WO2009089764A1

WO2009089764A1 - A system and method of secure network authentication

Info

Publication number: WO2009089764A1
Application number: PCT/CN2008/073863
Authority: WO
Inventors: Shaohua Ren
Original assignee: Shaohua Ren
Priority date: 2008-01-10
Filing date: 2008-12-30
Publication date: 2009-07-23
Also published as: CN101978650B; CN101978650A

Abstract

A system and method of secure network authentication are disclosed in this invention. The security and convenience of network authentication can be improved greatly when the authentication is processed in the third-party, but the solutions of network authentication through the third-party have great defects up to now. As to the defects in the third-party authentication, an innovative system and method of third-party identification authentication are disclosed to overcome the defects mentioned above. In this invention, the third-party authentication system uses a program which is run on the three parties and can be responded automatically, toform a system so as to achieve the following functions: the UE can access different server party resources with only once third-party authentication; when the authentication of the third-party ends, the access of the UE to the server party also ends; the security can be improved with other methods (the portable IC, the agreed algorithm, the information with closed transmitting and changeable calculation), etc.

Description

Secure network authentication system and method

The present invention relates to a secure network authentication system and method. Background technique

The amount of resources and services provided by the Internet is huge and growing rapidly. The Internet has become the main channel for people to access information resources and information services. Many online resources and service providers require users to log in and verify. This has caused some problems. First, each network service party uses different login information, and the login information is difficult to remember. Secondly, the simple user name plus password method also has the problem of too low security, which can not meet the needs of many online applications.

The third-party or intermediaries' authentication method is an effective way to solve the above problems, but the existing third-party (intermediary) certification solutions have some shortcomings.

For example, some solutions are that the user saves the username and password of the online resource in a fixed online authentication service. When the user logs in to the online resource, the online authentication service automatically completes the login of the online resource by using the user's username and password. Although this method is convenient, it still uses a fixed username and password to log in to the online resource. The user needs to record the user name and password registered at each resource site in the portal, and the security cannot be guaranteed.

For another example, some solutions use the end user to send a user authentication information with a time validity period to the user terminal after authenticating the identity of the service provider through the online authentication service.

In COOKIE, when the terminal connects to the service party, the online authentication service party checks the user authentication information saved by the terminal and notifies the network service party. In this way, since the user still retains valid user authentication information after the user stops using the terminal, the authentication confirmation information may be stolen. In addition, such a solution cannot be used in some terminal environments where COOKIE is disabled.

As another example, some solutions are authenticated by other communication terminals. But in this scheme In this case, other communication terminals of the user cannot automatically identify the authentication information and actively participate in the delivery process. Therefore, such a solution is insecure and inconvenient, such as: It is impossible to access different service party resources after one third party authentication; When the third-party authentication is suspended, the user's access to the service provider is also suspended; the third-party authentication method (IC key, etc.) cannot be combined to enhance security; only the small-digit string can be used for authentication and cannot be authenticated. Calculate changes in the information passed in the delivery; and so on.

For another example, some solutions are implemented by means of a third party transmitting the IP address of the user terminal, but there are some limitations, such as: In some NAT environments, the intranet user cannot obtain the external IP address of the program object; the authentication procedure cannot Get or listen to the IP address of other programs; and so on.

In addition, the use of mobile IC keys for authentication is a very good way to enhance network authentication security. This approach has been used in many applications, such as online banking. However, if each online application issues its own mobile IC for authentication, it is not only costly but also very inconvenient for users.

In addition, the existing methods on the Internet to establish a new connection based on established connections (such as SessionlD and IP address transmission) have security and limitations: SessionlD is unchanged; some NAT restrictions IP address transfer.

Summary of the invention

In response to the above-mentioned shortcomings of the third party authentication method, the present invention adopts an innovative third party identity authentication system and method to solve the above mentioned problems. The third-party authentication system of the present invention realizes the following functions by running a program capable of automatically responding on three parties: The user terminal can access different service party resources after a third-party authentication; the user is authenticated when the third-party authentication is suspended. The terminal's access to the servant is also aborted; combined with other means (mobile ICs, contracted algorithms, and closed-computable, changeable information, etc.) to enhance security; and so on. The third party identity authentication system and method of the present invention specifically have four schemes, respectively Scheme I, Scheme II, Scheme III and Scheme IV, these four schemes can be combined to create a new application scheme.

In view of the above-mentioned shortcomings of the SesskmID and IP address delivery methods on the Internet, the present invention proposes an innovative method for establishing a new connection between two parties on the Internet, which is the scheme V below. Option I

The third-party authentication system of the present invention can realize the following functions through the active participation and automatic completion of the three-party software: The requesting party can access different service party resources after one third-party authentication; the requesting party to the service party when the third-party authentication is suspended Access is also aborted; combined with other third-party authentication methods (mobile ICs, keys, etc.) to enhance security; information transmitted in closed closures is computationally altered to enhance security;

The present invention is implemented by a third-party identity authentication system and method, wherein three systems are respectively connected to the same network, and the three systems are respectively a service party, a requesting party, and a third party, wherein the service party requests the request. The party's authentication is to be completed by a third party. When the requesting party requests the access authentication, the three parties can complete the following steps: One party obtains the authentication information and initiates the authentication information from the above three parties. Closed transfer, wherein the program running on the other two parties can automatically recognize the information and path of the closed transfer and respond to the completion of the closed transfer, wherein the end point of the closed transfer in the above three parties can verify whether the received information originates from the starting point of the closed transfer The authentication passes only when the received message originates from the beginning of the closed delivery.

Wherein, the same network is the Internet.

Among them, only when the requesting party passes the third-party certification, the third party will participate in completing the closed delivery.

Among them, only when the service party passes the third-party certification, the third party will participate in the completion of the closed transmission.

Wherein the closed transit path consists of information transfer between each of the three systems, Specifically: the starting point and the ending point of the closed transmission are the same party, firstly sending information to the other party, then the last party in the other direction sends out the information, and then the last direction returns information to the first party to complete the closed transmission; or, the starting point of the closed transmission The end point is not the same as the end point. First, one party separately sends information to the other two parties, and then one of the other two parties sends a message to the other party to complete the closed transmission.

Wherein, in the closed transmission, the content of the information that is closed and transmitted when transmitted from one party to the other is constant. The closed delivery information cannot be the IP address and port number in the packet header, because for example, if one of the parties is behind NAT, the intranet IP address and port number of the application object will be mapped to the external network IP address after NAT processing. And port number.

Among them, different service parties can authenticate the same requestor through the same third party. The closed transmission from the three parties originating from the authentication information means that the transmitted information is the same or the transmitted information is different and conforms to a corresponding mathematical calculation corresponding rule.

Wherein, in the closed transmission, the information transmitted is the authentication information itself. At this time, the end point of the closed transmission verifies whether the received information is consistent with the issued authentication information or whether the two received information are consistent, and if they are consistent, the proof is obtained. The information received originates from the starting point of the closed transmission. At this time, the information transmitted between each of the closed passes is the same, and is the authentication information. Wherein, the authentication information may be a sequence consisting of any symbols. For example: The authentication information can be a random number generated by a random function.

Alternatively, in the closed delivery, at least one of the information conveyed is not authentication information, and the information is generated by one or both parties based on the authentication information. At this time, the end point of the closed delivery can verify whether the received information is Whether the two pieces of information generated or received based on the authentication information are generated based on the same authentication information, if generated based on the authentication information or generated based on the same authentication information, the information received to prove receipt originates from the starting point of the closed delivery. At this point, the information passed between each of the closed passes is not all the same. For example: When the start and end points of the closed transfer are not the same, the authentication information may be a randomly generated pair of numbers that conform to a specific law. The closed starting point sends two of the pair of numbers to the remaining two parties, and the closing end point determines whether the received two pieces of information originate from the same authentication information by verifying whether the two numbers obtained meet the specific law. For another example, the authentication information may be a random sequence. After receiving the authentication information, one party calculates its one-way hash value by an agreed algorithm and sends the hash value to the end point of the closed transmission. Another example: the authentication information may be a key, a one-way hash function or other function. After receiving the authentication information, one party calculates the agreed value by the key, one-way hash function or other function and sends it to the closed end point. The closed end point determines whether the party's information originates from the starting point of the closed delivery by checking the agreed value.

Wherein, in the closed transmission, the information transmission path between any two of the three parties does not pass through the other of the three parties.

Wherein, in the closed delivery, each information sent by the requesting party is used only for one authentication, and each information sent by the requesting party cannot be inferred from information previously sent by the requesting party.

The process of the closed delivery is completed by a program running on the three systems through a computer network, and the user of the system is not included in the delivery path, and the user of the system does not need to know the content of the delivery information, and the user of the system does not need to Participate in the process of delivery.

The service provider is a computer system that provides resources and services to users through the Internet, the requesting party is a computer-enabled terminal device connected to the Internet used by the user, and the third party is a computer capable of authenticating the user of the requesting party through the Internet. The system, wherein the service party provides resources and services to the requester only when the user of the requesting party passes the identity authentication of the service party, and the identity authentication of the user to the user is performed by a third party.

The requesting party may be a PC terminal, a mobile terminal, or the like, and the server and the third party may be a server or a server group.

The service party and the requester may also be user terminals that use third party services. For example, the present invention can be used in an instant messaging system in which two user terminals establish a handshake process of a point-to-point connection between two terminals through an instant messaging system, such as: a third party is an instant messaging service party, the service party And the requesting party is the user of the instant messaging service, wherein when the server needs to send a file to the requesting party or the requesting party needs to establish a dialogue connection with the service party, the server or the requesting party can generate an authentication information and directly and through the first The three parties send to the other party, and the requester or the service party that receives the authentication information verifies the received authentication information to determine whether the connection authentication of the other party passes.

Wherein, in the closed transmission, when one party generates the authentication information or when the closed delivery destination party receives the first information, a time stamp is generated, and only when the closed delivery destination party receives the information or receives the second information. The certification will not pass until the specified period of validity has expired. For example: When the servant is the start and end points of the closed delivery, the servant will mark the current system time when generating the authentication information. When the information is returned through the closed delivery, the servant compares the return time and the generation time, only when the time difference is less than The specified value is the certification to pass. Another example: When the requester is the starting point of the closed transmission and the service party is the end point of the closed transmission, the service party compares the time difference between the first information and the second information. Only when the time difference is less than the specified value, the authentication can pass.

The three systems are independent of each other, the three are operated independently, the three are independently connected to the Internet, the three are not the same independent entity, and the three do not have a affiliation relationship, and any one of the three The other party's system privileges do not have administrative or control rights.

The requesting user has a user identification code (APID) in the servant system, and the requesting user also has a user identification code (AUID) in the third party system, and the APID has a corresponding relationship with the AUID. The correspondence is controlled by the server system or a third party system. Wherein the user identification code is a sequence consisting of any symbol.

The number of the service parties is multiple, and one requester user may have several different APIDs on several application service systems, and the APIDs may correspond to the same AUID of the user on the same third party system.

The third-party system is one or more, and one requesting user may have an AUID on several third-party systems, and the AUIDs may correspond to the same service party of the user. The same APID on the system.

Among them, the communication path between each of the three parties can be encrypted, such as the connection established by SSL.

The connection manner of the same network includes a wired mode and a wireless mode.

In order to prevent malicious eruption of the login request and the like, the servant may perform authentication on the requesting user with the login password before authenticating the requesting user through the third party.

The end point of the closed delivery is a service party or a third party, wherein when the third party is the end point of the closed delivery, the third party needs to notify the service party of the result of the authentication.

The authentication information is generated immediately by a party when the closed delivery is initiated or is generated in advance.

The information conveyed by the closure is not an IP address and a port number in the data header. The closed delivery information does not depend on the IP address and port number, which provides better security and better addresses NAT penetration and other issues.

Wherein, before or during the closing transmission, the requesting party sends a connection request directly to the servant or through the third directional service party, and the connection request may be completed by the information transmitted by the closure or by a separate The steps and information are completed.

The port or connection that the servant allows the requesting party to access after the authentication is passed is the port or connection in which the requesting party and the servant perform information transmission in the closed delivery. For example: the requesting party is a local area network user in a NAT gateway, and the requesting party performs the information transfer in the closed delivery through the port P assigned by the NAT, and the service party allows the port P to access the specified service or Resources.

Among them, the information transmission between the requester and the service party is carried out through the Internet. Information transfer between the service provider and the third party is done via the Internet or not via the Internet. Information transfer between the requesting party and the third party is done via the Internet or not via the Internet.

Wherein, in the closed delivery, the requesting party separately communicates with the service party through two different programs. The third party performs information transmission, wherein the requesting party transmits information to the third party through a program, and the requesting party accesses the service party through another program after the service party passes the authentication of the requesting party. As described in the following embodiments, the requesting party communicates with a third party through a special authentication procedure, and the requesting party communicates with the servant through other programs and establishes an access, and the authentication program can communicate with the other program.

The process of the closed delivery is performed by a program running on the three systems, wherein an authentication program running on the requesting party can automatically participate in completing the closed delivery after being authenticated by a third party, wherein only The closed delivery can only be completed when the authentication program runs and passes third party authentication. The service provider authentication can only be passed when the closed delivery is correctly completed. After the service provider passes the authentication, the service party responds to the requester's access request according to the requester's authority.

Wherein, when the third party is the end point of the closed delivery, the third party will pass the verification result of the verification notification closure to the service party after the closure delivery is completed.

The requesting party can access different servant resources after a third-party authentication.

The access of the requesting party to the specified service or resource of the service party is also suspended when the authentication program is suspended.

The third party will authenticate the requesting party each time the requesting party reconnects to the third party, and the requesting party can access multiple different servants by only one third party's identity authentication.

Each time the requesting party re-accesses the servant, the servant will perform access authentication on the requesting party.

The content of the invention relates to how the third party transmits the authentication credential of the requesting party to the servant, and the way the third party authenticates the requesting party can be combined with any feasible manner, for example: a simple username and password, symmetrical Key or asymmetric key authentication, dynamic password, one-way function calculation, biometric authentication, mobile IC chip, authentication by other communication terminals of the user, SIM card recognition Etc., the specific method is not limited to the manners listed above, but may also be a combination of several methods. The invention adopts a closed delivery method originating from the authentication information to transmit the authentication certificate of the third party to the requesting party to the service party, and the service party determines whether the authentication is passed by comparing whether the received information matches. This solution has various implementation methods, small workload on the service side, simple program and easy implementation. Moreover, the closed delivery information does not depend on the IP address and port number, providing better security while better addressing NAT penetration and other issues. Scheme II

The invention provides a security certification by a third party, and the user has a mobile ic. On the one hand, a different identity can be conveniently accessed through a single identity authentication performed by a third party. On the other hand, the portable IC can Implement secure identity authentication on different terminals.

