services is turned on, marked by the hardware device What types of documents can be accepted certification, it marked the hardware device which categories of applications or services can be used; the effective time, effective as of the time stamp for such services.

如果要访问安全加密数据区中的数据,必须通过证书认证,而且只能通过安全机制接口进行访问。 If you want to access the data security encryption data area must be, and can only be accessed through a secure interface via certificate authentication mechanism.

本发明另一方面,授权的应用或服务可以是客户端应用,也可以是远端的网络服务应用,该本地客户端或远程网络可以调用安全机制接口,并具有认证文件。 Aspect of the invention, the authorization application or service can be a client application can also be the remote network service application, the local client or a remote network interfaces can call security and have certification documents. 该认证文件在授权时颁发,每一个被授权的应用或服务都具有自己的认证文件。 The certification document issued at the time of authorization, each application or service authorized has its own certification documents. 该认证文件包括:认证文件版本,用于记录认证文件的版本信息;有效区域名称,用于标示授权的应用或服务在硬件设备安全加密数据区中可以访问的区域;有效区域长度,用于标示授权的应用或服务在硬件设备安全加密数据区中可以访问的区域的长度。 The authentication files include: an authentication file version, version information for authentication recorded file; effective area names, a region marked authorized application or service in secure hardware encryption data region can be accessed; effective length area for indicating the length of the authorized area of ​​application or service in the hardware security encryption data area can be accessed. 上述认证文件还包括保密串,用于验证证书拥有者的合法性;有效期限,用于限定该证书的有效时间;服务类别,用于标示该认证文件对应的服务类型;使用方法,用于制定对有效区域的访问方式,如使用哪一把密钥进行加解密;认证文件删除,用于删除该认证文件。 Confidential file further comprises the authentication string is to validate the certificate's owner; expiration date for the certificate is valid time defined; class of service for indicating the authentication service type corresponding to the file; use for the development of the effective area of ​​access methods, such as which key to use for encryption and decryption; authentication file deletion for deleting the authentication file.

本发明的认证体系从硬件设备处取得硬件的认证信息,从授权的应用或服务处取得认证文件,作为进行鉴权认证的依据。 Certification system of the present invention to obtain authentication information from the hardware device at the hardware, certified document from an authorized application or Service, as a basis for authentication and authorization. 认证体系可利用硬件设备IC所带的认证机制算法和/或软件实现的认证机制算法对硬件认证信息和认证文件进行认证。 Certification system to be certified hardware authentication information and files using the authentication mechanism for authentication algorithm hardware devices carried by the IC authentication mechanisms algorithms and / or software implementation.

具体地,本发明的步骤为:首先,为每一个硬件设备设定认证信息,也就是服务包信息。 In particular, the steps of the present invention are: First, the setting for each hardware device authentication information, i.e. the service pack. 每一个硬件设备在出厂时都进行认证信息的设定,认证信息还可以通过软件或网络远程控制的方式进行修改。 Each hardware device authentication information are set at the factory, the authentication information can also be modified through software or network remote control.

其次,为每一个授权的服务或应用生成特定的AKF认证文件,通过颁发渠道交付给使用者。 Second, generate specific AKF certification documents for each authorized service or application, delivered to the user through the award of channels. AKF认证文件具有有效期限,需定期更换。 AKF certification documents have expiration date, to be regularly replaced.

当授权的服务或应用要访问硬件设备信息时,发出访问请求,同时将AKF文件提交到认证体系。 When authorized service or application to access the hardware device information access request, and will submit the file to the AKF certification system. 此时由认证体系读取硬件的认证信息,也就是服务包信息。 At this time, the authentication information is read by the hardware certification system, which is the service pack information.

认证体系首先验证该硬件设备是否有权限使用此项应用或服务,即该硬件设备的用户是否有权限使用此项应用或服务。 Certification system first verifies that the hardware device has permission to use this application or service, whether that is the hardware device user has permission to use this application or service. 具体是:认证体系读取AKF认证文件中的“服务类别”,判断在硬件的认证服务包信息中此项“服务类别”是否为有效服务。 Specifically: AKF certification certification system to read the file "service class", in the judgment of this certification service pack information about the hardware in the "class of service" is a valid service. 如不是,证明该硬件设备无权限使用此项应用或服务,返回错误信息,结束;如是,继续。 If not, prove that the hardware without permission to use this application or service, returns an error message, ending; if so, continue. 认证体系判断硬件的服务包信息中该“服务类别”是否过期。 Service pack information certification system to determine hardware of the "class of service" is expired. 若过期,证明该硬件设备无权限使用此项应用或服务,返回错误信息,结束;如未过期,继续。 If expired, the hardware device to prove no permission to use this application or service, returns an error message, ending; if not expired, continue.

