WO2009097778A1 - Method, device and system for calling the security interface - Google Patents

Method, device and system for calling the security interface

Info

Publication number
WO2009097778A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
application server
interface
service identifier
authentication
Application number
PCT/CN2009/070177
Other languages
English (en)
Chinese (zh)
Inventor
Chenghui Peng
Bojie Li
Wenliang Liang
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2009097778A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a method, device, and system for calling a secure interface.
  • WiMAX (Worldwide Interoperability for Microwave Access)
  • the network exposes its service capabilities through interfaces to application servers located inside or outside the network.
  • by calling the service capability interface provided by USI, the application provider can build services for WiMAX access users more easily and provide personalized services to WiMAX access users more conveniently.
  • the capabilities that a WiMAX network releases through the USI system include quality of service (QoS, Quality of Service
  • the WiMAX network can look up the user to be operated on according to an identity parameter; generally, this identifier is assigned to the user by the WiMAX network and is provided to the third-party system so that, when the third-party system invokes the USI interface provided by the WiMAX network, it identifies the object (user) of the operation.
  • the embodiment of the present invention refers to the service identifier that the WiMAX network provides to the user as the user service identifier.
  • the WiMAX network can look up the user that the application server needs to operate on according to the user service identifier, so that the operation requested by the application server can be performed on that user.
  • the application layer interaction takes place between the user and the application server; therefore, the user service identifier is also provided by the user to the application server.
  • the application server invokes the USI interface with the user service identifier provided by the user to complete specific service logic, such as location information query, billing, etc.
  • in the existing mechanism, the network neither authenticates the user service identifier that the user provides to the application server nor authenticates the application server's operation on the user (that is, the application server's interface call). For example, the user may provide another user's service identifier to the application server, or the application server (from outside the network trust domain) may use a user service identifier without that user's authorization and invoke an interface the user has not authorized (such as a fee deduction interface for that user). The existing USI access mechanism therefore has security issues.
  • the embodiment of the invention provides a method, a device and a system for calling a security interface, which can ensure the security of the interface call by authenticating the user service identifier during the interface call.
  • the embodiment of the invention provides a method for calling a secure interface, including:
  • receiving an interface call request message sent by the application server and carrying the user service identifier and the user identity information.
  • the embodiment of the invention provides a user terminal, including:
  • a user identity information generating unit configured to generate user identity information according to a shared key of the user terminal and the network or a key derived from the shared key;
  • An information interaction unit configured to exchange information with an application server
  • the authentication information reporting unit is configured to report the authentication related information including the user service identifier and the user identity information in the information exchanged with the application server.
  • An embodiment of the present invention provides an application server, including:
  • the authentication information receiving unit is configured to receive authentication related information that is sent by the user terminal and includes the user service identifier and the user identity information;
  • the interface invoking unit is configured to invoke the related interface according to the user service identifier, and carry the received user service identifier and user identity information in the interface call request message.
  • the embodiment of the invention provides an interface call authentication system, which includes:
  • a receiving unit configured to receive an interface call request message carrying a user service identifier and user identity information
  • a user service identity authentication unit configured to authenticate the user service identifier according to the received user identity information.
  • the embodiment of the invention provides a security interface calling system, including:
  • an application server configured to carry a user service identifier and user identity information in the interface call request message, and send the interface call request message;
  • an interface call authentication system configured to authenticate the user service identifier according to the user identity information in the received interface call request message.
  • FIG. 1 is a flowchart of a method for calling a secure interface according to an embodiment of the present invention.
  • FIG. 2 is a flowchart of authenticating a user service identifier according to an embodiment of the present invention.
  • FIG. 3 is a flowchart of a method for calling a security interface according to another embodiment of the present invention.
  • FIG. 4 is a flowchart of a security interface invocation operation according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of a security interface invocation operation according to another embodiment of the present invention.
  • FIG. 6 is a schematic diagram of a user terminal module according to an embodiment of the present invention.
  • FIG. 7 is a schematic diagram of an application server module according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of an interface calling authentication system module according to an embodiment of the present invention.
  • the embodiment of the present invention carries the user service identifier and the user identity information in the interface call request message in the application server call interface, so that the network can authenticate the user service identifier according to the user identity information.
  • the application server invokes the interface to carry the application provider identity information, and the network can authenticate the application server according to the identity information of the application provider and the user configuration policy information.
  • An embodiment of the present invention provides a method for calling a secure interface. As shown in FIG. 1, the method includes the following steps.
  • Step 1 In the authentication process of the user terminal logging in to the network, the user terminal and the network generate a shared key. Taking the USI related key as an example, the user terminal and the network generate a USI related key based on the authentication process.
  • the specific USI related key can be derived as follows: after successful authentication, the user terminal and the network (generally the AAA server) generate the master session key (MSK, Master Session Key) and the EMSK.
  • USI-RK denotes the USI related key, derived from these with a hash function.
  • hash is an arbitrary hash function and may be replaced by another function, or the shared key is directly equal to MSK or EMSK.
  • the network saves the network identity of the user terminal (such as the NAI), the user service identifier, the user IP address, the shared key between the network and the user terminal, and the like.
  • Step 2 The user terminal performs application layer interaction with the application server, and the application server acquires user identity information and user service identifier.
  • the application server requests the user service identifier and the user identity information from the user terminal, or the user terminal actively reports the user service identifier and the user identity information to the application server.
  • the user service identifier may be a URI (Uniform Resource Identifier) in the format defined in RFC 2396, composed of a user name (name) part and a domain name (realm) part: the user name part may be a string of characters chosen to protect user privacy, and the domain name part identifies the user's home network.
  • the application server can use the domain name part of the user service identifier to determine the network service provider to which the user belongs and the address of the USI system that provider offers.
  • the user service identifier is allocated by the user's home network provider, and the user service identifier and the correspondence between the user service identifier and the network access identifier (NAI) are stored in the home network (such as the user's home AAA server).
  • the user identity information is used by the network to authenticate the service identity of the user, and may include the user digital signature and/or IP address information.
  • the user digital signature is calculated using the shared key between the user terminal and the network; the user terminal and the network use a consistent algorithm (such as an MD5 digest algorithm) to calculate it.
  • the calculation may also take the user service identifier or application layer parameters as input.
  • an application-server-specific key may be derived from the identifier of the application server and the shared key between the user terminal and the network, and this application-server-specific key is used to calculate user identity information specific to that application server.
  • the user digital signature can be included in the user service identifier, such as the user name of the user service identifier, so that the user identity information can be transmitted without a separate parameter.
  • Step 3 The application server invokes the USI interface, and carries the user service identifier and the user identity information in the interface call request message, requesting to authenticate the user service identifier;
  • the interface call request message may further carry an identifier of the application server (for the case in which the user identity information is calculated with an application-server-specific key) and any application layer parameter required (for the case in which the application layer parameter is included in the calculation of the user identity information).
  • the USI interface may be an interface provided by the USI system for authenticating a user service identifier, or may be a general service call interface.
  • the difference between the two types of service identity authentication is as follows:
  • the special interface allows the USI system to authenticate the user service identifier by using the message type identifier, and notifies the application server of the authentication result through a special return message;
  • the general service call interface allows the USI system to authenticate the user service identifier through a flag bit (i.e., an identifier added to the call request message), and returns the authentication result together with the response to the invoked service. Both require that the message carries the user service identifier and the user identity information.
  • Step 4 The network authenticates the user service identifier according to the user identity information provided by the application server.
  • the network authenticates the user service identifier through the user service identity authentication unit, which may be located inside the USI system or outside it (such as in the AAA server); the embodiment of the present invention is not limited in this respect.
  • the deployment location of the authentication unit does not affect the implementation of the present invention. In this embodiment, the authentication unit is located in the USI system as an example.
  • Step 5 After the authentication is passed, the application server can save the mapping between the user application layer identifier and the user service identifier, so that the USI system is not required to perform the service identity authentication of the user each time.
  • the USI system sends the application server's private key to the application server, and the application server uses this private key as a shared key for communication with the user terminal, to protect messages or data exchanged between the application server and the user terminal.
  • Step 21 The USI system checks whether it has obtained the user service identifier and the user identity information.
  • if not, the USI system may return an authentication failure message to the application server, where the authentication failure message carries information on the failure reason (such as a missing user service identifier).
  • if the USI system has obtained the user service identifier and the user identity information, step 22 is performed.
  • Step 22 After the user service identifier and the user identity information are obtained by the USI system, check whether the user terminal is registered in the USI system according to the user service identifier or the IP address information.
  • the USI system requires the user terminal to register with the USI system after accessing the network.
  • the USI system saves the user's network identity (such as the NAI), the user service identifier, the user IP address, and the shared key between the network and the user terminal.
  • if the user terminal is not registered, an authentication failure message may be returned to the application server, and information on the failure reason may be carried in the authentication failure message.
  • Step 23 The USI system authenticates the user service identifier according to the user identity information
  • the USI system sends the user identity information and the user service identifier, optionally including the identifier of the application server and the application layer parameter, to the user service identity authentication unit to perform user service identity authentication.
  • the authentication process includes:
  • if the user identity information is a digital signature, the authentication unit queries the shared key in the registration information according to the user service identifier or the IP address, and uses the shared key, or the application-server-specific key derived from the shared key, with a preset algorithm consistent with the user terminal and the same parameters as the user terminal, to calculate the user's digital signature.
  • the application server's private key may be calculated by the authentication unit according to the same algorithm as the user terminal. The calculated user digital signature is compared with the user digital signature carried in the interface call request message: if they are consistent, the user service identifier is authenticated; otherwise the authentication fails.
  • if the user identity information is an IP address, either:
  • the user IP address in the interface call is used directly as an index, the user service identifier corresponding to the IP address is found in the registration information, and it is compared with the user service identifier carried in the interface call; or
  • the user service identifier carried in the interface call is used as an index, the corresponding IP address is found in the registration information, and it is compared with the IP address carried in the interface call. If they are consistent, the authentication passes; otherwise the authentication fails.
  • if the user identity information contains both the user's digital signature and IP address information, both of the above authentication processes are performed: if either fails, the authentication fails; if both pass, the authentication succeeds.
  • an authentication success message may be returned to the application server.
  • the above process implements the authentication of the user service identifier by the application server by calling the USI interface.
  • the application server may be authenticated at the same time as the user service identifier, as described in the following embodiments.
  • the present invention further provides another implementation manner.
  • the difference between the implementation manner and the foregoing embodiment is that the application server invokes the USI interface, carries the user service identifier and the user identity information, and carries the application provider identity information.
  • the authentication process of the user service identifier of the USI system is the same as that of the first embodiment.
  • the USI system can authenticate the application server according to the application provider identity information and the user policy data configuration information.
  • the authentication to the application server includes authentication of the identity of the application server by the network and authentication of the operation of the user by the application server (ie, authentication of an interface call to the application server).
  • Step 31 The application server invokes the USI interface, carrying the user service identifier and the user identity information, and the application provider identity information;
  • Step 32 The network authenticates the identity of the application server based on the identity information of the application provider;
  • the network authenticates the identity of the application server, that is, the network provider verifies whether the application server is allowed to invoke an interface provided by the network, and the specific authentication process is:
  • the application server needs to carry the application provider identity information on the calling interface, and is used by the USI system to confirm the identity of the application server. Only the application provider that runs the USI system after signing with the network operator can access the USI interface.
  • Authentication technology for the application server identity belongs to the prior art, and the embodiment of the present invention is not limited in this respect. For example, a public key certificate or a shared key may be used for identity authentication.
  • if the application server identity authentication succeeds, step 33 is performed; otherwise, an authentication failure message is returned to the application server, and information on the failure reason may be carried in the authentication failure message.
  • Step 33 The network authenticates the user service identifier according to the user identity information provided by the application server.
  • the specific authentication process for the user service identifier is the same as that described in the foregoing implementation manner, and is not described herein.
  • after the authentication of the user service identifier succeeds, step 34 is performed; otherwise, an authentication failure message is returned to the application server, and information on the failure reason may be carried in the authentication failure message.
  • Step 34 The USI system authenticates the interface call of the application server
  • the user terminal configuration policy may be stored in the USI system, in the AAA server, or in a separate user policy server. If the user configuration policy information is not in the USI system, the USI system needs to exchange messages with the AAA server or the user terminal configuration policy server, using the user service identifier or the user NAI as an index.
  • a message (such as an XCAP or HTTP GET message) is used to obtain the configuration policy data of the user terminal, which is used to determine whether the application server is allowed to operate on the user terminal. If the authentication succeeds, an authentication success message is returned to the application server; if the authentication fails, an authentication failure message is returned to the application server.
  • the application scenario of one embodiment is: user A is a WiMAX network user and is also a paid-video user, and the application server B of the paid-video service can invoke the USI interface of the WiMAX network to which user A belongs; user A watches paid video on application server B and is charged through the WiMAX network.
  • the application server B deducts the fee through the USI withholding-fee interface provided by the WiMAX network.
  • this requires the service identifier of user A to be authenticated.
  • as shown in FIG. 4, the specific process includes: 41. After user A logs in to the WiMAX network, user A initiates registration with the USI system;
  • the registration information includes: user network identity information, such as NAI, the user's IP address, the user service identifier, and the shared key information of the network and the user; the USI records the registration information of the user A, and returns the user A registration success message;
  • the application server B carries the user service identifier and the user identity information in a user withholding-fee request to the USI system of user A's home network, and requests the USI system to authenticate the user service identifier (if the called interface is a general service call interface, the request message carries flag information requiring the USI system to authenticate the user service identifier);
  • the USI system authenticates the identity of the application server, and authenticates the user service identifier after the application server identity authentication is passed;
  • if the application server authentication fails, an authentication failure message is returned directly and the authentication process for the user service identifier is not performed. If the application server identity authentication succeeds, the user service identifier is authenticated, and if that authentication fails, an authentication failure response is returned to application server B;
  • the accounting system returns a response message according to the user's balance: if the balance is insufficient, a failure response is returned carrying the reason, such as insufficient funds; if the deduction succeeds, a success response is returned.
  • the foregoing embodiment implements the authentication of the user service identifier in the process of calling the USI interface by the application server, and improves the security of the interface call.
  • the application scenario of another embodiment is as follows: user A is a WiMAX network user and is also an instant messaging user, that is, the instant messaging application server B can invoke the USI interface of the WiMAX network to which user A belongs; user A registers his user service identifier on the instant messaging application server B and allows application server B to deliver instant messages sent to him via the message server interface provided by the WiMAX network. In the process of application server B invoking the message server interface, the user service identifier and application server B need to be authenticated. As shown in FIG. 5, the specific process is as follows:
  • the registration information includes: user network identity information (such as NAI), IP address, user service identifier, and shared key of the network and the user; the USI records the registration information of the user A, and returns the user A registration success message;
  • the message application server B initiates a user service identity authentication request message to the USI system to which the user A belongs, and carries the user identity information of the user A and the user service identifier provided by the user A;
  • the user identity information includes a user digital signature and/or user IP address information.
  • after receiving the request message for authentication of the user's service identifier, the USI system first authenticates the identity of application server B and, after that authentication passes, authenticates the user service identifier according to the user identity information (such as a digital signature). If it passes, an authentication success message is returned to the instant messaging application server B. If the earlier authentication fails, the later one is not performed, and if either authentication fails, an authentication failure message is returned to the instant messaging application server B before any subsequent operation.
  • the USI system can also authenticate whether the application server B allows the operation of the user A according to the user configuration policy (user level), that is, authenticate the interface call of the application server B. After the authentication is completed, the authentication response message is returned to the application server B. If the authentication succeeds, the authentication success message is returned to the application server B. If the authentication fails, the authentication failure message is returned to the application server B.
  • the application server B binds the service identifier of user A to the application layer identifier of user A. After the foregoing operation, user A exits the instant message application server B, that is, user A is offline on message application server B;
  • the message application server B receives an instant message sent by a friend of user A to user A while user A is offline, and, according to the policy that user A set on the instant message application server B, invokes the message interface of the USI to forward the message.
  • the user configuration policy is pre-configured by the user. The policy may be that, when user A is not logged in to application server B (that is, offline), a message sent by a friend is delivered to the WiMAX terminal of user A through the USI interface, and the message carries the service identifier of user A;
  • after receiving the message interface call, the USI performs identity authentication and interface call authentication for the instant message application server B, that is, it checks the configuration policy of user A and verifies whether application server B is allowed to send a message to user A.
  • if the authentication passes, the call message is forwarded to the message server, and the message server forwards the message to user A;
  • the USI may replace the user service identifier with the user's NAI address according to the corresponding relationship between the stored user service identifier and the user network identity information, such as the NAI, and then forward the message to the message server.
  • This embodiment implements the authentication of the user service identifier and the application interface call during the interface call process, and effectively ensures the security of the interface call.
  • An embodiment of the present invention provides a secure interface calling system, including an application server and an interface calling authentication system.
  • the application server is configured to carry a user service identifier and user identity information in an interface call request message.
  • the application server may be further configured to obtain the user identity information and the user service identifier after interacting with the user terminal, and, when calling the interface, to carry the user service identifier and the user identity information in the interface call request message.
  • the user identity information includes a user digital signature and/or user IP address information.
  • the interface call request message optionally carries application provider identity information.
  • the interface call authentication system is configured to obtain user identity information and a user service identifier provided by the application server, and use the user identity information to authenticate the user service identifier;
  • the information obtained by the interface calling authentication system from the application server further includes application provider identity information, an identifier of the application server, and an application layer parameter.
  • the process of authenticating a service identifier by using user identity information includes:
  • the network finds the shared key between the user terminal and the network according to the received user service identifier or user IP address, uses the shared key or a key derived from it to calculate the user digital signature with an algorithm consistent with the user terminal, and compares the result with the received user digital signature. If they agree, the user service identifier is authenticated; otherwise, the user service identifier authentication fails.
  • the IP address is used as an index, the user service identifier corresponding to the IP address is found in the registration information, and it is compared with the user service identifier carried in the interface call; or the user service identifier carried in the interface call request message is used as an index, the corresponding IP address is found in the registration information, and it is compared with the IP address carried in the interface call request message. If they agree, the authentication passes; otherwise, the user service identifier authentication fails.
  • the user service identifier and the user identity information are carried in the interface call process, and the user service identifier is authenticated according to the user identity information, thereby effectively ensuring the security of the interface call.
  • FIG. 6 is a schematic diagram of a module of the user terminal 60.
  • the user terminal 60 is configured to report user identity information and a user service identifier after interacting with an application server.
  • the user terminal 60 is provided with:
  • the user identity information generating unit 600 is configured to generate the user identity information by a calculation based on the shared key of the user terminal 60 and the network, or on a key derived from that shared key; the user service identifier or application layer parameters may additionally be taken as input to the calculation.
  • the user identity information generated by the calculation is a digital signature of the user.
  • the authentication information reporting unit 602 is configured to report, in the information that interacts with the application server, authentication related information including the user service identifier and the user identity information.
  • the reported user identity information may include a user digital signature and/or user IP address information.
  • the user terminal reports the authentication related information, including the user service identifier and the user identity information, during its interaction with the application server. This allows the user identity information to be used later, in the interface call process, to authenticate the user service identifier, which ensures the security of the interface call.
  • An embodiment of the present invention provides an application server. FIG. 7 is a schematic diagram of the modules of the application server 70. The application server 70 is configured to acquire user identity information and a user service identifier after interacting with the user terminal and, when an interface is invoked, to carry the user service identifier and the user identity information in the interface call request message and to request that the user service identifier be authenticated.
  • the application server 70 is provided with:
  • the authentication information receiving unit 700 is configured to receive authentication related information that is sent by the user terminal and includes the user service identifier and the user identity information.
  • the authentication related information may further include an identifier of the application server, an application layer parameter, and application provider identity information.
  • the interface invoking unit 701 is configured to invoke the related interface according to the user service identifier, and carry the received user service identifier and user identity information in the interface call request message;
  • the interface call request message optionally carries application provider identity information, an identifier of an application server, and/or an application layer parameter.
  • the application server can also be configured with:
  • the flag setting unit 702 is configured to set a flag for requesting authentication of the user service identifier in the interface call request message.
  • the application server carries the user service identifier and the user identity information in the interface call request message and requests that the user service identifier be authenticated, so that the interface side can authenticate the user service identifier on the basis of the user identity information, effectively guaranteeing the security of the interface call.
  • An embodiment of the present invention provides an interface call authentication system. FIG. 8 is a schematic diagram of the modules of the interface call authentication system 80, which is used to obtain the user identity information and the user service identifier provided by the application server and to authenticate the user service identifier by using the user identity information;
  • the information obtained by the interface calling authentication system 80 from the application server may further include application provider identity information, an identifier of the application server, and an application layer parameter.
  • the interface call authentication system is further used to authenticate the identity of the application server and the interface call made by the application server.
  • the receiving unit 800 is configured to receive an interface call request message that carries the user service identifier and the user identity information;
  • the user identity information includes a user digital signature and/or user IP address information.
  • the interface call request message optionally includes one or more of application provider identity information, an application server identifier, and an application layer parameter.
  • the user service identity authentication unit 801 is configured to authenticate the user service identity according to the received user identity information.
  • digital signature check: the network searches for the shared key of the user terminal and the network according to the received user service identifier or user IP address, uses the shared key (or a key derived from the shared key) to compute the user digital signature with an algorithm consistent with the one used by the user terminal, and compares the result with the received user digital signature. If the two are consistent, the user service identifier authentication passes; otherwise, the user service identifier authentication fails.
  • IP address binding check: the IP address is used as an index to find the user service identifier corresponding to that IP address in the registration information, which is then compared with the user service identifier carried in the interface call request message; or the user service identifier carried in the interface call request message is used as an index to find the corresponding IP address in the registration information, which is then compared with the IP address carried in the interface call request message. A mismatch indicates that the user service identifier authentication failed.
  • the interface call authentication system can also be set with:
  • the application authentication unit 802 is configured to authenticate the identity of the application server and the interface call of the application server.
  • the application authentication unit 802 obtains the user configuration policy corresponding to the authenticated user service identifier and determines, according to that policy, whether the application server is allowed to invoke the interface. If it is allowed, the interface call authentication passes; if it is not allowed, the interface call authentication fails.
  • the application authentication unit performs authentication according to the identity of the server corresponding to the received application provider identity information.
  • the interface calling authentication system can also be configured with a special user service identity authentication interface, and the application server can call the interface to authenticate the user service identity.
  • the interface invocation authentication system may be a USI system, or may be another system capable of implementing the function, which is not limited by the embodiment of the present invention.
  • the embodiment of the present invention ensures the security of the interface call by authenticating the user service identifier during the interface call process.
  • the interface receives an interface call request message that is sent by the application server and carries the user service identifier and the user identity information;
  • the storage medium mentioned above may be a readable memory, a magnetic disk or an optical disk or the like.
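The two checks performed by the user service identity authentication unit 801 (digital signature check and IP address binding check) and the policy decision of the application authentication unit 802, as an added worked example that is not part of the patent or of any Huawei implementation. It assumes HMAC-SHA256 as the "algorithm consistent with the user terminal" and an HMAC-based key derivation from the shared key (the patent fixes neither); the registration records, shared keys, IP addresses, user service identifiers and user policy are constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

# Constructed registration information held on the network side:
# user service identifier -> shared key of terminal and network, registered IP address.
# Keys and addresses are placeholders, not values from the patent.
REGISTRATION: Dict[str, Dict[str, Any]] = {
    "usi-alice@example.net": {"shared_key": b"alice-shared-key-placeholder", "ip": "192.0.2.10"},
    "usi-bob@example.net": {"shared_key": b"bob-shared-key-placeholder", "ip": "192.0.2.20"},
}

# Constructed user configuration policy: which application providers each user
# allows to invoke interfaces on their behalf (consulted by the application authentication unit).
USER_POLICY: Dict[str, set] = {
    "usi-alice@example.net": {"app-provider-1"},
    "usi-bob@example.net": set(),
}


def derive_key(shared_key: bytes, app_layer_param: str) -> bytes:
    """Key derived from the shared key. The patent does not fix a derivation; an
    HMAC-based derivation bound to the application layer parameter is assumed here."""
    return hmac.new(shared_key, b"usi-derive|" + app_layer_param.encode(), hashlib.sha256).digest()


def user_digital_signature(shared_key: bytes, user_service_id: str, app_layer_param: str) -> str:
    """Terminal side (generating unit 600): user identity information computed from the derived
    key, taking the user service identifier and the application layer parameter as input.
    HMAC-SHA256 is an assumption; the patent only requires an algorithm the network can mirror."""
    key = derive_key(shared_key, app_layer_param)
    msg = f"{user_service_id}|{app_layer_param}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class InterfaceCallRequest:
    """Interface call request message as built by the application server (units 701/702)."""
    user_service_id: str
    app_layer_param: str
    user_signature: Optional[str] = None   # user identity information: digital signature
    user_ip: Optional[str] = None          # user identity information: IP address
    app_provider_id: Optional[str] = None  # application provider identity information
    app_server_id: Optional[str] = None    # identifier of the application server
    authenticate_usi: bool = True          # flag requesting user service identifier authentication


def authenticate_user_service_id(req: InterfaceCallRequest) -> bool:
    """Unit 801: authenticate the user service identifier with the received user identity
    information. Both checks are applied when both kinds of identity information are present."""
    if req.user_signature is None and req.user_ip is None:
        return False  # nothing to authenticate against
    record = REGISTRATION.get(req.user_service_id)
    if record is None:
        return False  # unknown identifier: no shared key and no registration entry
    if req.user_signature is not None:
        # Network recomputes the signature with the terminal's algorithm and compares in constant time.
        expected = user_digital_signature(record["shared_key"], req.user_service_id, req.app_layer_param)
        if not hmac.compare_digest(expected, req.user_signature):
            return False
    if req.user_ip is not None:
        # Registration information binds the identifier to an IP address; a mismatch fails.
        if record["ip"] != req.user_ip:
            return False
    return True


def authenticate_interface_call(req: InterfaceCallRequest) -> Tuple[bool, str]:
    """Unit 802: once the user service identifier is authenticated, consult the user's
    configuration policy to decide whether this application provider may invoke the interface."""
    if req.authenticate_usi and not authenticate_user_service_id(req):
        return False, "user service identifier authentication failed"
    allowed = USER_POLICY.get(req.user_service_id, set())
    if req.app_provider_id not in allowed:
        return False, "interface call not allowed by user configuration policy"
    return True, "interface call authenticated"


if __name__ == "__main__":
    # The terminal signs its identifier and application parameter, the application server
    # forwards signature and IP in the request, and the authentication system decides.
    sig = user_digital_signature(b"alice-shared-key-placeholder", "usi-alice@example.net", "SIP")
    req = InterfaceCallRequest("usi-alice@example.net", "SIP", sig, "192.0.2.10",
                               "app-provider-1", "app-server-1")
    print(authenticate_interface_call(req))
```

Binding the signature to the application layer parameter means a signature captured for one application protocol does not verify for another, and the registration-side IP check is independent of the signature, so either kind of user identity information can be used alone, as the description allows.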

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a method for calling a security interface in the field of communication technology, the method comprising the following steps: the interface receives, from the application server, a request comprising the user service identifier and the user identity information, and authenticates the user service identifier included in the request with the received user identity information. If the authentication succeeds, the authentication of the user identity information succeeds. If the authentication does not succeed, the authentication of the user identity information fails. The invention also relates to a device and a system for calling a security interface. In the embodiment of the present invention, the user service identifier is authenticated during the interface call process, which effectively ensures the security of the interface call.
PCT/CN2009/070177 2008-02-01 2009-01-16 Method, device and system for calling a security interface WO2009097778A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810007068.7A CN101499904A (zh) 2008-02-01 2008-02-01 Secure interface calling method, device and system
CN200810007068.7 2008-02-01

Publications (1)

Publication Number Publication Date
WO2009097778A1 true WO2009097778A1 (fr) 2009-08-13

Family

ID=40946797

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/070177 WO2009097778A1 (fr) 2008-02-01 2009-01-16 Method, device and system for calling a security interface

Country Status (2)

Country Link
CN (1) CN101499904A (fr)
WO (1) WO2009097778A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112583606A (zh) * 2020-12-16 2021-03-30 深圳市欢太科技有限公司 Security verification method and server, terminal and storage medium

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721163A (zh) * 2009-08-11 2016-06-29 中兴通讯股份有限公司 System and method for accessing a visited-location service provider
CN102779071A (zh) * 2012-06-14 2012-11-14 华为技术有限公司 Software interface calling method, device and system
CN105471931B (zh) * 2014-08-06 2020-06-26 腾讯科技(北京)有限公司 Method, device and system for querying service data
CN106209751B (zh) * 2015-05-08 2019-05-03 中标软件有限公司 Service-oriented interface authentication method based on operating system authorization certificates
CN105741444B (zh) * 2016-01-29 2019-01-01 广州广电运通金融电子股份有限公司 Application authentication method and device for Linux-based financial self-service equipment
CN107888548A (zh) * 2016-09-30 2018-04-06 北京金山云网络技术有限公司 Information verification method and device
CN107426266B (zh) * 2017-03-14 2020-08-04 阿里巴巴集团控股有限公司 Data processing method and server
CN107580322A (zh) * 2017-08-28 2018-01-12 驭势科技(北京)有限公司 Upgrade method and device for a driverless vehicle software system, and driverless vehicle
CN108365961B (zh) * 2018-01-02 2019-07-19 深圳壹账通智能科技有限公司 Interface calling method and terminal device, and interface call response method and server
CN108600264B (zh) * 2018-05-09 2020-10-02 聚龙股份有限公司 Encryption and decryption method applied to credit authentication, and credit authentication system
CN109067818B (zh) * 2018-06-04 2019-08-20 杭州数梦工场科技有限公司 Service access method and device
CN109309667B (zh) * 2018-08-28 2021-08-13 东软集团股份有限公司 Authentication method and device for interface calls, storage medium and electronic device
CN111371881A (zh) * 2020-02-28 2020-07-03 北京字节跳动网络技术有限公司 Service invocation method and device
CN113159737B (zh) * 2021-05-27 2022-11-01 中国平安人寿保险股份有限公司 RPA service processing method, RPA management platform, device and medium
CN113452771B (zh) * 2021-06-24 2023-01-31 北京沃东天骏信息技术有限公司 Interface calling method, device and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1731723A (zh) * 2005-08-19 2006-02-08 上海林果科技有限公司 Electronic/mobile phone token dynamic password authentication system
CN1889430A (zh) * 2006-06-21 2007-01-03 南京联创网络科技有限公司 Security authentication control method for terminal broadband access based on 802.1x
US20070022469A1 (en) * 2005-07-20 2007-01-25 Cooper Robin R Network user authentication system and method
CN1946022A (zh) * 2006-10-31 2007-04-11 华为技术有限公司 Method and system for relaying third-party login, and third-party website and service server
US20070143830A1 (en) * 2005-12-20 2007-06-21 International Business Machines Corporation Method, apparatus and system for preventing unauthorized access to password-protected system
CN101102192A (zh) * 2007-07-18 2008-01-09 北京飞天诚信科技有限公司 Authentication device, method and system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070022469A1 (en) * 2005-07-20 2007-01-25 Cooper Robin R Network user authentication system and method
CN1731723A (zh) * 2005-08-19 2006-02-08 上海林果科技有限公司 Electronic/mobile phone token dynamic password authentication system
US20070143830A1 (en) * 2005-12-20 2007-06-21 International Business Machines Corporation Method, apparatus and system for preventing unauthorized access to password-protected system
CN1889430A (zh) * 2006-06-21 2007-01-03 南京联创网络科技有限公司 Security authentication control method for terminal broadband access based on 802.1x
CN1946022A (zh) * 2006-10-31 2007-04-11 华为技术有限公司 Method and system for relaying third-party login, and third-party website and service server
CN101102192A (zh) * 2007-07-18 2008-01-09 北京飞天诚信科技有限公司 Authentication device, method and system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112583606A (zh) * 2020-12-16 2021-03-30 深圳市欢太科技有限公司 Security verification method and server, terminal and storage medium
CN112583606B (zh) * 2020-12-16 2023-05-09 深圳市欢太科技有限公司 Security verification method and server, terminal and storage medium

Also Published As

Publication number Publication date
CN101499904A (zh) 2009-08-05

Similar Documents

Publication Publication Date Title
WO2009097778A1 (fr) Method, device and system for calling a security interface
KR102018971B1 (ko) Method for enabling a network access device to access a wireless network access point, network access device, application server and non-volatile computer-readable storage medium
US8024488B2 (en) Methods and apparatus to validate configuration of computerized devices
US11510054B2 (en) Methods, apparatuses, and computer program products for performing identification and authentication by linking mobile device biometric confirmation with third-party mobile device account association
US8978100B2 (en) Policy-based authentication
KR101158956B1 (ko) Method for distributing certificates in a communication system
JP5688087B2 (ja) Method and apparatus for trusted authentication and logon
US8195819B1 (en) Application single sign on leveraging virtual local area network identifier
EP3069493B1 (fr) Authentication system
WO2015154066A1 (fr) Method for authenticating and ensuring the compliance of devices accessing external services
EP2767029B1 (fr) Secure communication
WO2005096644A1 (fr) Method for establishing a security association between the roaming subscriber and the visited network server
WO2012094602A1 (fr) Client-server group single sign-on including a local OpenID
WO2006000152A1 (fr) Method for managing user equipment network access by means of the generic authentication architecture
WO2012058896A1 (fr) Method and system for single sign-on
US20210084020A1 (en) System and method for identity and authorization management
WO2009129753A1 (fr) Method and apparatus for improving the security of network identity authentication
WO2006058493A1 (fr) Method and system for domain authentication and network authority
WO2013056619A1 (fr) Method, IdP, SP and system for identity federation
WO2009053818A2 (fr) Method and apparatus for providing a secure binding to a user identity in a digital rights management system
US20130091355A1 (en) Techniques to Prevent Mapping of Internal Services in a Federated Environment
JP2020078067A (ja) System and method for securely enabling a user having a mobile device to access the capabilities of a standalone computing device
KR20090054774A (ko) Integrated security management method in a distributed network environment
EP3381208B1 (fr) Charge record authentication for anonymized network service usage
WO2012000313A1 (fr) Method and system for home gateway certification

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09708567

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2963/KOLNP/2010

Country of ref document: IN

122 Ep: pct application non-entry in european phase

Ref document number: 09708567

Country of ref document: EP

Kind code of ref document: A1