The present invention is implemented as follows: The system includes a mobile IC, a terminal, an application service system, and an authentication service system, wherein the terminal, the application service system, and the authentication service system are respectively connected to the Internet, and the application service system is to the end user through the Internet. a computer system providing a service, the user uses the service provided by the application service system through the Internet on the terminal, and the application service system authenticates the terminal user through the authentication service system, wherein the terminal user has a movable type

The IC, the mobile IC is connected to the terminal through a standard interface of the computer peripheral, and the authentication service system authenticates the terminal user through the mobile IC. The authentication service system can directly authenticate the authentication information of the terminal user after the terminal user passes the identity authentication. Passed or passed through the terminal to the application service system, wherein the authentication service system can deliver the authentication information to the application service system only when the connection identifier of the mobile IC and the terminal is valid. The application service system will allow the user terminal to access the specified service after receiving the authentication information and confirming the validity.

Among them, each authentication information is used only once and cannot be inferred from the previous authentication information. For example: the authentication information may be information generated by the authentication service system including a time stamp and a username, and a digital signature encrypted by the private key of the information, or the authentication information may be a random number generated by the authentication service system and the authentication service system Random numbers in both direct and user terminals The formula is sent to the application service system, and so on.

When the authentication information is transmitted by the terminal, the authentication service system or the application service system can forward the authentication information to the other party through the application running on the terminal, and the terminal program can identify the authentication information and complete the forwarding of the authentication information. The user does not need to know the content of the authentication information, and the terminal user does not need to participate in the forwarding process.

Among them, the authentication service system can transmit the authentication information to the application service system only when the connection identifier of the mobile IC and the terminal is valid. The connection tag may be a tag that connects the validity period generated after authentication, or a tag that depends on a specific program object, or a tag that is valid for the current connection. For example: When the mobile IC is authenticated by the authentication service system, the authentication service system generates a time expiration mark, during which the terminal's connection tag is valid. Another example: When the mobile IC is authenticated by the authentication service system, a program object is run on the terminal, and the connection flag of the terminal is valid during the running of the program object, and the connection flag of the terminal is invalid when the program is aborted. Another example: The connection mark can also be designed such that when the portable IC is connected to the terminal, the connection mark of the terminal is valid.

The standard interface of the computer peripheral is a wired or wireless standard interface for interconnecting communication between the computer and the external device and the removable storage device, and the standard interface is plug and play, such as: USB interface, Bluetooth Interface and more. Plug and Play means: After the peripherals are connected to the booted computer host through this interface, they can communicate and use each other immediately without restarting the host computer.

Among them, the terminal, the application service system and the authentication service system are independent of each other. The terminal, the application service system and the authentication service system are independent of each other, which means that the three are independently operated, and the three are independently connected to the Internet, and the three do not belong to the same independent entity, and the three do not have a belonging relationship. . Any one of the terminal, the application service system, and the authentication service system does not have management or control over the system rights of the other party.

Wherein, the mobile IC stores a mathematical algorithm or an algorithm factor X, and the authentication service system stores Corresponding mathematical algorithm or algorithm factor Y, mathematical algorithm or algorithm factor X and mathematical algorithm or algorithm factor 存在 exist, the authentication service system can be based on mathematical algorithm or algorithm factor X and mathematical algorithm or algorithm factor Υ correspondence The relationship authenticates the end user. Depending on the implementation, mathematical algorithms or algorithmic factors X and Υ can also be combined with external variables or parameters to improve security, such as: adding time variables, adding instant parameters sent by the authentication server to the terminal, adding counter parameters, Add random variables, join username and password

„.

Wherein, the mathematical algorithm or algorithm factor X and the mathematical algorithm or algorithm factor are the same symmetrically encrypted key, or a pair of asymmetrically encrypted keys, or a dynamic cryptographic algorithm.

Wherein, the movable IC can perform a mathematical operation on a mathematical algorithm or an algorithm factor X, and send the operation result to the terminal through a standard interface. The mathematical operations may be: encryption, decryption, digital digest calculation, one-way function calculation, or dynamic password calculation, and the like. The portable IC is an integrated circuit having computing and storage functions, including a chip and peripheral circuits.

The terminal user has an user identification code (APID) in the application service system, and the terminal user also has a user identification code (AUID) in the authentication service system, and the APID has a correspondence relationship with the AUID, and the application service system or the authentication service system stores the APID. Correspondence with AUID. The user identification code can be a sequence of any symbol. For example: APID and AUID can be the login user name of the end user on the application service system and the authentication service system or a unique string randomly generated by the system. For another example: AUID can be "application service system name + APID", and the application service system can directly obtain the AUID based on the APID and send it to the corresponding authentication service system to request identity authentication. For another example, the AUID may be a string generated by the authentication service system for the end user, and the authentication service system or the application service system stores a correspondence list between the AUID and the APID, and the authentication service system or the application service system may obtain the list according to the list and the APID. AUIDo

The application service system is multiple, and one terminal user can serve in several applications. There are several different APIDs on the system, and these APIDs can correspond to the same AUID of the user's mobile IC on the same authentication service system.

The authentication service system is one or more, and the mobile IC of one end user may have an AUID on each of the several authentication service systems, and the AUIDs may correspond to the same one of the users on the same application service system. APID.

The terminal is a computer-enabled device connectable to the Internet.

The application service system is a server or a server group, and the authentication service system is a server or a server group.

The connection manner of the Internet includes a wired mode and a wireless mode.

Wherein, the user identification code is a sequence consisting of any symbol.

The application service system is a computer system that provides resources and services on the Internet.

Among them, the same mobile IC can have multiple APIDs or AUIDs on the same application service system or authentication service system.

After the application service system receives the authentication information and confirms the validity, the user terminal is allowed to access the designated service, and when the connection flag fails, the user terminal access to the designated service of the application service system is also suspended.

The mobile IC completes information transmission and authentication by using an authentication program running on the user terminal and the authentication service system. After the terminal user passes the authentication, the authentication service system sends the authentication information to the application service system, and the application service system receives the authentication information. When the validation is valid, another program object of the non-authentication program running on the user terminal is allowed to access the specified service. Wherein, if the authentication information is forwarded by the user terminal, the authentication information is sent by the user terminal to the application service system by another program object of the non-authentication program, and if the application service system receives the authentication information and confirms the validity, the non-authentication Another program of the program will be allowed to access the specified service.

In the present invention, in order to prevent malicious eruption of the landing request and the loss of the mobile IC, etc., Set the login password for the end user to log in to the authentication service system, application service system or mobile IC. For example: After the terminal user passes the simple authentication of the authentication service system with the login user name and the login password, the authentication service system authenticates the identity through the mobile IC. For another example, after the terminal user passes the simple authentication of the application service system by using the login user name and the login password, the application service system authenticates the terminal through the authentication service system. For another example, the user can authenticate to the authentication service system by using the mobile IC only by the login password verification of the mobile IC.

The content of the present invention relates to a third-party authentication service system that implements identity authentication for an end user through a mobile IC, and the specific manner in which the authentication service system transmits the authentication information of the terminal user to the application service system can be combined with various possible Method, for example:

1) The application service system sends specific information to the authentication service system. If the terminal passes the identity authentication of the authentication service system, the authentication service system returns the specific information to the application service system through the terminal, and the application service system determines according to the specific information returned by the terminal. Whether the user's authentication passed;

2) The application service system requests the authentication service system to perform identity authentication on a certain terminal. If the terminal passes the identity authentication of the authentication service system, the authentication service system directly provides specific information to the application service system, and the authentication service system sends specific information to the terminal through the terminal. The application service system returns, and the application service system determines whether the user's authentication is passed according to comparing two specific information;

3) The authentication service system generates a specific algorithm or parameter, and the authentication service system sends a specific algorithm or parameter to the terminal and the application service system, and the application service system implements the authentication of the terminal through the corresponding relationship between the specific algorithm and the parameter;

4) After the terminal passes the identity authentication of the authentication service system, the authentication service system sends specific information including the digital signature to the terminal, and the specific information further includes time information when the information is generated, and the terminal requests the application service system with the specific information. Certification

5) After the terminal passes the identity authentication of the authentication service system, when the application service system goes to the authentication service The service system sends a request for identity authentication to the terminal and a random number. The authentication service system compares the address information of the terminal with the address information of the authentication terminal or the comparison result and sends the random number back to the application service system.

The possible implementation manners are not limited to the ones listed above, and the specific implementation may determine a feasible solution according to specific situations.

The authentication information may be any information, and the authentication information may be generated by the authentication service system or the application service system. The function of the authentication information is to notify the application service system in some manner by the authentication service system to authenticate the identity of the terminal.

The invention combines the method of mobile IC and third-party authentication, so that the user can realize secure and convenient identity authentication on many network resources with the lowest hardware cost and time cost, gp: - aspect, the user only needs With a mobile IC, you can securely authenticate different online resources. On the other hand, users can access different online resources only by authenticating to a fixed third party. Option III

The present invention is implemented in such a manner that a secure network authentication system and method includes a user party, a service party, and an intermediary party, and at least one of the three parties can separately communicate with each other through wired or wireless means. After the user authenticates through the service provider, the service provider can access the specified service or resource of the service provider. The service provider authenticates the user through the intermediary. After the user passes the intermediary authentication, the user can authenticate through the service provider. The servant can perform the servant authentication on the same user side through the same intermediary, and is characterized in that: after the user party authenticates through the intermediary's intermediary, the authentication program run by the user party will maintain a valid authentication connection with the intermediary or Maintaining a valid authentication identifier, when the user requests access to the servant, the servant authentication is performed. In the servant authentication, if the authentication connection or the authentication identifier is valid, the intermediary will Sent to the service party with or without the user, only when the service party receives After verifying that the correct authentication credentials through service-party certification will, in After the service provider passes the service, the service party responds to the user's access request according to the user's right authority. The authentication connection or the authentication identifier of the authentication program will be invalid as long as the authentication program is suspended. The verification certificate is A message sent as a whole is composed of two separately transmitted information, wherein the user does not need to send or save the user name and password that can be directly authenticated by the service party to the service party to be registered in the service party. square. If the authentication connection or the authentication identifier is invalid, the intermediary will suspend the authentication process, and the service party's authentication to the user will fail. Among them, the user side needs to perform the service party authentication every time the user establishes a connection with the service party.

The user's access to the specified service or resource of the service party is also suspended when the authentication program is suspended. When the authentication procedure is aborted, the servant may be notified to suspend the access, or the user's access to the servant's program object may be suspended.

The program object that the user side is allowed to access the specified service or resource of the service party is not the authentication program. The specific program object of the user side accessing the service party is other program objects of the non-authentication program, and these other program objects may be initiated by the user, or the authentication program may be started on the user side.

Among them, the user party, the service party and the intermediary party are connected through the Internet. Among them, the information transmission of the three parties is carried out through the Internet.

Wherein, the verification voucher includes or contains information about the generation time, or contains random information generated by the servant or the intermediary. For example: In each servant authentication process, the servant will first generate a random sequence and send it to the intermediary. The intermediary will add the random sequence to the vouchers sent to the servant. The servant will check the voucher after receiving the voucher. The random sequence is correct only if the random sequence is correct. For another example: The content of the voucher contains the generation time of the voucher and is digitally signed. For example: the content of the voucher includes a random number generated by the intermediary, and the random number forms a character string with the user side AUID, the voucher generation time, and the service party domain name, and the character string and the random number constitute the voucher. The string and the random number are sent to the service party with and without the route of the user. The service party will receive two pieces of information. Whether the random number in the comparison string is the same as the individual random number, the certificate is correct only when the two random numbers are the same.

The content of the verification certificate of the user side issued by the intermediary cannot be inferred from the verification certificate of the user side issued by the previous intermediary. For example: The verification credential contains randomly generated information, or the verification information is a digital signature of information containing time, and so on.

Among them, each verification certificate can only complete the service party authentication once. For example, if the servant receives the authentication credential of the user after accessing the user, the servant will not receive the verification credential. In addition, in this case, the servant suspends the current access of the user to request the user. Perform service party certification again.

Among them, the authentication connection or the certification mark or the verification certificate has a time validity period, and the expired authentication connection or the certification mark or the verification certificate will be invalid. The validity period of the certification mark may be set by the user on the authentication procedure or may be set by the intermediary. The authentication procedure may prompt the user to perform the intermediary authentication to refresh the authentication identifier when the authentication identifier is to expire, or may automatically perform the intermediary authentication to refresh the authentication identifier. For example: The intermediary authentication depends on the user side key, and the authentication program can automatically perform the intermediary authentication as long as the user side key is connected or stored in the user side terminal.

The authentication identifier cannot be derived from the previous authentication identifier. The authentication identifier may also be stored on a mobile peripheral or a removable IC connected to the user terminal.

The intermediary and the servant have corresponding agreement algorithms, and the servant can verify whether the received verification vouchers are correct through the agreed algorithm. The certificate authenticated by the user side through the intermediary may be composed of two parts of information, and the service party can determine whether the two pieces of information in the voucher match by the agreed algorithm, and if the match is matched, the voucher is sent by the intermediary or is correct.

The appointment algorithm may be an encryption and decryption algorithm, or a digital signature algorithm, or a one-way function algorithm, or a dynamic cryptographic algorithm or the like. For example: The appointment algorithm is based on RSA+SHA The digital signature algorithm, the intermediary has the RSA private key and the specific SHA, the servant can obtain the RSA public key and the specific SHA corresponding to the intermediary private key, and the intermediary generates a string including the user AUID, the generation time, and the servant domain name. Digital signature, the string and its digital signature constitute the certificate authenticated by the user through the intermediary, the intermediary sends the certificate to the service party as a whole through the user, or the intermediary signs the string and digital of the certificate The two parts of the information are sent to the servant by the path of the user and the user. After receiving the vouch, the servant verifies that the string in the voucher matches the digital signature with the RSA public key + specific SHA. If it matches, the voucher is correct. .

The verification credential is not the network address of the user side, and the verification of the verification credential is not implemented by comparing the network address of the user side. The verification of the voucher is not based on the network address or IP address, which is suitable for more applications (such as some NAT applications), and in this way, verification of the voucher can be implemented to improve security.

The information transmitted between the user side and the service party does not pass through the intermediary, or the connection established by the service party to allow the user to access does not pass through the intermediary.

The intermediary has a secret key, and the verification of the verification credential by the service party is performed by the key, which is a private key in a pair of asymmetric encryption keys or a symmetric encryption key. For example, as described in the following embodiments, the intermediary generates a verification credential by means of a private key digital signature, and the service party can obtain the public key corresponding to the intermediary private key and verify the verification credential with the public key.

The verification credential is composed of one piece of information or two pieces of separately sent information. When the voucher consists of two pieces of information, the two pieces of information can be the same or different. Wherein, two pieces of information can be sent by the same route or different routes. The service party determines whether the service provider authentication is passed by using the obtained two pieces of information.

The validity of the authentication connection or the authentication identifier is that the authentication connection or the authentication identifier exists and is correct. The invalidation of the authentication connection or the authentication identifier means that the authentication connection or the authentication identifier does not exist or is deleted. Or not correct. For example: When the certification process is aborted The certificate program will notify the intermediary, and the intermediary will know that the authentication connection or the authentication ID of the authentication program has expired, and then the intermediary considers that the authentication connection or the authentication identifier is incorrect.

The user side's authentication procedure and the way to save the authentication identifier are not standard browsers.

