WO2009089764A1 - Système et procédé d'authentification de réseau sécurisé - Google Patents

Système et procédé d'authentification de réseau sécurisé Download PDF

Info

Publication number
WO2009089764A1
WO2009089764A1 PCT/CN2008/073863 CN2008073863W WO2009089764A1 WO 2009089764 A1 WO2009089764 A1 WO 2009089764A1 CN 2008073863 W CN2008073863 W CN 2008073863W WO 2009089764 A1 WO2009089764 A1 WO 2009089764A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
party
authentication
user
service
Prior art date
Application number
PCT/CN2008/073863
Other languages
English (en)
Chinese (zh)
Inventor
Shaohua Ren
Original Assignee
Shaohua Ren
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Family has litigation
First worldwide family litigation filed litigation Critical https://patents.darts-ip.com/?family=40885066&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=WO2009089764(A1) "Global patent litigation dataset” by Darts-ip is licensed under a Creative Commons Attribution 4.0 International License.
Priority claimed from CNA2008100573953A external-priority patent/CN101257511A/zh
Priority claimed from CNA2008101147065A external-priority patent/CN101286849A/zh
Priority claimed from CNA2008101161683A external-priority patent/CN101304318A/zh
Priority claimed from CNA2008101352549A external-priority patent/CN101442523A/zh
Application filed by Shaohua Ren filed Critical Shaohua Ren
Priority to CN2008801244913A priority Critical patent/CN101978650B/zh
Publication of WO2009089764A1 publication Critical patent/WO2009089764A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the present invention relates to a secure network authentication system and method. Background technique
  • the amount of resources and services provided by the Internet is huge and growing rapidly.
  • the Internet has become the main channel for people to access information resources and information services.
  • Many online resources and service providers require users to log in and verify. This has caused some problems.
  • each network service party uses different login information, and the login information is difficult to remember.
  • the simple user name plus password method also has the problem of too low security, which can not meet the needs of many online applications.
  • the third-party or intermediaries' authentication method is an effective way to solve the above problems, but the existing third-party (intermediary) certification solutions have some shortcomings.
  • some solutions are that the user saves the username and password of the online resource in a fixed online authentication service.
  • the online authentication service automatically completes the login of the online resource by using the user's username and password.
  • this method is convenient, it still uses a fixed username and password to log in to the online resource.
  • the user needs to record the user name and password registered at each resource site in the portal, and the security cannot be guaranteed.
  • some solutions use the end user to send a user authentication information with a time validity period to the user terminal after authenticating the identity of the service provider through the online authentication service.
  • COOKIE when the terminal connects to the service party, the online authentication service party checks the user authentication information saved by the terminal and notifies the network service party. In this way, since the user still retains valid user authentication information after the user stops using the terminal, the authentication confirmation information may be stolen. In addition, such a solution cannot be used in some terminal environments where COOKIE is disabled.
  • some solutions are authenticated by other communication terminals. But in this scheme In this case, other communication terminals of the user cannot automatically identify the authentication information and actively participate in the delivery process. Therefore, such a solution is insecure and inconvenient, such as: It is impossible to access different service party resources after one third party authentication; When the third-party authentication is suspended, the user's access to the service provider is also suspended; the third-party authentication method (IC key, etc.) cannot be combined to enhance security; only the small-digit string can be used for authentication and cannot be authenticated. Calculate changes in the information passed in the delivery; and so on.
  • some solutions are implemented by means of a third party transmitting the IP address of the user terminal, but there are some limitations, such as: In some NAT environments, the intranet user cannot obtain the external IP address of the program object; the authentication procedure cannot Get or listen to the IP address of other programs; and so on.
  • SessionlD is unchanged; some NAT restrictions IP address transfer.
  • the present invention adopts an innovative third party identity authentication system and method to solve the above mentioned problems.
  • the third-party authentication system of the present invention realizes the following functions by running a program capable of automatically responding on three parties:
  • the user terminal can access different service party resources after a third-party authentication; the user is authenticated when the third-party authentication is suspended.
  • the terminal's access to the servant is also aborted; combined with other means (mobile ICs, contracted algorithms, and closed-computable, changeable information, etc.) to enhance security; and so on.
  • the third party identity authentication system and method of the present invention specifically have four schemes, respectively Scheme I, Scheme II, Scheme III and Scheme IV, these four schemes can be combined to create a new application scheme.
  • the present invention proposes an innovative method for establishing a new connection between two parties on the Internet, which is the scheme V below.
  • Option I
  • the third-party authentication system of the present invention can realize the following functions through the active participation and automatic completion of the three-party software:
  • the requesting party can access different service party resources after one third-party authentication; the requesting party to the service party when the third-party authentication is suspended Access is also aborted; combined with other third-party authentication methods (mobile ICs, keys, etc.) to enhance security; information transmitted in closed closures is computationally altered to enhance security;
  • the present invention is implemented by a third-party identity authentication system and method, wherein three systems are respectively connected to the same network, and the three systems are respectively a service party, a requesting party, and a third party, wherein the service party requests the request.
  • the party's authentication is to be completed by a third party.
  • the three parties can complete the following steps: One party obtains the authentication information and initiates the authentication information from the above three parties.
  • the same network is the Internet.
  • the closed transit path consists of information transfer between each of the three systems, Specifically: the starting point and the ending point of the closed transmission are the same party, firstly sending information to the other party, then the last party in the other direction sends out the information, and then the last direction returns information to the first party to complete the closed transmission; or, the starting point of the closed transmission
  • the end point is not the same as the end point.
  • one party separately sends information to the other two parties, and then one of the other two parties sends a message to the other party to complete the closed transmission.
  • the content of the information that is closed and transmitted when transmitted from one party to the other is constant.
  • the closed delivery information cannot be the IP address and port number in the packet header, because for example, if one of the parties is behind NAT, the intranet IP address and port number of the application object will be mapped to the external network IP address after NAT processing. And port number.
  • the closed transmission from the three parties originating from the authentication information means that the transmitted information is the same or the transmitted information is different and conforms to a corresponding mathematical calculation corresponding rule.
  • the information transmitted is the authentication information itself.
  • the end point of the closed transmission verifies whether the received information is consistent with the issued authentication information or whether the two received information are consistent, and if they are consistent, the proof is obtained.
  • the information received originates from the starting point of the closed transmission.
  • the information transmitted between each of the closed passes is the same, and is the authentication information.
  • the authentication information may be a sequence consisting of any symbols.
  • the authentication information can be a random number generated by a random function.
  • the end point of the closed delivery can verify whether the received information is Whether the two pieces of information generated or received based on the authentication information are generated based on the same authentication information, if generated based on the authentication information or generated based on the same authentication information, the information received to prove receipt originates from the starting point of the closed delivery.
  • the information passed between each of the closed passes is not all the same.
  • the authentication information may be a randomly generated pair of numbers that conform to a specific law.
  • the closed starting point sends two of the pair of numbers to the remaining two parties, and the closing end point determines whether the received two pieces of information originate from the same authentication information by verifying whether the two numbers obtained meet the specific law.
  • the authentication information may be a random sequence. After receiving the authentication information, one party calculates its one-way hash value by an agreed algorithm and sends the hash value to the end point of the closed transmission.
  • the authentication information may be a key, a one-way hash function or other function. After receiving the authentication information, one party calculates the agreed value by the key, one-way hash function or other function and sends it to the closed end point. The closed end point determines whether the party's information originates from the starting point of the closed delivery by checking the agreed value.
  • the information transmission path between any two of the three parties does not pass through the other of the three parties.
  • each information sent by the requesting party is used only for one authentication, and each information sent by the requesting party cannot be inferred from information previously sent by the requesting party.
  • the process of the closed delivery is completed by a program running on the three systems through a computer network, and the user of the system is not included in the delivery path, and the user of the system does not need to know the content of the delivery information, and the user of the system does not need to Participate in the process of delivery.
  • the service provider is a computer system that provides resources and services to users through the Internet
  • the requesting party is a computer-enabled terminal device connected to the Internet used by the user
  • the third party is a computer capable of authenticating the user of the requesting party through the Internet.
  • the system wherein the service party provides resources and services to the requester only when the user of the requesting party passes the identity authentication of the service party, and the identity authentication of the user to the user is performed by a third party.
  • the requesting party may be a PC terminal, a mobile terminal, or the like, and the server and the third party may be a server or a server group.
  • the service party and the requester may also be user terminals that use third party services.
  • the present invention can be used in an instant messaging system in which two user terminals establish a handshake process of a point-to-point connection between two terminals through an instant messaging system, such as: a third party is an instant messaging service party, the service party And the requesting party is the user of the instant messaging service, wherein when the server needs to send a file to the requesting party or the requesting party needs to establish a dialogue connection with the service party, the server or the requesting party can generate an authentication information and directly and through the first The three parties send to the other party, and the requester or the service party that receives the authentication information verifies the received authentication information to determine whether the connection authentication of the other party passes.
  • a time stamp is generated, and only when the closed delivery destination party receives the information or receives the second information.
  • the certification will not pass until the specified period of validity has expired.
  • the servant When the servant is the start and end points of the closed delivery, the servant will mark the current system time when generating the authentication information.
  • the servant compares the return time and the generation time, only when the time difference is less than The specified value is the certification to pass.
  • the requester is the starting point of the closed transmission and the service party is the end point of the closed transmission
  • the service party compares the time difference between the first information and the second information. Only when the time difference is less than the specified value, the authentication can pass.
  • the three systems are independent of each other, the three are operated independently, the three are independently connected to the Internet, the three are not the same independent entity, and the three do not have a affiliation relationship, and any one of the three
  • the other party's system privileges do not have administrative or control rights.
  • the requesting user has a user identification code (APID) in the servant system, and the requesting user also has a user identification code (AUID) in the third party system, and the APID has a corresponding relationship with the AUID.
  • the correspondence is controlled by the server system or a third party system.
  • the user identification code is a sequence consisting of any symbol.
  • the number of the service parties is multiple, and one requester user may have several different APIDs on several application service systems, and the APIDs may correspond to the same AUID of the user on the same third party system.
  • the third-party system is one or more, and one requesting user may have an AUID on several third-party systems, and the AUIDs may correspond to the same service party of the user.
  • the communication path between each of the three parties can be encrypted, such as the connection established by SSL.
  • connection manner of the same network includes a wired mode and a wireless mode.
  • the servant may perform authentication on the requesting user with the login password before authenticating the requesting user through the third party.
  • the end point of the closed delivery is a service party or a third party, wherein when the third party is the end point of the closed delivery, the third party needs to notify the service party of the result of the authentication.
  • the authentication information is generated immediately by a party when the closed delivery is initiated or is generated in advance.
  • the information conveyed by the closure is not an IP address and a port number in the data header.
  • the closed delivery information does not depend on the IP address and port number, which provides better security and better addresses NAT penetration and other issues.
  • the requesting party sends a connection request directly to the servant or through the third directional service party, and the connection request may be completed by the information transmitted by the closure or by a separate The steps and information are completed.
  • the port or connection that the servant allows the requesting party to access after the authentication is passed is the port or connection in which the requesting party and the servant perform information transmission in the closed delivery.
  • the requesting party is a local area network user in a NAT gateway, and the requesting party performs the information transfer in the closed delivery through the port P assigned by the NAT, and the service party allows the port P to access the specified service or Resources.
  • the information transmission between the requester and the service party is carried out through the Internet.
  • Information transfer between the service provider and the third party is done via the Internet or not via the Internet.
  • Information transfer between the requesting party and the third party is done via the Internet or not via the Internet.
  • the requesting party in the closed delivery, separately communicates with the service party through two different programs.
  • the third party performs information transmission, wherein the requesting party transmits information to the third party through a program, and the requesting party accesses the service party through another program after the service party passes the authentication of the requesting party.
  • the requesting party communicates with a third party through a special authentication procedure, and the requesting party communicates with the servant through other programs and establishes an access, and the authentication program can communicate with the other program.
  • the process of the closed delivery is performed by a program running on the three systems, wherein an authentication program running on the requesting party can automatically participate in completing the closed delivery after being authenticated by a third party, wherein only The closed delivery can only be completed when the authentication program runs and passes third party authentication.
  • the service provider authentication can only be passed when the closed delivery is correctly completed. After the service provider passes the authentication, the service party responds to the requester's access request according to the requester's authority.
  • the third party when the third party is the end point of the closed delivery, the third party will pass the verification result of the verification notification closure to the service party after the closure delivery is completed.
  • the requesting party can access different servant resources after a third-party authentication.
  • the access of the requesting party to the specified service or resource of the service party is also suspended when the authentication program is suspended.
  • the third party will authenticate the requesting party each time the requesting party reconnects to the third party, and the requesting party can access multiple different servants by only one third party's identity authentication.
  • the servant will perform access authentication on the requesting party.
  • the content of the invention relates to how the third party transmits the authentication credential of the requesting party to the servant, and the way the third party authenticates the requesting party can be combined with any feasible manner, for example: a simple username and password, symmetrical Key or asymmetric key authentication, dynamic password, one-way function calculation, biometric authentication, mobile IC chip, authentication by other communication terminals of the user, SIM card recognition Etc., the specific method is not limited to the manners listed above, but may also be a combination of several methods.
  • the invention adopts a closed delivery method originating from the authentication information to transmit the authentication certificate of the third party to the requesting party to the service party, and the service party determines whether the authentication is passed by comparing whether the received information matches.
  • This solution has various implementation methods, small workload on the service side, simple program and easy implementation.
  • the closed delivery information does not depend on the IP address and port number, providing better security while better addressing NAT penetration and other issues.
  • the invention provides a security certification by a third party, and the user has a mobile ic.
  • a different identity can be conveniently accessed through a single identity authentication performed by a third party.
  • the portable IC can Implement secure identity authentication on different terminals.
  • the present invention is implemented as follows:
  • the system includes a mobile IC, a terminal, an application service system, and an authentication service system, wherein the terminal, the application service system, and the authentication service system are respectively connected to the Internet, and the application service system is to the end user through the Internet.
  • a computer system providing a service the user uses the service provided by the application service system through the Internet on the terminal, and the application service system authenticates the terminal user through the authentication service system, wherein the terminal user has a movable type
  • the IC, the mobile IC is connected to the terminal through a standard interface of the computer peripheral, and the authentication service system authenticates the terminal user through the mobile IC.
  • the authentication service system can directly authenticate the authentication information of the terminal user after the terminal user passes the identity authentication. Passed or passed through the terminal to the application service system, wherein the authentication service system can deliver the authentication information to the application service system only when the connection identifier of the mobile IC and the terminal is valid.
  • the application service system will allow the user terminal to access the specified service after receiving the authentication information and confirming the validity.
  • each authentication information is used only once and cannot be inferred from the previous authentication information.
  • the authentication information may be information generated by the authentication service system including a time stamp and a username, and a digital signature encrypted by the private key of the information, or the authentication information may be a random number generated by the authentication service system and the authentication service system Random numbers in both direct and user terminals
  • the formula is sent to the application service system, and so on.
  • the authentication service system or the application service system can forward the authentication information to the other party through the application running on the terminal, and the terminal program can identify the authentication information and complete the forwarding of the authentication information.
  • the terminal program can identify the authentication information and complete the forwarding of the authentication information. The user does not need to know the content of the authentication information, and the terminal user does not need to participate in the forwarding process.
  • the authentication service system can transmit the authentication information to the application service system only when the connection identifier of the mobile IC and the terminal is valid.
  • the connection tag may be a tag that connects the validity period generated after authentication, or a tag that depends on a specific program object, or a tag that is valid for the current connection. For example: When the mobile IC is authenticated by the authentication service system, the authentication service system generates a time expiration mark, during which the terminal's connection tag is valid. Another example: When the mobile IC is authenticated by the authentication service system, a program object is run on the terminal, and the connection flag of the terminal is valid during the running of the program object, and the connection flag of the terminal is invalid when the program is aborted. Another example: The connection mark can also be designed such that when the portable IC is connected to the terminal, the connection mark of the terminal is valid.
  • the standard interface of the computer peripheral is a wired or wireless standard interface for interconnecting communication between the computer and the external device and the removable storage device, and the standard interface is plug and play, such as: USB interface, Bluetooth Interface and more. Plug and Play means: After the peripherals are connected to the booted computer host through this interface, they can communicate and use each other immediately without restarting the host computer.
  • the terminal, the application service system and the authentication service system are independent of each other.
  • the terminal, the application service system and the authentication service system are independent of each other, which means that the three are independently operated, and the three are independently connected to the Internet, and the three do not belong to the same independent entity, and the three do not have a belonging relationship. . Any one of the terminal, the application service system, and the authentication service system does not have management or control over the system rights of the other party.
