CN1881878A - Service safety authentication method based on smart card under controlled Internet network environment - Google Patents

Service safety authentication method based on smart card under controlled Internet network environment

Info

Publication number
CN1881878A
Authority
CN
China
Prior art keywords
smart card
user
network
service
under controlled
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN 200610026414
Other languages
Chinese (zh)
Inventor
严海宁
冯明
蒋力
陈琰
顾丽丽
孟建庭
胡冰松
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
Shanghai Telecom Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Telecom Co Ltd filed Critical Shanghai Telecom Co Ltd
Priority to CN 200610026414 priority Critical patent/CN1881878A/en
Publication of CN1881878A publication Critical patent/CN1881878A/en
Pending legal-status Critical Current

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a service security authentication method for smart cards in a controlled IP network. S1: the user presents the smart card, which holds a key and a card number, to the business platform server over the IP network for verification; S2: the authentication server initiates a challenge-word process towards the user and requires authentication; S3: through the challenge word the user obtains the service-use key and its lifetime; S4: the user encrypts the service-related information with the service authentication key and enters the service flow. With the invention, the security authentication process has high security, few steps, fast response, simple management and low cost.

Description

Service security authentication method based on smart cards in a controlled IP network environment
Technical field
The present invention relates to a service security authentication mechanism for smart-card terminal equipment used in a controlled IP network environment, such as broadband digital set-top boxes and hand-held network terminals. The scheme combines the authentication method of the traditional open Internet with the authentication method of carrier-class managed networks.
Background technology
As IP networks develop, a large amount of information and services is provided over them, and more and more service providers offer new services based on Internet or IP network technology, such as streaming media broadcast, video on demand and real-time information services. These services share some common features: they are real-time, they need QoS guarantees, and they are paid. Ensuring that only legitimate users can use them, and preventing unauthorised users from obtaining content, is directly tied to the healthy development of the service and its industrial chain, so verifying the legitimacy of a user's service use becomes especially important.
A typical open IP network, or the Internet, treats every network device and every contact between client and user equipment as public, because of the openness of its overall design. Its bearer protocol is an open, text-based Internet protocol, and anyone or any organisation can obtain the interaction between client and server by means such as network eavesdropping or interception. To guarantee the security and integrity of this data, an encrypted channel is generally used for transmission; concretely, key distribution by a public/private key system and Kerberos-style authentication carried over Internet protocols. The main drawback of this scheme is that, because it assumes every network device and terminal is in an insecure state, the whole flow from key distribution to user authentication is complex and the user's request response time is long, which makes it unsuitable for services with strict response-time requirements.
A typical carrier-class managed network, such as the traditional telephone switching network or a mobile communications network, is strongly closed in its overall design: its interaction protocols and transmission pipes are proprietary, non-textual and not readily recognisable, and security authentication is generally based on smart cards. Combining the two effectively guarantees the efficiency and security of communication between the servers of the carrier-class managed network and the clients. The main drawback of this scheme is that its bearer protocol is proprietary and unreadable, so it cannot adapt well to the large number of services now carried over Internet transport protocols.
Summary of the invention
In summary, the technical problems to be solved by this invention are: how to overcome the obstacle that the openness of the overall design of a typical open IP network or the Internet poses to the healthy development of new Internet or IP network services and their industrial chain; and how to overcome the incompatibility with today's large number of Internet-protocol-based services that is caused by the excessive closure of the typical carrier-class managed network architecture. The object of the invention is therefore to provide a service security authentication method based on smart cards in a controlled IP network environment.
Technical concept of the present invention:
Since the services carried out in the controlled IP network are based on Internet technology, the present invention proposes a service security authentication method based on smart cards and Internet protocols for the above network architecture, so as to protect service data and improve the response speed to user requests.
This method achieves:
1) real-time operation and security of services carried out in the controlled IP network;
2) a service interaction protocol that can be based on open Internet protocols or other protocols;
3) secure distribution of keys;
4) integrity, consistency and tamper-resistance of data in the service flow;
5) flexibility in the encryption and verification algorithms;
6) a simplified service authentication flow and faster response to user requests, without reducing the security of the service flow.
In a controlled IP network environment, where the services are based on Internet technology, the proposed network service authentication method based on the smart card key encrypts the transmission channel with the smart card's secure key, obtains the user's service authentication key from the server, and then completes the whole service authentication flow with that user authentication key, so as to guarantee the consistency and integrity of the transmitted data and to counter replay attacks in the network.
The technical solution of the present invention is as follows:
In a controlled IP network environment, apart from the transmission channel between the user terminal and a network element, all transmission channels between network elements are in a secure state: data transfer between them cannot be attacked, their communication is efficient, and the network element architecture is based on a trusted model. The main characteristic of this architecture is that every service network element lies in a secure domain; communication between them generally uses an efficient and secure encrypted channel; the communication protocol is strongly attack-resistant and is generally not an Internet protocol. These characteristics are also the main difference between the controlled IP network architecture and the open Internet architecture. In the method described below, the service security authentication method and its flow are based on this kind of controlled IP network environment, whose characteristics suit the operation of paid services that are real-time and need QoS guarantees.
Smart card technology is the key technology for guaranteeing communication security between the user terminal and the service platform and for user authentication in the controlled IP network: a smart card guarantees the security of the data it stores, which cannot be read by illegal means, or only at very high cost.
To guarantee the security of services carried out in a controlled IP network environment, the secure storage of the smart card can be used for service authentication and verification. The smart card key (ICKey), the smart card number (ICNM) and similar information are stored in the smart card in advance, and the card is issued before the user uses the service. When the user requests a service, smart card authentication is performed first: the server side initiates a challenge-word (Challenge) process, the user encrypts the single channel with the smart card key ICKey and obtains the service authentication key (ServiceKey) through the challenge-word process; the ServiceKey then guarantees the security of the subsequent service use.
This method has the following preconditions or assumptions: 1) communication between network element devices inside the controlled IP network is secure and trusted and cannot be attacked; 2) the communication channel between the user terminal equipment and the network element devices inside the controlled IP network is insecure and can be attacked; 3) storage of the key (ICKey) in the smart card is secure, and this key is stored both in the smart card and on the platform side; 4) the smart card key (ICKey) is kept both in the smart card and on the network platform server side.
In summary, the technical solution of the present invention is as follows:
A service security authentication method for smart card devices in a controlled IP network environment according to the invention applies where:
A. the open Internet information verification mode provides the Internet bearer protocol and the challenge-word process;
B. the smart card device provides the key shared with the server and the user identity;
C. the security architecture of the managed network provides that, apart from the transmission channel between the user terminal and a network element, all transmission channels between network elements are in a secure and highly efficient transmission state.
Beneficial effects of the present invention:
1) the secure storage of the smart card guarantees the security of the smart card key ICKey;
2) using open Internet protocols together with the controlled IP network architecture simplifies the service authentication flow without reducing security;
3) transmitting the service authentication key ServiceKey encrypted under the smart card key ICKey guarantees the security of the ServiceKey;
4) encrypting the communication channel between the terminal equipment and the network server with the ServiceKey keeps the transmitted service data hidden;
5) using the telecommunications network protocol between network servers guarantees data security and efficient transfer;
6) mutual authentication between terminal and server with timestamps guarantees the legitimacy of the data;
7) the bearer protocol and the encryption/verification mode of the flow are flexible and open; and
8) the flow has few interactions, fast response, simple management and low construction cost.
Description of the drawings
Fig. 1 is a schematic of the security authentication principle according to the invention.
Fig. 2 is a flow chart of an IP digital set-top box user authenticating and obtaining a web-page information service according to the invention.
Embodiments
A preferred embodiment is given below with reference to Fig. 1 and Fig. 2 and described in detail, so that those skilled in the art can more easily understand the invention; it is not intended to limit the scope of the invention.
Referring to Fig. 1:
1. write the smart card key (ICKey) and the smart card number (ICNM) into the smart card and issue it to the user;
2. when the user uses the related service for the first time, send the smart card number (ICNM) to the service server, i.e. the business platform server;
3. the service server initiates the challenge-word (Challenge) process and requires the user to authenticate with the smart card key (ICKey);
4. the user generates a timestamp (TimeStamp), encrypts the challenge word (Challenge) and the timestamp (TS) with the smart card key (ICKey), and returns the challenge response;
5. the service server verifies the user's challenge response and decides success or failure;
6. if verification passes, the server generates the service authentication key (ServiceKey) and the lifetime TTL of the ServiceKey, encrypts them with the smart card key (ICKey) and returns them to the user; if verification fails, it returns verification failure information;
7. the user encrypts the service-related information with the service authentication key (ServiceKey) and enters the service flow.
The bearer protocol of the whole scheme can be, but is not limited to, an Internet-class protocol. The service authentication key (ServiceKey) is generated dynamically by the business service platform and is valid within its lifetime; the user side keeps it temporarily, so it need not be requested every time a service is used.
Referring to Fig. 2, the flow chart of an IP digital set-top box user authenticating and obtaining a web-page information service:
Prerequisites: the IP digital set-top box uses a smart card device with ICKey and ICNM built into the card, and ICKey and ICNM are bound together on the business platform side; the set-top box has the authentication server address and the requested service name (Service) built in.
The concrete flow is as follows:
1. the set-top box sends a request to the authentication server over HTTP; the request content is the plaintext ICNM;
2. the authentication server returns an HTTP reply with error code 401, requiring the set-top box to perform challenge-word authentication, and returns the challenge word Challenge, a random digit sequence;
3. the set-top box generates a local timestamp TS1 and replies to the challenge word over HTTP; the request content is the challenge word Challenge, the timestamp TS1 and the service name Service encrypted with the smart card key ICKey: ICKeyEncrpt(Challenge, TS1, Service);
4. the authentication server verifies the Challenge response message and generates the service authentication key ServiceKey and its lifetime TTL;
5. the authentication server synchronises ICNM, ServiceKey, TTL and TS1 to the information server that provides the service; the bearer protocol here is a telecommunications network protocol, which is efficient, secure and reliable;
6. the authentication server returns to the set-top box, in an HTTP reply, the service authentication key ServiceKey, TS1 and the service portal link ServiceURL; the response content is encrypted with ICKey: ICKeyEncrpt(ServiceKey, TS1, ServiceURL, TTL);
7. the set-top box sends an HTTP request to the service portal ServiceURL; the request content comprises ICNM, TS2 and ServiceURL encrypted with the service authentication key, in the form ICNM ‖ ServiceKeyEncrpt(ICNM, TS2, ServiceURL), where TS2 is the set-top box's second timestamp and can be generated as TS1 plus an increment;
8. the information server decrypts the set-top box request with ServiceKey and compares the ICNM in the decrypted data with the plaintext ICNM to verify the consistency and legitimacy of the data;
9. the information server answers the set-top box's service request over HTTP; the response content comprises the HTML content, TS2, ServiceURL and a random number, encrypted with the service authentication key, in the form ServiceKeyEncrpt(HTML content, TS2, ServiceURL);
10. the set-top box decrypts the content returned by the information server, verifies the server data by the random number and TS2 in the decrypted data, and begins to use the service.
TS1 and TS2 are used to prevent replay attacks in the network and for data consistency checks.
In this specific implementation the network protocol is not limited to HTTP (Hypertext Transfer Protocol); the Real Time Streaming Protocol (RTSP) can also be used.
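The Fig. 1 and Fig. 2 exchanges above, modelled end to end as an added example (not code from the patent or from the applicant): the authentication server, the information server and the set-top box side run in one process; ICKeyEncrpt/ServiceKeyEncrpt, which the patent leaves unspecified, are stood in for by a constructed HMAC-SHA256 keystream with an encrypt-then-MAC tag; the card database, service name, TTL, clock values and status strings are constructed. It shows the 401 challenge, the TS1 freshness window, the ServiceKey grant under ICKey, the ICNM comparison at the information server, and why the TS2 increment makes a replayed step-7 request fail.

```python
import hashlib
import hmac
import json
import secrets

# Constructed card database: ICNM -> ICKey, held by both the card and the platform (precondition 4).
CARDS = {"ICNM-0001": b"\x11" * 16}
SERVICE = "portal"   # request service name built into the set-top box
TTL = 300            # ServiceKey lifetime in seconds
MAX_SKEW = 60        # tolerated difference between TS1 and the server clock

def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode: a stand-in for the patent's unspecified ICKeyEncrpt cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key, obj):
    """Encrypt-then-MAC of a JSON message: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Raises ValueError unless the tag verifies, so a wrong key or a tampered blob is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class InfoServer:
    # Information server; learns (ICNM, ServiceKey, TTL, TS1) over the trusted internal network (step 5).
    def __init__(self):
        self.sessions = {}

    def sync(self, icnm, service_key, ttl, ts1, issued_at):
        self.sessions[icnm] = {"key": service_key, "expires": issued_at + ttl, "last_ts": ts1}

    def serve(self, icnm_plain, blob, now):
        """Steps 8-9: decrypt with ServiceKey, compare ICNM with the plaintext copy, require TS2 to advance."""
        s = self.sessions.get(icnm_plain)
        if s is None or now > s["expires"]:
            return None, "no valid ServiceKey"
        try:
            req = decrypt(s["key"], blob)
        except ValueError:
            return None, "not encrypted under ServiceKey"
        if req["ICNM"] != icnm_plain or req["TS2"] <= s["last_ts"]:
            return None, "ICNM mismatch or replayed TS2"
        s["last_ts"] = req["TS2"]
        resp = {"html": "<h1>portal</h1>", "TS2": req["TS2"], "ServiceURL": req["ServiceURL"], "rnd": secrets.token_hex(8)}
        return encrypt(s["key"], resp), "ok"

class AuthServer:
    def __init__(self, cards, info):
        self.cards, self.info, self.pending = cards, info, {}

    def challenge(self, icnm):
        """Step 2: answer the plaintext ICNM with 401 and a random Challenge."""
        self.pending[icnm] = secrets.token_hex(16)
        return 401, self.pending[icnm]

    def verify(self, icnm, blob, now):
        """Steps 4-6: check ICKeyEncrpt(Challenge, TS1, Service), then issue ServiceKey/TTL/ServiceURL under ICKey."""
        expected = self.pending.pop(icnm, None)
        try:
            r = decrypt(self.cards[icnm], blob)
        except (KeyError, ValueError):
            return 403, None
        if expected is None or r["Challenge"] != expected or abs(r["TS1"] - now) > MAX_SKEW:
            return 403, None
        service_key = secrets.token_bytes(16)
        self.info.sync(icnm, service_key, TTL, r["TS1"], now)   # step 5 over the internal trusted channel
        grant = {"ServiceKey": service_key.hex(), "TS1": r["TS1"], "ServiceURL": "/" + r["Service"], "TTL": TTL}
        return 200, encrypt(self.cards[icnm], grant)

def run_flow(icnm="ICNM-0001", now=1_700_000_000):
    """Drive the Fig. 2 exchange from the set-top box side, then replay step 7 to show it is refused."""
    info = InfoServer()
    auth = AuthServer(CARDS, info)
    ickey = CARDS[icnm]                                   # card-side copy of ICKey
    _, chal = auth.challenge(icnm)                        # steps 1-2
    ts1 = now                                             # step 3: local timestamp TS1 (constructed clock)
    _, blob = auth.verify(icnm, encrypt(ickey, {"Challenge": chal, "TS1": ts1, "Service": SERVICE}), now)
    grant = decrypt(ickey, blob)                          # step 6, opened with ICKey
    skey = bytes.fromhex(grant["ServiceKey"])
    req = encrypt(skey, {"ICNM": icnm, "TS2": ts1 + 1, "ServiceURL": grant["ServiceURL"]})  # step 7, TS2 = TS1 + 1
    resp_blob, first = info.serve(icnm, req, now)
    page = decrypt(skey, resp_blob)                       # step 10: TS2 must be echoed back
    _, replay = info.serve(icnm, req, now)                # same ciphertext again: TS2 did not advance
    return {"html": page["html"], "first": first, "replay": replay, "ts2_ok": page["TS2"] == ts1 + 1}
```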
Its steps comprise:
S1. the user's smart card, into which the key and card number were written when the card was issued, is submitted to the business platform server over the IP network for verification by the service authentication using its key;
S2. the authentication server initiates the challenge-word process towards the user and requires authentication;
S3. the user obtains the service-use key and its lifetime through the challenge word; and
S4. the user encrypts the service-related information with the service authentication key and enters the service flow.
Further, the challenge-word process also comprises the steps: the user passes identification information to the authentication server; the authentication server records the user identification information, generates a random-number challenge word and returns it to the user side; the user encrypts the challenge word and the user identity information with the key shared with the authentication server and responds to the authentication server's challenge word; the authentication server decrypts the challenge-word response message with the key shared with the user and provides the service to the user;
The service-use key is obtained through the basic shared key;
The lifetime identifies the validity period of the service-use key; when the validity period expires, the service-use key must be obtained again through the basic shared key;
In the service flow, the encryption key is the service-use key;
The bearer protocol of the challenge-word process can be an Internet protocol, but is not limited to Internet protocols;
The user identity information comprises the user identity number and a timestamp;
The timestamp information changes in sequence and is used to prevent replay attacks in the network; the sequential change is performed by incremental increase;
The Internet bearer protocol means an Internet application-layer protocol, but it is not limited to Internet protocols and may also be a traditional telecommunications network protocol;
The smart card device, besides a hardware smart card, may also comprise a soft smart card, which is a virtual smart card implemented in software.

Claims (10)

1. A service security authentication method for a smart card device in a controlled IP network environment, applying where: the open Internet information verification mode provides the Internet bearer protocol and the challenge-word process; the smart card device provides the key shared with the server and the user identity; and the security architecture of the managed network provides that, apart from the transmission channel between the user terminal and a network element, all transmission channels between network elements are in a secure and highly efficient transmission state; the steps comprising:
S1. the user's smart card, into which the key and card number were written when the card was issued, is submitted to the business platform server over the IP network for verification by the service authentication using its key;
S2. the authentication server initiates the challenge-word process towards the user and requires authentication;
S3. the user obtains the service-use key and its lifetime through the challenge word; and
S4. the user encrypts the service-related information with the service authentication key and enters the service flow.
2. The service security authentication method for a smart card device in a controlled IP network environment according to claim 1, characterised in that the challenge-word process in step S2 also comprises the steps:
S21. the user passes identification information to the authentication server;
S22. the authentication server records the user identification information, generates a random-number challenge word and returns it to the user side;
S23. the user encrypts the challenge word and the user identity information with the key shared with the authentication server, responding to the authentication server's challenge word;
S24. the authentication server decrypts the challenge-word response message with the key shared with the user and provides the service to the user.
3. The service security authentication method for a smart card device in a controlled IP network environment according to claim 1, characterised in that the service-use key in step S4 is obtained through the basic shared key.
4. The service security authentication method for a smart card device in a controlled IP network environment according to claim 1, characterised in that the lifetime in step S3 identifies the validity period of the service-use key; when the validity period expires, the service-use key must be obtained again through the basic shared key.
5. The service security authentication method for a smart card device in a controlled IP network environment according to claim 1, characterised in that in the service flow of step S4 the encryption key is the service-use key.
6. The service security authentication method for a smart card device in a controlled IP network environment according to claims 1 and 2, characterised in that the bearer protocol of the challenge-word process can be an Internet protocol, but is not limited to Internet protocols.
7. The service security authentication method for a smart card device in a controlled IP network environment according to claims 1 and 2, characterised in that the user identity information comprises the user identity number and a timestamp.
8. The service security authentication method for a smart card device in a controlled IP network environment according to claim 7, characterised in that the timestamp information changes in sequence and is used to prevent replay attacks in the network, the sequential change being performed by incremental increase.
9. The service security authentication method for a smart card device in a controlled IP network environment according to claim 1, characterised in that the Internet bearer protocol means an Internet application-layer protocol, but is not limited to Internet protocols and may also be a traditional telecommunications network protocol.
10. The service security authentication method for a smart card device in a controlled IP network environment according to claim 1, characterised in that the smart card device, besides a hardware smart card, may also comprise a soft smart card, which is a virtual smart card implemented in software.
CN 200610026414 2006-05-10 2006-05-10 Service safety authentication method based on smart card under controlled Internet network environment Pending CN1881878A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200610026414 CN1881878A (en) 2006-05-10 2006-05-10 Service safety authentication method based on smart card under controlled Internet network environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200610026414 CN1881878A (en) 2006-05-10 2006-05-10 Service safety authentication method based on smart card under controlled Internet network environment

Publications (1)

Publication Number Publication Date
CN1881878A true CN1881878A (en) 2006-12-20

Family

ID=37519869

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200610026414 Pending CN1881878A (en) 2006-05-10 2006-05-10 Service safety authentication method based on smart card under controlled Internet network environment

Country Status (1)

Country Link
CN (1) CN1881878A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008089638A1 (en) * 2007-01-18 2008-07-31 Huawei Technologies Co., Ltd. Method and communication terminal of controlling user information on the communication termial
CN101895538A (en) * 2010-06-30 2010-11-24 北京握奇数据系统有限公司 Method and system for establishing data exchange channels, smart card and server
CN101895537A (en) * 2010-06-30 2010-11-24 北京握奇数据系统有限公司 Method for establishing data exchange channels and system thereof comprising smart card and server
CN101729246B (en) * 2008-10-24 2012-02-08 中兴通讯股份有限公司 Method and system for distributing key
CN101068143B (en) * 2007-02-12 2012-04-11 中兴通讯股份有限公司 Network equipment identification method
CN106302386A (en) * 2016-07-25 2017-01-04 深圳信息职业技术学院 A kind of method promoting IPv6 protocol data bag safety
CN112311533A (en) * 2019-07-29 2021-02-02 中国电信股份有限公司 Terminal identity authentication method, system and storage medium
CN114760141A (en) * 2022-04-22 2022-07-15 深圳市永达电子信息股份有限公司 Digital certificate request distribution method

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008089638A1 (en) * 2007-01-18 2008-07-31 Huawei Technologies Co., Ltd. Method and communication terminal of controlling user information on the communication termial
CN101068143B (en) * 2007-02-12 2012-04-11 中兴通讯股份有限公司 Network equipment identification method
CN101729246B (en) * 2008-10-24 2012-02-08 中兴通讯股份有限公司 Method and system for distributing key
CN101895538A (en) * 2010-06-30 2010-11-24 北京握奇数据系统有限公司 Method and system for establishing data exchange channels, smart card and server
CN101895537A (en) * 2010-06-30 2010-11-24 北京握奇数据系统有限公司 Method for establishing data exchange channels and system thereof comprising smart card and server
CN101895538B (en) * 2010-06-30 2013-06-05 北京握奇数据系统有限公司 Method and system for establishing data exchange channels, smart card and server
CN101895537B (en) * 2010-06-30 2014-07-30 北京握奇数据系统有限公司 Method for establishing data exchange channels and system thereof comprising smart card and server
CN106302386A (en) * 2016-07-25 2017-01-04 深圳信息职业技术学院 A kind of method promoting IPv6 protocol data bag safety
CN112311533A (en) * 2019-07-29 2021-02-02 中国电信股份有限公司 Terminal identity authentication method, system and storage medium
CN112311533B (en) * 2019-07-29 2023-05-02 中国电信股份有限公司 Terminal identity authentication method, system and storage medium
CN114760141A (en) * 2022-04-22 2022-07-15 深圳市永达电子信息股份有限公司 Digital certificate request distribution method
CN114760141B (en) * 2022-04-22 2024-03-08 深圳市永达电子信息股份有限公司 Digital certificate request distribution method


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: CHINA TELECOMMUNICATION STOCK CO., LTD.

Free format text: FORMER OWNER: SHANGHAI TELECOM CO., LTD.

Effective date: 20080328

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20080328

Address after: Number 31, Finance Street, Beijing, Xicheng District: 100032

Applicant after: China Telecommunication Co., Ltd.

Address before: 1835 South Pudong Road, Shanghai, China: 200122

Applicant before: Shanghai Telecom Co., Ltd.

C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20061220