Cookie method. The authentication program may not be a standard browser, and the authentication identifier may be stored in a manner other than a cookie. The authentication program can be composed of a standard browser plus a dedicated authentication function execution module, or a dedicated authentication function execution program.

The authentication program can also be a standard browser, and the authentication identifier is saved in the manner of a session cookie. At this time, due to the limitation of the standard browser function, the user needs to request access to the service party by selecting the service party that needs to log in from the interface of the authentication program.

Wherein, after the servant confirms that the voucher is correct, the servant will allow a connection or port from the user terminal to access the specified service or resource, and the connection or port is the port or connection to which the user forwards the credential to the servant.

The user side requests to access the service party, specifically, the user party directly sends an access request to the service party or the user sends a request to the intermediary party to the access service party. The user side can request access directly on the service party interface, and the user side can also request access to the service party on the authentication program interface.

The authentication connection is a session connection established between the authentication program run by the user side and the intermediary party after the user side authenticates by the intermediary. In this application, SessionlD can be random and has enough digits to ensure security, such as: SessionlD is a 1024-bit non-repeating random sequence.

Wherein, the authentication identifier is a random long string, or an encrypted string, or an encryption key, or a dynamic cryptographic algorithm, or a one-way function, and the like. The authentication identifier may be a SessionID in which the authentication program establishes a session with the intermediary.

In the servant authentication, the user's authentication program sends information about the authentication identifier to the intermediary to enable the intermediary to verify the authentication identifier and the user, and when the verification is correct, the intermediary The verification certificate will be sent to the service party with or without the user.

The information about the authentication identifier is either the authentication identifier itself or the information having a verifiable mathematical correspondence with the authentication identifier. For example: the authentication identifier is one of a pair of asymmetric keys or a symmetric key, the intermediary has the other of the pair of asymmetric keys or also has the symmetric key, and the authentication program uses the key identified by the authentication. Encrypt or digitally sign specific information and send the encrypted information or digital signature to the intermediary (the intermediary also owns the specific information, for example, the specific information is the random information generated by the current time or the intermediary and sent to the user) The encrypted information or digital signature is information about the authentication identifier, and the intermediary verifies the encrypted information or the digital signature with the owned key, and if it is correct, the verification is passed.

After the user side authenticates by the intermediary, the user side may also invalidate the authentication connection or the authentication identifier if the authentication program does not suspend the resident operation.

The user side has a mobile peripheral device, and only when the mobile peripheral device and the user terminal are connected by wire or wirelessly, the user can authenticate through the intermediary. The specific way of connecting the mobile peripheral to the terminal is a wired connection or a wireless connection, such as: a USB interface data line, a Bluetooth wireless interface, an infrared connection, and the like. Among them, the user can be connected to different terminals through a wired or wireless interface. Among them, the terminal connected to the user's mobile peripheral is the user terminal. For example: The user has an IC with a USB interface, and the IC stores a private key, and the intermediary authentication is completed by calculating the private key on the IC.

Among them, the user has passed a simple authentication of the service party before the service party certification. This authentication can be done by means of a login password, which can prevent malicious eruption of login requests and other issues.

Among them, the service party can communicate with each other by wired or wireless connection with the other two parties.

The user side can separately communicate with each other through wired or wireless means. After the user's access to the designated service or resource of the service party is suspended, the user needs to re-authenticate through the intermediary to perform the service provider authentication.

Wherein, the information transfer between the authentication program and the external objects of two different addresses or different domain names does not cause the authentication connection or the authentication identifier to be invalid, the information transmission or the authentication program identifies and receives the information from the service party or the intermediary, or The certification process is sent to the servant or intermediary

4 from

The three-party information transmission can also be performed by the user side.

The user side can also authenticate the service party through the intermediary in the same way, §卩: The terminal and the service party perform the exchange in the above-mentioned connection authentication process, and the terminal can complete the authentication to the service party.

Wherein, the process of connection authentication should be completed by a program running on the three-party system through a computer network.

The service party may be a server system that provides resources and services to the user through the Internet, such as various websites. The service party may also be a terminal of another user on the Internet. After the authentication of the user party is passed, the terminal of the user side is allowed to access the specified service or resource of the terminal of the other user. For example: The present invention can be used in a handshake process in which two user terminals establish a point-to-point connection between two terminals in an instant messaging system.

The designated resource or service of the service party may be a file resource, a browser service, a multimedia resource or service, an audio and video connection, an instant messaging conversation service, a search service, an online account operation service, an online transaction service, and the like. For the servant, for example: online game operators, online forums, instant messenger service providers, resource download sites, online banking, online stores, a terminal that has access to instant messaging systems (such as MSN), and so on.

Among them, the intermediary is a computer system that performs third-party authentication on the Internet.

The user terminal, the service party and the intermediary are devices with computer functions, such as:

PC, mobile phone, server, server group, etc. The user side has a user identification code (APID) in the servant system, and the user side also has a user identification code (AUID) in the intermediary system, and the APID has a corresponding relationship with the AUID. The correspondence is mastered by the server system or the intermediary system. Wherein, the user identification code is a sequence consisting of any symbol. For example: APID and AUID can be the user name of the user on the servant and the intermediary or the serial number generated by the servant and the intermediary for the user. Another example: AUID can be APID+ servant name or address. The service party stores the APID and user rights of the user side.

The communication path between the service party and the intermediary, or between the intermediary and the terminal, or between the service provider and the user may be encrypted, such as a connection established by using SSL.

The intermediary authentication can be performed in different ways, for example, the manner of the user name and password, the way of moving the IC, the way of returning the authentication number through other terminals of the user, and the like.

The invention can be implemented by loading a special module on the instant messaging terminal or the client software of the browser. In this case, the authentication program is the client software of the instant messaging terminal or the browser.

The present invention can be combined with other solutions that the inventors have applied to form a new solution, including: the service party authentication can be completed in combination with the closed delivery based on the authentication information ("Through a third party identity authentication system and method", Patent application number: 200810056123.1), the service party authentication can also be completed in a manner that the user side and the intermediary have the corresponding agreement algorithm ("the third-party authentication system and method based on the agreed algorithm", patent application number: 200810114706.5). For example, the following application scheme: The service party can verify the digital signature of the intermediary, and the user party establishes a session with the intermediary after the user authenticates by the intermediary, and a digitally signed information generated by the intermediary during the service authentication process. And sent to the service party with and without the user side, the two information received by the service party is the certificate that the user passes the authentication, the service party compares the two information and verifies the digital signature, only two information are the same and the number The credentials will be correct when the signature is correct. In the above example, the verification certificate issued by the intermediary is the so-called closed delivery information. Another example The following application schemes: The service party can verify the digital signature of the intermediary. After the user authenticates by the intermediary, the intermediary sends a DES key to the user as the authentication identifier. In the service provider authentication process, the service direction is first and The intermediary sends the same random sequence separately, the user encrypts the random sequence with the DES key and sends the encrypted information to the intermediary, and the intermediary decrypts the random sequence and compares it with the received from the service party, if two If the random sequence is the same, the authentication identifier is valid. If the authentication identifier is valid, the intermediary constructs a sequence with the user AUID and the generation time, and digitally signs the sequence and sends the sequence together with the digital signature to the servant. In the above example, after the so-called closed delivery is completed, the intermediary sends a verification credential to the service party, and the verification credential issued by the intermediary is not so-called closed delivery information.

The invention adopts a secure network authentication system and method for the service party to authenticate the user through the intermediary, and the authentication method is reliable, safe and convenient. Option IV

The present invention is implemented in this way, a third-party authentication system and method based on an agreed algorithm, wherein the user party, the service party and the intermediary party are all connected to the Internet, and the user party can access the service after passing the authentication. The designated service or resource of the party, the service party authenticates the user party through the intermediary, and the feature is: the user party has an agreement algorithm X that is unknown to other users, and the intermediary party has an agreement algorithm X corresponding to the user party. The agreement algorithm Y, the agreement algorithm X and the corresponding agreement algorithm Υ are the same or different, and the user party's appointment algorithm X is stored in the user side terminal or stored in the user terminal that can be connected with the user side terminal. In the setting, the agreement algorithm X and the corresponding agreement algorithm can perform the following two matching calculations. When an agreement algorithm X or Υ calculates the information B for the information, the agreement algorithm X or Y corresponds to the agreement. The algorithm Y or X can either calculate the information B or obtain the information B for the information A, or calculate the information A for the information B, or the information A and the The information B is calculated to verify that the information B is generated by the agreement algorithm X or Y, and the calculation by the agreement algorithm X is performed on the user terminal or on the user-side mobile peripheral. By convention The calculation by the method Y is performed by the intermediary, wherein when the user requests the access to the service party, one of the intermediary, the service party and the user side generates information, and the intermediary, the service party, and the user party will generate the information. The relevant information of Α or 进行 is transmitted and the calculation of the two matching matches is completed, and the intermediary or the servant will act as the verifier to judge whether the authentication passes or not by comparing or calculating the obtained information. During the authentication process, the information between the service party and the user side will not be transmitted by the intermediary party, and the information between the service party and the intermediary party will not be transmitted by the user side. The information about the information A or B can be compared or calculated with other related information of the information A or B to verify whether the related information A or B of the two information is the same, in each connection authentication process, or verification The party will get the information about the two information A or the related information of the two information B and verify whether the related information A or B of the two information is the same, or the verifier will get An information A and a message B and verify whether the information B is generated by the agreement algorithm X or Y to calculate the information A, and only if the two matching calculations are correctly completed, the result of the above verification will be It is affirmative, and the user's connection authentication will only pass when the verification result is positive. After the user authenticates through the connection, the service party will allow the user to access the specified service or resource.

The information related to the information A is either the information A itself, or the information (Al) generated corresponding to the information A, or the information generated by the information A or A1 in a specific manner (Am, An) Or, is used to calculate the information of the generated information A, and the related information of the information B is either the information B itself or the information (Bm, Bn) calculated by the information B in a specific manner.

The intermediary or the servant also starts a timer during each connection authentication process. If the intermediary or the servant does not receive the specified information within a limited time, the intermediary or the servant will abort the authentication process. Authentication on the user side will fail.

The user side may also send a connection authentication request to the servant or the intermediary before the other steps of the connection authentication, or the information sent by the user for the first time in the connection authentication. It also contains a connection authentication request from the user to the servant or intermediary.

The agreement algorithm is a key-based encryption algorithm or a decryption algorithm, wherein the calculation of the information A by the contract algorithm X or Y is an encryption operation, and the calculation of the information B by the agreement algorithm X or Y is a decryption operation. The agreement algorithm X includes a key XKEY, and the agreement algorithm Y includes a key YKEY, wherein, or the contract algorithm is a symmetric encryption and decryption algorithm, so that XKEY is the same as the corresponding YKEY, or the contract algorithm is an asymmetric encryption and decryption algorithm. Thus XKEY is different from the corresponding YKEY.

Wherein, the information A is a symmetric encryption key or the information A and A1 are a pair of asymmetric encryption keys, and the two matching calculations are encryption and decryption operations, and the information A passes the encryption and encryption during the connection authentication process. The decryption operation is carried out. If the connection authentication is passed, an encrypted communication connection is established between the user side and the intermediary or between the user side and the service side with the information A or with the information A and A1 as the key.

Wherein, one user side has two agreement algorithms X: an encryption algorithm XI and a decryption algorithm X2, and the intermediary side has two agreement algorithms Y corresponding to each user side: a decryption algorithm Y1 and an encryption algorithm Y2, wherein XI corresponds to Y1 Χ2 corresponds to Υ2, where XI and Χ2 have a common key XKEY, Y1 and Y2 have their same key YKEY, where XKEY and YKEY are the same symmetrically encrypted secret when the contract algorithm is a symmetric encryption and decryption algorithm. Key, XKEY and YKEY are a pair of asymmetrically encrypted keys when the contract algorithm is an asymmetric encryption and decryption algorithm.

The appointment algorithm is stored on the user-portable peripheral device, and the mobile peripheral device is connected to the user-side terminal by wire or wirelessly, and the mobile peripheral device has an IC chip, and the user side The calculation of the information A or the information B by the contract algorithm X is performed on the mobile peripheral.

Wherein, when the intermediary or the servant generates the information A, each of the information A cannot be inferred from the previous information A or the information A is randomly generated, or when the user sets the generated information A, the information A includes the information The verification information of the information A generation time, the intermediary or the service party will extract the letter The verification information of the generation time in the information A determines whether the generation time of the information A is within the specified range. If the generation time of the information A exceeds the specified range, the intermediary or the service party terminates the authentication process and the user side The certification will fail.

After the connection authentication is passed, the servant may allow a connection or port from the user terminal to access the specified service or resource, and the connection or port is the non-intermediary information between the servant and the user. The port or connection through which the information about A or B is passed.

The user side has passed the authentication of the intermediary or the servant and established the connection before performing the connection authentication.

Wherein, the three parties transmit the related information of the information A or B through the service party, wherein the intermediary and the user respectively transmit information to and from the service party, and the information transmission between the intermediary and the user side is also Completed by the service side.

Among them, different service parties can authenticate the same user side through the same intermediary. §卩: A user can connect to multiple servants, and the multiple servants can authenticate the user through the same intermediary.

Among them, the information transmission between the user and the service party is carried out through the Internet, and the information transmission between the service party and the intermediary party is performed through the Internet or not via the Internet. For example: The communication between the service provider and the intermediary can also be carried out through dedicated communication.