  • the mobile IC stores a mathematical algorithm or an algorithm factor X
  • the authentication service system stores Corresponding mathematical algorithm or algorithm factor Y, mathematical algorithm or algorithm factor X and mathematical algorithm or algorithm factor ⁇ exist
  • the authentication service system can be based on mathematical algorithm or algorithm factor X and mathematical algorithm or algorithm factor ⁇ correspondence The relationship authenticates the end user.
  • mathematical algorithms or algorithmic factors X and ⁇ can also be combined with external variables or parameters to improve security, such as: adding time variables, adding instant parameters sent by the authentication server to the terminal, adding counter parameters, Add random variables, join username and password
  • the mathematical algorithm or algorithm factor X and the mathematical algorithm or algorithm factor are the same symmetrically encrypted key, or a pair of asymmetrically encrypted keys, or a dynamic cryptographic algorithm.
  • the movable IC can perform a mathematical operation on a mathematical algorithm or an algorithm factor X, and send the operation result to the terminal through a standard interface.
  • the mathematical operations may be: encryption, decryption, digital digest calculation, one-way function calculation, or dynamic password calculation, and the like.
  • the portable IC is an integrated circuit having computing and storage functions, including a chip and peripheral circuits.
  • the terminal user has an user identification code (APID) in the application service system, and the terminal user also has a user identification code (AUID) in the authentication service system, and the APID has a correspondence relationship with the AUID, and the application service system or the authentication service system stores the APID.
  • the user identification code can be a sequence of any symbol.
  • APID and AUID can be the login user name of the end user on the application service system and the authentication service system or a unique string randomly generated by the system.
  • AUID can be "application service system name + APID", and the application service system can directly obtain the AUID based on the APID and send it to the corresponding authentication service system to request identity authentication.
  • the AUID may be a string generated by the authentication service system for the end user, and the authentication service system or the application service system stores a correspondence list between the AUID and the APID, and the authentication service system or the application service system may obtain the list according to the list and the APID.
  • AUIDo AUIDo
  • the application service system is multiple, and one terminal user can serve in several applications. There are several different APIDs on the system, and these APIDs can correspond to the same AUID of the user's mobile IC on the same authentication service system.
  • the authentication service system is one or more, and the mobile IC of one end user may have an AUID on each of the several authentication service systems, and the AUIDs may correspond to the same one of the users on the same application service system. APID.
  • the terminal is a computer-enabled device connectable to the Internet.
  • the application service system is a server or a server group
  • the authentication service system is a server or a server group.
  • connection manner of the Internet includes a wired mode and a wireless mode.
  • the user identification code is a sequence consisting of any symbol.
  • the application service system is a computer system that provides resources and services on the Internet.
  • the same mobile IC can have multiple APIDs or AUIDs on the same application service system or authentication service system.
  • the application service system After the application service system receives the authentication information and confirms the validity, the user terminal is allowed to access the designated service, and when the connection flag fails, the user terminal access to the designated service of the application service system is also suspended.
  • the mobile IC completes information transmission and authentication by using an authentication program running on the user terminal and the authentication service system.
  • the authentication service system sends the authentication information to the application service system, and the application service system receives the authentication information.
  • the validation is valid, another program object of the non-authentication program running on the user terminal is allowed to access the specified service.
  • the authentication information is forwarded by the user terminal, the authentication information is sent by the user terminal to the application service system by another program object of the non-authentication program, and if the application service system receives the authentication information and confirms the validity, the non-authentication Another program of the program will be allowed to access the specified service.
  • the authentication service system in order to prevent malicious eruption of the landing request and the loss of the mobile IC, etc., Set the login password for the end user to log in to the authentication service system, application service system or mobile IC.
  • the authentication service system After the terminal user passes the simple authentication of the authentication service system with the login user name and the login password, the authentication service system authenticates the identity through the mobile IC.
  • the application service system After the terminal user passes the simple authentication of the application service system by using the login user name and the login password, the application service system authenticates the terminal through the authentication service system.
  • the user can authenticate to the authentication service system by using the mobile IC only by the login password verification of the mobile IC.
  • the content of the present invention relates to a third-party authentication service system that implements identity authentication for an end user through a mobile IC, and the specific manner in which the authentication service system transmits the authentication information of the terminal user to the application service system can be combined with various possible Method, for example:
  • the application service system sends specific information to the authentication service system. If the terminal passes the identity authentication of the authentication service system, the authentication service system returns the specific information to the application service system through the terminal, and the application service system determines according to the specific information returned by the terminal. Whether the user's authentication passed;
  • the application service system requests the authentication service system to perform identity authentication on a certain terminal. If the terminal passes the identity authentication of the authentication service system, the authentication service system directly provides specific information to the application service system, and the authentication service system sends specific information to the terminal through the terminal. The application service system returns, and the application service system determines whether the user's authentication is passed according to comparing two specific information;
  • the authentication service system generates a specific algorithm or parameter, and the authentication service system sends a specific algorithm or parameter to the terminal and the application service system, and the application service system implements the authentication of the terminal through the corresponding relationship between the specific algorithm and the parameter;
  • the authentication service system After the terminal passes the identity authentication of the authentication service system, the authentication service system sends specific information including the digital signature to the terminal, and the specific information further includes time information when the information is generated, and the terminal requests the application service system with the specific information. Certification
  • the terminal After the terminal passes the identity authentication of the authentication service system, when the application service system goes to the authentication service
  • the service system sends a request for identity authentication to the terminal and a random number.
  • the authentication service system compares the address information of the terminal with the address information of the authentication terminal or the comparison result and sends the random number back to the application service system.
  • the authentication information may be any information, and the authentication information may be generated by the authentication service system or the application service system.
  • the function of the authentication information is to notify the application service system in some manner by the authentication service system to authenticate the identity of the terminal.
  • the invention combines the method of mobile IC and third-party authentication, so that the user can realize secure and convenient identity authentication on many network resources with the lowest hardware cost and time cost, gp: - aspect, the user only needs With a mobile IC, you can securely authenticate different online resources. On the other hand, users can access different online resources only by authenticating to a fixed third party.
  • gp hardware cost and time cost
  • a secure network authentication system and method includes a user party, a service party, and an intermediary party, and at least one of the three parties can separately communicate with each other through wired or wireless means.
  • the service provider can access the specified service or resource of the service provider.
  • the service provider authenticates the user through the intermediary.
  • the user can authenticate through the service provider.
  • the servant can perform the servant authentication on the same user side through the same intermediary, and is characterized in that: after the user party authenticates through the intermediary's intermediary, the authentication program run by the user party will maintain a valid authentication connection with the intermediary or Maintaining a valid authentication identifier, when the user requests access to the servant, the servant authentication is performed.
  • the intermediary if the authentication connection or the authentication identifier is valid, the intermediary will Sent to the service party with or without the user, only when the service party receives After verifying that the correct authentication credentials through service-party certification will, in After the service provider passes the service, the service party responds to the user's access request according to the user's right authority.
  • the authentication connection or the authentication identifier of the authentication program will be invalid as long as the authentication program is suspended.
  • the verification certificate is A message sent as a whole is composed of two separately transmitted information, wherein the user does not need to send or save the user name and password that can be directly authenticated by the service party to the service party to be registered in the service party. square. If the authentication connection or the authentication identifier is invalid, the intermediary will suspend the authentication process, and the service party's authentication to the user will fail. Among them, the user side needs to perform the service party authentication every time the user establishes a connection with the service party.
  • the user's access to the specified service or resource of the service party is also suspended when the authentication program is suspended.
  • the servant may be notified to suspend the access, or the user's access to the servant's program object may be suspended.
  • the program object that the user side is allowed to access the specified service or resource of the service party is not the authentication program.
  • the specific program object of the user side accessing the service party is other program objects of the non-authentication program, and these other program objects may be initiated by the user, or the authentication program may be started on the user side.
  • the user party, the service party and the intermediary party are connected through the Internet.
  • the information transmission of the three parties is carried out through the Internet.
  • the verification voucher includes or contains information about the generation time, or contains random information generated by the servant or the intermediary.
  • the servant will first generate a random sequence and send it to the intermediary.
  • the intermediary will add the random sequence to the vouchers sent to the servant.
  • the servant will check the voucher after receiving the voucher.
  • the random sequence is correct only if the random sequence is correct.
  • the content of the voucher contains the generation time of the voucher and is digitally signed.
  • the content of the voucher includes a random number generated by the intermediary, and the random number forms a character string with the user side AUID, the voucher generation time, and the service party domain name, and the character string and the random number constitute the voucher.
  • the string and the random number are sent to the service party with and without the route of the user.
  • the service party will receive two pieces of information. Whether the random number in the comparison string is the same as the individual random number, the certificate is correct only when the two random numbers are the same.
  • the content of the verification certificate of the user side issued by the intermediary cannot be inferred from the verification certificate of the user side issued by the previous intermediary.
  • the verification credential contains randomly generated information, or the verification information is a digital signature of information containing time, and so on.
  • each verification certificate can only complete the service party authentication once. For example, if the servant receives the authentication credential of the user after accessing the user, the servant will not receive the verification credential. In addition, in this case, the servant suspends the current access of the user to request the user. Perform service party certification again.
  • the authentication connection or the certification mark or the verification certificate has a time validity period, and the expired authentication connection or the certification mark or the verification certificate will be invalid.
  • the validity period of the certification mark may be set by the user on the authentication procedure or may be set by the intermediary.
  • the authentication procedure may prompt the user to perform the intermediary authentication to refresh the authentication identifier when the authentication identifier is to expire, or may automatically perform the intermediary authentication to refresh the authentication identifier.
  • the intermediary authentication depends on the user side key, and the authentication program can automatically perform the intermediary authentication as long as the user side key is connected or stored in the user side terminal.
  • the authentication identifier cannot be derived from the previous authentication identifier.
  • the authentication identifier may also be stored on a mobile peripheral or a removable IC connected to the user terminal.
  • the intermediary and the servant have corresponding agreement algorithms, and the servant can verify whether the received verification vouchers are correct through the agreed algorithm.
  • the certificate authenticated by the user side through the intermediary may be composed of two parts of information, and the service party can determine whether the two pieces of information in the voucher match by the agreed algorithm, and if the match is matched, the voucher is sent by the intermediary or is correct.
  • the appointment algorithm may be an encryption and decryption algorithm, or a digital signature algorithm, or a one-way function algorithm, or a dynamic cryptographic algorithm or the like.
  • the appointment algorithm is based on RSA+SHA
  • the digital signature algorithm the intermediary has the RSA private key and the specific SHA, the servant can obtain the RSA public key and the specific SHA corresponding to the intermediary private key, and the intermediary generates a string including the user AUID, the generation time, and the servant domain name.
  • the string and its digital signature constitute the certificate authenticated by the user through the intermediary
  • the intermediary sends the certificate to the service party as a whole through the user, or the intermediary signs the string and digital of the certificate
  • the two parts of the information are sent to the servant by the path of the user and the user.
  • the servant verifies that the string in the voucher matches the digital signature with the RSA public key + specific SHA. If it matches, the voucher is correct. .
  • the verification credential is not the network address of the user side, and the verification of the verification credential is not implemented by comparing the network address of the user side.
  • the verification of the voucher is not based on the network address or IP address, which is suitable for more applications (such as some NAT applications), and in this way, verification of the voucher can be implemented to improve security.
  • the information transmitted between the user side and the service party does not pass through the intermediary, or the connection established by the service party to allow the user to access does not pass through the intermediary.
  • the intermediary has a secret key, and the verification of the verification credential by the service party is performed by the key, which is a private key in a pair of asymmetric encryption keys or a symmetric encryption key.
  • the intermediary generates a verification credential by means of a private key digital signature, and the service party can obtain the public key corresponding to the intermediary private key and verify the verification credential with the public key.
  • the verification credential is composed of one piece of information or two pieces of separately sent information.
  • the two pieces of information can be the same or different.
  • two pieces of information can be sent by the same route or different routes.
  • the service party determines whether the service provider authentication is passed by using the obtained two pieces of information.
  • the validity of the authentication connection or the authentication identifier is that the authentication connection or the authentication identifier exists and is correct.
  • the invalidation of the authentication connection or the authentication identifier means that the authentication connection or the authentication identifier does not exist or is deleted. Or not correct. For example: When the certification process is aborted The certificate program will notify the intermediary, and the intermediary will know that the authentication connection or the authentication ID of the authentication program has expired, and then the intermediary considers that the authentication connection or the authentication identifier is incorrect.
  • the user side's authentication procedure and the way to save the authentication identifier are not standard browsers.
  • the authentication program may not be a standard browser, and the authentication identifier may be stored in a manner other than a cookie.
  • the authentication program can be composed of a standard browser plus a dedicated authentication function execution module, or a dedicated authentication function execution program.
  • the authentication program can also be a standard browser, and the authentication identifier is saved in the manner of a session cookie.
  • the user needs to request access to the service party by selecting the service party that needs to log in from the interface of the authentication program.
  • the servant will allow a connection or port from the user terminal to access the specified service or resource, and the connection or port is the port or connection to which the user forwards the credential to the servant.
  • the user side requests to access the service party, specifically, the user party directly sends an access request to the service party or the user sends a request to the intermediary party to the access service party.
  • the user side can request access directly on the service party interface, and the user side can also request access to the service party on the authentication program interface.
  • the authentication connection is a session connection established between the authentication program run by the user side and the intermediary party after the user side authenticates by the intermediary.
  • SessionlD can be random and has enough digits to ensure security, such as: SessionlD is a 1024-bit non-repeating random sequence.
  • the authentication identifier is a random long string, or an encrypted string, or an encryption key, or a dynamic cryptographic algorithm, or a one-way function, and the like.
  • the authentication identifier may be a SessionID in which the authentication program establishes a session with the intermediary.
  • the user's authentication program sends information about the authentication identifier to the intermediary to enable the intermediary to verify the authentication identifier and the user, and when the verification is correct, the intermediary
  • the verification certificate will be sent to the service party with or without the user.
  • the information about the authentication identifier is either the authentication identifier itself or the information having a verifiable mathematical correspondence with the authentication identifier.
  • the authentication identifier is one of a pair of asymmetric keys or a symmetric key
  • the intermediary has the other of the pair of asymmetric keys or also has the symmetric key
  • the authentication program uses the key identified by the authentication.
  • the encrypted information or digital signature is information about the authentication identifier, and the intermediary verifies the encrypted information or the digital signature with the owned key, and if it is correct, the verification is passed.
  • the user side may also invalidate the authentication connection or the authentication identifier if the authentication program does not suspend the resident operation.
  • the user side has a mobile peripheral device, and only when the mobile peripheral device and the user terminal are connected by wire or wirelessly, the user can authenticate through the intermediary.
  • the specific way of connecting the mobile peripheral to the terminal is a wired connection or a wireless connection, such as: a USB interface data line, a Bluetooth wireless interface, an infrared connection, and the like.
  • the user can be connected to different terminals through a wired or wireless interface.
  • the terminal connected to the user's mobile peripheral is the user terminal.
  • the user has an IC with a USB interface, and the IC stores a private key, and the intermediary authentication is completed by calculating the private key on the IC.
  • the user has passed a simple authentication of the service party before the service party certification.
  • This authentication can be done by means of a login password, which can prevent malicious eruption of login requests and other issues.
  • the service party can communicate with each other by wired or wireless connection with the other two parties.
  • the user side can separately communicate with each other through wired or wireless means. After the user's access to the designated service or resource of the service party is suspended, the user needs to re-authenticate through the intermediary to perform the service provider authentication.
  • the information transfer between the authentication program and the external objects of two different addresses or different domain names does not cause the authentication connection or the authentication identifier to be invalid, the information transmission or the authentication program identifies and receives the information from the service party or the intermediary, or The certification process is sent to the servant or intermediary
  • the three-party information transmission can also be performed by the user side.
  • the user side can also authenticate the service party through the intermediary in the same way, ⁇ :
  • the terminal and the service party perform the exchange in the above-mentioned connection authentication process, and the terminal can complete the authentication to the service party.
  • connection authentication should be completed by a program running on the three-party system through a computer network.
  • the service party may be a server system that provides resources and services to the user through the Internet, such as various websites.
  • the service party may also be a terminal of another user on the Internet. After the authentication of the user party is passed, the terminal of the user side is allowed to access the specified service or resource of the terminal of the other user.