然后认证体系分析AKF认证文件,验证此项应用或服务对硬件设备信息的访问权限。 The authentication system analysis AKF certification documents to verify this application or service to access the hardware device information. 具体是:认证体系读取AKF文件中的“有效时间”,判断AKF文件是否过期,若过期,返回错误信息,结束;如未过期,继续。 Specifically: certification system reads the "Effective Time" AKF file to determine whether AKF file expires, if expired, it returns an error message, ending; if not expired, continue. 读取AKF文件中的“保密串”,判断使用者身份是否合法,如不合法,返回错误信息,结束;如合法,则继续。 AKF read the document "secret string" to determine the identity of the user is legitimate, if not legally, return an error message, ending; as legitimate, then continue. 读取AKF文件中的“有效区域名称”,判断使用者希望访问的空间与有效访问空间是否一致,如不一致,返回错误信息,结束;如一致,继续。 Read "Effective range name" AKF file, determine the user wants to access effective access to space and space are the same, if not, returns an error message, ending; as consistent and continue. 读取AKF文件中的“有效区域大小”,判断访问空间是否溢出,如溢出,返回错误信息,结束;如不溢出,则表明此项应用或服务有权限访问它想要访问的硬件设备信息。 Read "effective area size" AKF file to determine whether access to space overflow, such as overflow, returns an error message, ending; if not overflow, it means that this application or service has access to the hardware device information it wants to access. 最后读取AKF文件中的“使用方法”,取得讲演使用的密钥ID,并通过安全机制接口访问硬件设备上的信息。 Finally, read the AKF document "use" to obtain key ID used in speech and access to information on the hardware security mechanisms via the interface.

采用本发明,实现双向认证的过程如下:认证体系从硬件设备处取得硬件认证信息,从授权的应用或服务处取得认证文件,作为认证的依据。 According to the present invention, two-way authentication process is as follows: to obtain certification system hardware authentication information from the hardware device, certified document from the application or authorized Service as a basis for certification.

其中,用户设备硬件认证信息是一个服务包的集合,标志了该硬件设备对授权的应用或服务的使用权限。 Among them, the user authentication device hardware information package is a collection of services, marking the hardware usage rights to authorized applications or services. 对硬件认证信息的认证,也就是对硬件设备设备权限的认证。 Certified hardware authentication information, which is the certification authority for hardware devices.

认证文件则标志了授权的应用或服务对硬件设备的使用权限。 Certification marks the file is authorized applications or services use rights to the hardware devices. 对认证文件的认证,也就是对授权的应用或服务的权限的认证。 Authentication authentication of documents, which is certified for permission application or service mandates.

采用本发明实现一个硬件设备和多个服务应用之间的认证时,用户设备硬件认证信息是一个服务包的集合,包含了多个服务包,每一个服务包可以标志该硬件设备对某一类授权的应用或服务的使用权限,所以通过硬件认证信息即可验证该硬件设备和多个服务应用之间的认证。 When using the present invention for authentication between a hardware device and a plurality of service applications, the user authentication device hardware is a collection of services information packet, including a plurality of service packages, each service package can mark the hardware device to some kind of unauthorized use permission application or service, the authentication information to verify hardware authentication between the hardware device and multiple service applications.

本发明实现动态控制认证的条件是:用户设备硬件认证信息是可以通过软件或网络远程控制的方式进行修改的;同时AKF认证文件是可以更换的。 Conditions of the present invention is to dynamically control Authentication: User authentication device hardware information can be modified by software, or a remote control network; while AKF authentication file is replaceable. 所以双方的认证条件都是可以动态控制的。 So both the certification requirements can all be dynamically controlled.