When the user requests access to the service provider, the specific solution for connection authentication is one of the following:

1) The intermediary generates the information A, and the service party acts as the authenticator. The intermediary will calculate the information A to generate the information B by using the agreement algorithm Y corresponding to the user, and the user will also calculate the information A by the agreed algorithm X to obtain the information B. The servant will receive either two information B, or information B and Bm, or information Bm and Bn, where the information Bm or Bn is generated by the user or the intermediary, and the servant will verify the two information obtained. Information B Whether it is the same, if the verification result is affirmative, the authentication is passed and the servant allows the user to access the specified service or resource;

The intermediary generates the information A, and the service party acts as the authenticator. The intermediary will calculate the information A to generate the information B according to the agreement algorithm Y corresponding to the user, and the user will calculate the information B by the agreed algorithm X to obtain the information A, the service party. Will receive either two information A, or information A and Am, or information Am and An, where the information Am or An is generated by the user or intermediary calculation, and the service party will verify the related information of the two obtained information A Whether it is the same, if the verification result is affirmative, the authentication is passed and the servant allows the user to access the specified service or resource;

The intermediary generates a pair of information A and information A1, and the service party acts as the authenticator, wherein the intermediary calculates the information A by using the agreement algorithm Y corresponding to the user side, and the user calculates the information B by the agreed algorithm X to obtain the information A. The service party will receive the information A1 and A or the information A1 and Am or the information A and Am, wherein the information Am is generated by the user or the intermediary, and the service party will verify whether the obtained information A of the two pieces of information is Similarly, if the verification result is affirmative, the authentication is passed and the service party allows the user to access the specified service or resource;

The intermediary generates the information A, and the intermediary acts as the authenticator, wherein the intermediary calculates the information A by using the agreement algorithm Y corresponding to the user, and the user also calculates the information A by the agreed algorithm X to obtain the information B, and the intermediary will Received a message B or Bm, where the information Bm is generated by the user or the servant, and the intermediary will verify whether the information B generated by itself and the information B related to the received information B or Bm are the same. The verification result is affirmative, then the authentication passes and the notification service party allows the user to access the specified service or resource;

The intermediary generates the information A, and the intermediary acts as the authenticator, wherein the intermediary calculates the information A by using the agreement algorithm Y corresponding to the user, and the user also uses the agreed algorithm X. The calculation information B obtains the information A, and the intermediary will receive a message A or Am, wherein the information Am is generated by the user, and the intermediary will verify the information A generated by itself and the information related to the received information A or Am. Whether A is the same, if the verification result is affirmative, the authentication passes and the notification service party allows the user to access the specified service or resource;

The intermediary generates a pair of information A and information A1, the intermediary acts as the authenticator, and the intermediary calculates the information A to generate the information B according to the agreement algorithm Y corresponding to the user, and the user calculates the information B by the agreed algorithm X to obtain the information A, the intermediary The party will receive the message Am, where the information Am is generated by the user or the servant, and the information A of the intermediary verification information A1 and the received information Am are the same. If the verification result is affirmative, then the intermediary The party notifies the service provider that the authentication is passed and the service party allows the user to access the specified service or resource;

The intermediary generates the information A, and the intermediary acts as the authenticator. The user will calculate the information A by the contract algorithm X to obtain the information B, and the intermediary will obtain the information B, and the intermediary will calculate the agreement algorithm Y corresponding to the user. The information B obtains the information A, the intermediary verifies that the information A generated by itself and the information A calculated from the information B are the same. If the verification result is affirmative, the authentication passes and the notification service party allows the user to access the designated Service or resource;

The intermediary generates the information A, and the intermediary acts as the authenticator. The user will calculate the information A by the contract algorithm X to obtain the information B, and the intermediary will obtain the information B, and the intermediary will calculate the agreement algorithm Y corresponding to the user. Verifying whether the received information B is generated by the agreement algorithm X to calculate the information A generated by itself. If the verification result is affirmative, the authentication passes and the notification service party is allowed to allow the user to access the specified service or resource; Information A, the service party acts as the verifier, the intermediary calculates the information A with the agreement algorithm Y corresponding to the user side to obtain the information B, and the user calculates the information by the agreed algorithm X. B obtains the information A, the service party will receive a message A or Am, wherein the information Am is generated by the user side, and the service party verifies that the information A generated by itself and the information A related to the received information A or Am are the same. If the verification result is affirmative, the authentication is passed and the servant allows the user to access the specified service or resource;

The service party generates a pair of information A and information A1, the service party acts as the verification party, and the intermediary party calculates the information A to generate the information B according to the agreement algorithm Y corresponding to the user party, and the user calculates the information B by the agreement algorithm X to obtain the information A, the service The party will receive the information Am, where the information Am is generated by the user side, and the related information A of the service side verification information Am is the same as the information A generated by itself, and if the verification result is affirmative, the authentication passes and the service The party allows the user to access the specified service or resource;

The servant generates the information A, the service party acts as the authenticator, and the intermediary calculates the information A by the agreement algorithm Y corresponding to the user side to obtain the information B, and the user calculates the information A by the agreed algorithm X to obtain the information B, and the servant will receive or Two pieces of information B, or information B and Bm, or information Bm and Bn, wherein the information Bm or Bn is generated by the user or the intermediary, and the service party verifies whether the information B related to the two pieces of information received is Similarly, if the verification result is affirmative, the authentication is passed and the service party allows the user to access the specified service or resource;

The servant generates the information A, the service party acts as the authenticator, the user calculates the information A by the agreed algorithm X to obtain the information B, and the intermediary calculates the information B by the agreement algorithm Y corresponding to the user to obtain the information A, and the servant will receive a message A. Information A or Am, wherein the information Am is generated by the intermediary calculation, the service party verifies that the information A generated by itself and the related information A of the received information A or Am are the same, if the verification result is affirmative, then The authentication is passed and the service party allows the user to access the specified service or resource;

The service party generates a pair of information A and information A1, the service party acts as the authenticator, and the user side calculates the information A to generate the information B by the contract algorithm X, and the intermediary party uses the agreement corresponding to the user party. The algorithm Y calculates the information B to obtain the information A, and the service party will receive the information Am, wherein the information Am is generated by the intermediary calculation, and the information A of the service side verification information A1 and the information Am is the same, if the verification result is affirmative , then the authentication is passed and the service party allows the user to access the specified service or resource;

The servant generates the information A, and the intermediary acts as the authenticator, wherein the intermediary calculates the information A by using the agreement algorithm Y corresponding to the user, and the user also calculates the information A by the agreed algorithm X to obtain the information B, and the intermediary obtains Two information B or information B and Bm, wherein the information Bm is generated by the user or the service party, and the intermediary will verify whether the obtained information B of the two pieces of information is the same, if the verification result is affirmative, Then the authentication is passed and the service provider is notified to allow the user to access the specified service or resource; the servant generates the information A, the intermediary acts as the authenticator, and the user calculates the information A by the agreed algorithm X to obtain the information B, and the intermediary uses the user The corresponding agreement algorithm Y calculates information B to obtain information A, and the intermediary obtains two pieces of information A or information A and Am, wherein the information Am is generated by the user or the service party, and the two pieces of information obtained by the intermediary verification are related. Whether the information A is the same, if the verification result is affirmative, then the authentication is passed and the service party is notified to allow the user to access the finger a service or resource;

The servant generates the information A, the intermediary acts as the authenticator, the user calculates the information A by the agreed algorithm X to obtain the information B, the intermediary obtains the information A and the information B, and the information B obtained by the intermediary verification is calculated by the agreed algorithm X. The information A is generated, if the verification result is affirmative, then the authentication passes and the notification service party allows the user to access the specified service or resource;

The servant generates a pair of information A and information A1, the intermediary is used as the authenticator, the user calculates the information A by using the contract algorithm X, and the intermediary calculates the information B by the agreement algorithm Y corresponding to the user to obtain the information A, the intermediary The party obtains the information A and A1 or the information A and Am, where the information Am is generated by the servant calculation, and the intermediary verifies the two obtained Whether the information related information A is the same, if the verification result is affirmative, the authentication passes and the notification service party allows the user to access the specified service or resource;) the service party generates the information A, the intermediary acts as the verifier, the intermediary The party calculates the information A by the agreement algorithm Y corresponding to the user side to obtain the information B, the user side calculates the information B by the agreement algorithm X to obtain the information A, and the intermediary obtains two pieces of information A or information A and Am, wherein the information Am is determined by the user side. Or the servant calculation generates, the intermediary verifies whether the two information A are the same or whether the information A related to the information A and the information A is the same. If the verification result is affirmative, the authentication passes and the notification service party allows the user The party accesses the specified service or resource;

The user side generates the information A, and the service party acts as the authenticator. The user side calculates the information A by the agreement algorithm X to obtain the information B, and the intermediary party calculates the information B to generate the information A by using the agreement algorithm Y corresponding to the user side, and the service party receives the information A. Or two pieces of information A, or information A and Am, or information Am and An, wherein the information Am or An is generated by the user or the intermediary, and the server verifies whether the related information A of the two pieces of information received is the same. If the result of the verification is affirmative, the authentication is passed and the servant allows the user to access the specified service or resource;

The user side generates a pair of information A and information A1, and the service party acts as a verifier, wherein the user side calculates the information A by the agreement algorithm X to obtain the information B, and the intermediary side calculates the information B to generate the information A by using the agreement algorithm Y corresponding to the user side. The service party receives the information A1 and A or the information A and Am or the information A1 and Am, wherein the information Am is generated by the user or the intermediary, and the service party verifies whether the related information A of the two received information is the same. If the result of the verification is affirmative, the authentication is passed and the servant allows the user to access the specified service or resource;

The user side generates the information A, and the service party acts as the authenticator. The user side also calculates the information A by the agreement algorithm X to obtain the information B, and the intermediary party uses the agreement algorithm Y corresponding to the user side. The calculation information A generates the information B, and the service party receives either the two information B, or the information B and Bm, or the information Bm and Bn, wherein the information Bm or Bn is generated by the user or the intermediary, and the service party verifies the receipt. Whether the information B related to the two pieces of information is the same, if the verification result is affirmative, the authentication is passed and the service party allows the user to access the specified service or resource;

The user side generates the information A, the intermediary side acts as the authenticator, the user side calculates the information A by the agreement algorithm X to obtain the information B, and the intermediary party calculates the information B by the agreement algorithm Y corresponding to the user side to obtain the information A, and the intermediary obtains two pieces of information. B or information B and Bm, the information Bm is calculated by the user or the service party, the intermediary verifies whether the two information B or the information B of the information B and Bm are the same, if the verification result is affirmative, then The authentication passes and notifies the service party to allow the user to access the specified service or resource;

The user side generates the information A, the intermediary side acts as the verification party, the user side calculates the information A by the agreement algorithm X to obtain the information B, and the intermediary party calculates the information B by the agreement algorithm Y corresponding to the user side to obtain the information A, and the intermediary obtains two pieces. Information A or information A and Am, the information Am is generated by the user or the servant, and the intermediary verifies whether the two information A or the information A related to the information A and Am are the same, if the verification result is affirmative, Then the authentication passes and the service provider is notified to allow the user to access the specified service or resource; the user side generates the information A, the intermediary acts as the authenticator, and the user calculates the information A by the agreed algorithm X to obtain the information B, and the intermediary obtains the information. A and B, the intermediary verifies whether the information B is calculated by the agreement algorithm X to calculate the information A. If the verification result is affirmative, the authentication passes and the notification service party is allowed to allow the user to access the specified service or resource;

The user side generates a pair of information A and information A1, the intermediary side acts as the authenticator, the user side calculates the information A by the agreement algorithm X to obtain the information B, and the intermediary party calculates the information B by the agreement algorithm Y corresponding to the user side to obtain the information A, The intermediary gets the information A and A1 or the information A and Am, the information Am is generated by the user or the servant, and the intermediary verifies whether the related information A of the two pieces of information received is the same. If the verification result is affirmative, the authentication is passed and the servant allows The user accesses the specified service or resource. The user side's contract algorithms are different from each other or are random.

Among them, the following is a few examples to illustrate the specific implementation of the information Al, Am, An:

1 Am is the product of A and large prime numbers: The verifier wants to verify the obtained information Am and information A, the information A is a 1024-bit large prime number, and the information Am is the product of one side multiplying the information A by another random 1024-bit prime number. The verifier divides the information Am by the information A, and if it can be divisible, the verification result is affirmative;

2 DES key A and encrypted information Am: The authenticator wants to verify the obtained information Am and information A, the information A is a DES key A, the party encrypts or digitally signs the specific content with the key A to obtain the information Am, verify The party decrypts the information Am with the key A or verifies the digital signature. If the decryption result is the same as the specific content or the digital signature is correct, the verification result is affirmative;

3 Am and An generated by the same hash function: The verifier is to verify whether a message Am and an information An match, and the information Am and the information An are the results calculated by the two parties with the same one-way hash function for the information A, The verifier compares the information Am with the information An, and if they are the same, the verification result is affirmative;

4 The largest convention is Am and An of A: The verifier is to verify whether a message Am and a message An are consistent, where the information A is a 1024-bit integer, the set L is the prime factor set of the information A, the set M and The set N is a set of two prime numbers, the set L, the set M and the set N do not intersect each other, the information Am is a product of 100 random numbers in the information A and the set M, and the information An is 100 in the information A and the set N The multiplicative product of the random number, the information Am and the information An are respectively generated by the two parties and sent to the authenticator as a third party, and the verification party seeks the greatest common divisor of the information Am and the information An, if The convention number is 1024 bits, and it is considered that the information A of the information Am and the information An is the same, that is, the verification result is affirmative;

5 Asymmetric key information A and A1: Information A and information A1 are respectively one of a pair of asymmetric encryption keys, and information Am is generated by one party encrypting or digitally signing specific content with information A, and the verification party The information A1 decrypts the received information Am or verifies the digital signature. If the decrypted result is the same as the specific content or the digital signature is correct, the information Am is the same as the information A related to the information A1, so that the verification result is affirmative;

6 Reciprocal matrix information A and A1: Information A and information A1 are a pair of 1024*1024 reciprocal matrices. The verifier multiplies information A and information A1. If the result is an identity matrix, information A is related to information A1. The information A is the same so that the verification result is affirmative, wherein the information A related to the information A is also the information A itself.

Here, examples of specific implementations of Bm and Bn are the same as those of 1, 3, and 4 in the above examples, and examples of the information Bm and Bn are obtained by replacing A, Am, and An in the examples with B, Bm, and Bn, respectively.

The specific way of connecting the mobile peripheral to the terminal is a wired connection or a wireless connection, such as: a USB interface data line, a Bluetooth wireless interface, an infrared connection, and the like.

Among them, the user can be connected to different terminals through a wired or wireless interface. The terminal connected to the user-portable peripheral is the user-side terminal.

The convention algorithm may also be a one-way hash function, a digital digest algorithm, a digital signature algorithm, a one-way function with parameters, and the like.

The information A is generated by one party immediately or is generated in advance. Wherein, the process of connection authentication should be completed by a program running on the three-party system through a computer network.

The user terminal, the service party and the intermediary are devices with computer functions, such as: PC, mobile phone, server, server group, and the like.

The user side has a user identification code (APID) in the server system, and the user side also has a user identification code (AUID) in the intermediary system, and the APID has a corresponding relationship with the AUID. The correspondence is mastered by the server system or the intermediary system. Wherein the user identification code is a sequence consisting of any symbol. For example: APID and AUID can be the user name of the user on the servant and the intermediary or the serial number generated by the servant and the intermediary for the user. Another example: AUID can be APID+ servant name or address.

Wherein, the service party is multiple, and one user side may have several different APIDs on several service provider systems, and these APIDs may correspond to the same AUID of the user on the same intermediary system.

Wherein, the intermediary system is one or more, and one user side may be in several The AUID is on the mediation system. These AUIDs can correspond to the same APID of the user on the same servant system.

Wherein, before the connection authentication is performed, the user side has passed the intermediary or the service party to authenticate and establish a connection at one time. This authentication can be performed by means of a login password or by means of the predetermined algorithm, which can prevent malicious eruption of a login request and the like.

Wherein, when the verifier verifies the two pieces of information related to the information A (or B), the calculation of the verification is performed after the two matching calculations are performed one by one to verify the correlation of the two pieces of information. Whether the information A (or B) is the same; and when the verifier verifies the information A and B, the calculation of the verification is performed by the latter of the two matching calculations. The information A and B are calculated by the agreement algorithm Y corresponding to the user side to verify that the information B is generated by the user side calculating the information A by the contract algorithm X.

The specific implementation of the present invention may be implemented by using an execution procedure of the SSL protocol. The information transmission between the user side and the intermediary party does not pass through the service party.