  • the present invention can be used in a handshake process in which two user terminals establish a point-to-point connection between two terminals in an instant messaging system.
  • the designated resource or service of the service party may be a file resource, a browser service, a multimedia resource or service, an audio and video connection, an instant messaging conversation service, a search service, an online account operation service, an online transaction service, and the like.
  • the servant for example: online game operators, online forums, instant messenger service providers, resource download sites, online banking, online stores, a terminal that has access to instant messaging systems (such as MSN), and so on.
  • the intermediary is a computer system that performs third-party authentication on the Internet.
  • the user terminal, the service party and the intermediary are devices with computer functions, such as:
  • the user side has a user identification code (APID) in the servant system, and the user side also has a user identification code (AUID) in the intermediary system, and the APID has a corresponding relationship with the AUID.
  • the correspondence is mastered by the server system or the intermediary system.
  • the user identification code is a sequence consisting of any symbol.
  • APID and AUID can be the user name of the user on the servant and the intermediary or the serial number generated by the servant and the intermediary for the user.
  • AUID can be APID+ servant name or address.
  • the service party stores the APID and user rights of the user side.
  • the communication path between the service party and the intermediary, or between the intermediary and the terminal, or between the service provider and the user may be encrypted, such as a connection established by using SSL.
  • the intermediary authentication can be performed in different ways, for example, the manner of the user name and password, the way of moving the IC, the way of returning the authentication number through other terminals of the user, and the like.
  • the invention can be implemented by loading a special module on the instant messaging terminal or the client software of the browser.
  • the authentication program is the client software of the instant messaging terminal or the browser.
  • the present invention can be combined with other solutions that the inventors have applied to form a new solution, including: the service party authentication can be completed in combination with the closed delivery based on the authentication information ("Through a third party identity authentication system and method", Patent application number: 200810056123.1), the service party authentication can also be completed in a manner that the user side and the intermediary have the corresponding agreement algorithm ("the third-party authentication system and method based on the agreed algorithm", patent application number: 200810114706.5).
  • the service party can verify the digital signature of the intermediary, and the user party establishes a session with the intermediary after the user authenticates by the intermediary, and a digitally signed information generated by the intermediary during the service authentication process.
  • the two information received by the service party is the certificate that the user passes the authentication, the service party compares the two information and verifies the digital signature, only two information are the same and the number The credentials will be correct when the signature is correct.
  • the verification certificate issued by the intermediary is the so-called closed delivery information.
  • the service party can verify the digital signature of the intermediary. After the user authenticates by the intermediary, the intermediary sends a DES key to the user as the authentication identifier.
  • the service direction is first and The intermediary sends the same random sequence separately, the user encrypts the random sequence with the DES key and sends the encrypted information to the intermediary, and the intermediary decrypts the random sequence and compares it with the received from the service party, if two If the random sequence is the same, the authentication identifier is valid. If the authentication identifier is valid, the intermediary constructs a sequence with the user AUID and the generation time, and digitally signs the sequence and sends the sequence together with the digital signature to the servant. In the above example, after the so-called closed delivery is completed, the intermediary sends a verification credential to the service party, and the verification credential issued by the intermediary is not so-called closed delivery information.
  • the invention adopts a secure network authentication system and method for the service party to authenticate the user through the intermediary, and the authentication method is reliable, safe and convenient.
  • Option IV
  • the present invention is implemented in this way, a third-party authentication system and method based on an agreed algorithm, wherein the user party, the service party and the intermediary party are all connected to the Internet, and the user party can access the service after passing the authentication.
  • the agreement algorithm Y, the agreement algorithm X and the corresponding agreement algorithm ⁇ are the same or different, and the user party's appointment algorithm X is stored in the user side terminal or stored in the user terminal that can be connected with the user side terminal.
  • the agreement algorithm X and the corresponding agreement algorithm can perform the following two matching calculations.
  • an agreement algorithm X or ⁇ calculates the information B for the information
  • the agreement algorithm X or Y corresponds to the agreement.
  • the algorithm Y or X can either calculate the information B or obtain the information B for the information A, or calculate the information A for the information B, or the information A and the
  • the information B is calculated to verify that the information B is generated by the agreement algorithm X or Y, and the calculation by the agreement algorithm X is performed on the user terminal or on the user-side mobile peripheral.
  • the calculation by the method Y is performed by the intermediary, wherein when the user requests the access to the service party, one of the intermediary, the service party and the user side generates information, and the intermediary, the service party, and the user party will generate the information.
  • the relevant information of ⁇ or ⁇ is transmitted and the calculation of the two matching matches is completed, and the intermediary or the servant will act as the verifier to judge whether the authentication passes or not by comparing or calculating the obtained information.
  • the information between the service party and the user side will not be transmitted by the intermediary party, and the information between the service party and the intermediary party will not be transmitted by the user side.
  • the information about the information A or B can be compared or calculated with other related information of the information A or B to verify whether the related information A or B of the two information is the same, in each connection authentication process, or verification
  • the party will get the information about the two information A or the related information of the two information B and verify whether the related information A or B of the two information is the same, or the verifier will get An information A and a message B and verify whether the information B is generated by the agreement algorithm X or Y to calculate the information A, and only if the two matching calculations are correctly completed, the result of the above verification will be It is affirmative, and the user's connection authentication will only pass when the verification result is positive.
  • the service party will allow the user to access the specified service or resource.
  • the information related to the information A is either the information A itself, or the information (Al) generated corresponding to the information A, or the information generated by the information A or A1 in a specific manner (Am, An) Or, is used to calculate the information of the generated information A, and the related information of the information B is either the information B itself or the information (Bm, Bn) calculated by the information B in a specific manner.
  • the intermediary or the servant also starts a timer during each connection authentication process. If the intermediary or the servant does not receive the specified information within a limited time, the intermediary or the servant will abort the authentication process. Authentication on the user side will fail.
  • the user side may also send a connection authentication request to the servant or the intermediary before the other steps of the connection authentication, or the information sent by the user for the first time in the connection authentication. It also contains a connection authentication request from the user to the servant or intermediary.
  • the agreement algorithm is a key-based encryption algorithm or a decryption algorithm, wherein the calculation of the information A by the contract algorithm X or Y is an encryption operation, and the calculation of the information B by the agreement algorithm X or Y is a decryption operation.
  • the agreement algorithm X includes a key XKEY
  • the agreement algorithm Y includes a key YKEY
  • the contract algorithm is a symmetric encryption and decryption algorithm, so that XKEY is the same as the corresponding YKEY, or the contract algorithm is an asymmetric encryption and decryption algorithm.
  • XKEY is different from the corresponding YKEY.
  • the information A is a symmetric encryption key or the information A and A1 are a pair of asymmetric encryption keys, and the two matching calculations are encryption and decryption operations, and the information A passes the encryption and encryption during the connection authentication process.
  • the decryption operation is carried out. If the connection authentication is passed, an encrypted communication connection is established between the user side and the intermediary or between the user side and the service side with the information A or with the information A and A1 as the key.
  • one user side has two agreement algorithms X: an encryption algorithm XI and a decryption algorithm X2, and the intermediary side has two agreement algorithms Y corresponding to each user side: a decryption algorithm Y1 and an encryption algorithm Y2, wherein XI corresponds to Y1 ⁇ 2 corresponds to ⁇ 2, where XI and ⁇ 2 have a common key XKEY, Y1 and Y2 have their same key YKEY, where XKEY and YKEY are the same symmetrically encrypted secret when the contract algorithm is a symmetric encryption and decryption algorithm.
  • Key, XKEY and YKEY are a pair of asymmetrically encrypted keys when the contract algorithm is an asymmetric encryption and decryption algorithm.
  • the appointment algorithm is stored on the user-portable peripheral device, and the mobile peripheral device is connected to the user-side terminal by wire or wirelessly, and the mobile peripheral device has an IC chip, and the user side
  • the calculation of the information A or the information B by the contract algorithm X is performed on the mobile peripheral.
  • the intermediary or the servant when the intermediary or the servant generates the information A, each of the information A cannot be inferred from the previous information A or the information A is randomly generated, or when the user sets the generated information A, the information A includes the information The verification information of the information A generation time, the intermediary or the service party will extract the letter The verification information of the generation time in the information A determines whether the generation time of the information A is within the specified range. If the generation time of the information A exceeds the specified range, the intermediary or the service party terminates the authentication process and the user side The certification will fail.
  • the servant may allow a connection or port from the user terminal to access the specified service or resource, and the connection or port is the non-intermediary information between the servant and the user.
  • the user side has passed the authentication of the intermediary or the servant and established the connection before performing the connection authentication.
  • the three parties transmit the related information of the information A or B through the service party, wherein the intermediary and the user respectively transmit information to and from the service party, and the information transmission between the intermediary and the user side is also Completed by the service side.
  • a user can connect to multiple servants, and the multiple servants can authenticate the user through the same intermediary.
  • the information transmission between the user and the service party is carried out through the Internet, and the information transmission between the service party and the intermediary party is performed through the Internet or not via the Internet.
  • the communication between the service provider and the intermediary can also be carried out through dedicated communication.
  • the specific solution for connection authentication is one of the following:
  • the intermediary generates the information A, and the service party acts as the authenticator.
  • the intermediary will calculate the information A to generate the information B by using the agreement algorithm Y corresponding to the user, and the user will also calculate the information A by the agreed algorithm X to obtain the information B.
  • the servant will receive either two information B, or information B and Bm, or information Bm and Bn, where the information Bm or Bn is generated by the user or the intermediary, and the servant will verify the two information obtained.
  • Information B Whether it is the same, if the verification result is affirmative, the authentication is passed and the servant allows the user to access the specified service or resource;
  • the intermediary generates the information A, and the service party acts as the authenticator.
  • the intermediary will calculate the information A to generate the information B according to the agreement algorithm Y corresponding to the user, and the user will calculate the information B by the agreed algorithm X to obtain the information A, the service party.
  • the intermediary generates a pair of information A and information A1, and the service party acts as the authenticator, wherein the intermediary calculates the information A by using the agreement algorithm Y corresponding to the user side, and the user calculates the information B by the agreed algorithm X to obtain the information A.
  • the service party will receive the information A1 and A or the information A1 and Am or the information A and Am, wherein the information Am is generated by the user or the intermediary, and the service party will verify whether the obtained information A of the two pieces of information is Similarly, if the verification result is affirmative, the authentication is passed and the service party allows the user to access the specified service or resource;
  • the intermediary generates the information A, and the intermediary acts as the authenticator, wherein the intermediary calculates the information A by using the agreement algorithm Y corresponding to the user, and the user also calculates the information A by the agreed algorithm X to obtain the information B, and the intermediary will Received a message B or Bm, where the information Bm is generated by the user or the servant, and the intermediary will verify whether the information B generated by itself and the information B related to the received information B or Bm are the same. The verification result is affirmative, then the authentication passes and the notification service party allows the user to access the specified service or resource;
  • the intermediary generates the information A, and the intermediary acts as the authenticator, wherein the intermediary calculates the information A by using the agreement algorithm Y corresponding to the user, and the user also uses the agreed algorithm X.
  • the calculation information B obtains the information A, and the intermediary will receive a message A or Am, wherein the information Am is generated by the user, and the intermediary will verify the information A generated by itself and the information related to the received information A or Am. Whether A is the same, if the verification result is affirmative, the authentication passes and the notification service party allows the user to access the specified service or resource;
  • the intermediary generates a pair of information A and information A1, the intermediary acts as the authenticator, and the intermediary calculates the information A to generate the information B according to the agreement algorithm Y corresponding to the user, and the user calculates the information B by the agreed algorithm X to obtain the information A, the intermediary The party will receive the message Am, where the information Am is generated by the user or the servant, and the information A of the intermediary verification information A1 and the received information Am are the same. If the verification result is affirmative, then the intermediary The party notifies the service provider that the authentication is passed and the service party allows the user to access the specified service or resource;
  • the intermediary generates the information A, and the intermediary acts as the authenticator.
  • the user will calculate the information A by the contract algorithm X to obtain the information B, and the intermediary will obtain the information B, and the intermediary will calculate the agreement algorithm Y corresponding to the user.
  • the information B obtains the information A, the intermediary verifies that the information A generated by itself and the information A calculated from the information B are the same. If the verification result is affirmative, the authentication passes and the notification service party allows the user to access the designated Service or resource;
  • the intermediary generates the information A, and the intermediary acts as the authenticator.
  • the user will calculate the information A by the contract algorithm X to obtain the information B, and the intermediary will obtain the information B, and the intermediary will calculate the agreement algorithm Y corresponding to the user.
  • Information A the service party acts as the verifier, the intermediary calculates the information A with the agreement algorithm Y corresponding to the user side to obtain the information B, and the user calculates the information by the agreed algorithm X.
  • the service party obtains the information A
  • the service party will receive a message A or Am, wherein the information Am is generated by the user side, and the service party verifies that the information A generated by itself and the information A related to the received information A or Am are the same. If the verification result is affirmative, the authentication is passed and the servant allows the user to access the specified service or resource;
  • the service party generates a pair of information A and information A1, the service party acts as the verification party, and the intermediary party calculates the information A to generate the information B according to the agreement algorithm Y corresponding to the user party, and the user calculates the information B by the agreement algorithm X to obtain the information A, the service
  • the party will receive the information Am, where the information Am is generated by the user side, and the related information A of the service side verification information Am is the same as the information A generated by itself, and if the verification result is affirmative, the authentication passes and the service The party allows the user to access the specified service or resource;
  • the servant generates the information A
  • the service party acts as the authenticator
  • the intermediary calculates the information A by the agreement algorithm Y corresponding to the user side to obtain the information B
  • the user calculates the information A by the agreed algorithm X to obtain the information B
  • the servant will receive or Two pieces of information B, or information B and Bm, or information Bm and Bn, wherein the information Bm or Bn is generated by the user or the intermediary, and the service party verifies whether the information B related to the two pieces of information received is Similarly, if the verification result is affirmative, the authentication is passed and the service party allows the user to access the specified service or resource;
  • the servant generates the information A
  • the service party acts as the authenticator
  • the user calculates the information A by the agreed algorithm X to obtain the information B
  • the intermediary calculates the information B by the agreement algorithm Y corresponding to the user to obtain the information A
  • the servant will receive a message A.
  • Information A or Am wherein the information Am is generated by the intermediary calculation
  • the service party verifies that the information A generated by itself and the related information A of the received information A or Am are the same, if the verification result is affirmative, then The authentication is passed and the service party allows the user to access the specified service or resource;
  • the service party generates a pair of information A and information A1, the service party acts as the authenticator, and the user side calculates the information A to generate the information B by the contract algorithm X, and the intermediary party uses the agreement corresponding to the user party.
  • the algorithm Y calculates the information B to obtain the information A, and the service party will receive the information Am, wherein the information Am is generated by the intermediary calculation, and the information A of the service side verification information A1 and the information Am is the same, if the verification result is affirmative , then the authentication is passed and the service party allows the user to access the specified service or resource;
  • the servant generates the information A, and the intermediary acts as the authenticator, wherein the intermediary calculates the information A by using the agreement algorithm Y corresponding to the user, and the user also calculates the information A by the agreed algorithm X to obtain the information B, and the intermediary obtains Two information B or information B and Bm, wherein the information Bm is generated by the user or the service party, and the intermediary will verify whether the obtained information B of the two pieces of information is the same, if the verification result is affirmative, Then the authentication is passed and the service provider is notified to allow the user to access the specified service or resource; the servant generates the information A, the intermediary acts as the authenticator, and the user calculates the information A by the agreed algorithm X to obtain the information B, and the intermediary uses the user
  • the corresponding agreement algorithm Y calculates information B to obtain information A, and the intermediary obtains two pieces of information A or information A and Am, wherein the information Am is generated by the user or the service party, and the two pieces of information obtained by the intermediary
  • the servant generates the information A
  • the intermediary acts as the authenticator
  • the user calculates the information A by the agreed algorithm X to obtain the information B
  • the intermediary obtains the information A and the information B
  • the information B obtained by the intermediary verification is calculated by the agreed algorithm X.
  • the information A is generated, if the verification result is affirmative, then the authentication passes and the notification service party allows the user to access the specified service or resource;
  • the servant generates a pair of information A and information A1, the intermediary is used as the authenticator, the user calculates the information A by using the contract algorithm X, and the intermediary calculates the information B by the agreement algorithm Y corresponding to the user to obtain the information A, the intermediary
  • the party obtains the information A and A1 or the information A and Am, where the information Am is generated by the servant calculation, and the intermediary verifies the two obtained Whether the information related information A is the same, if the verification result is affirmative, the authentication passes and the notification service party allows the user to access the specified service or resource;) the service party generates the information A, the intermediary acts as the verifier, the intermediary
  • the party calculates the information A by the agreement algorithm Y corresponding to the user side to obtain the information B, the user side calculates the information B by the agreement algorithm X to obtain the information A, and the intermediary obtains two pieces of information A or information A and Am, wherein the information Am is determined by the user side.
  • the intermediary verifies whether the two information A are the same or whether the information A related to the information A and the information A is the same. If the verification result is affirmative, the authentication passes and the notification service party allows the user The party accesses the specified service or resource;