最后所应说明的是,以上实施例仅用以说明本发明的技术方案而非限制,尽管参照较佳实施例对本发明进行了详细说明,本领域的普通技术人员应当理解,可以对本发明的技术方案进行修改或者等同替换,而不脱离本发明技术方案的精神和范围,其均应涵盖在本发明的权利要求范围当中。 Finally, it should be noted that the above embodiments are intended to illustrate and not limit the present invention, although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should be understood that the techniques of the present invention program modifications or equivalent replacements without departing from the spirit and scope of the technical solutions of the present invention, which should be covered by the present invention as claimed in which the required range.

Claims (24)

  1. 1.一种用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:在用户端设备内设置认证信息以及安全机制接口,在应用或服务内设置与认证信息匹配的认证文件和访问安全机制接口的路径;安全机制接口为两者通信的特定协议,当用户需求某应用或服务时,通过用户端设备与应用或服务之间设置的安全机制接口,将两者的认证文件交认证机制进行鉴权,鉴权通过的用户端设备可获得软件应用或服务;没有通过的,则拒绝该用户。 A local CPE method between a client application / service authentication remote network, wherein: the authentication information and the security mechanism provided in the CPE interfaces provided in the application or service that matches the authentication information certification path and file access security interface; security protocol specific interfaces for communication with both, when the user needs an application or service, security mechanisms between a CPE and an interface application or service provided, both of cross-authentication file authentication mechanism authenticates the user device authentication available through a software application or service; not passed, then the user is denied.
  2. 2.根据权利要求1所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:用户端设备为USB闪存、键盘读取设备、MP3读取设备、PDA读取设备、STB读取设备、磁盘读取设备、智能PDA读取设备、数据银行、电子词典、多功能无线设备、数码相机、录音笔。 2. The method of authentication between the CPE and the local client application 1 / remote network services claim, wherein: the client device is a USB flash drive, keyboard reading apparatus, MP3 reading device, PDA read to take equipment, STB reading device, disk read devices, smart PDA reading device, data banks, electronic dictionaries, multi-function wireless devices, digital cameras, voice recorder.
  3. 3.根据权利要求1所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:实现鉴权过程的认证机制设置在用户端设备或客户端,或者通过两者结合进行。 3. The method of authentication between the CPE and the local client application 1 / remote network services claim, wherein: the authentication procedure implemented authentication mechanism provided in the client device or client, or by two who in conjunction.
  4. 4.根据权利要求1所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:认证机制进行鉴权是由应用或服务向用户端设备进行,即应用或服务认证用户端设备是否有使用权限。 The CPE and the local client application / service between the remote network authentication method according to claim 1, wherein: authenticating the authentication mechanism is by the application or service to customer premise equipment, i.e., application, or whether service authentication CPE are authorized.
  5. 5.根据权利要求1所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:用户端设备内设置的认证信息是服务包的集合,用于实现与应用或服务之间认证鉴权。 5. The method of authentication between the CPE and the local client application 1 / remote network services claim, wherein: the authentication information provided in the client device is a packet service set, for achieving the application or authentication between the authentication service.
  6. 6.根据权利要求5所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:所述服务包集合含有一个或一个以上服务包信息。 6. The method of inter / remote network service authenticating the client device to the local client application according to claim 5, wherein: the service package comprising a set of one or more service package information.
  7. 7.根据权利要求6所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:所述服务包信息包括有效标志和/或有效时间,其中有效标志标示用户端设备对于某应用或服务的使用权限信息;有效时间标志了此类服务使用的有效时间。 7. The method of between CPE and the local client application 6 / remote network authentication services as claimed in claim wherein: said information includes a valid flag Service pack and / or the effective time, wherein the user active flag Flag end equipment usage rights information for an application or service; marked the effective time effective time use of such services.
  8. 8.根据权利要求7所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:服务包信息可通过网络远程下载动态更新。 The method of CPE and the local client application / service authentication between the remote network according to claim 7, wherein: the service pack information may be dynamically updated over the network remote download.
  9. 9.根据权利要求1所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:用户端设备内设置认证信息可通过软件或网络远程控制方式进行修改。 9. The method of inter / remote network service authenticating the client device to the local client application according to claim 1, wherein: the authentication information provided CPE can be modified by software or network remote control.