The agreed algorithms X and Y are generated by the intermediary or the user side at the same time. After the generation, the intermediary or the user sends the agreed algorithm X or Y to the corresponding user in the manner of sending or distributing the mobile peripheral. The agreement algorithms X and Y may be generated and completed before the user requests the access, or may be generated and delivered after the user requests the access. For example: the intermediary system makes a computable USB flash drive containing the encrypted private key and distributes it to the user and stores the corresponding public key in the system; when the user party registers with the intermediary, the user terminal downloads the contract algorithm X from the intermediary; the user side After successfully logging in to the intermediary, the user will establish an SSL connection with the intermediary. The master key encryption and decryption algorithm for the encrypted connection in SSL is the contract algorithm;

The invention adopts a method based on the agreement algorithm of the user side and the intermediary party to enable the service party to authenticate the user side through the intermediary party, and the authentication method is reliable, safe and convenient. Scheme V

The present invention solves the above mentioned problems by using a method of establishing a new connection between two parties on the Internet.

The present invention is implemented by a method for establishing a new connection between two parties on the Internet, wherein the first party and the second party of the two computer systems are respectively connected to the Internet, wherein the program object A on the first party can pass one The established connection sends information to the second party or receives information from the second party, wherein when the program object B on the first party wants to establish a new connection with the second party, the two parties separately Transfer between the program object A and the second party and between the program object B and the second party, wherein the two pieces of information are the same or different and have a correspondence corresponding to a specific mathematical operation rule, the two The transfer of information constitutes a closed transfer between the two parties, the program running on the two parties can automatically acquire the two information and complete the closed transfer, wherein the party that is the end point of the closed transfer can be compared by Whether the above two messages are the same or whether they meet the corresponding relationship to verify whether the received information is sent by the other party, if received New information is verified to be connected to the other of the program emitted by the object B and the transfer of information between the second party is identified and established.

The closed transmission between the two parties means: one party sends two information to the other party at the same time, or the originator sends one message to the other party and then the other party returns a 4 self.

The two pieces of information are used only once and are only used to establish a connection, and the two pieces of information cannot be inferred from previously sent information. For example: Unlike the SessionID or other application layer address, the two pieces of information are only used to establish a connection, and are not used to identify the session during the session.

Wherein, one party also generates a time stamp when transmitting the information or when receiving the first information, and the time stamp can be stored in the local information of the generation time stamp side or the information sent by the generation time stamp side, and is received as the end point of the closed transmission. At the time of the message or receive a second letter The new connection will not be confirmed and established until the specified time period has expired.

The two pieces of information are not an IP address and a port number in the data header. The closed-pass information does not depend on the IP address and port number, which better solves the NAT penetration problem in some applications.

The established connection of the program object A may be a point-to-point connection between the two parties or a connection between the two parties through a third party, and the established connection may be a two-way connection or a one-way connection. connection. For example: Program object A establishes a point-to-point connection with the second party after the second party's security authentication, and then establishes a new connection between program object B and the second party based on the secure connection that has established a point-to-point connection. Or program object A and the second party respectively log in to the common server and establish a connection through the server, and then establish a new point-to-point connection between the program object B and the second party based on the indirect secure connection.

The transfer path or communication port of the new connection of the program object B is different from the established connection of the program object A. For example: The connection of program object A is established by a third-party server, and the new connection of program object B is a point-to-point direct connection. Another example: Program object A establishes a connection through a specific application port on the first party system, and program object B establishes a connection through the HTTPS protocol port on the first system.

The one that is the end point of the closed transmission is the second party.

The two pieces of information may be the same. For example: The information may be a random number generated by a random function. Or, the two pieces of information are different. For example: the two pieces of information may be a randomly generated pair of numbers conforming to a specific law, and the issuer sends two of the pair of numbers to the other party, and the other party verifies whether the two figures obtained by the verification meet the specific law. Determine if the two messages received are from the sender. For another example, one of the information may be a random sequence, and the initiator sends the information to the other party. After receiving the information, the other party calculates the one-way hash value by the contract algorithm and sends the hash value back to the initiator. The initiator judges whether the returned information is from the other party according to the hash value. Another example: one of the information may be a key, a one-way hash function, or For other functions, the initiator sends the information to the other party. After receiving the authentication information, the other party calculates the agreed value by the key, one-way hash function or other function and sends it to the initiator. The initiator passes the agreement. Value check to determine if the information is from the other party.

The connection between the program object A and the program object B is the same program object or a different program object running on the second party.

The two pieces of information are generated immediately when the closed delivery is performed or are generated in advance.

The user of the system does not need to know the content of the information, and the user of the system does not need to participate in the process of delivery.

The first party may be a computer-enabled terminal device connected to the Internet used by the user, and the second party is a computer system that provides resources and services to the user through the Internet.

The two parties may be a PC terminal, a mobile terminal, a server, a server group, or the like. The connection manner of the Internet includes a wired mode and a wireless mode.

Among them, when program object A stops running, the connection between program object B and the second party will also be aborted.

Among them, a new connection can be established by a plurality of different program objects B through the same program object A. The present invention employs a closed transfer of two messages to cause the two parties to generate a connection to the new application object based on the established secure connection. This solution has various implementation methods, small workload, simple program and easy implementation. Moreover, the closed delivery information does not depend on the IP address and port number, providing better security while better addressing NAT penetration and other issues.

DRAWINGS

Figure 1.1 is an information transmission path diagram of Embodiment 1.1;

Figure 1.2 is a message transmission path diagram of Embodiment II.

Figure 1.3 is an information transmission path diagram of Embodiment 1.3. Figure 1.4 is an information transmission path diagram of Embodiment 1.4.

Figure 1.5 is an information transmission path diagram of Embodiment I.5;

Figure 1.6 is a typical network structure diagram of the present invention, which is applicable to schemes I, III, IV, and V. 2 is a schematic view of a typical system structure of the present invention, which is applicable to the schemes I, II, III, IV, and V. Figure 3.1, Figure 3.2, and Figure 3.3 are schematic flow diagrams of Embodiments 111.1, 111.2, and Figure 3. Figures 4.1a to 4.25c are typical information transmission diagrams of the schemes in which the serial number of the 25 schemes listed in the scheme IV of the present invention is the same as the Arabic numerals of the drawings, for example,

Figure 4.1a, Figure 4.1b and Figure 4.1c are schematic diagrams of the information transfer of the scheme 1 of the scheme of the invention.

Figure 4.25a, Figure 4.25b, and Figure 4.25c are diagrams of the information transfer scheme of Scheme IV of the inventive content,

The figure shows only a part of the information transmission mode of the corresponding solution, or the information transmission mode of the solution is not limited to the ones shown in the corresponding drawings.

In addition, Figure 4.26 is a system architecture diagram of a specific implementation of Scheme IV. Figure 5.1 and Figure 5.2 are the information transfer path diagrams of the following embodiments V.1 and V.2, respectively.

detailed description

The following embodiments illustrate specific embodiments of the five aspects of the above summary, wherein: Embodiments I.1 to I.5 may illustrate a specific embodiment of the scheme I;

Embodiment II can illustrate a specific embodiment of the scheme II;

Embodiments 111.1, 111.2, and .3 may illustrate the specific implementation manner of the scheme III;

Embodiments IV.1 to IV.6 may illustrate specific embodiments of the scheme IV;

Embodiments V.1 and V.2 may illustrate a specific implementation of the scheme V;

In addition, some of the following embodiments relate to the combination of the different aspects described and may illustrate specific embodiments of the two or more aspects. Example I.1

Figure 1.1 is an information transmission path diagram of Embodiment 1.1. The network structure of this embodiment is shown in Figure 1. The information transmitted by the closure in the embodiment I.1 is the same authentication information and the start and end points of the closed transmission are the same. In this embodiment, the requesting party is a user network terminal, the service party is a network resource, and the third party is an authentication service system that provides a third-party identity authentication service on the Internet, and the authentication information is a random number.

Embodiment 1.1 includes the following steps:

1) The user network terminal passes the identity authentication of the authentication service system;

2) the user network terminal requests a service from the network resource;

3) The network resource generates a random number and a time stamp;

4) The network resource sends the random number, the network resource URL, and the user identifier to the authentication service system;

5) The authentication service system sends the random number and the network resource URL to the user network terminal according to the user identifier;

6) the user network terminal returns the random number to the network resource according to the network resource URL;

7) The network resource compares the random number generated by itself with the random number returned from the user terminal. If the random number is the same and does not exceed the specified time validity period, the user recognizes the identity. Certificate

User ID refers to the user's APID or AUID.

In this embodiment, an application on the user network terminal can establish a secure connection with the authentication service system. In the case of identity authentication through the authentication service system, the application can complete the following steps: The application receives a random number and a network resource URL from the authentication service system through a secure connection; the application runs browsing on the terminal Looking for the same object as the network resource URL, if not found, a new browser object is generated; the application causes the found or newly generated browser object to send a connection request to the network resource URL and add the random number to the In a connection request, such as: Add a random number to the form of the connection request.

In this embodiment, step 1) may also be performed between step 4) and step 5), in which case the user network terminal may send the user's identity authentication information together in step 4) The authentication service system, the authentication service system confirms that the identity of the user is correct, and then executes step 5).

This embodiment can be conveniently implemented in conjunction with an instant messaging tool. For example, a module that recognizes the authentication information path and performs authentication information forwarding can be added to the client software of an instant messaging tool (such as MSN, Yahoo Messenger, or QQ), and then one can be generated on the server side of the network resource provider. The present embodiment is constructed by transmitting authentication information, extracting authentication information from the access request, and performing a comparison. Among them, network resources and client software can be developed and provided by the instant messaging tool provider, and network resources and customer downloads can be used, which is very convenient and feasible.

In addition, this embodiment may also be implemented by adding a browser tool item, or by executing a special program in the network terminal.

In this embodiment, before the network resource generates the random number, the user may be authenticated once by using the username and password to avoid malicious login attacks.

In this embodiment, the network resource may set an option or a button for the login mode of the embodiment on the login page, and initiate the login of the embodiment when the user selects the option or the button. Process.

In this embodiment, the requesting party requests access authentication from the service party through a separate message and step in step 2).

In this embodiment, the process of closing the delivery is: servant one (authentication information), one third party one (authentication information), one requester one (authentication information), one servant. The information transmitted by the closure in the embodiment 1.1 is the same authentication information and the starting point and the end point of the closed transmission are the same. Other processes similar to the embodiment are: the service party 1 (authentication information), the requester 1 (authentication information) ) - third party one (authentication information) - one party; third party one (authentication information) - one requester (authentication information) one service party one (authentication information) one third party; third party one (authentication information) one service party One (authentication information) one requester one (authentication information) a third party, and so on. Example I.2

Figure 1.2 is a message transmission path diagram of Embodiment 2. The network structure of this embodiment is shown in Figure 1.6. The information conveyed by the closure in the embodiment I.2 is the same authentication information and the start and end points of the closed transmission are different. In this embodiment, the requesting party is a user network terminal, the service party is a network resource, and the third party is an authentication service system that provides a third-party identity authentication service on the Internet, and the authentication information is a random sequence.

Embodiment 1.2 includes the following steps:

2) the user network terminal generates a random sequence;

3) The user network terminal sends a username and a random sequence to the network resource and requests authentication, and the user network terminal sends the user identifier, the network resource URL, and the random sequence to the authentication service system;

4) The authentication service system sends the user identifier and the random sequence to the network resource according to the network resource URL sent by the user network terminal;

5) Network resources are compared to two random sequences received, if the random sequences are the same and received If the time difference does not exceed the specified value, the user passes the identity authentication;

User ID refers to the user's APID or AUID.

In this embodiment, an application on the user network terminal is able to establish a secure connection with the authentication service system. In the case of authentication through the authentication service system, the application can complete the following steps: The application generates a random sequence; the application passes the random sequence, username, password, etc. through a browser object access request Sended to the network resource, and the application sends the random sequence, the network resource URL and the user ID to the authentication service system through the secure connection.

In this embodiment, step 1) may also be performed between step 3) and step 4). At this time, the user network terminal may send the user's identity authentication information together in step 3) The authentication service system, the authentication service system confirms that the identity of the user is correct, and then executes step 4).

In this embodiment, an option or button for a specific network resource may be set on the user terminal program, and the login process is initiated when the user selects the option or button.

This embodiment can be conveniently implemented in combination with an instant messaging tool, or by adding a browser tool item, or by executing a special program in the network terminal.

In this embodiment, the network resource may also set a login password, and the user sends the login password, the username, and the random sequence to the network resource together in step 3).

In this embodiment, the requesting party requests access to the authentication by the servant in step 3) by directly transmitting the closed delivery information (random sequence) to the servant.

In this embodiment, the method of closing the delivery is: requesting party 1 (authentication information), a server, and requesting party 1 (authentication information), a third party (authentication information), a server. The information transmitted by the closure in embodiment I.2 is the same authentication information and the start and end points of the closed delivery are different. Other processes similar to the present embodiment are as follows: Requester 1 (authentication information) A third party, at the same time, request Fangyi (certification information) one service party one (certification information) a third party; third party → (authentication information) one service party, at the same time, third party one (authentication information) one requester one (recognition) Certificate information) a service party; service party 1 (authentication information) a third party, at the same time, service party 1 (authentication information) a requester one (authentication information) a third party, and so on. Example I.3

Figure 1.3 is an information transmission path diagram of Embodiment 1.3. The network structure of this embodiment is shown in Figure I.3. The information conveyed in the closed manner includes the authentication generation information generated based on the authentication information and the start and end points of the closed transmission. different. In this embodiment, the requesting party is a user network terminal, the service party is a network resource, and the third party is an authentication service system that provides a third-party identity authentication service on the Internet, and the authentication information is a random sequence, or a mathematical algorithm, or an algorithm. The parameter, the user network terminal generates information that needs to be sent in the closed delivery according to the authentication information and the information agreed with the authentication service system.

Embodiments 1.3 include the following steps:

2) The user network terminal sends the network resource URL and the user identifier to the authentication service system;

3) The authentication service system generates authentication information, and obtains authentication generation information by using the authentication information and the agreed information;

4) The authentication service system sends the user identification and the authentication generation information to the network resource, and the authentication service system sends the authentication information and the network resource URL to the user network terminal;

5) The user network terminal obtains the authentication generation information by using the authentication information and the information agreed with the authentication service system;

6) The user network terminal sends the obtained authentication generation information, user identifier, and the like to the corresponding network resource;

7) The network resource compares the two authentication generation information received, and if the same and the received time difference does not exceed the specified value, the user passes the identity authentication;

User ID refers to the user's APID or AUID. In this embodiment, an application on the user network terminal can establish a secure connection with the authentication service system. In the case of identity authentication through the authentication service system, the application can complete the following steps: The application sends the network resource URL and the user identifier to the authentication service system; after receiving feedback from the authentication service system, the application The authentication information and the information agreed with the authentication service system derive authentication generation information; the application sends the obtained authentication generation information to the network resource through an access request of a browser object.

In this embodiment, step 1) may also be performed between steps 2) and 3), in which case the user network terminal may send the user's identity authentication information together in step 2) The authentication service system, the authentication service system confirms that the identity of the user is correct, and then executes step 3).

In this embodiment, options or buttons for specific network resources may be set on the page of the authentication service system, and the login process is initiated when the user selects this option or button.