  • the user side generates the information A, and the service party acts as the authenticator.
  • the user side calculates the information A by the agreement algorithm X to obtain the information B, and the intermediary party calculates the information B to generate the information A by using the agreement algorithm Y corresponding to the user side, and the service party receives the information A.
  • two pieces of information A, or information A and Am, or information Am and An wherein the information Am or An is generated by the user or the intermediary, and the server verifies whether the related information A of the two pieces of information received is the same. If the result of the verification is affirmative, the authentication is passed and the servant allows the user to access the specified service or resource;
  • the user side generates a pair of information A and information A1, and the service party acts as a verifier, wherein the user side calculates the information A by the agreement algorithm X to obtain the information B, and the intermediary side calculates the information B to generate the information A by using the agreement algorithm Y corresponding to the user side.
  • the service party receives the information A1 and A or the information A and Am or the information A1 and Am, wherein the information Am is generated by the user or the intermediary, and the service party verifies whether the related information A of the two received information is the same. If the result of the verification is affirmative, the authentication is passed and the servant allows the user to access the specified service or resource;
  • the user side generates the information A, and the service party acts as the authenticator.
  • the user side also calculates the information A by the agreement algorithm X to obtain the information B, and the intermediary party uses the agreement algorithm Y corresponding to the user side.
  • the calculation information A generates the information B, and the service party receives either the two information B, or the information B and Bm, or the information Bm and Bn, wherein the information Bm or Bn is generated by the user or the intermediary, and the service party verifies the receipt.
  • the information B related to the two pieces of information is the same, if the verification result is affirmative, the authentication is passed and the service party allows the user to access the specified service or resource;
  • the user side generates the information A
  • the intermediary side acts as the authenticator
  • the user side calculates the information A by the agreement algorithm X to obtain the information B
  • the intermediary party calculates the information B by the agreement algorithm Y corresponding to the user side to obtain the information A
  • the intermediary obtains two pieces of information.
  • B or information B and Bm the information Bm is calculated by the user or the service party
  • the intermediary verifies whether the two information B or the information B of the information B and Bm are the same, if the verification result is affirmative, then
  • the authentication passes and notifies the service party to allow the user to access the specified service or resource;
  • the user side generates the information A
  • the intermediary side acts as the verification party
  • the user side calculates the information A by the agreement algorithm X to obtain the information B
  • the intermediary party calculates the information B by the agreement algorithm Y corresponding to the user side to obtain the information A
  • the intermediary obtains two pieces.
  • Information A or information A and Am the information Am is generated by the user or the servant, and the intermediary verifies whether the two information A or the information A related to the information A and Am are the same, if the verification result is affirmative, Then the authentication passes and the service provider is notified to allow the user to access the specified service or resource; the user side generates the information A, the intermediary acts as the authenticator, and the user calculates the information A by the agreed algorithm X to obtain the information B, and the intermediary obtains the information. A and B, the intermediary verifies whether the information B is calculated by the agreement algorithm X to calculate the information A. If the verification result is affirmative, the authentication passes and the notification service party is allowed to allow the user to access the specified service or resource;
  • the user side generates a pair of information A and information A1
  • the intermediary side acts as the authenticator
  • the user side calculates the information A by the agreement algorithm X to obtain the information B
  • the intermediary party calculates the information B by the agreement algorithm Y corresponding to the user side to obtain the information A
  • the intermediary gets the information A and A1 or the information A and Am
  • the information Am is generated by the user or the servant
  • the intermediary verifies whether the related information A of the two pieces of information received is the same. If the verification result is affirmative, the authentication is passed and the servant allows The user accesses the specified service or resource.
  • the user side's contract algorithms are different from each other or are random.
  • 1 Am is the product of A and large prime numbers:
  • the verifier wants to verify the obtained information Am and information A, the information A is a 1024-bit large prime number, and the information Am is the product of one side multiplying the information A by another random 1024-bit prime number.
  • the verifier divides the information Am by the information A, and if it can be divisible, the verification result is affirmative;
  • the authenticator wants to verify the obtained information Am and information A, the information A is a DES key A, the party encrypts or digitally signs the specific content with the key A to obtain the information Am, verify The party decrypts the information Am with the key A or verifies the digital signature. If the decryption result is the same as the specific content or the digital signature is correct, the verification result is affirmative;
  • the verifier is to verify whether a message Am and an information An match, and the information Am and the information An are the results calculated by the two parties with the same one-way hash function for the information A, The verifier compares the information Am with the information An, and if they are the same, the verification result is affirmative;
  • the verifier is to verify whether a message Am and a message An are consistent, where the information A is a 1024-bit integer, the set L is the prime factor set of the information A, the set M and The set N is a set of two prime numbers, the set L, the set M and the set N do not intersect each other, the information Am is a product of 100 random numbers in the information A and the set M, and the information An is 100 in the information A and the set N
  • the multiplicative product of the random number, the information Am and the information An are respectively generated by the two parties and sent to the authenticator as a third party, and the verification party seeks the greatest common divisor of the information Am and the information An, if The convention number is 1024 bits, and it is considered that the information A of the information Am and the information An is the same, that is, the verification result is affirmative;
  • Asymmetric key information A and A1 are respectively one of a pair of asymmetric encryption keys, and information Am is generated by one party encrypting or digitally signing specific content with information A, and the verification party The information A1 decrypts the received information Am or verifies the digital signature. If the decrypted result is the same as the specific content or the digital signature is correct, the information Am is the same as the information A related to the information A1, so that the verification result is affirmative;
  • Reciprocal matrix information A and A1 are a pair of 1024*1024 reciprocal matrices. The verifier multiplies information A and information A1. If the result is an identity matrix, information A is related to information A1. The information A is the same so that the verification result is affirmative, wherein the information A related to the information A is also the information A itself.
  • examples of specific implementations of Bm and Bn are the same as those of 1, 3, and 4 in the above examples, and examples of the information Bm and Bn are obtained by replacing A, Am, and An in the examples with B, Bm, and Bn, respectively.
  • the specific way of connecting the mobile peripheral to the terminal is a wired connection or a wireless connection, such as: a USB interface data line, a Bluetooth wireless interface, an infrared connection, and the like.
  • the user can be connected to different terminals through a wired or wireless interface.
  • the terminal connected to the user-portable peripheral is the user-side terminal.
  • the convention algorithm may also be a one-way hash function, a digital digest algorithm, a digital signature algorithm, a one-way function with parameters, and the like.
  • the user side can also authenticate the service party through the intermediary in the same way, ⁇ :
  • the terminal and the service party perform the exchange in the above-mentioned connection authentication process, and the terminal can complete the authentication to the service party.
  • the information A is generated by one party immediately or is generated in advance.
  • the process of connection authentication should be completed by a program running on the three-party system through a computer network.
  • the service party may be a server system that provides resources and services to the user through the Internet, such as various websites.
  • the service party may also be a terminal of another user on the Internet. After the authentication of the user party is passed, the terminal of the user side is allowed to access the specified service or resource of the terminal of the other user.
  • the present invention can be used in a handshake process in which two user terminals establish a point-to-point connection between two terminals in an instant messaging system.
  • the designated resource or service of the service party may be a file resource, a browser service, a multimedia resource or service, an audio and video connection, an instant messaging conversation service, a search service, an online account operation service, an online transaction service, and the like.
  • the servant for example: online game operators, online forums, instant messenger service providers, resource download sites, online banking, online stores, a terminal that has access to instant messaging systems (such as MSN), and so on.
  • the intermediary is a computer system that performs third-party authentication on the Internet.
  • the user terminal, the service party and the intermediary are devices with computer functions, such as: PC, mobile phone, server, server group, and the like.
  • the user side has a user identification code (APID) in the server system, and the user side also has a user identification code (AUID) in the intermediary system, and the APID has a corresponding relationship with the AUID.
  • the correspondence is mastered by the server system or the intermediary system.
  • the user identification code is a sequence consisting of any symbol.
  • APID and AUID can be the user name of the user on the servant and the intermediary or the serial number generated by the servant and the intermediary for the user.
  • AUID can be APID+ servant name or address.
  • the service party is multiple, and one user side may have several different APIDs on several service provider systems, and these APIDs may correspond to the same AUID of the user on the same intermediary system.
  • the intermediary system is one or more, and one user side may be in several
  • the AUID is on the mediation system. These AUIDs can correspond to the same APID of the user on the same servant system.
  • the communication path between the service party and the intermediary, or between the intermediary and the terminal, or between the service provider and the user may be encrypted, such as a connection established by using SSL.
  • connection authentication the user side has passed the intermediary or the service party to authenticate and establish a connection at one time.
  • This authentication can be performed by means of a login password or by means of the predetermined algorithm, which can prevent malicious eruption of a login request and the like.
  • the calculation of the verification is performed after the two matching calculations are performed one by one to verify the correlation of the two pieces of information. Whether the information A (or B) is the same; and when the verifier verifies the information A and B, the calculation of the verification is performed by the latter of the two matching calculations.
  • the information A and B are calculated by the agreement algorithm Y corresponding to the user side to verify that the information B is generated by the user side calculating the information A by the contract algorithm X.
  • the specific implementation of the present invention may be implemented by using an execution procedure of the SSL protocol.
  • the information transmission between the user side and the intermediary party does not pass through the service party.
  • the agreed algorithms X and Y are generated by the intermediary or the user side at the same time. After the generation, the intermediary or the user sends the agreed algorithm X or Y to the corresponding user in the manner of sending or distributing the mobile peripheral.
  • the agreement algorithms X and Y may be generated and completed before the user requests the access, or may be generated and delivered after the user requests the access.
  • the intermediary system makes a computable USB flash drive containing the encrypted private key and distributes it to the user and stores the corresponding public key in the system; when the user party registers with the intermediary, the user terminal downloads the contract algorithm X from the intermediary; the user side After successfully logging in to the intermediary, the user will establish an SSL connection with the intermediary.
  • the master key encryption and decryption algorithm for the encrypted connection in SSL is the contract algorithm;
  • the invention adopts a method based on the agreement algorithm of the user side and the intermediary party to enable the service party to authenticate the user side through the intermediary party, and the authentication method is reliable, safe and convenient.
  • the present invention solves the above mentioned problems by using a method of establishing a new connection between two parties on the Internet.
  • the present invention is implemented by a method for establishing a new connection between two parties on the Internet, wherein the first party and the second party of the two computer systems are respectively connected to the Internet, wherein the program object A on the first party can pass one
  • the established connection sends information to the second party or receives information from the second party, wherein when the program object B on the first party wants to establish a new connection with the second party, the two parties separately Transfer between the program object A and the second party and between the program object B and the second party, wherein the two pieces of information are the same or different and have a correspondence corresponding to a specific mathematical operation rule, the two The transfer of information constitutes a closed transfer between the two parties, the program running on the two parties can automatically acquire the two information and complete the closed transfer, wherein the party that is the end point of the closed transfer can be compared by Whether the above two messages are the same or whether they meet the corresponding relationship to verify whether the received information is sent by the other party, if received New information is verified to be connected to the other of the program
  • the closed transmission between the two parties means: one party sends two information to the other party at the same time, or the originator sends one message to the other party and then the other party returns a 4 self.
  • the two pieces of information are used only once and are only used to establish a connection, and the two pieces of information cannot be inferred from previously sent information. For example: Unlike the SessionID or other application layer address, the two pieces of information are only used to establish a connection, and are not used to identify the session during the session.
  • one party also generates a time stamp when transmitting the information or when receiving the first information, and the time stamp can be stored in the local information of the generation time stamp side or the information sent by the generation time stamp side, and is received as the end point of the closed transmission.
  • the time stamp can be stored in the local information of the generation time stamp side or the information sent by the generation time stamp side, and is received as the end point of the closed transmission.
  • the new connection will not be confirmed and established until the specified time period has expired.
  • the two pieces of information are not an IP address and a port number in the data header.
  • the closed-pass information does not depend on the IP address and port number, which better solves the NAT penetration problem in some applications.
  • the established connection of the program object A may be a point-to-point connection between the two parties or a connection between the two parties through a third party, and the established connection may be a two-way connection or a one-way connection. connection.
  • Program object A establishes a point-to-point connection with the second party after the second party's security authentication, and then establishes a new connection between program object B and the second party based on the secure connection that has established a point-to-point connection.
  • program object A and the second party respectively log in to the common server and establish a connection through the server, and then establish a new point-to-point connection between the program object B and the second party based on the indirect secure connection.
  • the transfer path or communication port of the new connection of the program object B is different from the established connection of the program object A.
  • the connection of program object A is established by a third-party server, and the new connection of program object B is a point-to-point direct connection.
  • Program object A establishes a connection through a specific application port on the first party system, and program object B establishes a connection through the HTTPS protocol port on the first system.
  • the one that is the end point of the closed transmission is the second party.
  • the two pieces of information may be the same.
  • the information may be a random number generated by a random function.
  • the two pieces of information are different.
  • the two pieces of information may be a randomly generated pair of numbers conforming to a specific law, and the issuer sends two of the pair of numbers to the other party, and the other party verifies whether the two figures obtained by the verification meet the specific law. Determine if the two messages received are from the sender.
  • one of the information may be a random sequence, and the initiator sends the information to the other party. After receiving the information, the other party calculates the one-way hash value by the contract algorithm and sends the hash value back to the initiator.
  • the initiator judges whether the returned information is from the other party according to the hash value.
  • one of the information may be a key, a one-way hash function, or
  • the initiator sends the information to the other party.
  • the other party calculates the agreed value by the key, one-way hash function or other function and sends it to the initiator.
  • the initiator passes the agreement. Value check to determine if the information is from the other party.
  • connection between the program object A and the program object B is the same program object or a different program object running on the second party.
  • the two pieces of information are generated immediately when the closed delivery is performed or are generated in advance.
  • the user of the system does not need to know the content of the information, and the user of the system does not need to participate in the process of delivery.
  • the first party may be a computer-enabled terminal device connected to the Internet used by the user, and the second party is a computer system that provides resources and services to the user through the Internet.
  • the two parties may be a PC terminal, a mobile terminal, a server, a server group, or the like.
  • the connection manner of the Internet includes a wired mode and a wireless mode.
  • a new connection can be established by a plurality of different program objects B through the same program object A.
  • the present invention employs a closed transfer of two messages to cause the two parties to generate a connection to the new application object based on the established secure connection.
  • This solution has various implementation methods, small workload, simple program and easy implementation.
  • the closed delivery information does not depend on the IP address and port number, providing better security while better addressing NAT penetration and other issues.
  • Figure 1.1 is an information transmission path diagram of Embodiment 1.1;
  • Figure 1.2 is a message transmission path diagram of Embodiment II.
  • Figure 1.3 is an information transmission path diagram of Embodiment 1.3.
  • Figure 1.4 is an information transmission path diagram of Embodiment 1.4.
  • Figure 1.5 is an information transmission path diagram of Embodiment I.5;
  • Figure 1.6 is a typical network structure diagram of the present invention, which is applicable to schemes I, III, IV, and V.
  • 2 is a schematic view of a typical system structure of the present invention, which is applicable to the schemes I, II, III, IV, and V.
  • Figure 3.1, Figure 3.2, and Figure 3.3 are schematic flow diagrams of Embodiments 111.1, 111.2, and Figure 3.
  • Figures 4.1a to 4.25c are typical information transmission diagrams of the schemes in which the serial number of the 25 schemes listed in the scheme IV of the present invention is the same as the Arabic numerals of the drawings, for example,
  • Figure 4.1a, Figure 4.1b and Figure 4.1c are schematic diagrams of the information transfer of the scheme 1 of the scheme of the invention.
  • Figure 4.25a, Figure 4.25b, and Figure 4.25c are diagrams of the information transfer scheme of Scheme IV of the inventive content
  • the figure shows only a part of the information transmission mode of the corresponding solution, or the information transmission mode of the solution is not limited to the ones shown in the corresponding drawings.
  • Figure 4.26 is a system architecture diagram of a specific implementation of Scheme IV.
  • Figure 5.1 and Figure 5.2 are the information transfer path diagrams of the following embodiments V.1 and V.2, respectively.
  • Embodiments I.1 to I.5 may illustrate a specific embodiment of the scheme I;
  • Embodiment II can illustrate a specific embodiment of the scheme II
  • Embodiments 111.1, 111.2, and .3 may illustrate the specific implementation manner of the scheme III;
  • Embodiments IV.1 to IV.6 may illustrate specific embodiments of the scheme IV;
  • Embodiments V.1 and V.2 may illustrate a specific implementation of the scheme V;
  • Figure 1.1 is an information transmission path diagram of Embodiment 1.1.
  • the network structure of this embodiment is shown in Figure 1.
  • the information transmitted by the closure in the embodiment I.1 is the same authentication information and the start and end points of the closed transmission are the same.
  • the requesting party is a user network terminal
  • the service party is a network resource
  • the third party is an authentication service system that provides a third-party identity authentication service on the Internet
  • the authentication information is a random number.
  • Embodiment 1.1 includes the following steps:
  • the user network terminal passes the identity authentication of the authentication service system
  • the network resource generates a random number and a time stamp
  • the network resource sends the random number, the network resource URL, and the user identifier to the authentication service system;
  • the authentication service system sends the random number and the network resource URL to the user network terminal according to the user identifier
  • the user network terminal returns the random number to the network resource according to the network resource URL;
  • the network resource compares the random number generated by itself with the random number returned from the user terminal. If the random number is the same and does not exceed the specified time validity period, the user recognizes the identity. Certificate
  • User ID refers to the user's APID or AUID.