  10. 10.根据权利要求1所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:应用或服务设置的认证文件中包括认证文件版本、有效区域名称和有效区域长度;所述认证文件版本,用于记录认证文件的版本信息;所述有效区域名称,用于标示授权的应用或服务在硬件设备安全加密数据区中可以访问的区域;所述有效区域长度,用于标示授权的应用或服务在硬件设备安全加密数据区中可以访问的区域的长度。 10. The method of authentication between the CPE and the local client application 1 / remote network services claim, wherein: the authentication service or application settings file included in the authentication file versions, the effective area of ​​the effective region and the name length; the authentication file version, file version information for authentication of recording; the effective area names, a region marked authorized application or service in secure hardware encryption data region can be accessed; the length of the effective region, a length of the area indicated in the authorization application or service hardware security encryption data area can be accessed.
  11. 11.根据权利要求10所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:应用或服务设置的认证文件中还包括有效期限,用于限定证书的有效时间。 The method of CPE and the local client application / service authentication between the remote network according to claim 10, wherein: the authentication service or application file set also includes a validity period, for defining a valid certificate time.
  12. 12.根据权利要求10所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:应用或服务设置的认证文件中还包括服务类别,用于标志该认证文件对应的服务类型。 The method of CPE and the local client application / service authentication between the remote network according to claim 10, wherein: the authentication service or application file further comprises a set of service classes, the authentication flag for file corresponding to the type of service.
  13. 13.根据权利要求10所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:应用或服务设置的认证文件中还包括认证文件删除,用于删除认证文件。 The method of CPE and the local client application / service authentication between the remote network according to claim 10, wherein: the authentication service or application file set also includes authentication file deletion, file authentication for deleting .
  14. 14.根据权利要求10所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:应用或服务设置的认证文件中还包括保密串,用于认证证书拥有者的合法性。 The method of CPE and the local client application / service authentication between the remote network according to claim 10, wherein: the authentication service or application file set also includes a string confidentiality, authentication certificate for the owner of legitimacy.
  15. 15.根据权利要求1所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:应用或服务认证文件的设置通过网络获取或制作时生成。 15. The method of inter / remote network service authenticating the client device to the local client application according to claim 1, wherein: generating a network by acquiring or creating applications or settings file service authentication.
  16. 16.根据权利要求1所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:应用或服务由本地客户端或远程网络提供。 16. The method of inter / remote network service authenticating the client device to the local client application according to claim 1, wherein: the application or service by the local client or a remote network provided.
  17. 17.根据权利要求1至16任一所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:用户端设备与应用或服务之间鉴权的具体步骤为:当授权的服务或应用需要访问用户端设备信息时,发出访问请求,同时将认证文件提交到认证机制;认证机制读取用户端设备的认证信息,也就是服务包信息;验证该用户端设备是否有权限使用此项应用或服务;认证机制读取认证文件中的“服务类别”,判断在硬件的认证服务包信息中此项“服务类别”是否为有效服务;如不是,证明该用户端设备无权限使用此项应用或服务,返回错误信息,结束;如是,认证机制判断在硬件的服务包信息中该“服务类别”是否过期;若过期,证明该用户端设备无权限使用此项应用或服务,返回错误信息,结束;如未过期,认证机制分析认证文件,验证此项应用 The method of CPE and the local client application / service authentication between the remote network according to claim one of claims 1 to 16, wherein: the specific authentication step between the client device and for the application or service : when an authorized service or application needs to access CPE information access request, the authentication file simultaneously submitted to the authentication mechanism; authentication mechanism to read the authentication information of the client device, i.e. the service pack information; verifying the CPE is there a permission to use this application or service; authentication mechanism reads the authentication file "class of service", in the judgment of this certification service pack information about the hardware in the "class of service" is a valid service; if not, to prove that the end user equipment without permission to use this application or service, returns an error message, ending; if so, determine the authentication mechanism "service class" has expired in the service pack information about the hardware; if expired, to prove that the CPE no permission to use this application or services, returns an error message, ending; if not expired, the authentication mechanism analysis certification documents to verify this application 或服务对硬件信息的访问权限;读取认证文件中的“有效时间”,判断认证文件是否过期;若过期,返回错误信息,结束;如未过期,读取认证文件中的“保密串”,判断使用者身份是否合法;若不合法,返回错误信息,结束;如合法,则用户端设备获得该应用或服务。 Hardware or service information access; read the "Effective Time" certification file to determine whether the certification documents expired; if expired, returns an error message, ending; if not expired, read the authentication file "secret string" determine the user's identity is legitimate; if not legal, returns an error message, ending; as legitimate, the CPE to obtain the application or service.