In this embodiment, the network resource may also set a login password, and the user sends the login password, the username, and the random sequence to the network resource together in step 6).

In this embodiment, the requesting party sends the access to the service party by transmitting the closed delivery information to the third party and then transmitting the closed delivery information to the third party in steps 2), 3) and 4). Authentication request.

In this embodiment, the authentication information may include part or all of the following: a service name or address, a requester name or address, a third party name or address, information generation time, random information, and the like. The agreed information can be: a digital digest algorithm, an encryption and decryption algorithm, a dynamic cryptographic algorithm, and the like.

In this embodiment, the manner of closing the delivery is: a third party (authentication generation information), a servant, and a third party (authentication information), a requester (authentication generation information), a servant. The information passed in the closure in embodiment I.3 includes authentication generation information generated based on the authentication information. And the starting point and the end point of the closed transmission are different, and there are other processes similar to the present embodiment, for example: a third party (authentication information), a service party, and a third party (authentication information), a requester → (authentication generation information) a service party; a service party 1 (authentication information) a third party, and at the same time, a service party 1 (authentication information) a requester 1 (authentication generation information) a third party; a requester 1 (authentication generation information) a service party, At the same time, the requesting party (authentication information) is a third party (certification generation information) a service party; and so on. Example I.4

Figure 1.4 is an information transmission path diagram of Embodiment 1.4. The network structure of this embodiment is shown in Figure I.4. The information transmitted in the closed form includes the same-origin authentication information generated based on the authentication information and the same-origin authentication information. B and the start and end of the closure are different. In this embodiment, the requesting party is a user network terminal, the service party is a network resource, and the third party is an authentication service system that provides a third-party identity authentication service on the Internet. In this embodiment, the authentication information is a randomly generated pair of numbers conforming to a specific rule, such as: a product or a sum is a fixed value or a pair of numbers in a fixed range, and the pair of numbers are respectively called homologous authentication information. A and homologous authentication information B.

Embodiment I.4 includes the following steps:

3) The authentication service system generates authentication information, and obtains the same-origin authentication information A and the same-origin authentication information B;

4) The authentication service system sends the user identifier and the homologous authentication information A to the network resource, and the authentication service system sends the network resource URL and the homologous authentication information B to the user network terminal;

5) The user network terminal sends the same-origin authentication information B and the user identifier to the network resource URL; 6) The network resource checks whether the received homologous authentication information A and the homologous authentication information B match, and if the matching and the received time difference does not exceed the specified value, the user passes the identity authentication;

User ID refers to the user's APID or AUID.

In this embodiment, an application on the user network terminal is able to establish a secure connection with the authentication service system. In the case of identity authentication through the authentication service system, the application can complete the following steps: The application receives the same-origin authentication information B and the network resource URL from the authentication service system through a secure connection; the application is on the terminal The running browser object looks for the same URL as the network resource, and if not found, generates a new browser object; the application causes the found or newly generated browser object to send a connection request to the network resource URL and authenticates the same Information B and the user ID are added to the connection request.

In this embodiment, the specific implementation of the same-origin authentication information A and the same-origin authentication information B may be the same as in Embodiment 5.

In this embodiment, the manner of closing transmission is: a third party (the same-origin authentication information A) - a service party, and a third party (the same-origin authentication information B) - a requester one (the same-origin authentication information B) - a service square. The information transmitted in the closed manner in the embodiment 4 includes the homologous authentication information A and the homologous authentication information B generated based on the authentication information, and the start point and the end point of the closed transmission are different, and other processes similar to the present embodiment are different. One is listed. Example I.5

Figure 1.5 is an information transmission path diagram of Embodiment 1.5. The network structure of this embodiment is shown in the figure. In this embodiment, the manner of closing the transmission is: service party 1 (authentication information)

(Homologous authentication information Α)—Requester 1 (Homologous Authentication Information Β)—Server. The homologous authentication information is generated based on the authentication information, and the homogenous authentication information B is generated based on the homologous authentication information A. The serving party that is the closed delivery end point can verify whether the homogenous authentication information B is originated from the authentication information. of. For example: The authentication information may be a 1024-bit prime number randomly generated by the service party. The service party sends the prime number to a third party. The third party generates a 64-bit prime number and calculates the product of the two prime numbers to obtain the product A. The third party will multiply the product. A is sent to the requesting party, the requesting party also generates a 64-bit prime number and calculates the product of the prime number and the product A to obtain the product B. The requesting party returns the product B to the servant, and the servant divides the product B by the prime number of 1024 bits. If it is divisible, it means that the product B originates from the large number and the authentication passes.

There are other processes similar to the present embodiment, which are not enumerated here.

The homologous authentication information A and B of the embodiments I.4 and I.5 may also be an authentication information and a digital signature thereof, and the like, respectively.

In a similar process to the listed embodiment, when the third party is the end of the closed delivery, the third party needs to notify the service party of the result of the authentication. For example: When the service requests the third party to request the authentication of the requesting party, the service party also sends an authentication serial number to the third party. After the third party completes the authentication, the third party returns the authentication result and the authentication serial number together with the service party. Example II

Fig. 2 is a schematic structural view of the system of the embodiment II. In this embodiment, the portable IC is a USB flash memory in which a key X is stored. The terminal is a computer with a USB interface, and the portable IC is connected to the terminal through a USB interface. The application service system is a server device of an internet service provider. The authentication service system is a server device of a third-party authentication service provider.

A workflow of the embodiment is: the user runs an executable program stored on the mobile IC or a login authentication service system webpage on the terminal, and the terminal passes the authentication by the key X on the mobile IC. Identity authentication of the service system; the user terminal requests authentication from the application service system, and the application service system generates a random number as the authentication information and sends the random number to the authentication service system; the authentication service system uses the secret corresponding to the user's mobile IC The key encrypts the random number, the key may be the key X or other key on the portable IC, the authentication service system sends the encrypted random number to the user terminal; the user terminal decrypts on the mobile IC The random number is calculated, and then the random number is sent to the application service system; the application service system compares the random number received from the terminal with the self-generated random number, and only the same number of random numbers can pass the authentication. In addition, in this process, when the application service system generates a random number, a time stamp can also be generated at the same time, and the random number is valid only when the time difference of the random number returned by the user is less than a certain value. The above workflows can also vary from application to application.

Another working process of this embodiment is: the user runs an executable program stored on the mobile IC or a login authentication service system webpage on the terminal, and the terminal authenticates the identity of the authentication service system by using the key X on the mobile IC; The user terminal requests authentication from the application service system, and the application service system redirects or transmits the request to the authentication service system; the authentication service system generates a random number as the authentication information and sends the random number to the application service system, and the authentication service system The key corresponding to the user's mobile IC encrypts the random number, and the key may be the key X or other key on the mobile IC, and the authentication service system sends the encrypted random number to the user terminal; the user terminal Performing decryption calculation on the mobile IC to obtain the random number, and then sending the random number to the application service system; the application service system compares the random number received from the terminal and from the authentication service system, and only the random number is the same authentication by. In addition, in this process, when the application service system receives the random number, the time stamp may be generated at the same time or the authentication service system generates the time stamp and sends the time stamp together with the random number to the application service system, when the application service system receives the return from the user. The random number is valid only when the time difference of the random number is less than a certain value. The above workflows can also vary from application to application. Example III.1 In this embodiment, the intermediary has a digital certificate issued by an authority, and the service party can use the digital certificate to verify the digital signature of the intermediary. The user authenticates by the intermediary by means of the user name and the login password, and the authentication procedure is the intermediary of the user. A special program downloaded by the party.

The specific steps of this embodiment are as follows: The user runs an authentication program on the terminal, and the authentication program automatically establishes an SSL connection with the intermediary, and the user inputs an AUID and a password to log in in the authentication program, and the authentication program sends the user to the intermediary. AUID and password, the intermediary checks the user name and password. If it is correct, the following steps are continued, otherwise the intermediary will save the user's AUID, the SSL ID and the current system time (the SSL saved by the user). The DES key is the authentication identifier. When the user needs to access the resources of a certain service party, the user can select the link of the service party resource or enter the address of the service party resource on the authentication program interface, and the authentication program will be the user side. The AUID and the address of the servant resource are sent to the intermediary by SSL connection (the SSL encryption information of the servant resource address and the AUID is the information about the authentication identifier), and the intermediary checks whether the AUID is correct after the intermediary receives the AUID from the SSL connection. And if the time is not valid, the following steps will be continued, otherwise the intermediary will stop. The pre-system time, the AUID of the user side, and the address of the servant resource form a sequence and digitally sign the sequence (the sequence and its digital signature are verification credentials), and the intermediary sends the certificate to the authentication program of the user, the user terminal The running authentication program establishes a new browser object pointing to the service provider resource address and submits the voucher as a form. After receiving the voucher, the service party continues the following if the digital signature of the verification voucher is correct and the voucher generation time has not expired. Otherwise, the service party obtains APID and user rights according to the AUID of the user side. If the user party permission allows the server to allow the browser of the user terminal to access the server resource, the authentication program aborts the resident runtime authentication. The program will abort the SSL connection with the intermediary.

In addition, the authentication program can also record each browser that is created. When the authentication program aborts the resident runtime, it can also close all browser windows created by itself. Example ΠΙ.2 In this embodiment, the intermediary has a digital certificate issued by an authority, and the service party can use the digital certificate to verify the digital signature of the intermediary. The user authenticates through the intermediary by means of the user name and the login password, and the authentication procedure is a browser.

The specific steps of this embodiment are as follows: The user runs a browser object on the terminal and inputs an intermediary address (the browser object is used as an authentication program), and the intermediary establishes an SSL-based session with the browser, wherein the intermediary Generate a 1024-bit random sequence as the SessionID of the session established with the user's browser. The user enters the AUID and password to log in on the interface launched by the intermediary. The intermediary checks the AUID and password. If it is correct, continue with the following steps. Otherwise, the intermediary saves the AUID, the SessionID, and the current system time of the user side. When the user needs to access the resources of a certain service party, the user can use the interface launched by the intermediary in the browser. Selecting the link of the servant resource or entering the address of the servant resource, the browser sends the address and AUID of the servant resource to the escrow through the established session connection, if the intermediaries find a matching SessionID and AUID and the time is not If the validity period expires, the following steps will be continued, otherwise the intermediary will The time of the system, the AUID of the user side, and the address of the servant resource form a sequence and digitally sign the sequence (the sequence and its digital signature are the credentials authenticated by the user through the intermediary), and the intermediary runs through the browsing on the user terminal. Create a new browser object pointing to the servant resource address or redirect the browser and submit the voucher as a form. After the vouchers receive the voucher, if the digital signature of the voucher is correct and the voucher generation time is not valid. Then continue the following steps or terminate, the servant obtains the APID and the user's privilege according to the AUID of the user, and if the privilege of the user allows, the servant allows the browser of the user terminal to access the servant's resource, as the browser of the authentication program. When the redirect or abort is run, the browser's SessionID is lost and the session with the intermediary (ie authenticated connection) is aborted. Example ΠΙ.3

In this embodiment, the servant knows in advance the fixed IP address of the intermediary, and the user uses the username and The way to log in to the password is authenticated by the intermediary. The authentication procedure is a special program downloaded by the user from the intermediary.

The specific steps of this embodiment are as follows: The user runs the authentication program on the terminal, the authentication program establishes a session with the intermediary, and the SessionID is a random sequence of 1024 bits generated by the intermediary, and the user inputs the user name and password to log in in the authentication program. The authentication program sends the user name and password of the user to the intermediary, and the intermediary checks the user name and password. If it is correct, the following steps are continued, otherwise the intermediary obtains the AUID of the user according to the user name of the user, and the intermediary will The AUID of the user side is saved corresponding to the session ID of the session established by the user authentication program and the current system time. When the user needs to access the resources of a certain service party, the user opens a new browser and inputs the service party. The address of the resource, the user side enters the user name of the user party on the interface of the service party, and the service party obtains the APID of the user side according to the user name of the user side, and the service party generates a random number of 1024 bits. , the server saves the random number and the user's APID and simultaneously Sending to the intermediary, the intermediary obtains the AUID of the user side according to the APID, and the intermediary finds the session established with the user party authentication program according to the AUID, and if the session is not expired, the intermediary sends the random number and the service party resource address received. To the user side authentication program (the random number is the verification certificate), the user side authentication program searches for a resource pointing to the service party in the browser object running on the user side terminal, and if not found, establishes a new resource pointing to the service party. The browser object, the authentication program sends the user's username on the servant side together with the random number to the servant through the found or newly created browser object in the form of a form, and the servant receives the user's APID and generates it after receiving it. The random number, if the random number received by the check is correct and has not expired, the following steps are continued, otherwise the servant obtains the user's right according to the user's APID. If the user's right permission allows the servant to allow the user's terminal to access the browser. The servant resource, when the authentication program aborts the resident runtime, the authentication program will be aborted The intermediary's session.

In addition, the authentication program can also record each browser that is created. When the authentication program aborts the resident operation, it can also close all browser windows of the access service. The meanings of the symbols illustrating the flow in Examples IV.1 to IV.6 and the accompanying drawings in Figures 4.1a to 4.25c are:

"s" - the servant, "a" - the intermediary, "u" a user;

"," one indicates that the steps before and after the comma can be continuously performed;

";" One indicates that the steps before and after the semicolon cannot be carried out continuously, and other steps must be carried out between the two;

"A" - generate information A, "† A&A1" - generate information A and A1;

"A→B" - Calculate the information A by the contract algorithm to get the information B, as well as "B→A"; "A→Am" - calculate the information A in a specific way to generate the information Am, as well as "B → Bm,, , "Al→Am,, "A→An,,;;

"XA=B" calculates the information by the agreed algorithm X. A gets the information B, and also has "XB=A",

"YA=B", "YB=A";

"A→a" - sends the message A to the intermediary (a), as well as "Am→s", "B→u" "A〇B" - whether the verification information B is the information A generated by the contract algorithm ;

"A〇Am" - verify the information about the two messages A is the same, also have

"Α〇Α", "Α〇ΑΓ,, "B〇Bm" and so on.

For example, s(†A&Al, Al→Am, Al→a, A→u) means: The servant generates the information A and A1, the servant calculates the information A1 to generate the information Am in a specific manner, and the servant sends the information Am to the intermediary. The service party sends the information B to the user.

For another example, a(†A, YA=B, A→s, B→u) means: the intermediary generates the information A, the intermediary calculates the information A by the agreement algorithm Y to obtain the information B, and the intermediary sends the information A to the service party. The intermediary sends the message B to the user.

For another example, u(XA=B, A→Am, B→a) means: the user side calculates the information A by the agreement algorithm X to obtain the information B, and the user side calculates the information A to generate the information Am in a specific manner, and the user side will Information B is sent to the intermediary.