  • an application on the user network terminal can establish a secure connection with the authentication service system.
  • the application can complete the following steps: The application receives a random number and a network resource URL from the authentication service system through a secure connection; the application runs browsing on the terminal Looking for the same object as the network resource URL, if not found, a new browser object is generated; the application causes the found or newly generated browser object to send a connection request to the network resource URL and add the random number to the In a connection request, such as: Add a random number to the form of the connection request.
  • step 1) may also be performed between step 4) and step 5), in which case the user network terminal may send the user's identity authentication information together in step 4)
  • the authentication service system the authentication service system confirms that the identity of the user is correct, and then executes step 5).
  • This embodiment can be conveniently implemented in conjunction with an instant messaging tool.
  • a module that recognizes the authentication information path and performs authentication information forwarding can be added to the client software of an instant messaging tool (such as MSN, Yahoo Messenger, or QQ), and then one can be generated on the server side of the network resource provider.
  • the present embodiment is constructed by transmitting authentication information, extracting authentication information from the access request, and performing a comparison.
  • network resources and client software can be developed and provided by the instant messaging tool provider, and network resources and customer downloads can be used, which is very convenient and feasible.
  • this embodiment may also be implemented by adding a browser tool item, or by executing a special program in the network terminal.
  • the user may be authenticated once by using the username and password to avoid malicious login attacks.
  • the network resource may set an option or a button for the login mode of the embodiment on the login page, and initiate the login of the embodiment when the user selects the option or the button. Process.
  • the requesting party requests access authentication from the service party through a separate message and step in step 2).
  • the process of closing the delivery is: servant one (authentication information), one third party one (authentication information), one requester one (authentication information), one servant.
  • the information transmitted by the closure in the embodiment 1.1 is the same authentication information and the starting point and the end point of the closed transmission are the same.
  • Other processes similar to the embodiment are: the service party 1 (authentication information), the requester 1 (authentication information) ) - third party one (authentication information) - one party; third party one (authentication information) - one requester (authentication information) one service party one (authentication information) one third party; third party one (authentication information) one service party One (authentication information) one requester one (authentication information) a third party, and so on.
  • Example I.2 Example I.2
  • Figure 1.2 is a message transmission path diagram of Embodiment 2.
  • the network structure of this embodiment is shown in Figure 1.6.
  • the information conveyed by the closure in the embodiment I.2 is the same authentication information and the start and end points of the closed transmission are different.
  • the requesting party is a user network terminal
  • the service party is a network resource
  • the third party is an authentication service system that provides a third-party identity authentication service on the Internet
  • the authentication information is a random sequence.
  • Embodiment 1.2 includes the following steps:
  • the user network terminal passes the identity authentication of the authentication service system
  • the user network terminal sends a username and a random sequence to the network resource and requests authentication, and the user network terminal sends the user identifier, the network resource URL, and the random sequence to the authentication service system;
  • the authentication service system sends the user identifier and the random sequence to the network resource according to the network resource URL sent by the user network terminal;
  • Network resources are compared to two random sequences received, if the random sequences are the same and received If the time difference does not exceed the specified value, the user passes the identity authentication;
  • User ID refers to the user's APID or AUID.
  • an application on the user network terminal is able to establish a secure connection with the authentication service system.
  • the application can complete the following steps: The application generates a random sequence; the application passes the random sequence, username, password, etc. through a browser object access request Sended to the network resource, and the application sends the random sequence, the network resource URL and the user ID to the authentication service system through the secure connection.
  • step 1) may also be performed between step 3) and step 4).
  • the user network terminal may send the user's identity authentication information together in step 3)
  • the authentication service system the authentication service system confirms that the identity of the user is correct, and then executes step 4).
  • an option or button for a specific network resource may be set on the user terminal program, and the login process is initiated when the user selects the option or button.
  • This embodiment can be conveniently implemented in combination with an instant messaging tool, or by adding a browser tool item, or by executing a special program in the network terminal.
  • the network resource may also set a login password, and the user sends the login password, the username, and the random sequence to the network resource together in step 3).
  • the requesting party requests access to the authentication by the servant in step 3) by directly transmitting the closed delivery information (random sequence) to the servant.
  • the method of closing the delivery is: requesting party 1 (authentication information), a server, and requesting party 1 (authentication information), a third party (authentication information), a server.
  • the information transmitted by the closure in embodiment I.2 is the same authentication information and the start and end points of the closed delivery are different.
  • Requester 1 authentication information
  • request Fangyi certification information
  • third party ⁇ authentication information
  • third party 1 authentication information
  • service party 1 authentication information
  • service party 1 authentication information
  • Figure 1.3 is an information transmission path diagram of Embodiment 1.3.
  • the network structure of this embodiment is shown in Figure I.3.
  • the information conveyed in the closed manner includes the authentication generation information generated based on the authentication information and the start and end points of the closed transmission.
  • the requesting party is a user network terminal
  • the service party is a network resource
  • the third party is an authentication service system that provides a third-party identity authentication service on the Internet
  • the authentication information is a random sequence, or a mathematical algorithm, or an algorithm.
  • the parameter, the user network terminal generates information that needs to be sent in the closed delivery according to the authentication information and the information agreed with the authentication service system.
  • Embodiments 1.3 include the following steps:
  • the user network terminal passes the identity authentication of the authentication service system
  • the user network terminal sends the network resource URL and the user identifier to the authentication service system;
  • the authentication service system generates authentication information, and obtains authentication generation information by using the authentication information and the agreed information;
  • the authentication service system sends the user identification and the authentication generation information to the network resource, and the authentication service system sends the authentication information and the network resource URL to the user network terminal;
  • the user network terminal obtains the authentication generation information by using the authentication information and the information agreed with the authentication service system;
  • the user network terminal sends the obtained authentication generation information, user identifier, and the like to the corresponding network resource;
  • the network resource compares the two authentication generation information received, and if the same and the received time difference does not exceed the specified value, the user passes the identity authentication;
  • User ID refers to the user's APID or AUID.
  • an application on the user network terminal can establish a secure connection with the authentication service system.
  • the application can complete the following steps: The application sends the network resource URL and the user identifier to the authentication service system; after receiving feedback from the authentication service system, the application The authentication information and the information agreed with the authentication service system derive authentication generation information; the application sends the obtained authentication generation information to the network resource through an access request of a browser object.
  • step 1) may also be performed between steps 2) and 3), in which case the user network terminal may send the user's identity authentication information together in step 2)
  • the authentication service system the authentication service system confirms that the identity of the user is correct, and then executes step 3).
  • buttons or buttons for specific network resources may be set on the page of the authentication service system, and the login process is initiated when the user selects this option or button.
  • This embodiment can be conveniently implemented in combination with an instant messaging tool, or by adding a browser tool item, or by executing a special program in the network terminal.
  • the network resource may also set a login password, and the user sends the login password, the username, and the random sequence to the network resource together in step 6).
  • the requesting party sends the access to the service party by transmitting the closed delivery information to the third party and then transmitting the closed delivery information to the third party in steps 2), 3) and 4). Authentication request.
  • the authentication information may include part or all of the following: a service name or address, a requester name or address, a third party name or address, information generation time, random information, and the like.
  • the agreed information can be: a digital digest algorithm, an encryption and decryption algorithm, a dynamic cryptographic algorithm, and the like.
  • the manner of closing the delivery is: a third party (authentication generation information), a servant, and a third party (authentication information), a requester (authentication generation information), a servant.
  • the information passed in the closure in embodiment I.3 includes authentication generation information generated based on the authentication information.
  • a third party authentication information
  • a service party and a third party (authentication information), a requester ⁇ (authentication generation information) a service party
  • a service party 1 authentication information
  • a service party 1 authentication information
  • a requester 1 authentication generation information
  • the requesting party is a third party (certification generation information) a service party; and so on.
  • Figure 1.4 is an information transmission path diagram of Embodiment 1.4.
  • the network structure of this embodiment is shown in Figure I.4.
  • the information transmitted in the closed form includes the same-origin authentication information generated based on the authentication information and the same-origin authentication information. B and the start and end of the closure are different.
  • the requesting party is a user network terminal
  • the service party is a network resource
  • the third party is an authentication service system that provides a third-party identity authentication service on the Internet.
  • the authentication information is a randomly generated pair of numbers conforming to a specific rule, such as: a product or a sum is a fixed value or a pair of numbers in a fixed range, and the pair of numbers are respectively called homologous authentication information.
  • a and homologous authentication information B is an information transmission path diagram of Embodiment 1.4.
  • the network structure of this embodiment is shown in Figure I.4.
  • the information transmitted in the closed form includes the same-origin authentication information generated based on the authentication information and the same
  • Embodiment I.4 includes the following steps:
  • the user network terminal passes the identity authentication of the authentication service system
  • the user network terminal sends the network resource URL and the user identifier to the authentication service system;
  • the authentication service system generates authentication information, and obtains the same-origin authentication information A and the same-origin authentication information B;
  • the authentication service system sends the user identifier and the homologous authentication information A to the network resource, and the authentication service system sends the network resource URL and the homologous authentication information B to the user network terminal;
  • the user network terminal sends the same-origin authentication information B and the user identifier to the network resource URL; 6) The network resource checks whether the received homologous authentication information A and the homologous authentication information B match, and if the matching and the received time difference does not exceed the specified value, the user passes the identity authentication;
  • User ID refers to the user's APID or AUID.
  • an application on the user network terminal is able to establish a secure connection with the authentication service system.
  • the application can complete the following steps: The application receives the same-origin authentication information B and the network resource URL from the authentication service system through a secure connection; the application is on the terminal
  • the running browser object looks for the same URL as the network resource, and if not found, generates a new browser object; the application causes the found or newly generated browser object to send a connection request to the network resource URL and authenticates the same Information B and the user ID are added to the connection request.
  • step 1) may also be performed between steps 2) and 3), in which case the user network terminal may send the user's identity authentication information together in step 2)
  • the authentication service system the authentication service system confirms that the identity of the user is correct, and then executes step 3).
  • the network resource may also set a login password, and the user sends the login password, the username, and the random sequence to the network resource together in step 6).
  • the specific implementation of the same-origin authentication information A and the same-origin authentication information B may be the same as in Embodiment 5.
  • the manner of closing transmission is: a third party (the same-origin authentication information A) - a service party, and a third party (the same-origin authentication information B) - a requester one (the same-origin authentication information B) - a service square.
  • the information transmitted in the closed manner in the embodiment 4 includes the homologous authentication information A and the homologous authentication information B generated based on the authentication information, and the start point and the end point of the closed transmission are different, and other processes similar to the present embodiment are different. One is listed.
  • Example I.5 Example I.5
  • Figure 1.5 is an information transmission path diagram of Embodiment 1.5.
  • the network structure of this embodiment is shown in the figure.
  • the manner of closing the transmission is: service party 1 (authentication information)
  • the homologous authentication information is generated based on the authentication information, and the homogenous authentication information B is generated based on the homologous authentication information A.
  • the serving party that is the closed delivery end point can verify whether the homogenous authentication information B is originated from the authentication information. of.
  • the authentication information may be a 1024-bit prime number randomly generated by the service party.
  • the service party sends the prime number to a third party.
  • the third party generates a 64-bit prime number and calculates the product of the two prime numbers to obtain the product A.
  • the third party will multiply the product.
  • the requesting party also generates a 64-bit prime number and calculates the product of the prime number and the product A to obtain the product B.
  • the requesting party returns the product B to the servant, and the servant divides the product B by the prime number of 1024 bits. If it is divisible, it means that the product B originates from the large number and the authentication passes.
  • the homologous authentication information A and B of the embodiments I.4 and I.5 may also be an authentication information and a digital signature thereof, and the like, respectively.
  • the third party when the third party is the end of the closed delivery, the third party needs to notify the service party of the result of the authentication. For example: When the service requests the third party to request the authentication of the requesting party, the service party also sends an authentication serial number to the third party. After the third party completes the authentication, the third party returns the authentication result and the authentication serial number together with the service party.
  • Example II When the service requests the third party to request the authentication of the requesting party, the service party also sends an authentication serial number to the third party. After the third party completes the authentication, the third party returns the authentication result and the authentication serial number together with the service party.
  • Fig. 2 is a schematic structural view of the system of the embodiment II.
  • the portable IC is a USB flash memory in which a key X is stored.
  • the terminal is a computer with a USB interface, and the portable IC is connected to the terminal through a USB interface.
  • the application service system is a server device of an internet service provider.
  • the authentication service system is a server device of a third-party authentication service provider.
  • a workflow of the embodiment is: the user runs an executable program stored on the mobile IC or a login authentication service system webpage on the terminal, and the terminal passes the authentication by the key X on the mobile IC.
  • Identity authentication of the service system the user terminal requests authentication from the application service system, and the application service system generates a random number as the authentication information and sends the random number to the authentication service system; the authentication service system uses the secret corresponding to the user's mobile IC
  • the key encrypts the random number, the key may be the key X or other key on the portable IC, the authentication service system sends the encrypted random number to the user terminal; the user terminal decrypts on the mobile IC
  • the random number is calculated, and then the random number is sent to the application service system; the application service system compares the random number received from the terminal with the self-generated random number, and only the same number of random numbers can pass the authentication.
  • a time stamp can also be generated at the same time, and the random number is valid only when the time difference of the random number returned by the user is less than a certain value.
  • Another working process of this embodiment is: the user runs an executable program stored on the mobile IC or a login authentication service system webpage on the terminal, and the terminal authenticates the identity of the authentication service system by using the key X on the mobile IC;
  • the user terminal requests authentication from the application service system, and the application service system redirects or transmits the request to the authentication service system; the authentication service system generates a random number as the authentication information and sends the random number to the application service system, and the authentication service system
  • the key corresponding to the user's mobile IC encrypts the random number, and the key may be the key X or other key on the mobile IC, and the authentication service system sends the encrypted random number to the user terminal;
  • the user terminal Performing decryption calculation on the mobile IC to obtain the random number, and then sending the random number to the application service system; the application service system compares the random number received from the terminal and from the authentication service system, and only the random number is the same authentication by.
  • the time stamp may be generated at the same time or the authentication service system generates the time stamp and sends the time stamp together with the random number to the application service system, when the application service system receives the return from the user.
  • the random number is valid only when the time difference of the random number is less than a certain value.
  • the intermediary has a digital certificate issued by an authority, and the service party can use the digital certificate to verify the digital signature of the intermediary.
  • the user authenticates by the intermediary by means of the user name and the login password, and the authentication procedure is the intermediary of the user.
  • a special program downloaded by the party is a special program downloaded by the party.
  • the specific steps of this embodiment are as follows:
  • the user runs an authentication program on the terminal, and the authentication program automatically establishes an SSL connection with the intermediary, and the user inputs an AUID and a password to log in in the authentication program, and the authentication program sends the user to the intermediary.
  • AUID and password the intermediary checks the user name and password. If it is correct, the following steps are continued, otherwise the intermediary will save the user's AUID, the SSL ID and the current system time (the SSL saved by the user).
  • the DES key is the authentication identifier.
  • the AUID and the address of the servant resource are sent to the intermediary by SSL connection (the SSL encryption information of the servant resource address and the AUID is the information about the authentication identifier), and the intermediary checks whether the AUID is correct after the intermediary receives the AUID from the SSL connection. And if the time is not valid, the following steps will be continued, otherwise the intermediary will stop.
  • the pre-system time, the AUID of the user side, and the address of the servant resource form a sequence and digitally sign the sequence (the sequence and its digital signature are verification credentials), and the intermediary sends the certificate to the authentication program of the user, the user terminal
  • the running authentication program establishes a new browser object pointing to the service provider resource address and submits the voucher as a form.
  • the service party After receiving the voucher, the service party continues the following if the digital signature of the verification voucher is correct and the voucher generation time has not expired. Otherwise, the service party obtains APID and user rights according to the AUID of the user side. If the user party permission allows the server to allow the browser of the user terminal to access the server resource, the authentication program aborts the resident runtime authentication. The program will abort the SSL connection with the intermediary.
  • the authentication program can also record each browser that is created. When the authentication program aborts the resident runtime, it can also close all browser windows created by itself.
  • Example ⁇ .2 the intermediary has a digital certificate issued by an authority, and the service party can use the digital certificate to verify the digital signature of the intermediary. The user authenticates through the intermediary by means of the user name and the login password, and the authentication procedure is a browser.
  • the specific steps of this embodiment are as follows:
  • the user runs a browser object on the terminal and inputs an intermediary address (the browser object is used as an authentication program), and the intermediary establishes an SSL-based session with the browser, wherein the intermediary Generate a 1024-bit random sequence as the SessionID of the session established with the user's browser.