  18. 18.根据权利要求1所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:用户端设备内设置安全机制,通过加密算法实现设备加密数据空间的保护。 18. The method of locally between the client device and the client application 1 / remote network authentication services as claimed in claim wherein: the security mechanisms provided within user device, the encrypted data space to achieve protection device by the encryption algorithm.
  19. 19.根据权利要求1所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:用户端设备内还设有身份信息和/或类型识别信息。 19. The method of inter / remote network service authenticating the client device to the local client application according to claim 1, wherein: further provided with identity information and / or type identification information in the CPE.
  20. 20.根据权利要求1所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:所述认证机制进行鉴权包括由用户端设备对应用或服务进行,即用户端设备认证应用或服务是否有使用权限。 20. The method of locally between the client device and the client application 1 / remote network authentication services as claimed in claim wherein: authenticating the authentication mechanism includes a client device application or service, i.e., whether CPE certification applications or services are authorized.
  21. 21.根据权利要求1所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:用户端设备内设有安全数据存储区,设置安全机制,包括内建的密钥表,用于加解密安全加密数据存储区的数据。 21. The client device of claim 1 and a method local client inter / end remote web service authentication application claims wherein: CPE there is a secure data storage area, security settings, including built-in key table for secure data encryption and decryption of the encrypted data storage area.
  22. 22.根据权利要求1所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:应用或服务认证文件包括设备安全数据存储区访问的权限,有效数据区域名称或区域大小,用于限定该应用或服务只能够访问对应的数据存储区。 22. The method of authentication between the CPE and the local client application 1 / remote network services claim, wherein: the authentication service or application file includes access to the device to access secure data storage area, data area name or area size for defining the application or service can only access the corresponding data store.
  23. 23.根据权利要求1所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:应用或服务认证文件包括设备使用方法,用于制定对于安全数据存储区的访问方式,获取相应的密钥,实现数据加解密。 23. The client device of claim 1 and a method local client inter / end remote web service authentication application claim, wherein: the authentication service or application file comprises device uses a method for secure data storage area for the development of access way to get the appropriate key, data encryption and decryption.
  24. 24.根据权利要求20至23任一所述的用户端设备与本地客户端应用/远程网络服务间鉴权的方法,其特征在于:用户端设备对于应用或服务进行,即用户端设备认证应用或服务是否有使用权限时,认证机制读取认证文件中的“有效区域名称”,判断使用者希望访问的空间与有效访问空间是否一致;如不一致,返回错误信息,结束;如一致,读取认证文件中的“有效区域大小”,判断访问空间是否溢出;如溢出,返回错误信息,结束;如不溢出,此项应用或服务有权限访问它想要访问的用户端设备信息;读取认证文件中的“使用方法”,取得讲演使用的密钥ID,通过安全机制接口访问用户端设备上的信息。 24. The method of CPE and the local one of the client application / service authentication between the remote network of any of claims 20 to 23, wherein: the client device to the application or service, i.e. CPE authentication application when or whether the service are authorized authentication mechanism that reads "effective range name" certification document, determined that the user wants to access effective access to space and space are the same; if not, returns an error message, ending; the same as reading "effective area size" certification file to determine whether an overflow space access; such as overflow, returns an error message, ending; if not overflow, this application or service has access to CPE information it wishes to access; read the authentication file in the "use" key ID to obtain use of speech, access to information on the CPE through security interface.
CN 03156489 2003-09-01 2003-09-01 Method of identification between user device and local client use or remote-network service CN100426719C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 03156489 CN100426719C (en) 2003-09-01 2003-09-01 Method of identification between user device and local client use or remote-network service