For another example, _S (A 〇 A) indicates whether the two pieces of information A obtained by the servant's face certificate are the same, and s (A 〇 A1) indicates whether the information A obtained by the servant verification and the information A related to A1 are the same, a (ΑΘΒ) indicates whether the information B obtained by the intermediary verification is generated by the calculation of the agreement algorithm. Example IV.1

Embodiment IV.1 is one of the specific implementations of the connection authentication scheme 1) of Scheme IV in the above summary (see Figure 4.1a). In an embodiment, the information A is a random sequence, and the contract algorithm is a digest encryption algorithm based on RSA and SHA. When the user registers with the intermediary, the user terminal obtains the RSA key and the SHA digest algorithm preset by the intermediary (RSA). The digest encryption algorithm composed of SHA and SHA is the contract algorithm X). The intermediator has the same RSA key and SHA digest algorithm as the user side (the agreed algorithm Y and X are the same).

The specific steps in this embodiment are: the user terminal requests the access to the service party, and the service party sends the APID of the user side to the intermediary party, and the intermediary obtains the AUID of the user party according to the service provider address and the APID, and the intermediary The AUID obtains the key and digest algorithm corresponding to the user side, and the intermediaries generate a random sequence (information A) and calculate the digital digest of the information A by using the digest algorithm corresponding to the user side, and then encrypt the corresponding key to obtain the information B. The intermediary sends the information A and B to the service party, and the service party sends the information A to the user. The user terminal also calculates the information A (random sequence) with its own key and SHA hash function to generate the digest encryption value information. B. The user terminal sends the information B to the service party through a port. When the service party connects to the authentication process, a timer is started. If the service party receives two information B within the specified time limit, the following steps are continued, otherwise the authentication process is terminated. The service party compares the two information B. If the same, the authentication passes, and after the authentication is passed, the service party will allow the terminal from the user. The port accesses the service or resource specified by the service provider. (See Figure 4.1a)

Figure 4.1a shows: a(†A, YA=B, A→s, B→s), s(A→u), u(XA=B, B→ S), S (B〇B).

Figure 4.1b shows: a(† A, YA=B, A→u, B→s), u(XA=B , B→s), s(B〇

B). Example IV.2

Embodiment IV.2 is one of the specific implementations of the second) connection authentication procedure based on the scheme IV of the above summary (see Fig. 4.2a). In an embodiment, the information A is an AES encryption key, the contract algorithm is an RSA encryption and decryption algorithm, and the user side has an intermediary peripheral to make a distributed USB peripheral, and the user has an RSA private key on the USB peripheral and the service side It also has an RSA public key that corresponds to the user's private key.

The specific steps in this embodiment are as follows: The user terminal requests access from the service party, and the service party sends the user APID to the intermediary party. The intermediary finds the user party AUID according to the user side APID and the service party identifier, and the intermediary party uses the user party AUID. The RSA public key corresponding to the user is found, the intermediary generates an AES key (information A), and the intermediary encrypts the AES key with the RSA public key corresponding to the user to obtain the encrypted information (the information A is obtained by the agreement algorithm Y) The intermediary sends the AES key and the encrypted information (information A and B) to the service party, and the service party sends the information B to the user terminal, and the user terminal transmits the encrypted information (information B) to the user's USB peripheral. The user side USB peripheral decrypts the encrypted information to the AES key with the RSA private key (the information B is obtained by the agreement algorithm X), and the user side USB peripheral transmits the AES key to the user terminal, and the user terminal uses the AES Key (information A) The encryption agreement content gets the information Am, and the agreed content may include the user party name, the authenticator name, the service party address, and the request access service. The number, the generation time stamp, and the like, the user terminal sends the information Am to the service party through the port P, and the service party decrypts the information Am with the received AES key (the information A corresponding to the information A and Am is the same) If the decrypted content meets the requirements and the user's authentication passes, the servant will allow the port P of the user's terminal to access the requested service or resource.

Figure 4.2a shows: a(† A, YA=B, B→s, A→s), s(B→u), u(XB=A, A→ Am, Am ^→ s), s (A〇Am).

Figure 4.2b Flow: a(† A, YA=B, A→s, B→u), u(XB=A, A→s), s(A〇

A). Example IV.3

Embodiment IV.3 is one of the specific implementations of the connection authentication scheme 9) of Scheme IV in the above summary (see Figure 4.9a). In an embodiment, the information A is a 128-bit random sequence, the contract algorithm is an RSA encryption and decryption algorithm, and the user side has a mobile interface of a USB interface distributed by the intermediary, and the user side RSA encryption set by the intermediary is stored on the IC. The private key, the intermediary has the RSA public key corresponding to the private key of the user (see Figure 4.26 for the system architecture).

The specific steps of this embodiment are as follows: The user terminal sends an access request, a username and a login password to the service party, and the service party verifies that the username and the login password are correct, and the following steps are continued, and the server generates a 128-bit random sequence ( Information A), the service party sends the information A and the user party APID to the intermediary, the intermediary obtains the user identification code AUID according to the APID and the service party name, and the intermediary obtains the RSA public key corresponding to the user party according to the AUID and encrypts it. The information A obtains the information B (the agreed algorithm Y is the RSA encryption algorithm), the intermediary sends the information B and the APID to the service party, and the service party sends the information B to the corresponding user terminal according to the user's APID, and the user terminal passes the USB again. The interface sends the information B to the user-portable IC connected to the terminal, and the mobile IC decrypts the information B with the user-side RSA private key to obtain the information A (the agreed algorithm X is the RSA decryption algorithm), and the mobile IC sends the information A. Sent to the user terminal, the user terminal sends the information A and the user identification code APID to the service party through a port P, the service party According to the APID, the information A (random sequence) corresponding to the user side generated by the user is obtained and compared with the received information A. If they are the same, the calculation performed by the intermediary and the user side is matched, and the verification is correct and The user party passes the authentication if other conditions are also met, and the service provider accordingly allows the port P from the user terminal to access the requested service or resource (see Figure 4.9a).

In the above specific steps, the other conditions described are as follows: The service party will generate the information A after When the timer is activated, the authentication can only be passed when the service party receives another message A for a period of time that does not exceed the specified time range.

Figure 4.9a Flow: s(†A, A→a), a(YA=B, B→s), s(B→u), u(XB=A, A ^→ s), s(A〇A) .

Figure 4.9b shows: s(†A, A→a), a(YA=B, B→u), u(XB=A, A→Am, Am →s), s(A〇Am). Example IV.4

Embodiment IV.4 is one of the specific implementations of the connection authentication scheme 10) of Scheme IV in the above summary (see Figure 4.10a). In an embodiment, the information A is an RSA encrypted private key, the contracting algorithm is an ECC encryption and decryption algorithm, and the user side has a removable IC of the USB interface distributed by the intermediary, and the user side ECC encryption set by the intermediary is stored on the IC. The private key, the intermediary has an ECC public key corresponding to the private key of the user.

The specific steps in this embodiment are as follows: The user terminal requests access to the service party, and the service party generates a pair of RSA keys (the private key is information A, the public key is information A1), and the service party uses the RSA private key (information) A) sent to the intermediary, the intermediary obtains the information B by using the ECC public key corresponding to the user A (the agreed algorithm Y is the ECC encryption algorithm), and the intermediary sends the information B to the user terminal through the service party, the user side The terminal sends the information B to the user-portable IC connected to the terminal through the USB interface, and the mobile IC decrypts the information B with the ECC private key to obtain the information A (the agreed algorithm X is the ECC decryption algorithm), and the mobile IC will The RSA private key (information A) is sent to the user terminal, and the user terminal digitally signs the agreed content by using the RSA private key and the MD5 function, and the agreed content may include the user name, the authenticator name, the servant address, and the request connection. Enter the service number, generate the time stamp, etc., the content of the agreement and its digital signature is the information Am, the terminal sends the information Am and the name of the user to the service party through a port P, and the service party according to the user name In a corresponding RSA public key (information A1) and the same MD5 function verifies the digital signature of the agreement content is correct, if correct, the description of the RSA public and private keys are matched (That is, the information A is the related information A of the information A1 or the related information A of the information A and A1 is the same), and the user passes the authentication if the verification is correct and other conditions are also met, the service party Correspondingly, port P from the user-side terminal is allowed to access the requested service or resource (see Figure 4.10a).

In the above specific steps, the other conditions are as follows: The service party extracts the generation time stamp in the agreed content, and the authentication can only pass when the agreed content does not exceed the specified time range, or the service party checks the agreed content. Format, only the correct format can pass, and so on.

In the above specific steps, after the user side passes the authentication, the server and the user side can transmit the encrypted information by using the RSA key pair (information A and A1), for example: the two parties exchange a DES key through RSA encryption, and The DES key then establishes an encrypted communication connection.

Figure 4.10a Flow: s(† A&A1 , A→a), a(YA=B, B→s), s(B→u), u(XB=A, A ^→ Am, Am ^→ s), s( Al〇Am).

In this embodiment, the connection authentication scheme 13) in the above invention may also be implemented at the same time: wherein the user has the agreed algorithms XI and X2, XI is the decryption algorithm, X2 is the encryption algorithm, and XI and X2 are based on the same ECC private Key, the intermediary has the agreement algorithms Y1 and Y2, Y1 is the encryption algorithm, Υ2 is the decryption algorithm, Y1 and Υ2 are based on the ECC public key corresponding to the user, which can be the same as the implementation scheme 10) and scheme 13) (see the attached figure 4.13a and the following figure 4.13a).

Figure 4.13a Flow: s(† A&Al , A→u), u(XA=B, B→s), s(B→a), a(YB=A, A ^→ Am, Am ^→ s), s( A10Am Example IV.5

Embodiment IV.5 is one of the specific implementations of the connection authentication scheme 15) of Scheme IV in the above summary (see Figure 4.15a). In an embodiment, the appointment algorithm is a master key based encryption and decryption algorithm for SSL connections.

The specific steps of this embodiment are as follows: The user first logs in to the intermediary with the username and password. If the login succeeds, the intermediary initiates an SSL connection to the user, and the SSL connection is successfully established. Both the user and the intermediary have the same master key (the encryption and decryption algorithms based on the master key are the contracting algorithms X and Y respectively), the user requests the connection from the server, and the server generates random information (information A) and Sent to the user, the user sends the message A to the intermediary via the SSL connection.

(where the encryption and decryption operations are respectively two matching calculations of the agreed algorithm), the intermediary sends the received information A to the service party, and the service party compares the generated information A with the received information A, if the same Certification passed.

Figure 4.15a Flow: s(†A, A→u), u(XA=B, B→a), a(B→A, A→s), s(A 〇A). Example IV.6

Embodiment IV.6 is one of the specific implementations of the connection authentication scheme 24) of Scheme IV in the above summary (see Figure 4.24a). In an embodiment, the contract algorithm is a digital signature algorithm consisting of SHA and RSA, and the user terminal has the SHA and RSA private keys preset by the intermediary, and the intermediary has the same SHA and the private party with the user. The RSA public key corresponding to the key.

The specific steps in this embodiment are as follows: The user terminal generates information A, which is composed of a random sequence, information generation time, user side APID, AUID, service party identifier, request service identifier, etc., which is owned by the user terminal. The SHA and the RSA private key calculate the information A to generate a digital signature (information B), and the user terminal sends the information A and B to the service party through the port P, and the service party sends the information A and B to the intermediary, and the intermediary uses the The digital signature of the SHA and DSA public key authentication information A of the user side is not information B. If the verification result is affirmative and the information generation time in the information A is not expired, then the user's authentication is passed, and the authenticator notifies the service provider of the authentication result— - The user party authenticates, and the service party will allow the port P of the user terminal to access the requested service.

Figure 4.24a Flow: u(† A, XA=B, A→s, B→s), s(A→a, B→a), a(A〇B, notification→s). Example V.l

Figure 5.1 is a message transfer path diagram of the embodiment V.l.

This embodiment describes a system for implementing identity authentication by a third party on the Internet, where the first party's program object A has established a connection with the second party through a third party, and the first party is a user network terminal. The second party is a network resource, and the third party is an authentication service system that provides a third-party identity authentication service on the Internet, and the two pieces of information are a random number.

Embodiment V.1 includes the following steps:

1) The program object A on the user network terminal authenticates with the authentication service system and establishes a connection with the authentication service system, and the authentication service system has a connection with the network resource, and thus, the program object A establishes an indirect connection with the network resource;

2) The program object on the user network terminal A requests the service from the network resource through the authentication service system;

3) The network resource generates a random number and a time stamp;

5) The authentication service system sends the random number and the network resource URL to the program object A on the user network terminal according to the user identifier;

6) Program object on the user network terminal A assigns the random number and the network resource URL to the program object B;

7) Program object B returns the random number to the network resource according to the network resource URL;

8) The network resource compares the random number generated by itself with the random number returned from the user terminal, and if the random number is the same and does not exceed the specified time validity period, a new connection is established with the program object B;

In this embodiment, the program object A can complete the following steps: The program object A receives the random number and the network resource URL from the authentication service system through the established connection; the program object A is at the end The browser object running on the terminal looks for the same URL as the network resource. If it is not found, a new browser object is generated. The browser object found by program object A or newly generated is the program object B; the program object B is directed to the network resource. The URL sends a connection request and adds a random number to the connection request, such as: Adds a random number to the form of the connection request.

This embodiment can be conveniently implemented in conjunction with an instant messaging tool. For example, program object A can be implemented by adding a module on the client software of the instant messaging tool that automatically recognizes the closed delivery information and path and performs information forwarding. Among them, network resources and client software can be developed and provided by the instant messaging tool provider, and network resources and customer downloads can be used, which is very convenient and feasible. Example V.2

Figure 5.2 is an information transfer path diagram of Embodiment V.2.

This embodiment describes that the user terminal has established a point-to-point connection with the network resource and then establishes a new connection through the new program object. Possible applications are as follows: Two clients of the point-to-point communication in the IM instant messaging tool send the file. A new connection needs to be established when receiving. In program 2, program object A has established a point-to-point direct connection with the second party. In this embodiment, the first party is a user network terminal, and the second party is a network resource. The two pieces of information are randomly generated pairs of numbers conforming to a specific law, such as: a 128-bit prime number and a product of the prime number and another 128-bit prime number of 256 bits, and the second party calculates the received two numbers. Whether the 256-bit number can be divisible by the 128-bit prime number to determine whether the information comes from the first party.

Embodiment V.2 includes the following steps:

1) The program object of the user network terminal A establishes a trust connection with the network resource;

2) The program object of the user network terminal A randomly generates a pair of numbers that conform to a specific rule;

3) The program object A of the user network terminal requests the authentication by sending the user identifier and one of a pair of random numbers to the network resource through the established connection, and the program object A of the user network terminal generates the program object B and the user identifier and a pair of random Another number of writes The sequence object B sends a connection request to the network resource according to the network resource URL;

4) The network resource compares the received two random numbers. If the two random numbers meet the specific rule and the received time difference does not exceed the specified value, the user passes the identity authentication. In this embodiment, the program object A can complete the following steps. The program object A randomly generates a pair of numbers conforming to a specific rule; generating the program object B and writing the user identifier and the other of the pair of random numbers into the connection request sent by the program object B to the network resource according to the network resource URL.

In this embodiment, step 1) can also be performed between steps 3) and 4). This embodiment can also be implemented in conjunction with the instant messaging tool IM of the point-to-point communication method. The object program A is built in the user software, and the corresponding service software is configured in the network resource to implement the embodiment. Of course, the present invention may be embodied in various other various modifications and changes without departing from the spirit and scope of the invention. Modifications are intended to fall within the scope of the appended claims.

