Identity authentication system based on a mobile terminal
Technical field
The utility model relates to technology that combines wireless communication, network services, algorithmic security and network security; specifically, to a security system that generates a dynamic password on a trusted mobile terminal and uses that password to perform strong identity authentication.
Background technology
With the rapid development of the Internet, more and more application systems are deployed on public networks, network security problems become increasingly prominent, and authentication at the entry point of sensitive operations becomes especially important. Most current application systems still use the authentication mode of a user name plus a static password. This mode carries many security risks: a static password is easily guessed or cracked, can be intercepted by an attacker, can be misused by an administrator, can be obtained by a phishing site, and a large number of static passwords are hard to remember.
At present there are mainly the following solutions to the problems above:
(1) Digital certificate: a digital certificate provides a secure link and a digital signature, and better protects information transmitted online. Its limitation is inconvenience: operations must be performed on the computer on which the certificate is installed, and a PKI-based certificate system is costly.
(2) USB mobile certificate (USB Key): the authentication key or digital certificate is stored in a USB Key hardware device, and the algorithm built into the USB Key authenticates the user. Its limitations are that the device needs a USB socket, that a driver matching the operating system on the device must be installed, that it is exposed to Trojan horse threats and so still carries security risks, and that its cost is relatively high.
(3) Request-response password system: when the system needs to verify an identity, the user first sends a request for a password; on receiving the request the server end generates a temporary password, remembers it, and sends it to the user through a specific channel; the user then enters this password to authenticate to the server end.
Because the temporary password the user obtains is different each time, this verification mode strengthens security. However, during the whole verification the server end must send the password to the user through a specific channel, which has limitations, and the security of the transmission channel cannot be guaranteed: with SMS, for example, the password is transmitted entirely in plaintext.
(4) Dynamic password (OTP) authentication system: the user holds a hardware device with a unique built-in key that generates dynamic passwords with a specific algorithm. When the user authenticates, a dynamic password must be entered in addition to the static password; the dynamic password is sent to the authentication server end, which first looks up the key corresponding to the user, generates the dynamic password with the same algorithm, and compares the two to complete authentication. The algorithm can use an event, the time, etc. as the dynamic factor, so every password the hardware device generates is different, and the whole system can ensure that a dynamic password is used only once. This authentication system is at present one of the effective ways of authenticating user identity. However, obtaining dynamic passwords from a hardware device has certain defects: the cost is higher, the device cannot communicate, the dynamic factor cannot be well synchronized with the authentication server, and the device cannot offer the user a rich operating experience and business functions.
Summary of the utility model
In view of this, and in order to overcome the deficiencies of the prior art, the utility model provides an identity authentication system based on a mobile terminal. The system adopts the dynamic password verification scheme but replaces the hardware device with a software client, which saves the hardware production cost; at the same time the flexible software client can synchronize its dynamic factor with the authentication server, and, combined with the software client, the system provides a strong identity authentication system that is convenient and integrates with third-party application systems, thereby solving the limitations and deficiencies that the use of a hardware device brings to the whole authentication system.
The authentication system provided by the utility model is based on a mobile-terminal identity authentication method. The system comprises: a mobile terminal, a self-service end and an authentication server end. The mobile terminal is connected by wireless communication to the self-service end and to the authentication server end respectively, and the self-service end and the authentication server end are connected by Internet communication.
Further, a smart card is provided in the mobile terminal.
The authentication server end contains an authentication information database and an authentication agent package. The mobile terminal contains a dynamic password generation unit that generates dynamic passwords once initialization is complete, a one-key initialization unit, a one-key synchronization unit that synchronizes the dynamic factor between the client and the authentication server end, a one-key verification unit, an authentication result receiving unit, and a location service unit that obtains the terminal's position information and uploads it to the server.
The authentication server end comprises: a data decryption module that decrypts the mobile terminal's request data with an asymmetric algorithm, a password check module that calculates the dynamic password, an access control module that guarantees a used dynamic password cannot be used again, a position comparison module, a data encryption module, a dynamic factor synchronization module, a key generation module, an initialization password generation module and a log module. The self-service end comprises: a serial number generation module, a self-protection module, a log module, a user self-service operation module and a client update module.
Further, the system also comprises a management server end, which comprises: a third-party application management module, a key distribution module, a role and permission module, an authentication server monitoring module, a client version release management module, a log management module, a behaviour analysis module and a report display module.
The identity authentication system based on a mobile terminal provided by the utility model is realized by the following method, comprising the steps: (1) obtaining the initial password for logging in to the self-service end; (2) generating the serial number for initializing the mobile client; (3) initializing the mobile client; (4) authentication: when the user applies to log in to a third-party application server, the mobile terminal sends an authentication request to the authentication server; after the third-party application server queries the authentication server for the mobile terminal's authentication result, it returns the authentication result to the user.
The authentication request that the mobile terminal sends to the authentication server includes a dynamic password authentication request.
The authentication server generates a private key according to a symmetric encryption algorithm or a hash algorithm; the mobile terminal uses each client's private key as one element of the client's identity and adopts the time factor and the event factor as the synchronization factor to generate dynamic passwords. This guarantees that the data transmitted over the mobile link is random, valid once only and time-limited.
Whether the time factor or the event factor is used, the factor must be synchronized between the client and the authentication server end. The utility model adopts one-key synchronization, which guarantees that the dynamic password passes verification. One-key synchronization means: the client, which communicates wirelessly with the authentication server end, obtains the server end's dynamic factor and compares it with its own; the client then calculates and saves the difference, and through this difference the client's dynamic factor is kept consistent with that of the authentication server end.
The authentication request that the mobile terminal sends to the authentication server also includes position information for authentication.
In step (1), the user requests, through the third-party application server, the initial password for logging in to the self-service device from the authentication server; the authentication server generates the user's initial password, saves the user name and password in the authentication information database, and returns the initial password for logging in to the self-service device to the user through the third-party application server.
Alternatively, in step (1) the user requests the initial password for logging in to the self-service device from the management server through the administrator; the management server generates the user's initial password, saves the user name and password in the authentication information database, and returns the initial password to the user through the administrator.
In step (2), the user requests, through the self-service end, the serial number for initializing the client from the authentication server; the authentication server generates the serial number and its key, stores them encrypted in the authentication information database, and returns the serial number to the user through the self-service device; the serial number and the user name are cached in the self-service device.
In step (3), the user enters the serial number obtained for initialization at the self-service end; at the same time the mobile terminal sends an initialization request to the self-service device, which looks up a valid cache entry by the serial number and obtains the key information from the authentication server; the authentication server returns the key information to the mobile terminal through the self-service device; the mobile terminal verifies and saves the key information and sends a binding request to the self-service device, which binds the serial number with the mobile terminal's information and then binds the serial number with the user name, completing the initialization of the mobile terminal.
In the utility model the user only needs one tap in the client to complete initialization and binding; this is called one-key initialization. A general authentication system based on a software client needs two separate steps, initialization and binding: the user first initializes the client, then binds the account and the serial number through the administrator or by logging in to the self-service end.
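The three-party exchange of steps (2) and (3), as an added example that is not the utility model's own code: the authentication server issues a serial number and key, the self-service end caches serial number to user name and relays the key, and the mobile terminal verifies the key and binds in one step. Assumptions made for the demo: the key check value the terminal verifies is an HMAC-SHA256 of the serial number under the delivered key (an integrity check only); at-rest encryption of the key and the asymmetric encryption of the initialization messages are left out; serial numbers are consumed on binding, so a second terminal presenting the same serial number is rejected.

```python
import hashlib
import hmac
import secrets


class InitError(Exception):
    """Raised when an initialization or binding request must be refused."""


class AuthServer:
    def __init__(self):
        self.records = {}   # serial -> {"key", "user", "terminal"}; key would be encrypted at rest

    def issue_serial(self, username: str) -> str:
        # Step (2): generate the serial number and its key for this user.
        serial = "SN-" + secrets.token_hex(4).upper()
        self.records[serial] = {"key": secrets.token_bytes(20), "user": username, "terminal": None}
        return serial

    def key_info(self, serial: str):
        # Step (3): release the key only for a serial that has not been initialized yet.
        rec = self.records.get(serial)
        if rec is None or rec["terminal"] is not None:
            raise InitError("serial number unknown or already initialized")
        key = rec["key"]
        kcv = hmac.new(key, serial.encode(), hashlib.sha256).hexdigest()  # assumed check value
        return key, kcv

    def bind(self, serial: str, terminal_id: str) -> str:
        rec = self.records[serial]
        if rec["terminal"] is not None:
            raise InitError("serial number already bound to a terminal")
        rec["terminal"] = terminal_id          # bind serial number to terminal information
        return rec["user"]                     # ... and to the user name


class SelfService:
    def __init__(self, auth: AuthServer):
        self.auth = auth
        self.cache = {}     # serial -> user name, valid until the serial is bound

    def request_serial(self, username: str) -> str:
        serial = self.auth.issue_serial(username)
        self.cache[serial] = username
        return serial

    def init_request(self, serial: str):
        if serial not in self.cache:
            raise InitError("no valid cache entry for this serial number")
        return self.auth.key_info(serial)

    def bind_request(self, serial: str, terminal_id: str) -> str:
        username = self.auth.bind(serial, terminal_id)
        self.cache.pop(serial)                 # consumed: a second terminal cannot reuse it
        return username


class MobileTerminal:
    def __init__(self, terminal_id: str, self_service: SelfService):
        self.terminal_id = terminal_id
        self.self_service = self_service
        self.key = None                        # stored encrypted on a real terminal

    def one_key_init(self, serial: str) -> str:
        """One tap: fetch the key, verify it, store it, then bind. Returns the bound user name."""
        key, kcv = self.self_service.init_request(serial)
        expected = hmac.new(key, serial.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(kcv, expected):
            raise InitError("key check value mismatch; key rejected")
        self.key = key
        return self.self_service.bind_request(serial, self.terminal_id)


if __name__ == "__main__":
    auth = AuthServer()
    portal = SelfService(auth)
    sn = portal.request_serial("alice")       # step (2), serial shown to the user
    phone = MobileTerminal("IMEI-000001", portal)
    print("bound to", phone.one_key_init(sn))  # step (3)
    try:
        MobileTerminal("IMEI-000002", portal).one_key_init(sn)
    except InitError as e:
        print("second terminal refused:", e)
```

The cache lookup at the self-service end and the "already initialized" check at the authentication server are the two places that make the serial number single-use; either one alone would still let a second terminal that knows the serial number obtain the key.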
The beneficial effects of the utility model are:
1. The mobile-terminal identity authentication method provided by the utility model belongs to the dynamic password verification scheme but uses a software client instead of a hardware device, saving the cost of producing hardware.
2. The software client of the utility model is more flexible: it can communicate, so the dynamic factor between the software client and the authentication server is synchronized very easily, and it can offer the user a rich operating experience and business functions (for example: one-key initialization and binding of the client, initialization and binding by scanning a two-dimensional code, one-key verification of the dynamic password, one-key synchronization of the dynamic factor, reception of authentication results, querying of login logs, etc.).
3. Combined with the software client, the utility model provides a strong identity authentication solution that is very convenient and integrates with third-party application systems, thereby completely solving the limitations and deficiencies that the use of a hardware device brings to the whole authentication system.
Description of drawings
Fig. 1. Working schematic diagram of the system of the utility model
Fig. 2. Working flow chart of the system of the utility model (step (1))
Fig. 3. Working flow chart of the system of the utility model (step (2))
Fig. 4. Working flow chart of the system of the utility model (step (3))
Fig. 5. Working flow chart of the system of the utility model (step (4))
Fig. 6. Working flow chart of the system of the utility model (step (5))
Embodiments
The system used by the utility model to realize the above identity authentication method comprises: a mobile terminal, a self-service end and an authentication server end; the authentication server end contains an authentication information database and an authentication agent package (as shown in Fig. 1, where the authentication system in Fig. 1 is the authentication server end).
The mobile terminal (client) comprises:
(1) Dynamic password generation unit: after initialization is completed, the mobile terminal holds a key, which is stored encrypted in the terminal. The key is unique, every user's key is different, and it is used mainly to calculate the dynamic password:
Password = OTP(key, dynamic factor)
where Password is the generated dynamic password, and
OTP is the algorithm that generates the dynamic password: a one-way hash algorithm or a symmetric encryption algorithm. The OTP algorithms currently implemented in the utility model include a proprietary hash algorithm, the OATH algorithm, the SM3 algorithm, the SMS4 algorithm, the AES algorithm, etc.
(2) One-key initialization unit: in the client the user completes initialization by scanning a two-dimensional code or by entering the serial number directly; once initialization is complete the user can use the dynamic passwords the client generates. The client uses an asymmetric encryption algorithm during the initialization communication.
(3) One-key synchronization unit: with a single tap in the client the user synchronizes the dynamic factor (time and event) between the client and the authentication server end.
(4) One-key verification unit: with a single tap in the client the user has the current dynamic password checked by the authentication server end and receives the check result.
(5) Authentication result receiving unit: the mobile terminal obtains and displays the check result of the current dynamic password.
(6) The client supports dynamic password generation for several third-party applications: the top of the client's navigation page is sorted by industry category; tapping an industry shows the applications under it, and tapping an application opens the corresponding dynamic password generation page.
(7) Location service unit: an application program running on the mobile terminal device that obtains the terminal's position by means of the channel and the API interface provided by the operator and uploads it to the server.
The authentication server end (the authentication system in Fig. 1) comprises:
(1) Data decryption module: decrypts the received communication data with an asymmetric algorithm.
(2) Password check module: using the key and dynamic factor stored on the server end, calculates the dynamic password with the same algorithm as the client and checks the dynamic password uploaded by the client under a window policy. If the time is the dynamic factor, a time window applies: a candidate time t is accepted when current time - n < t < current time + n, where n is the configured window (in minutes); as long as one of the dynamic passwords generated within the window equals the client's dynamic password, the check passes. If an event is the dynamic factor, an event window of n (counts) applies, and an initial count can be generated at random.
(3) Access control module: the same password can be used only once; the authentication control service identifies dynamic passwords that have already been used and guarantees that a used dynamic password cannot be used again.
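The formula Password = OTP(key, dynamic factor), the one-key synchronization of the dynamic factor described above, and the password check module's window policy together with the access control module's single-use rule, as one added example that is not the utility model's own code. It uses the OATH HOTP construction (HMAC-SHA1 with dynamic truncation to six digits) as the OTP algorithm; the one-minute time step, the window sizes and the serial number are assumptions for the demo. The client keeps the saved clock difference from one-key synchronization, the server searches the window and burns each accepted factor.

```python
import hashlib
import hmac
import struct

DIGITS = 6
TIME_STEP = 60   # assumption: one time step per minute, so the window n is in minutes


def otp(key: bytes, factor: int) -> str:
    """Password = OTP(key, dynamic factor): HMAC-SHA1 over the big-endian factor,
    OATH dynamic truncation, reduced to DIGITS decimal digits (HOTP, RFC 4226)."""
    digest = hmac.new(key, struct.pack(">Q", factor), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def time_factor(seconds: int, offset: int = 0) -> int:
    return (seconds + offset) // TIME_STEP


class MobileClient:
    def __init__(self, key: bytes, clock):
        self.key = key            # per-client key delivered at initialization
        self.clock = clock        # callable returning the terminal's local time (s)
        self.offset = 0           # difference saved by one-key synchronization
        self.counter = 0          # event factor

    def sync(self, server_time: int) -> int:
        # One-key sync: obtain the server's factor and keep only the difference.
        self.offset = server_time - self.clock()
        return self.offset

    def time_password(self) -> str:
        return otp(self.key, time_factor(self.clock(), self.offset))

    def event_password(self) -> str:
        code = otp(self.key, self.counter)
        self.counter += 1
        return code


class AuthServer:
    def __init__(self, time_window: int = 1, event_window: int = 5):
        self.keys = {}            # serial -> key (encrypted at rest in a real deployment)
        self.counters = {}        # serial -> next expected event factor
        self.used = set()         # (serial, time factor) already accepted
        self.time_window = time_window
        self.event_window = event_window

    def enroll(self, serial: str, key: bytes, initial_counter: int = 0):
        self.keys[serial] = key
        self.counters[serial] = initial_counter   # may be chosen at random

    def verify_time(self, serial: str, password: str, now: int) -> bool:
        key = self.keys[serial]
        base = time_factor(now)
        for f in range(base - self.time_window, base + self.time_window + 1):
            if hmac.compare_digest(otp(key, f), password):
                if (serial, f) in self.used:
                    return False              # access control: a password is single-use
                self.used.add((serial, f))
                return True
        return False

    def verify_event(self, serial: str, password: str) -> bool:
        key = self.keys[serial]
        start = self.counters[serial]
        for f in range(start, start + self.event_window):
            if hmac.compare_digest(otp(key, f), password):
                self.counters[serial] = f + 1  # used and skipped factors are burned
                return True
        return False


if __name__ == "__main__":
    KEY = b"12345678901234567890"             # RFC 4226 test key, constructed input
    now = 1_700_000_000
    server = AuthServer()
    server.enroll("SN-0001", KEY)
    client = MobileClient(KEY, lambda: now + 300)   # terminal clock five minutes fast
    print("before sync:", server.verify_time("SN-0001", client.time_password(), now))
    client.sync(now)
    pw = client.time_password()
    print("after sync:", server.verify_time("SN-0001", pw, now))
    print("replay:", server.verify_time("SN-0001", pw, now))
    print("event:", server.verify_event("SN-0001", client.event_password()))
```

The time check searches 2n + 1 steps around the server's clock, so a terminal whose clock drifts further than n steps fails until it saves a new difference; the event check accepts any of the next n counts and then moves the server counter past the accepted one, so a skipped password can never be submitted later.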
(4) Position comparison module: stores and analyses the IP information of the user's logins together with the position information of the corresponding mobile terminal. The position provided by the mobile terminal, the IP address of the PC logging in to the application server, and the stored positions and IP addresses from which the user usually logs in are compared; as soon as an anomaly is caught, appropriate measures are taken.
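One form the position comparison can take, as an added example that is not the utility model's own code: the terminal's reported coordinates are compared with the location of the PC's login IP and with the user's previously accepted login positions, using great-circle distance. The IP-to-location table, the two distance thresholds and the coordinates are constructed for the demo; a real deployment would take the IP location from a geolocation database and store the history in the authentication information database.

```python
import math

EARTH_RADIUS_KM = 6371.0

# Constructed IP geolocation table (assumption): documentation-range addresses
# mapped to two cities about 1070 km apart.
IP_GEO = {
    "203.0.113.10": (39.9042, 116.4074),   # Beijing
    "198.51.100.7": (31.2304, 121.4737),   # Shanghai
}

FAR_FROM_LOGIN_IP = "mobile terminal is far from the PC's login IP"
UNKNOWN_IP = "login IP has no known location"
UNUSUAL_LOCATION = "location differs from the user's usual login locations"


def haversine_km(a, b) -> float:
    """Great-circle distance between two (latitude, longitude) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


class PositionComparer:
    def __init__(self, ip_geo, same_place_km: float = 50.0, habitual_km: float = 100.0):
        self.ip_geo = ip_geo
        self.same_place_km = same_place_km   # terminal and login PC should be this close
        self.habitual_km = habitual_km       # distance at which a place counts as new
        self.history = {}                    # user -> list of accepted terminal positions

    def compare(self, user: str, terminal_pos, login_ip: str):
        """Return the list of anomalies for this login; an empty list means consistent."""
        anomalies = []
        ip_pos = self.ip_geo.get(login_ip)
        if ip_pos is None:
            anomalies.append(UNKNOWN_IP)
        elif haversine_km(terminal_pos, ip_pos) > self.same_place_km:
            anomalies.append(FAR_FROM_LOGIN_IP)
        usual = self.history.get(user, [])
        if usual and min(haversine_km(terminal_pos, p) for p in usual) > self.habitual_km:
            anomalies.append(UNUSUAL_LOCATION)
        if not anomalies:
            # Only consistent logins extend the user's habitual positions.
            self.history.setdefault(user, []).append(terminal_pos)
        return anomalies


if __name__ == "__main__":
    checker = PositionComparer(IP_GEO)
    beijing, shanghai = (39.9042, 116.4074), (31.2304, 121.4737)
    print(checker.compare("alice", beijing, "203.0.113.10"))   # []
    print(checker.compare("alice", beijing, "198.51.100.7"))   # terminal far from login IP
    print(checker.compare("alice", shanghai, "198.51.100.7"))  # unusual location for alice
```

Anomalies are returned rather than acted on, so the caller (the authentication server's behaviour analysis and log modules in this design) decides whether to reject the login, demand a fresh dynamic password, or only record the event.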
(5) Data encryption module: encrypts the data to be communicated with an asymmetric algorithm.
(6) Dynamic factor synchronization module: provides the authentication server end's dynamic factor to the client.
(7) Key generation module: generates a unique key for each client; the keys obtained by different clients are all different.
(8) Initialization password generation module: generates, for users of third-party applications, the initial password for logging in to the self-service end, and saves the user name and initial password in the authentication information database.
(9) Log module: records authentication logs, position comparison logs, etc., for use in behaviour analysis.
The self-service end comprises:
(1) Serial number generation module: generates the serial number, or the serial number two-dimensional code, needed when the client is initialized.
(2) Self-protection module: once the user has initialized the client, the self-service end automatically enables dynamic password protection.
(3) Log module: lets the user check operation logs, account anomaly information, etc.
(4) User self-service operation module: serial number information query, unbinding, freezing, unfreezing, cancellation, etc.
(5) Client update module: downloads the latest software client.
The identity authentication system also comprises a management server end, which comprises:
(1) Third-party application management module: manages the third-party applications that integrate dynamic passwords.
(2) Key distribution module: generates the public and private keys used for communication among the client, the authentication system and the third-party applications, and stores them in the corresponding authentication information database.
(3) Role and permission module: different login roles have different operation permissions.
(4) Authentication server monitoring module: monitors the running state of the authentication server cluster in real time and raises an alarm on any abnormality.
(5) Client version release management module: manages the release of client versions.
(6) Log management module: manages authentication logs, operation logs and abnormality information.
(7) Behaviour analysis module: analyses the user's various behaviours and records the corresponding analysis results; as soon as abnormal information is found, corresponding security measures are taken.
(8) Report display module: presents the behaviour analysis results graphically.
The authentication information database stores keys, related operations, behaviour logs and similar information. All sensitive data is encrypted before it is stored in the database, which has complete data security protection, management and backup functions. Rich integration interfaces are provided so that third-party applications can integrate with the authentication system; access is offered in several ways (TCP/IP, web service and HTTP) and packaged in the corresponding authentication agent package.
The identity authentication system based on a mobile terminal provided by the utility model is realized by the following steps:
(1) the user obtains the initial password for logging in to the self-service end through the third-party application system (B/S) or from the administrator (as shown in Fig. 2); (2) the serial number for initializing the mobile client is generated (Fig. 3); (3) the mobile client is initialized (Fig. 4); (4) authentication: when the user applies to log in to a third-party application server, the mobile terminal sends an authentication request to the authentication server; after the third-party application server queries the authentication server for the mobile terminal's authentication result, it returns the authentication result to the user (as shown in Figs. 5 and 6).
Although the utility model has been described with reference to certain preferred embodiments, those of ordinary skill in the art will understand that various changes in form and detail may be made without departing from the spirit and scope of the utility model as defined by the appended claims.