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 03156489 CN100426719C (en) 2003-09-01 2003-09-01 Method of identification between user device and local client use or remote-network service

Publications (2)

Publication Number Publication Date
CN1592197A true true CN1592197A (en) 2005-03-09
CN100426719C CN100426719C (en) 2008-10-15

Family

ID=34598435

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 03156489 CN100426719C (en) 2003-09-01 2003-09-01 Method of identification between user device and local client use or remote-network service

Country Status (1)

Country Link
CN (1) CN100426719C (en)

Cited By (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100464549C (en) 2005-10-28 2009-02-25 广东省电信有限公司研究院 Method for realizing data safety storing business
CN1889426B (en) 2005-06-30 2010-08-25 联想(北京)有限公司 Method and system for realizing network safety storing and accessing
CN101931908A (en) * 2010-07-23 2010-12-29 中兴通讯股份有限公司 Method, device and system for acquiring service by portable equipment
CN101127599B (en) 2006-08-18 2011-05-04 华为技术有限公司 An identity and right authentication method and system and a biological processing unit
USD640976S1 (en) 2008-08-28 2011-07-05 Hewlett-Packard Development Company, L.P. Support structure and/or cradle for a mobile computing device
CN101212489B (en) 2006-12-27 2011-08-03 财团法人工业技术研究院 Asset management monitoring method and switching device for asset management monitoring
US8234509B2 (en) 2008-09-26 2012-07-31 Hewlett-Packard Development Company, L.P. Portable power supply device for mobile computing devices
US8305741B2 (en) 2009-01-05 2012-11-06 Hewlett-Packard Development Company, L.P. Interior connector scheme for accessorizing a mobile computing device with a removeable housing segment
US8385822B2 (en) 2008-09-26 2013-02-26 Hewlett-Packard Development Company, L.P. Orientation and presence detection for use in configuring operations of computing devices in docked environments
US8395547B2 (en) 2009-08-27 2013-03-12 Hewlett-Packard Development Company, L.P. Location tracking for mobile computing device
US8401469B2 (en) 2008-09-26 2013-03-19 Hewlett-Packard Development Company, L.P. Shield for use with a computing device that receives an inductive signal transmission
US8437695B2 (en) 2009-07-21 2013-05-07 Hewlett-Packard Development Company, L.P. Power bridge circuit for bi-directional inductive signaling
CN101789968B (en) 2010-01-08 2013-06-05 深圳市沟通科技有限公司 Safe enterprise mobile working application delivery method
USD687038S1 (en) 2009-11-17 2013-07-30 Palm, Inc. Docking station for a computing device
US8527688B2 (en) 2008-09-26 2013-09-03 Palm, Inc. Extending device functionality amongst inductively linked devices
CN101938627B (en) 2009-06-30 2014-03-19 中兴通讯股份有限公司 System and method for realizing authentication monitoring
US8688037B2 (en) 2008-09-26 2014-04-01 Hewlett-Packard Development Company, L.P. Magnetic latching mechanism for use in mating a mobile computing device to an accessory device
US8712324B2 (en) 2008-09-26 2014-04-29 Qualcomm Incorporated Inductive signal transfer system for computing devices
US8755815B2 (en) 2010-08-31 2014-06-17 Qualcomm Incorporated Use of wireless access point ID for position determination
US8850045B2 (en) 2008-09-26 2014-09-30 Qualcomm Incorporated System and method for linking and sharing resources amongst devices
CN101727274B (en) 2008-10-16 2014-10-15 埃森哲环球服务有限公司 For allowing a user to access enterprise data on the portable electronic device a method, system and graphical user interface
US8868939B2 (en) 2008-09-26 2014-10-21 Qualcomm Incorporated Portable power supply device with outlet connector
US8954001B2 (en) 2009-07-21 2015-02-10 Qualcomm Incorporated Power bridge circuit for bi-directional wireless power transmission
CN104468562A (en) * 2014-12-03 2015-03-25 南京信息工程大学 Portable transparent data safety protection terminal oriented to mobile applications
US9083686B2 (en) 2008-11-12 2015-07-14 Qualcomm Incorporated Protocol for program during startup sequence
CN104809367A (en) * 2014-01-24 2015-07-29 中辉世纪传媒发展有限公司 Digital rights management (DRM) protection method and device for service program
CN104819097A (en) * 2015-04-03 2015-08-05 北京天诚同创电气有限公司 Protection method and device of programmable logic controller program of wind turbine generator
CN105009131A (en) * 2012-09-22 2015-10-28 谷歌公司 Multi-tiered authentication methods for facilitating communications amongst smart home devices and cloud-based servers
US9201457B1 (en) 2001-05-18 2015-12-01 Qualcomm Incorporated Synchronizing and recharging a connector-less portable computer system
CN105337964A (en) * 2015-09-30 2016-02-17 宇龙计算机通信科技(深圳)有限公司 Data security protection method and device
US9395827B2 (en) 2009-07-21 2016-07-19 Qualcomm Incorporated System for detecting orientation of magnetically coupled devices