Claims

Claim

1. A third-party identity authentication system, characterized in that three systems are respectively connected to the same network, and the three systems are respectively a service party, a requesting party and a third party, wherein the service party passes the authentication of the requesting party. The third party completes, wherein, when the requesting party requests the access authentication, the three parties can complete the following steps: One party obtains the authentication information and initiates a closed transmission from the above three parties from the authentication information, wherein The program running on both sides can automatically recognize the information and path of the closed transfer and respond to the completion of the closed transfer, wherein the end point of the closed transfer in the above three parties can verify whether the received information originates from the starting point of the closed transfer, only when received The information originates from the beginning of the closed delivery, and the authentication can only be passed. Only when the requesting party passes the third-party authentication, the third party will participate in the completion of the closed delivery.

2. The third party identity authentication system according to claim 1, wherein the closed delivery path is composed of information transfer between each of the three systems, specifically: a starting point of closed delivery and The end point is the same party. First, the other party sends a message to the other party, and then the other party sends a message to the other party. Then the last party returns information to the first party to complete the closed transmission. Alternatively, the start and end points of the closed transmission are not the same party. The information is separately sent to the other two parties, and then one of the other two parties sends a message to the other party to complete the closed transmission.

3. The third party identity authentication system according to claim 1, wherein in the closed delivery, the transmitted information is the authentication information itself, and at this time, the end point of the closed delivery verifies the received information and is sent out. Whether the authentication information is consistent or whether the two received information are consistent. If they are consistent, it proves that the received information originates from the starting point of the closed delivery.

4. The third party identity authentication system according to claim 1, wherein in the closed delivery, at least one of the transmitted information is not authentication information, and the information is authenticated by one or both parties. Information generated, at this time, the end point of the closed delivery can verify whether the received information is generated based on the authentication information or whether the two received information are based on the same The information generated by the authentication information, if generated based on the authentication information or generated based on the same authentication information, proves that the received information originates from the starting point of the closed delivery.

5. The third party identity authentication system according to claim 1, wherein in the closed delivery, each information sent by the requesting party is used only for one authentication, and each information sent by the requesting party. It cannot be inferred from the information previously sent by the requesting party.

6. The third party identity authentication system according to claim 1, wherein the closed delivery information is not an IP address and a port number in a data header.

7. The third party identity authentication system according to claim 1, wherein different service parties are capable of authenticating the same requestor through the same third party.

8. The third party identity authentication system according to claim 1, wherein in the closed delivery, the requesting party separately transmits information to the server and the third party through two different programs, wherein the requesting party The information is transmitted to the third party through a program, and the requesting party accesses the service party through another program after the service party passes the authentication of the requesting party.

9. The third party identity authentication system according to claim 1, wherein said closed delivery process is performed by a program running on said three systems, wherein an authentication run on the requesting party The program can automatically participate in the closed delivery after being authenticated by a third party, wherein the closed delivery can only be completed when the authentication program runs and passes the third party authentication.

10. The third party identity authentication system according to claim 9, wherein the requesting party's access to the specified service or resource of the service party is also suspended when the authentication program is suspended.

11. The third-party identity authentication system according to claim 1, wherein the requesting party authenticates the requesting party each time the requesting party reconnects to the third party, and the requesting party only needs to pass the third-party identity authentication. You can access multiple different servants.

12. A third-party identity authentication system based on a mobile IC, the system including a mobile An IC, a terminal, an application service system, and an authentication service system, wherein the terminal, the application service system, and the authentication service system are respectively connected to the Internet, and the application service system is a computer system that provides services to the terminal user through the Internet, and the user passes the Internet on the terminal. Using the service provided by the application service system, the application service system authenticates the end user through the authentication service system, wherein the end user has a mobile IC, and the portable IC is connected to the terminal through a standard interface of the computer peripheral, and the authentication service is provided. The system authenticates the end user through the mobile IC. After the end user passes the identity authentication, the authentication service system can directly transmit the authentication information of the end user or pass the terminal to the application service system, wherein only the mobile IC When the connection tag with the terminal is valid, the authentication service system can pass the authentication information to the application service system.

13. The portable IC-based third party identity authentication system according to claim 12, wherein each authentication information is used only once and cannot be inferred from the previous authentication information.

The third-party identity authentication system based on the mobile IC according to claim 12, wherein the authentication service system or the application service system can pass the application running on the terminal when the authentication information is transmitted through the terminal. The program forwards the authentication information to the other party, and the terminal program can identify the authentication information and complete the forwarding of the authentication information. The terminal user does not need to know the content of the authentication information, and the terminal user does not need to participate in the forwarding process.

15. The mobile IC-based third party identity authentication system according to claim 12, wherein the mobile IC stores a mathematical algorithm or algorithm factor X, and the authentication service system stores a corresponding mathematical algorithm or algorithm factor. Y, there is a correspondence between the mathematical algorithm or algorithm factor X and the mathematical algorithm or algorithm factor ,, and the authentication service system can authenticate the end user based on the mathematical algorithm or the correspondence between the algorithm factor X and the mathematical algorithm or algorithm factor Υ.

16. The mobile IC-based third party identity authentication system according to claim 15, wherein the mathematical algorithm or algorithm factor X and the mathematical algorithm or algorithm factor are the same symmetrically encrypted key, or a pair. Asymmetrically encrypted key, or dynamic cryptographic algorithm.

17. The mobile IC-based third party identity authentication system according to claim 15, wherein the movable IC can perform a mathematical operation on a mathematical algorithm or an algorithm factor X, and pass the operation result through a standard. The interface is sent to the terminal.

18. The mobile IC-based third party identity authentication system according to claim 12, wherein the terminal user has a user identification code (APID) in the application service system, and the terminal user also has a user in the authentication service system. The identification code (AUID), the APID and the AUID have a corresponding relationship, and the application service system or the authentication service system stores the correspondence between the APID and the AUID, the application service system is multiple, and one terminal user can separately on several application service systems. There are several different APIDs that can correspond to the same AUID of the user's mobile IC on the same authentication service system.

19. The mobile IC-based third-party identity authentication system according to claim 12, wherein the connection tag is a tag that depends on a specific program object, and after the mobile IC is authenticated by the authentication service system, the terminal Running a program object, the connection mark of the terminal is valid during the running of the program object, and the connection mark of the terminal is invalid when the program is suspended; or the connection mark is designed to be connected when the movable IC is connected to the terminal , the terminal's connection tag is valid.

20. The mobile IC-based third-party identity authentication system according to claim 12, wherein the application service system receives the authentication information and confirms that the user terminal is allowed to access the specified service when the connection is valid, when the connection is When the tag fails, the user terminal's access to the specified service of the application service system is also aborted.

21. The mobile IC-based third party identity authentication system according to claim 12, wherein the mobile IC completes information transmission and authentication by an authentication program running on the user terminal and the authentication service system, and the authentication service system After the terminal user passes the authentication, the authentication information is sent to the application service system. After the application service system receives the authentication information and confirms the validity, the application program allows another program object of the non-authentication program running on the user terminal to access the specified service.

22. A secure network authentication system, wherein the user party, the service party and the intermediary party, at least one of the three parties can communicate with each other through wired or wireless means, and the user party authenticates through the service party. After that, the service provider can access the designated service or resource of the service party. The service party authenticates the user party through the intermediary. After the user is authenticated by the intermediary, the user can authenticate through the service party. Different service parties can use the same intermediary. The party authenticates the same user side, and is characterized in that: after the user party authenticates through the intermediary's intermediary, the authentication program run by the user side will maintain a valid authentication connection with the intermediary or maintain a valid authentication identifier. When the user requests access to the service party, the service party authentication is performed. In the service provider authentication, if the authentication connection or the authentication identifier is valid, the intermediary will pass the verification certificate of the user side with or without the user side. The method is sent to the service party, only when the service party receives and verifies that the verification certificate is positive. After the service party's authentication is passed, the service party will respond to the user's access request according to the user's right. The authentication connection and the authentication ID of the authentication program will be as long as the authentication program is suspended. Invalidation, wherein the verification credential is formed by one piece of information sent by the whole or by two separately sent information, wherein the user side does not need to register himself with the service party, and can complete the access authentication directly on the service side. The username and password are sent to or saved in the intermediary.

23. A secure network authentication system according to claim 22, wherein access by the user to the specified service or resource of the service party is suspended when the authentication process is suspended.

24. A secure network authentication system according to claim 22, wherein the program object to which the user is allowed to access the specified service or resource of the service party is not an authentication program.

25. A secure network authentication system according to claim 22, wherein the user party, the service party and the intermediary are connected via the Internet.

26. The secure network authentication system according to claim 22, wherein the verification voucher includes or contains information about the generation time or contains random information generated by the servant or the intermediary.

27. The secure network authentication system according to claim 22, wherein the content of the verification certificate of the user side issued by the intermediary cannot be inferred from the verification certificate of the user issued by the previous intermediary.

28. A secure network authentication system according to claim 22, wherein each authentication credential can only be authenticated once.

29. The secure network authentication system according to claim 22, wherein the authentication connection or the authentication identifier or the verification credential has a time validity period, and the expired authentication connection or the authentication identifier or the verification credential may be invalid.

30. The secure network authentication system according to claim 22, wherein the intermediary has a corresponding agreement algorithm with the service party, and the service party can verify whether the received verification certificate is correct by the owned agreement algorithm.

The secure network authentication system according to claim 22, wherein the verification credential is not a network address of the user side, and the verification of the verification credential is not implemented by comparing the network address of the user side.

32. The secure network authentication system according to claim 22, wherein the information transmitted between the user side and the service party does not pass through the intermediary, or the connection established by the service party to allow the user to access does not pass through the intermediary. .

33. The secure network authentication system according to claim 22, wherein the intermediary has a secret key, and the verification of the verification credential by the service party is performed by the key, and the key is a pair of asymmetric encryption. The private key in the key or a symmetric encryption key.

34. A third-party authentication system based on an agreed algorithm, wherein the user party, the service party, and the intermediary party are all connected to the Internet, and the user party can access the specified service or resource of the service party after passing the authentication. The service party authenticates the user side through the intermediary, and the feature is: the user party has an agreement algorithm X that is unknown to other users, and the intermediary party has an agreement algorithm Y corresponding to the agreement algorithm X of the user party, and the agreement algorithm X The corresponding agreement algorithm Y is The same or different, the user's appointment algorithm X is stored in the user terminal or stored in the user-portable peripheral that can be connected to the user terminal, wherein the agreement algorithm X and the corresponding appointment algorithm Y can Completing the following two matching calculations, when an appointment algorithm X or Y calculates the information B for the information A, the agreement algorithm Y or X corresponding to the agreement algorithm X or Y can calculate or obtain the information also for the information A. B, or the information A is calculated for the information B, or the information A and the information B are calculated to verify that the information B is generated by the agreement algorithm X or Y, and the information is generated by the agreement algorithm X. The calculation is performed on the user side terminal or on the user side mobile peripheral, and the calculation by the agreed algorithm Y is performed by the intermediary, wherein when the user requests access to the service party, the intermediary, the service party and One of the user parties will generate information A, and the intermediary, the servant, and the user will transfer the related information of the information A or B and complete the two matching calculations, the intermediary or service. The verification party will judge whether the authentication is passed by comparing or calculating the obtained information. In each connection authentication process, the information between the service party and the user side will not be related to the information of the information A or B through the intermediary. In the delivery, the information between the service party and the intermediary party will not be transmitted by the user side, and the related information of the information A or B can be compared or calculated with other related information of the information A or B. Verify that the information A or B related to the two messages is the same. In each connection authentication process, the authenticator will get the information about the two messages A or the information about the two messages B and verify the information. Whether the related information A or B is the same, or the authenticator will get an information A and a message B and verify whether the information B is generated by the agreement algorithm X or Y to calculate the information A, only in the two times described If the matching calculations are completed correctly, the result of the above verification will be affirmative, and only when the verification result is positive, the user's connection authentication will pass, and the user will pass. After the connection is authenticated, the servant will allow the user to access the specified service or resource.

35. The third-party authentication system based on the agreement algorithm according to claim 34, wherein the appointment algorithm is a key-based encryption algorithm or a decryption algorithm, where The calculation of the information Α by the method X or Y is an encryption operation, and the calculation of the information B by the agreement algorithm X or Y is a decryption operation, wherein the agreement algorithm X includes a key XKEY, and the agreement algorithm Y includes a key. YKEY, wherein, or the contracting algorithm is a symmetric encryption and decryption algorithm such that XKEY is the same as the corresponding YKEY, or the contracting algorithm is an asymmetric encryption and decryption algorithm such that XKEY is different from the corresponding YKEY.

36. The third-party authentication system based on an appointment algorithm according to claim 34, wherein the appointment algorithm is stored on a user-portable peripheral device, and the mobile peripheral device and the user-side terminal are connected by wire or wirelessly. Connected communication, the mobile peripheral has an IC chip, and the calculation performed by the user side on the information A or the information B by the contract algorithm X is performed on the mobile peripheral.

37. The third party authentication system based on an appointment algorithm according to claim 34, wherein when the intermediary or the service party generates the information A, each information A cannot be inferred from the previous information A or the information A is random. The generated information or the service party extracts the verification information of the generation time of the information A, and the information of the generation time of the information A is determined by the user A to determine the information A. If the generation time is within the specified range, if the generation time of the information A exceeds the specified range, the intermediary or the servant will abort the authentication process and the authentication of the user side will fail.

38. The third party authentication system based on an appointment algorithm according to claim 34, wherein different service parties are capable of authenticating the same user side by the same intermediary.

39. The third party authentication system based on an appointment algorithm according to claim 34, wherein the information transfer between the user side and the intermediary party does not pass through the service party.

40. A method for establishing a new connection between two parties on the Internet, wherein the first party and the second party of the two computer systems are respectively connected to the Internet, wherein the program object A on the first party can pass an established The connection sends information to the second party or receives information from the second party, wherein when the program object B on the first party wants to establish a new connection with the second party, the two parties will have two The information is transmitted between the program object A and the second party and between the program object B and the second party, wherein the two information are the same or different and have a correspondence corresponding to a specific mathematical operation rule. The transfer of the two pieces of information constitutes a closed transfer between the two parties, the program running on the two sides being able to automatically acquire the two pieces of information and complete the closed transfer, wherein, as the end point of the closed transfer It is possible to verify whether the received information is sent by the other party by comparing whether the information transmitted by the above two is the same or whether the corresponding information is met, and if the received information is verified to be issued by the other party, the program object B and the second A new connection that passes information between the parties is confirmed and established.

41. A method of establishing a new connection between two parties on the Internet according to claim 40, wherein the two pieces of information are used only once and are used only to establish one connection, and the two pieces of information cannot be issued previously. Information inference.

42. A method of establishing a new connection between two parties on the Internet according to claim 40, wherein said two pieces of information are not an IP address and a port number in a data header.

43. A method of establishing a new connection between two parties on the Internet according to claim 40, wherein when the program object A is suspended, the connection between the program object B and the second party is also terminated.