  • the user enters the AUID and password to log in on the interface launched by the intermediary.
  • the intermediary checks the AUID and password. If it is correct, continue with the following steps. Otherwise, the intermediary saves the AUID, the SessionID, and the current system time of the user side.
  • the user can use the interface launched by the intermediary in the browser.
  • the browser sends the address and AUID of the servant resource to the escrow through the established session connection, if the intermediaries find a matching SessionID and AUID and the time is not If the validity period expires, the following steps will be continued, otherwise the intermediary will The time of the system, the AUID of the user side, and the address of the servant resource form a sequence and digitally sign the sequence (the sequence and its digital signature are the credentials authenticated by the user through the intermediary), and the intermediary runs through the browsing on the user terminal. Create a new browser object pointing to the servant resource address or redirect the browser and submit the voucher as a form.
  • the servant obtains the APID and the user's privilege according to the AUID of the user, and if the privilege of the user allows, the servant allows the browser of the user terminal to access the servant's resource, as the browser of the authentication program.
  • the browser's SessionID is lost and the session with the intermediary (ie authenticated connection) is aborted.
  • the servant knows in advance the fixed IP address of the intermediary, and the user uses the username and The way to log in to the password is authenticated by the intermediary.
  • the authentication procedure is a special program downloaded by the user from the intermediary.
  • the specific steps of this embodiment are as follows:
  • the user runs the authentication program on the terminal, the authentication program establishes a session with the intermediary, and the SessionID is a random sequence of 1024 bits generated by the intermediary, and the user inputs the user name and password to log in in the authentication program.
  • the authentication program sends the user name and password of the user to the intermediary, and the intermediary checks the user name and password. If it is correct, the following steps are continued, otherwise the intermediary obtains the AUID of the user according to the user name of the user, and the intermediary will The AUID of the user side is saved corresponding to the session ID of the session established by the user authentication program and the current system time.
  • the user When the user needs to access the resources of a certain service party, the user opens a new browser and inputs the service party.
  • the address of the resource the user side enters the user name of the user party on the interface of the service party, and the service party obtains the APID of the user side according to the user name of the user side, and the service party generates a random number of 1024 bits.
  • the server saves the random number and the user's APID and simultaneously Sending to the intermediary, the intermediary obtains the AUID of the user side according to the APID, and the intermediary finds the session established with the user party authentication program according to the AUID, and if the session is not expired, the intermediary sends the random number and the service party resource address received.
  • the user side authentication program searches for a resource pointing to the service party in the browser object running on the user side terminal, and if not found, establishes a new resource pointing to the service party.
  • the browser object the authentication program sends the user's username on the servant side together with the random number to the servant through the found or newly created browser object in the form of a form, and the servant receives the user's APID and generates it after receiving it.
  • the random number if the random number received by the check is correct and has not expired, the following steps are continued, otherwise the servant obtains the user's right according to the user's APID. If the user's right permission allows the servant to allow the user's terminal to access the browser.
  • the servant resource when the authentication program aborts the resident runtime, the authentication program will be aborted The intermediary's session.
  • the authentication program can also record each browser that is created. When the authentication program aborts the resident operation, it can also close all browser windows of the access service.
  • s( ⁇ A&Al, Al ⁇ Am, Al ⁇ a, A ⁇ u) means: The servant generates the information A and A1, the servant calculates the information A1 to generate the information Am in a specific manner, and the servant sends the information Am to the intermediary. The service party sends the information B to the user.
  • S (A ⁇ A) indicates whether the two pieces of information A obtained by the servant's face certificate are the same, and s (A ⁇ A1) indicates whether the information A obtained by the servant verification and the information A related to A1 are the same, a ( ⁇ ) indicates whether the information B obtained by the intermediary verification is generated by the calculation of the agreement algorithm.
  • S (A ⁇ A) indicates whether the two pieces of information A obtained by the servant's face certificate are the same, and s (A ⁇ A1) indicates whether the information A obtained by the servant verification and the information A related to A1 are the same, a ( ⁇ ) indicates whether the information B obtained by the intermediary verification is generated by the calculation of the agreement algorithm.
  • Embodiment IV.1 is one of the specific implementations of the connection authentication scheme 1) of Scheme IV in the above summary (see Figure 4.1a).
  • the information A is a random sequence
  • the contract algorithm is a digest encryption algorithm based on RSA and SHA.
  • the user terminal obtains the RSA key and the SHA digest algorithm preset by the intermediary (RSA).
  • the digest encryption algorithm composed of SHA and SHA is the contract algorithm X).
  • the intermediator has the same RSA key and SHA digest algorithm as the user side (the agreed algorithm Y and X are the same).
  • the specific steps in this embodiment are: the user terminal requests the access to the service party, and the service party sends the APID of the user side to the intermediary party, and the intermediary obtains the AUID of the user party according to the service provider address and the APID, and the intermediary
  • the AUID obtains the key and digest algorithm corresponding to the user side
  • the intermediaries generate a random sequence (information A) and calculate the digital digest of the information A by using the digest algorithm corresponding to the user side, and then encrypt the corresponding key to obtain the information B.
  • the intermediary sends the information A and B to the service party, and the service party sends the information A to the user.
  • the user terminal also calculates the information A (random sequence) with its own key and SHA hash function to generate the digest encryption value information.
  • B The user terminal sends the information B to the service party through a port.
  • a timer is started. If the service party receives two information B within the specified time limit, the following steps are continued, otherwise the authentication process is terminated.
  • the service party compares the two information B. If the same, the authentication passes, and after the authentication is passed, the service party will allow the terminal from the user.
  • the port accesses the service or resource specified by the service provider. (See Figure 4.1a)
  • Embodiment IV.2 is one of the specific implementations of the second) connection authentication procedure based on the scheme IV of the above summary (see Fig. 4.2a).
  • the information A is an AES encryption key
  • the contract algorithm is an RSA encryption and decryption algorithm
  • the user side has an intermediary peripheral to make a distributed USB peripheral
  • the user has an RSA private key on the USB peripheral and the service side It also has an RSA public key that corresponds to the user's private key.
  • the specific steps in this embodiment are as follows:
  • the user terminal requests access from the service party, and the service party sends the user APID to the intermediary party.
  • the intermediary finds the user party AUID according to the user side APID and the service party identifier, and the intermediary party uses the user party AUID.
  • the RSA public key corresponding to the user is found, the intermediary generates an AES key (information A), and the intermediary encrypts the AES key with the RSA public key corresponding to the user to obtain the encrypted information (the information A is obtained by the agreement algorithm Y)
  • the intermediary sends the AES key and the encrypted information (information A and B) to the service party, and the service party sends the information B to the user terminal, and the user terminal transmits the encrypted information (information B) to the user's USB peripheral.
  • the user side USB peripheral decrypts the encrypted information to the AES key with the RSA private key (the information B is obtained by the agreement algorithm X), and the user side USB peripheral transmits the AES key to the user terminal, and the user terminal uses the AES Key (information A)
  • the encryption agreement content gets the information Am, and the agreed content may include the user party name, the authenticator name, the service party address, and the request access service.
  • the user terminal sends the information Am to the service party through the port P, and the service party decrypts the information Am with the received AES key (the information A corresponding to the information A and Am is the same) If the decrypted content meets the requirements and the user's authentication passes, the servant will allow the port P of the user's terminal to access the requested service or resource.
  • Embodiment IV.3 is one of the specific implementations of the connection authentication scheme 9) of Scheme IV in the above summary (see Figure 4.9a).
  • the information A is a 128-bit random sequence
  • the contract algorithm is an RSA encryption and decryption algorithm
  • the user side has a mobile interface of a USB interface distributed by the intermediary
  • the user side RSA encryption set by the intermediary is stored on the IC.
  • the private key, the intermediary has the RSA public key corresponding to the private key of the user (see Figure 4.26 for the system architecture).
  • the specific steps of this embodiment are as follows:
  • the user terminal sends an access request, a username and a login password to the service party, and the service party verifies that the username and the login password are correct, and the following steps are continued, and the server generates a 128-bit random sequence ( Information A), the service party sends the information A and the user party APID to the intermediary, the intermediary obtains the user identification code AUID according to the APID and the service party name, and the intermediary obtains the RSA public key corresponding to the user party according to the AUID and encrypts it.
  • Information A Information A
  • the service party sends the information A and the user party APID to the intermediary
  • the intermediary obtains the user identification code AUID according to the APID and the service party name
  • the intermediary obtains the RSA public key corresponding to the user party according to the AUID and encrypts it.
  • the information A obtains the information B (the agreed algorithm Y is the RSA encryption algorithm), the intermediary sends the information B and the APID to the service party, and the service party sends the information B to the corresponding user terminal according to the user's APID, and the user terminal passes the USB again.
  • the interface sends the information B to the user-portable IC connected to the terminal, and the mobile IC decrypts the information B with the user-side RSA private key to obtain the information A (the agreed algorithm X is the RSA decryption algorithm), and the mobile IC sends the information A.
  • the user terminal Sent to the user terminal, the user terminal sends the information A and the user identification code APID to the service party through a port P, the service party According to the APID, the information A (random sequence) corresponding to the user side generated by the user is obtained and compared with the received information A. If they are the same, the calculation performed by the intermediary and the user side is matched, and the verification is correct and The user party passes the authentication if other conditions are also met, and the service provider accordingly allows the port P from the user terminal to access the requested service or resource (see Figure 4.9a).
  • the other conditions described are as follows:
  • the service party will generate the information A after When the timer is activated, the authentication can only be passed when the service party receives another message A for a period of time that does not exceed the specified time range.
  • Embodiment IV.4 is one of the specific implementations of the connection authentication scheme 10) of Scheme IV in the above summary (see Figure 4.10a).
  • the information A is an RSA encrypted private key
  • the contracting algorithm is an ECC encryption and decryption algorithm
  • the user side has a removable IC of the USB interface distributed by the intermediary
  • the user side ECC encryption set by the intermediary is stored on the IC.
  • the private key, the intermediary has an ECC public key corresponding to the private key of the user.
  • the specific steps in this embodiment are as follows:
  • the user terminal requests access to the service party, and the service party generates a pair of RSA keys (the private key is information A, the public key is information A1), and the service party uses the RSA private key (information) A) sent to the intermediary, the intermediary obtains the information B by using the ECC public key corresponding to the user A (the agreed algorithm Y is the ECC encryption algorithm), and the intermediary sends the information B to the user terminal through the service party, the user side
  • the terminal sends the information B to the user-portable IC connected to the terminal through the USB interface, and the mobile IC decrypts the information B with the ECC private key to obtain the information A (the agreed algorithm X is the ECC decryption algorithm), and the mobile IC will
  • the RSA private key (information A) is sent to the user terminal, and the user terminal digitally signs the agreed content by using the RSA private key and the MD5 function, and the agreed content may include the user name, the authenticator name, the
  • the content of the agreement and its digital signature is the information Am
  • the terminal sends the information Am and the name of the user to the service party through a port P
  • the service party according to the user name
  • a corresponding RSA public key (information A1) and the same MD5 function verifies the digital signature of the agreement content is correct, if correct, the description of the RSA public and private keys are matched (That is, the information A is the related information A of the information A1 or the related information A of the information A and A1 is the same)
  • the user passes the authentication if the verification is correct and other conditions are also met
  • port P from the user-side terminal is allowed to access the requested service or resource (see Figure 4.10a).
  • the other conditions are as follows:
  • the service party extracts the generation time stamp in the agreed content, and the authentication can only pass when the agreed content does not exceed the specified time range, or the service party checks the agreed content. Format, only the correct format can pass, and so on.
  • the server and the user side can transmit the encrypted information by using the RSA key pair (information A and A1), for example: the two parties exchange a DES key through RSA encryption, and The DES key then establishes an encrypted communication connection.
  • the RSA key pair information A and A1
  • the two parties exchange a DES key through RSA encryption
  • the DES key then establishes an encrypted communication connection.
  • connection authentication scheme 13) in the above invention may also be implemented at the same time: wherein the user has the agreed algorithms XI and X2, XI is the decryption algorithm, X2 is the encryption algorithm, and XI and X2 are based on the same ECC private Key, the intermediary has the agreement algorithms Y1 and Y2, Y1 is the encryption algorithm, ⁇ 2 is the decryption algorithm, Y1 and ⁇ 2 are based on the ECC public key corresponding to the user, which can be the same as the implementation scheme 10) and scheme 13) (see the attached figure 4.13a and the following figure 4.13a).
  • Embodiment IV.5 is one of the specific implementations of the connection authentication scheme 15) of Scheme IV in the above summary (see Figure 4.15a).
  • the appointment algorithm is a master key based encryption and decryption algorithm for SSL connections.
  • the specific steps of this embodiment are as follows: The user first logs in to the intermediary with the username and password. If the login succeeds, the intermediary initiates an SSL connection to the user, and the SSL connection is successfully established. Both the user and the intermediary have the same master key (the encryption and decryption algorithms based on the master key are the contracting algorithms X and Y respectively), the user requests the connection from the server, and the server generates random information (information A) and Sent to the user, the user sends the message A to the intermediary via the SSL connection.
  • the encryption and decryption algorithms based on the master key are the contracting algorithms X and Y respectively
  • the intermediary sends the received information A to the service party, and the service party compares the generated information A with the received information A, if the same Certification passed.
  • Embodiment IV.6 is one of the specific implementations of the connection authentication scheme 24) of Scheme IV in the above summary (see Figure 4.24a).
  • the contract algorithm is a digital signature algorithm consisting of SHA and RSA
  • the user terminal has the SHA and RSA private keys preset by the intermediary, and the intermediary has the same SHA and the private party with the user.
  • the RSA public key corresponding to the key.
  • the specific steps in this embodiment are as follows:
  • the user terminal generates information A, which is composed of a random sequence, information generation time, user side APID, AUID, service party identifier, request service identifier, etc., which is owned by the user terminal.
  • the SHA and the RSA private key calculate the information A to generate a digital signature (information B), and the user terminal sends the information A and B to the service party through the port P, and the service party sends the information A and B to the intermediary, and the intermediary uses the
  • the digital signature of the SHA and DSA public key authentication information A of the user side is not information B.
  • the user's authentication is passed, and the authenticator notifies the service provider of the authentication result— -
  • the user party authenticates, and the service party will allow the port P of the user terminal to access the requested service.
  • Figure 5.1 is a message transfer path diagram of the embodiment V.l.
  • This embodiment describes a system for implementing identity authentication by a third party on the Internet, where the first party's program object A has established a connection with the second party through a third party, and the first party is a user network terminal.
  • the second party is a network resource
  • the third party is an authentication service system that provides a third-party identity authentication service on the Internet, and the two pieces of information are a random number.
  • Embodiment V.1 includes the following steps:
  • the program object A on the user network terminal authenticates with the authentication service system and establishes a connection with the authentication service system, and the authentication service system has a connection with the network resource, and thus, the program object A establishes an indirect connection with the network resource;
  • the network resource generates a random number and a time stamp
  • the network resource sends the random number, the network resource URL, and the user identifier to the authentication service system;
  • the authentication service system sends the random number and the network resource URL to the program object A on the user network terminal according to the user identifier;
  • Program object on the user network terminal A assigns the random number and the network resource URL to the program object B;
  • Program object B returns the random number to the network resource according to the network resource URL;
  • the network resource compares the random number generated by itself with the random number returned from the user terminal, and if the random number is the same and does not exceed the specified time validity period, a new connection is established with the program object B;
  • the program object A can complete the following steps: The program object A receives the random number and the network resource URL from the authentication service system through the established connection; the program object A is at the end. The browser object running on the terminal looks for the same URL as the network resource. If it is not found, a new browser object is generated. The browser object found by program object A or newly generated is the program object B; the program object B is directed to the network resource. The URL sends a connection request and adds a random number to the connection request, such as: Adds a random number to the form of the connection request.
  • program object A can be implemented by adding a module on the client software of the instant messaging tool that automatically recognizes the closed delivery information and path and performs information forwarding.
  • network resources and client software can be developed and provided by the instant messaging tool provider, and network resources and customer downloads can be used, which is very convenient and feasible.
  • Figure 5.2 is an information transfer path diagram of Embodiment V.2.
  • This embodiment describes that the user terminal has established a point-to-point connection with the network resource and then establishes a new connection through the new program object.
  • Possible applications are as follows: Two clients of the point-to-point communication in the IM instant messaging tool send the file. A new connection needs to be established when receiving.
  • program 2 program object A has established a point-to-point direct connection with the second party.
  • the first party is a user network terminal
  • the second party is a network resource.
  • the two pieces of information are randomly generated pairs of numbers conforming to a specific law, such as: a 128-bit prime number and a product of the prime number and another 128-bit prime number of 256 bits, and the second party calculates the received two numbers. Whether the 256-bit number can be divisible by the 128-bit prime number to determine whether the information comes from the first party.
  • Embodiment V.2 includes the following steps:
  • the program object A of the user network terminal requests the authentication by sending the user identifier and one of a pair of random numbers to the network resource through the established connection, and the program object A of the user network terminal generates the program object B and the user identifier and a pair of random Another number of writes
  • the sequence object B sends a connection request to the network resource according to the network resource URL;
  • the network resource compares the received two random numbers. If the two random numbers meet the specific rule and the received time difference does not exceed the specified value, the user passes the identity authentication.
  • the program object A can complete the following steps. The program object A randomly generates a pair of numbers conforming to a specific rule; generating the program object B and writing the user identifier and the other of the pair of random numbers into the connection request sent by the program object B to the network resource according to the network resource URL.
  • step 1) can also be performed between steps 3) and 4).
  • This embodiment can also be implemented in conjunction with the instant messaging tool IM of the point-to-point communication method.
  • the object program A is built in the user software, and the corresponding service software is configured in the network resource to implement the embodiment.
  • the present invention may be embodied in various other various modifications and changes without departing from the spirit and scope of the invention. Modifications are intended to fall within the scope of the appended claims.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