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6263446B1 (en) 1997-12-23 2001-07-17 Arcot Systems, Inc. Method and apparatus for secure distribution of authentication credentials to roaming users
CN100463479C (en) 2001-12-25 2009-02-18 中兴通讯股份有限公司 Wide-band network authentication, authorization and accounting method

Cited By (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9201457B1 (en) 2001-05-18 2015-12-01 Qualcomm Incorporated Synchronizing and recharging a connector-less portable computer system
CN1889426B (en) 2005-06-30 2010-08-25 联想(北京)有限公司 Method and system for realizing network safety storing and accessing
CN100464549C (en) 2005-10-28 2009-02-25 广东省电信有限公司研究院 Method for realizing data safety storing business
CN101127599B (en) 2006-08-18 2011-05-04 华为技术有限公司 An identity and right authentication method and system and a biological processing unit
CN101212489B (en) 2006-12-27 2011-08-03 财团法人工业技术研究院 Asset management monitoring method and switching device for asset management monitoring
USD640976S1 (en) 2008-08-28 2011-07-05 Hewlett-Packard Development Company, L.P. Support structure and/or cradle for a mobile computing device
US8868939B2 (en) 2008-09-26 2014-10-21 Qualcomm Incorporated Portable power supply device with outlet connector
US8234509B2 (en) 2008-09-26 2012-07-31 Hewlett-Packard Development Company, L.P. Portable power supply device for mobile computing devices
US8850045B2 (en) 2008-09-26 2014-09-30 Qualcomm Incorporated System and method for linking and sharing resources amongst devices
US8385822B2 (en) 2008-09-26 2013-02-26 Hewlett-Packard Development Company, L.P. Orientation and presence detection for use in configuring operations of computing devices in docked environments
US8712324B2 (en) 2008-09-26 2014-04-29 Qualcomm Incorporated Inductive signal transfer system for computing devices
US8401469B2 (en) 2008-09-26 2013-03-19 Hewlett-Packard Development Company, L.P. Shield for use with a computing device that receives an inductive signal transmission
US8527688B2 (en) 2008-09-26 2013-09-03 Palm, Inc. Extending device functionality amongst inductively linked devices
US8688037B2 (en) 2008-09-26 2014-04-01 Hewlett-Packard Development Company, L.P. Magnetic latching mechanism for use in mating a mobile computing device to an accessory device
CN101727274B (en) 2008-10-16 2014-10-15 埃森哲环球服务有限公司 For allowing a user to access enterprise data on the portable electronic device a method, system and graphical user interface
US9083686B2 (en) 2008-11-12 2015-07-14 Qualcomm Incorporated Protocol for program during startup sequence
US8305741B2 (en) 2009-01-05 2012-11-06 Hewlett-Packard Development Company, L.P. Interior connector scheme for accessorizing a mobile computing device with a removeable housing segment
CN101938627B (en) 2009-06-30 2014-03-19 中兴通讯股份有限公司 System and method for realizing authentication monitoring
US9395827B2 (en) 2009-07-21 2016-07-19 Qualcomm Incorporated System for detecting orientation of magnetically coupled devices
US8437695B2 (en) 2009-07-21 2013-05-07 Hewlett-Packard Development Company, L.P. Power bridge circuit for bi-directional inductive signaling
US8954001B2 (en) 2009-07-21 2015-02-10 Qualcomm Incorporated Power bridge circuit for bi-directional wireless power transmission
US8395547B2 (en) 2009-08-27 2013-03-12 Hewlett-Packard Development Company, L.P. Location tracking for mobile computing device
US9097544B2 (en) 2009-08-27 2015-08-04 Qualcomm Incorporated Location tracking for mobile computing device
USD687038S1 (en) 2009-11-17 2013-07-30 Palm, Inc. Docking station for a computing device
CN101789968B (en) 2010-01-08 2013-06-05 深圳市沟通科技有限公司 Safe enterprise mobile working application delivery method
CN101931908A (en) * 2010-07-23 2010-12-29 中兴通讯股份有限公司 Method, device and system for acquiring service by portable equipment
US8522046B2 (en) 2010-07-23 2013-08-27 Zte Corporation Method, apparatus and system for acquiring service by portable device
CN101931908B (en) 2010-07-23 2014-06-11 中兴通讯股份有限公司 Method, device and system for acquiring service by portable equipment
WO2012009922A1 (en) * 2010-07-23 2012-01-26 中兴通讯股份有限公司 Method, apparatus and system for obtaining traffic service by portable device
US8755815B2 (en) 2010-08-31 2014-06-17 Qualcomm Incorporated Use of wireless access point ID for position determination
US9191781B2 (en) 2010-08-31 2015-11-17 Qualcomm Incorporated Use of wireless access point ID for position determination
CN105009131A (en) * 2012-09-22 2015-10-28 谷歌公司 Multi-tiered authentication methods for facilitating communications amongst smart home devices and cloud-based servers
CN104809367A (en) * 2014-01-24 2015-07-29 中辉世纪传媒发展有限公司 Digital rights management (DRM) protection method and device for service program
CN104468562B (en) * 2014-12-03 2017-12-15 南京信息工程大学 Data oriented mobile applications transparent to the portable terminal security
CN104468562A (en) * 2014-12-03 2015-03-25 南京信息工程大学 Portable transparent data safety protection terminal oriented to mobile applications
CN104819097A (en) * 2015-04-03 2015-08-05 北京天诚同创电气有限公司 Protection method and device of programmable logic controller program of wind turbine generator
CN105337964A (en) * 2015-09-30 2016-02-17 宇龙计算机通信科技(深圳)有限公司 Data security protection method and device