L'invention concerne un système et un procédé d'authentification de réseau sécurisé. La sécurité et la commodité de l'authentification de réseau peuvent être considérablement améliorées lorsque l'authentification est exécutée au niveau du tiers, toutefois, les solutions d'authentification de réseau par l'intermédiaire du tiers présentent des inconvénients considérables jusqu'à présent. Pour palier les inconvénients de l'authentification du tiers, un système et un procédé novateurs d'authentification d'identification du tiers ont été élaborés. Selon le mode de réalisation décrit dans cette invention, le système d'authentification du tiers utilise un programme qui est exécuté sur les trois parties et qui peut être traité automatiquement pour former un système permettant la mise en oeuvre des fonctions suivantes: l'équipement utilisateur peut accéder à différentes ressources de partie serveur avec une seule authentification du tiers; lorsque l'authentification du tiers s'achève, l'accès de l'équipement utilisateur à la partie serveur s'achève également; la sécurité peut être améliorée avec d'autres procédés (le CI portable, l'algorithme agréé, les informations avec émission en boucle fermée et calcul changeant), etc.
PCT/CN2008/073863 2008-01-10 2008-12-30 Système et procédé d'authentification de réseau sécurisé WO2009089764A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008801244913A CN101978650B (zh) 2008-01-10 2008-12-30 安全的网络认证系统和方法

Applications Claiming Priority (18)

Application Number Priority Date Filing Date Title
CN200810055847 2008-01-10
CN200810055847.4 2008-01-10
CN200810001167.4 2008-01-18
CN200810001167 2008-01-18
CN200810000860 2008-01-24
CN200810000860.X 2008-01-24
CNA2008100573953A CN101257511A (zh) 2008-02-01 2008-02-01 互联网上两方之间建立新连接的方法
CN200810057395.3 2008-02-01
CNA2008101147065A CN101286849A (zh) 2008-06-11 2008-06-11 基于约定算法的第三方认证系统和方法
CN200810114706.5 2008-06-11
CN200810116168.3 2008-07-04
CNA2008101161683A CN101304318A (zh) 2008-07-04 2008-07-04 安全的网络认证系统和方法
CN200810117828.X 2008-08-05
CN200810117828 2008-08-05
CN200810135254.9 2008-08-06
CNA2008101352549A CN101442523A (zh) 2008-01-18 2008-08-06 通过第三方的身份认证系统和方法
CN200810119470 2008-09-01
CN200810119470.4 2008-09-01

Publications (1)

Publication Number Publication Date
WO2009089764A1 true WO2009089764A1 (fr) 2009-07-23

Family

ID=40885066

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/073863 WO2009089764A1 (fr) 2008-01-10 2008-12-30 Système et procédé d'authentification de réseau sécurisé

Country Status (2)

Country Link
CN (1) CN101978650B (fr)
WO (1) WO2009089764A1 (fr)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102420798A (zh) * 2010-09-27 2012-04-18 任少华 网络认证系统和方法
CN102983975A (zh) * 2012-11-12 2013-03-20 天地融科技股份有限公司 动态口令显示方法
CN103543980A (zh) * 2013-11-07 2014-01-29 吴胜远 数字数据处理的方法及装置
CN103546462A (zh) * 2013-10-08 2014-01-29 任少华 具有特定关联流程的第三方认证系统或方法
US20140053242A1 (en) * 2012-08-15 2014-02-20 Verizon Patent And Licensing, Inc. Management of private information
CN109347813A (zh) * 2018-09-27 2019-02-15 广州邦讯信息系统有限公司 物联网设备登录方法、系统、计算机设备和存储介质
CN111765823A (zh) * 2020-05-14 2020-10-13 矿冶科技集团有限公司 一种远程起爆方法及系统
CN114900288A (zh) * 2022-05-23 2022-08-12 科大天工智能装备技术(天津)有限公司 一种基于边缘服务的工业环境认证方法
WO2023273933A1 (fr) * 2021-06-30 2023-01-05 寒武纪行歌(南京)科技有限公司 Procédé d'authentification de système sur puce et produit associé

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102740141A (zh) * 2012-05-31 2012-10-17 董爱平 一种移动互联即时视频隐私保护方法及系统
CN103391541B (zh) * 2013-05-10 2016-12-28 华为终端有限公司 无线设备的配置方法及装置、系统
CN103546292A (zh) * 2013-10-08 2014-01-29 任少华 多识别码的第三方认证系统或方法
CN103546290B (zh) * 2013-10-08 2019-06-18 任少华 具有用户组的第三方认证系统或方法
CN103546293A (zh) * 2013-10-08 2014-01-29 任少华 第三方认证系统或方法
CN105357196A (zh) * 2015-11-03 2016-02-24 北京铭嘉实咨询有限公司 网络登录方法与系统
TWI644279B (zh) * 2016-09-02 2018-12-11 台新綜合證券股份有限公司 用於促成線上證券戶開立之方法及系統

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030149880A1 (en) * 2002-02-04 2003-08-07 Rafie Shamsaasef Method and system for providing third party authentication of authorization
CN1866822A (zh) * 2005-05-16 2006-11-22 联想(北京)有限公司 一种统一认证的实现方法
CN101022337A (zh) * 2007-03-28 2007-08-22 胡祥义 一种网络身份证的实现方法
CN101051372A (zh) * 2006-04-06 2007-10-10 北京易富金川科技有限公司 电子商务中对金融业务信息安全认证的方法
CN101252438A (zh) * 2008-01-10 2008-08-27 任少华 基于可移动式ic的第三方身份认证系统
CN101257511A (zh) * 2008-02-01 2008-09-03 任少华 互联网上两方之间建立新连接的方法
CN101286849A (zh) * 2008-06-11 2008-10-15 任少华 基于约定算法的第三方认证系统和方法
CN101304318A (zh) * 2008-07-04 2008-11-12 任少华 安全的网络认证系统和方法

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101442523A (zh) * 2008-01-18 2009-05-27 任少华 通过第三方的身份认证系统和方法

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030149880A1 (en) * 2002-02-04 2003-08-07 Rafie Shamsaasef Method and system for providing third party authentication of authorization
CN1866822A (zh) * 2005-05-16 2006-11-22 联想(北京)有限公司 一种统一认证的实现方法
CN101051372A (zh) * 2006-04-06 2007-10-10 北京易富金川科技有限公司 电子商务中对金融业务信息安全认证的方法
CN101022337A (zh) * 2007-03-28 2007-08-22 胡祥义 一种网络身份证的实现方法
CN101252438A (zh) * 2008-01-10 2008-08-27 任少华 基于可移动式ic的第三方身份认证系统
CN101257511A (zh) * 2008-02-01 2008-09-03 任少华 互联网上两方之间建立新连接的方法
CN101286849A (zh) * 2008-06-11 2008-10-15 任少华 基于约定算法的第三方认证系统和方法
CN101304318A (zh) * 2008-07-04 2008-11-12 任少华 安全的网络认证系统和方法

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102420798A (zh) * 2010-09-27 2012-04-18 任少华 网络认证系统和方法
US9202016B2 (en) * 2012-08-15 2015-12-01 Verizon Patent And Licensing Inc. Management of private information
US20140053242A1 (en) * 2012-08-15 2014-02-20 Verizon Patent And Licensing, Inc. Management of private information
CN102983975A (zh) * 2012-11-12 2013-03-20 天地融科技股份有限公司 动态口令显示方法
CN103546462A (zh) * 2013-10-08 2014-01-29 任少华 具有特定关联流程的第三方认证系统或方法
CN103543980B (zh) * 2013-11-07 2021-10-22 吴胜远 数字数据处理的方法及装置
CN103543980A (zh) * 2013-11-07 2014-01-29 吴胜远 数字数据处理的方法及装置
CN109347813A (zh) * 2018-09-27 2019-02-15 广州邦讯信息系统有限公司 物联网设备登录方法、系统、计算机设备和存储介质
CN109347813B (zh) * 2018-09-27 2021-09-03 广州邦讯信息系统有限公司 物联网设备登录方法、系统、计算机设备和存储介质
CN111765823A (zh) * 2020-05-14 2020-10-13 矿冶科技集团有限公司 一种远程起爆方法及系统
WO2023273933A1 (fr) * 2021-06-30 2023-01-05 寒武纪行歌(南京)科技有限公司 Procédé d'authentification de système sur puce et produit associé
CN114900288A (zh) * 2022-05-23 2022-08-12 科大天工智能装备技术(天津)有限公司 一种基于边缘服务的工业环境认证方法
CN114900288B (zh) * 2022-05-23 2023-08-25 北京科技大学 一种基于边缘服务的工业环境认证方法

Also Published As

Publication number Publication date
CN101978650A (zh) 2011-02-16
CN101978650B (zh) 2012-08-15

Similar Documents

Publication Publication Date Title
WO2009089764A1 (fr) Système et procédé d'authentification de réseau sécurisé
CN107948189B (zh) 非对称密码身份鉴别方法、装置、计算机设备及存储介质
KR101265873B1 (ko) 분산된 단일 서명 서비스 방법
US9490980B2 (en) Authentication and secured information exchange system, and method therefor
US8407475B2 (en) Augmented single factor split key asymmetric cryptography-key generation and distributor
JP4847322B2 (ja) 二重要素認証されたキー交換方法及びこれを利用した認証方法とその方法を含むプログラムが貯蔵された記録媒体
KR100990320B1 (ko) 공용 서버로부터 콘텐츠를 요청할 때 클라이언트프라이버시를 제공하는 방법 및 시스템
US8868909B2 (en) Method for authenticating a communication channel between a client and a server
CN108965338B (zh) 多服务器环境下的三因素身份认证及密钥协商的方法
US20080034216A1 (en) Mutual authentication and secure channel establishment between two parties using consecutive one-time passwords
CN107040513B (zh) 一种可信访问认证处理方法、用户终端和服务端
WO2016177052A1 (fr) Procédé et appareil d'authentification d'utilisateur
US20060005033A1 (en) System and method for secure communications between at least one user device and a network entity
JP7140785B2 (ja) ワンタイムパスコードを組み込む持続性認証システム
US9225754B2 (en) Ad-hoc network communications
KR20080005344A (ko) 인증서버가 사용자단말기를 인증하는 시스템
EP1623551B1 (fr) Procede et systeme de securite de reseau
KR20070035342A (ko) 패스워드 기반의 경량화된 상호 인증 방법
JP2008152737A (ja) サービス提供サーバ、認証サーバ、および認証システム
Pathare et al. Sahnet: a secure system for ad-hoc networking using ecc
Anitha Kumari et al. A Review: PAKE Security for Distributed Environment
Bochmann et al. A secure authentication infrastructure for mobile users
NO327337B1 (no) En anordning og en metode for sterk brukerautentisering og kryptering av brukerdata i private virtuelle nettverk

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200880124491.3

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08871121

Country of ref document: EP

Kind code of ref document: A1

DPE2 Request for preliminary examination filed before expiration of 19th month from priority date (pct application filed from 20040101)
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08871121

Country of ref document: EP

Kind code of ref document: A1