Also Published As

Publication number Publication date Type
CN100426719C (en) 2008-10-15 grant

Similar Documents

Publication Publication Date Title
US7224805B2 (en) Consumption of content
US20020178370A1 (en) Method and apparatus for secure authentication and sensitive data management
US20060085844A1 (en) User authentication system
US20110023103A1 (en) Method for reading attributes from an id token
US20040255119A1 (en) Memory device and passcode generator
US20060021065A1 (en) Method and device for authorizing content operations
US7296147B2 (en) Authentication system and key registration apparatus
US20040228487A1 (en) Content reading apparatus
US20130007471A1 (en) Systems and methods for securing cryptographic data using timestamps
US20020046350A1 (en) Method and system for establishing an audit trail to protect objects distributed over a network
US7802293B2 (en) Secure digital credential sharing arrangement
US20050198510A1 (en) Binding content to an entity
US20080089517A1 (en) Method and System for Access Control and Data Protection in Digital Memories, Related Digital Memory and Computer Program Product Therefor
US20040168056A1 (en) Revocation of a certificate and exclusion of other principals in a digital rights management (DRM) system based on a revocation list from a delegated revocation authority
US20030208681A1 (en) Enforcing file authorization access
US20060053302A1 (en) Information processing apparatus with security module
US20060282680A1 (en) Method and apparatus for accessing digital data using biometric information
US20080152146A1 (en) Private and Controlled Ownership Sharing
US20040088541A1 (en) Digital-rights management system
US20040103312A1 (en) Domain-based digital-rights management system with easy and secure device enrollment
US20040133797A1 (en) Rights management enhanced storage
US20050137889A1 (en) Remotely binding data to a user device
US20050138400A1 (en) Digital content protection method
US20040243815A1 (en) System and method of distributing and controlling rights of digital content
US20090254978A1 (en) Delegated authentication for web services

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
ASS Succession or assignment of patent right

Owner name: TAIJUN TECHNOLOGY(SHENZHEN) LTD.

Free format text: FORMER OWNER: TAIJUN INDUSTRIAL CO., LTD.

Effective date: 20050422

C41 Transfer of patent application or patent right or utility model
C14 Grant of patent or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 518106 SHENZHEN, GUANGDONG PROVINCE TO: 100086 HAIDIAN, BEIJING

ASS Succession or assignment of patent right

Owner name: MAISHIYA (BEIJING) SCIENCE AND TECHNOLOGY CO., LTD

Free format text: FORMER OWNER: TAI GUEN TECHNOLOGY (SHENZHEN) CO., LTD.

Effective date: 20150107

C41 Transfer of patent application or patent right or utility model
EXPY Termination of patent right or utility model