WO2009129753A1 - Method and apparatus for improving network identity authentication security - Google Patents

Method and apparatus for improving network identity authentication security

Info

Publication number
WO2009129753A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal user
identity authentication
network identity
authentication
information
Prior art date
Application number
PCT/CN2009/071463
Other languages
English (en)
Chinese (zh)
Inventor
陈国乔
杨健
王雷
张惠萍
董挺
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2009129753A1

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a method and apparatus for improving network identity authentication security.
  • a Web Service is an interface that describes operations that can be accessed over the network using a standardized XML (extensible markup language) messaging mechanism.
  • a Web Service can be used to implement complex functions or business transactions, either alone or in conjunction with other Web services.
  • a terminal may use multiple web services, but not all services are located within the trust domain of its network operator.
  • the prior art provides an identity association method, that is, a network identity, which is used to describe that the status or data provided to the terminal is consistent among various network services.
  • SP Service Provider
  • IDP Identity Provider
  • DS Discovery Service
  • AP Attribute Provider
  • the SP is an entity that provides services and/or goods to the main user.
  • IDP is used to generate, maintain, and manage identity information for the subject user and to provide authentication assertions for other service providers in an authentication domain (or even a circle of trust).
  • DS allows different entities (such as service providers) to dynamically discover a registered service for a principal.
  • when the DS has determined the type of service required and the user's permission settings allow the information to be provided to the requesting entity, the DS replies to that entity with a service description, including the required entity service.
  • WSDL Web Service Description Language
  • the DS can also be used as a secure token service to send the security token to the requester, which the requestor needs to present when requesting service from DS.
  • the AP is used to provide the attributes of a subject user.
  • the identity authentication by the IDP and the attributes provided by the attribute provider to the SP are required to complete the service.
  • other entities in the trust circle can use the IDP to authenticate the user information, identify the user identity through the NI (Network Identity), acquire the user's attribute information, and carry out related business applications on that basis.
  • the main user request service and the NI authentication process are as follows:
  • after receiving the request initiated by the main user, the SP sends a request to the IDP to verify the authentication status of the main user;
  • after receiving the request sent by the SP, the IDP returns a reply to the SP, where the reply includes an authentication assertion describing the user authentication status and may optionally include the bootstrap information required to access the discovery service entity of the subject user; if the SP holds no valid SSO (Single Sign-On) context for the principal user, the principal user must first be authenticated by the IDP in order to establish a valid SSO session;
  • SSO Single Sign-On
  • the SP uses the bootstrap information from the IDP to query the subject user's discovery service entity for a particular attribute provider;
  • the discovery service entity returns an authentication assertion to the SP, including the address information of the attribute provider of the subject user;
  • the SP accesses the attribute provider using the address information in the authentication assertion, requesting the query attribute or the operation related to the attribute from the attribute provider (for example, deleting or modifying the attribute);
  • the attribute provider returns a reply message to the SP
  • after receiving the reply message from the attribute provider, the SP allows or denies the request of the subject user.
  • IDP authentication of the main user needs to call an external authentication server, such as LDAP (Lightweight Directory Access Protocol) or a relational database together with the access control protocol attached to it.
  • LDAP Lightweight Directory Access Protocol
  • the embodiment of the present invention provides a method for improving the security of the network identity authentication, which is applied to the web service, and the method includes:
  • an embodiment of the present invention further provides an identity provider device, which is applied to a web service, where the device includes:
  • An authentication module configured to perform network identity authentication on the SP and the end user
  • a sending module configured to return an authentication result obtained by the authentication module to the SP, where the authentication result includes a network identity authentication result of the terminal user and a network identity authentication result of the SP.
  • the embodiment of the present invention further provides a service provider device, which is applied to a web service, and the device includes:
  • An authentication module configured to perform network identity authentication on the SP and the end user
  • a sending module configured to return an authentication result obtained by the authentication module to the SP, where the authentication result includes a network identity authentication result of the terminal user and a network identity authentication result of the SP.
  • the embodiment of the present invention provides a method for seamlessly switching the single sign-on process, which is applied to a web service, and the method includes:
  • after the SP requests network identity authentication from the IDP specified by the terminal user and receives the result that this IDP does not support the authentication, the IDP to which the SP belongs receives the network identity authentication request sent by the terminal user;
  • the authentication result is returned to the terminal user.
  • the embodiment of the present invention further provides a method for seamlessly switching the single sign-on process, which is applied to a web service, and the method includes:
  • the terminal user is authenticated, and the authentication result is returned to the terminal user.
  • the embodiment of the present invention further provides an identity provider device, which is applied to a web service, where the identity provider is an identity provider to which the SP belongs, and the device includes:
  • a receiving module configured to receive a network identity authentication request sent by the terminal user
  • an authentication module configured to: after the receiving module receives the network identity authentication request, perform network identity authentication on the terminal user, and return an authentication result to the terminal user.
  • an embodiment of the present invention further provides a service provider device, where the device includes:
  • a receiving module configured to receive a service request sent by the terminal user, and to receive from the IDP specified by the terminal user a result indicating that the authentication is not supported because that IDP is not the IDP to which the SP belongs;
  • a sending module configured to: after the receiving module receives the service request, initiate a network identity authentication request to the IDP specified by the terminal user, and after the receiving module receives the result, return a response to the terminal user, where the response carries the information of the IDP to which the SP belongs.
  • the embodiment of the present invention provides a method for improving the security of the network identity authentication, which is applied to the web service, and the method includes:
  • the embodiment of the present invention further provides a service provider device, which is applied to a web service, where the service provider does not have an IDP, and the device includes:
  • a receiving module configured to receive a service authentication request sent by the terminal user
  • the service authentication module is configured to: after receiving the service authentication request, the receiving module authenticates the terminal user, and returns an authentication result to the terminal user.
  • an embodiment of the present invention further provides an identity provider device, which is applied to a web service, where the device includes:
  • a receiving module configured to receive, by the SP, a request for performing network identity authentication on the terminal user, where the request includes access permission information of the service provider;
  • a control module configured to: after the receiving module receives the request, perform network identity authentication on the terminal user according to the access permission information, and return an authentication result to the SP.
  • the embodiment of the present invention improves the security between the terminal user and the SP by performing network identity authentication on both the end user and the SP in the single sign-on process.
  • the IDP to which the SP belongs performs network identity authentication on the end user, or the SP performs service authentication for the terminal user; this realizes seamless handover in the single sign-on process and improves the terminal user experience.
  • controlling the network identity authentication of the terminal user by using the access authority information of the SP, and controlling the SP's acquisition of the terminal user's attribute information, allows the SP to provide different services to the end user.
  • FIG. 1 is a schematic flowchart of a method for improving network identity authentication security according to an embodiment of the present invention
  • FIG. 2 is a first schematic flowchart of a method for seamlessly switching between single sign-on processes according to an embodiment of the present invention
  • FIG. 3 is a second schematic flowchart of a method for seamlessly switching a single sign-on process according to an embodiment of the present invention
  • FIG. 4 is a third schematic flowchart of a method for seamlessly switching a single sign-on process according to an embodiment of the present invention
  • FIG. 5 is a schematic flowchart of a method for improving network identity authentication security according to an embodiment of the present invention
  • FIG. 6 is a schematic diagram of a first structure of an identity provider device according to an embodiment of the present invention.
  • FIG. 7 is a schematic diagram of a second structure of an identity provider device according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of a first structure of a service provider apparatus according to an embodiment of the present invention.
  • FIG. 9 is a schematic diagram of a third structure of an identity provider device according to an embodiment of the present invention.
  • FIG. 10 is a schematic diagram of a second structure of a service provider apparatus according to an embodiment of the present invention.
  • FIG. 11 is a schematic diagram of a third structure of a service provider device according to an embodiment of the present invention.
  • FIG. 12 is a fourth schematic structural diagram of a service provider apparatus according to an embodiment of the present invention.
  • FIG. 13 is a fifth structural diagram of a service provider apparatus according to an embodiment of the present invention.
  • FIG. 14 is a fourth structural diagram of an identity provider device according to an embodiment of the present invention.
  • FIG. 15 is a fifth structural diagram of an identity provider device according to an embodiment of the present invention.
  • FIG. 16 is a schematic diagram of a first structure of a system for improving network identity authentication security according to an embodiment of the present invention
  • FIG. 17 is a schematic structural diagram of a system for seamlessly switching a single sign-on process according to an embodiment of the present invention
  • a second schematic structural diagram of a system for improving network identity authentication security provided by an embodiment of the present invention.
  • An embodiment of the present invention provides a method for improving network identity authentication security, including: the IDP performs network identity authentication on an SP and an end user, and returns an authentication result to the SP, where the authentication result includes the network identity authentication result of the SP and the network identity authentication result of the end user.
  • the physical devices shown in FIG. 1 are all located in one circle of trust, and the method specifically includes: 101: The terminal user initiates an authentication request to the SP, where the request carries the authentication information of the terminal user, the identification information of the IDP specified by the terminal user, and identifier information indicating that the SP is required to return the network identity authentication result of the SP.
  • after receiving the authentication request, the SP requests the corresponding IDP, according to the IDP identification information, to perform network identity authentication on the terminal user; the SP may further carry its own identity authentication information in the request, asking the IDP to perform network identity authentication on the SP as well.
  • the SP may also complete the process of performing network identity authentication to the IDP before 102 or before 101.
  • the SP initiates a network identity authentication request initiated by the SP.
  • the identity authentication information of the SP may not be carried.
  • the SP simultaneously requests the IDP to perform network identity authentication on the terminal user and the SP.
  • after receiving the request sent by the SP, the IDP performs network identity authentication on the terminal user and the SP according to the saved terminal user information and SP information, and returns an authentication result, where the authentication result includes an authentication assertion describing the terminal user authentication status and the result of the IDP's network identity authentication of the SP.
  • the authentication result returned by the IDP may further include: bootstrap information required for the SP to access the DS of the terminal user.
  • after receiving the authentication result returned by the IDP, the SP returns the authentication result to the terminal user, which includes the authentication result for the terminal user and the authentication result for the SP.
  • the terminal user sends a message to the IDP, and checks the authentication status of the SP with the IDP, where the message includes the authentication result of the SP.
  • after receiving the message, the IDP returns a response that includes an authentication assertion describing the SP authentication status. In this embodiment, the response returned by the IDP indicates that the result of the check is that the SP is a valid SP.
  • the terminal user may further request the service from the SP, that is, the foregoing method further includes:
  • the terminal user initiates a service request to the SP, where the service request includes related operations that the terminal user needs to perform in the SP, for example, the terminal user purchases in the online mall provided by the SP.
  • the SP queries the corresponding DS for the attribute provider AP corresponding to the terminal user according to the guiding information returned by the IDP in 103.
  • the DS returns an authentication assertion to the SP, where the corresponding AP information, such as the address information of an AP, is included.
  • after receiving the authentication assertion, the SP accesses the corresponding AP according to the AP information, and requests the attribute information of the terminal user.
  • the AP returns the end user's attribute information to the SP, such as the end user's name, gender, age, address, and phone number.
  • after receiving the attribute information of the terminal user, the SP provides the service to the terminal user according to the attribute information.
  • the IDP may also control the network identity authentication of the terminal user according to the SP access authority information sent by the SP, for example by determining whether the SP is allowed to request authentication; if so, it performs network identity authentication on the SP and the terminal user, otherwise it rejects the network identity authentication request sent by the SP.
  • the SP access permission information is usually an SP access control list sent by the terminal user, including the SP trusted by the terminal user and the SP that the terminal user does not trust, and different SPs have different access rights and the like. For example, SP1 can access the end user's name, age, and address, SP2 can access the end user's name and phone number, and more.
  • the IDP can control the SP to obtain the attribute information of the terminal user, thereby providing different services to the terminal user.
  • the IDP can also obtain one-time information of the SP in advance. For example, in 102 the SP sends the request initiation time as one-time information to the IDP in the network identity authentication request; correspondingly, in 103 the IDP can use the obtained one-time information of the SP to encrypt the authentication result obtained by performing network identity authentication on the terminal user, and return the encrypted information to the SP. After receiving the encrypted information, the SP obtains the authentication result by decrypting it.
  • the network identity authentication (two-way authentication) is performed on the terminal user and the SP, and the security of the network identity authentication is improved.
  • a fake SP is prevented from obtaining the user's identity information, which closes the security hole between the end user and the SP.
  • the SP can control the acquisition of the attribute information of the terminal user, thereby providing different services to the terminal user.
  • IDP can avoid replay attacks and further improve the security of network identity authentication.
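The two-way flow of FIG. 1 (steps 101 to 106), the user-supplied SP access control list and the SP's one-time information, modelled in Python as an added example; this is not code from the patent, which specifies no wire format or algorithm. The entity names, keys, message fields and the use of HMAC to prove SP identity and to bind the result to the one-time value are all assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed model of the NI two-way authentication flow. Keys and names are
# sample values for this example only.


def _mac(key: bytes, payload: dict) -> str:
    """Keyed hash over a canonical JSON encoding of payload (assumed scheme)."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


@dataclass
class IdentityProvider:
    idp_key: bytes            # key the IDP uses to sign its assertions
    users: dict               # saved terminal user information: user -> password
    sps: dict                 # saved SP information: sp_id -> shared key
    acl: dict                 # SP access control list: user -> {sp_id: attributes}
    seen_nonces: set = field(default_factory=set)

    def authenticate(self, req: dict) -> dict:
        """Step 103: authenticate both the SP and the terminal user."""
        sp_id, nonce = req["sp_id"], req["nonce"]
        sp_key = self.sps.get(sp_id)
        # Network identity authentication of the SP: unknown SP or bad proof
        if sp_key is None or not hmac.compare_digest(
                req["sp_proof"], _mac(sp_key, {"sp_id": sp_id, "nonce": nonce})):
            return {"status": "rejected", "reason": "sp_auth_failed"}
        # One-time information: a value seen before means a replayed request
        if nonce in self.seen_nonces:
            return {"status": "rejected", "reason": "replay"}
        self.seen_nonces.add(nonce)
        user = req["user"]
        # SP access permission information supplied by the terminal user
        allowed = self.acl.get(user, {}).get(sp_id)
        if allowed is None:
            return {"status": "rejected", "reason": "sp_not_permitted_by_user"}
        user_ok = self.users.get(user) == req["password"]
        result = {
            "user_assertion": {"user": user, "authenticated": user_ok},
            "sp_assertion": {"sp_id": sp_id, "valid": True},
            "attributes_allowed": sorted(allowed),
        }
        result["sp_assertion_sig"] = _mac(self.idp_key, result["sp_assertion"])
        # Bind the result to the SP's one-time value (the patent describes
        # encryption; a MAC under a nonce-derived key is this example's stand-in)
        bound_key = hmac.new(sp_key, nonce.encode(), hashlib.sha256).digest()
        return {"status": "ok", "result": result, "binding": _mac(bound_key, result)}

    def verify_sp_status(self, sp_assertion: dict, sig: str) -> bool:
        """Steps 105/106: the terminal user checks the SP assertion with the IDP."""
        return hmac.compare_digest(sig, _mac(self.idp_key, sp_assertion))


@dataclass
class ServiceProvider:
    sp_id: str
    sp_key: bytes

    def build_request(self, user: str, password: str) -> dict:
        """Step 102: carry the SP's own identity proof and a fresh one-time value."""
        nonce = secrets.token_hex(8)
        return {"sp_id": self.sp_id, "nonce": nonce, "user": user, "password": password,
                "sp_proof": _mac(self.sp_key, {"sp_id": self.sp_id, "nonce": nonce})}

    def check_reply(self, req: dict, reply: dict) -> dict:
        """Step 104: accept the IDP result only if it is bound to our own nonce."""
        if reply["status"] != "ok":
            return reply
        bound_key = hmac.new(self.sp_key, req["nonce"].encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(reply["binding"], _mac(bound_key, reply["result"])):
            return {"status": "rejected", "reason": "binding_mismatch"}
        return reply


def build_demo():
    """Constructed sample IDP and SP inside one circle of trust."""
    idp = IdentityProvider(
        idp_key=b"idp-signing-key",
        users={"alice": "pw-alice"},
        sps={"sp-shop": b"sp-shop-key", "sp-other": b"sp-other-key"},
        acl={"alice": {"sp-shop": {"name", "age", "address"}}},
    )
    return idp, ServiceProvider("sp-shop", b"sp-shop-key")


def run_flow(idp: IdentityProvider, sp: ServiceProvider, user: str, password: str) -> dict:
    """Steps 101-106 end to end; returns what each party learned."""
    req = sp.build_request(user, password)
    reply = sp.check_reply(req, idp.authenticate(req))
    if reply["status"] != "ok":
        return {"status": "rejected", "reason": reply["reason"], "request": req}
    res = reply["result"]
    sp_valid = idp.verify_sp_status(res["sp_assertion"], res["sp_assertion_sig"])
    return {"status": "ok", "user_authenticated": res["user_assertion"]["authenticated"],
            "attributes_allowed": res["attributes_allowed"], "sp_valid": sp_valid,
            "request": req}
```

Re-submitting a captured request with the same one-time value is what the IDP's nonce check rejects, and an SP the user never listed in the access control list is refused before the user is even authenticated.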
  • the embodiment of the present invention further provides a method for seamlessly switching the single sign-on process, which is applied to a web service, including: after the SP requests network identity authentication from the IDP specified by the terminal user and obtains the result that this IDP does not support the authentication, the IDP to which the SP belongs receives the network identity authentication request sent by the terminal user; after the IDP to which the SP belongs performs network identity authentication on the terminal user, the authentication result is returned to the terminal user.
  • the identity provider A is the home IDP of the SP
  • the identity provider B is the IDP (usually the default) specified by the terminal user.
  • the terminal user is in the identity circle of the identity provider A and the identity provider B.
  • the embodiment belongs to the application scenario of the cross-trust circle, and the method specifically includes:
  • the terminal user initiates an authentication request to the SP, where the request carries the authentication information of the terminal user and the identifier information of the IDP specified by the terminal user.
  • the IDP specified by the terminal user is IDP B.
  • after receiving the authentication request, the SP requests the corresponding IDP B, according to the IDP identification information, to perform network identity authentication on the terminal user.
  • after receiving the request sent by the SP, the IDP B performs network identity authentication on the terminal user according to the saved terminal user information, and returns an authentication result to the SP.
  • the authentication result includes an authentication assertion describing the authentication status of the terminal user.
  • since IDP B is not the IDP to which the SP belongs, it does not support network identity authentication for the terminal user on behalf of this SP. Therefore IDP B indicates that it is not the IDP of the SP and that the authentication cannot be completed.
  • the authentication result returned by the IDP may further include: guiding information required by the SP to access the DS of the terminal user.
  • after receiving the authentication result returned by IDP B, the SP sends a response to the terminal user, where the response includes the foregoing authentication result and the information of the IDP to which the SP belongs.
  • the IDP to which the SP belongs is IDP A.
  • after receiving the response from the SP, the terminal user initiates a network identity authentication request to the IDP to which the SP belongs, which in this embodiment is IDP A.
  • after receiving the network identity authentication request, IDP A performs network identity authentication on the terminal user, and returns the authentication result to the terminal user.
  • the authentication result returned by IDP A to the terminal user is NI information, such as the NI identifier, and the terminal user can present this NI identifier instead of re-authenticating with the IDP every time a service is requested.
  • after receiving the authentication result returned by IDP A, the terminal user initiates a service request to the SP, where the service request includes the authentication result returned by IDP A.
  • after receiving the service request sent by the terminal user, the SP checks the authentication result of the terminal user with IDP A, that is, it checks the NI information of the terminal user;
  • after receiving the verification request sent by the SP, IDP A responds to the SP, and the response includes an authentication assertion describing the authentication status of the terminal user, that is, the result of the verification.
  • in this embodiment the terminal user has been authenticated by IDP A, and the verification result states that the end user's NI information is correct.
  • the SP may also obtain, from the IDP A, the guidance information required to access the discovery service DS of the terminal user, that is, the IDP A may carry the guidance information in the response; correspondingly, the foregoing method further includes:
  • after receiving the response returned by IDP A, the SP accesses the corresponding DS according to the guiding information, and requests the information of the attribute provider AP.
  • after receiving the request, the DS returns an authentication assertion to the SP, which includes information about the corresponding AP.
  • the SP accesses the corresponding AP according to the received AP information, and requests to obtain the attribute information of the terminal user.
  • the AP returns a response to the SP, where the response includes attribute information of the terminal user.
  • after receiving the response, the SP responds to the end user and provides services to the end user according to the obtained attribute information of the terminal user.
  • the SP may further carry identifier information in the network identity authentication request, where the identifier information requests that the network identity authentication result of the SP be returned; accordingly, IDP B in 203 performs network identity authentication on the SP according to the identifier information and carries the result of the network identity authentication of the SP in the returned authentication result. This prevents a fake SP from providing services to the end user and causing loss to the end user.
  • This embodiment is applicable to an application scenario in which an SP has an IDP.
  • the terminal user performs network identity authentication with the IDP to which the SP belongs, thereby achieving the goal of seamless handover in the single sign-on process.
  • network identity authentication of the SP through the IDP can identify fake SPs, avoiding the loss of user identity information and closing the security vulnerability between the end user and the SP.
  • This embodiment is similar to the embodiment shown in FIG. 2, and belongs to an application scenario in which the trust circles do not cross. Referring to FIG. 3:
  • the identity provider A is an IDP to which the SP belongs
  • the identity provider B is an IDP specified by the terminal user (usually the default).
  • the end user is in the trust circle of the identity provider B
  • the SP is in the trust circle of the identity provider A
  • since the two trust circles do not cross, the terminal user cannot complete the authentication at the IDP to which the SP belongs.
  • the embodiment of the invention further provides a method for seamlessly switching the single sign-on process, and the method specifically includes:
  • Steps 301 to 306 are the same as 201 to 206 in the embodiment shown in FIG. 2, and details are not described herein again.
  • the authentication result returned by the IDP A to the terminal user in 306 is the result of the authentication failure.
  • the terminal user may further request the IDP B to obtain the boot information required by the SP to access the DS of the terminal user.
  • after receiving the request sent by the terminal user, IDP B responds to the terminal user with the boot information required by the SP to access the DS.
  • after receiving the response returned by IDP B, the terminal user initiates a service authentication request to the SP, including the terminal user information, the password information and the like, and may also carry the foregoing guiding information.
  • after receiving the service authentication request of the terminal user, the SP accesses the corresponding DS according to the guiding information, and requests the attribute provider AP corresponding to the terminal user.
  • after receiving the SP request, the DS returns an authentication assertion to the SP, which includes the AP information, such as the address information of an AP.
  • after receiving the authentication assertion, the SP accesses the corresponding AP according to the AP information, and requests the attribute information of the terminal user.
  • the AP returns the end user's attribute information to the SP, such as the end user's name, gender, age, address, and phone number.
  • after receiving the attribute information of the terminal user, the SP provides the service to the terminal user according to the attribute information.
  • the SP may further carry identifier information in the network identity authentication request, where the identifier information requests that the network identity authentication result of the SP be returned; accordingly, IDP B or IDP A performs network identity authentication on the SP according to the identifier information and carries the result of the network identity authentication of the SP in the returned authentication result, so that a fake SP can be prevented from providing services to the terminal user and causing loss to the terminal user.
  • the present embodiment is applicable to an application scenario in which an IDP to which an SP belongs is not an IDP to which the terminal user belongs.
  • service authentication of the terminal user is performed by the SP, which achieves the purpose of seamless switching during the single sign-on process.
  • service interruption during the handover, which would bring losses to the end user, is avoided.
  • network identity authentication of the SP through the IDP can identify the fake SP, avoiding the loss of the user's identity information and the like, and closing the security vulnerability between the end user and the SP.
  • the embodiment of the present invention further provides a method for seamlessly switching the single sign-on process, applied to a web service, including: when the SP has no IDP to which it belongs, the SP receives a service authentication request sent by the terminal user, authenticates the terminal user, and returns the authentication result to the end user.
  • the identity provider specifies the IDP (usually the default) for the terminal user, the end user is in the identity provider's trust circle, and the SP has no assigned IDP.
  • this embodiment belongs to the application scenario of switching between a trust circle and an untrusted circle; the method specifically includes:
  • the end user initiates a service request to the SP.
  • after receiving the service request, the SP finds that it does not have a home IDP, that is, it does not support IDP authentication, and returns a response to the terminal user requesting the user to perform authentication.
  • before 401 or 402, the terminal user may request from the IDP the guiding information required for the SP to access the terminal user's DS, for example in 401'; accordingly, after receiving the request, the IDP replies to the terminal user with the guiding information required for the SP to access the terminal user's DS, for example in 402'.
  • after receiving the response from the SP, the terminal user initiates a service authentication request to the SP, including the terminal user information, the password information, and the like; the request may further include the foregoing guiding information.
  • after receiving the service authentication request of the terminal user, the SP performs service authentication on the terminal user. At this point the SP can either return the result of the service authentication to the terminal user directly, or first obtain the attribute information of the terminal user and then return the result of the service authentication. In this embodiment, the SP accesses the corresponding DS according to the foregoing guiding information and requests the AP information corresponding to the end user.
  • the DS returns an authentication assertion to the SP, which includes information about the corresponding AP, such as the address information of an AP.
  • 406: after receiving the authentication assertion, the SP accesses the corresponding AP according to the AP information and requests the attribute information of the terminal user.
  • after receiving the SP request, the AP returns the attribute information of the terminal user to the SP.
  • after receiving the attribute information of the terminal user, the SP returns a response to the terminal user and provides a service to the terminal user according to the attribute information.
  • the embodiment of the present invention further provides a method for improving network identity authentication security, applied to a web service, including: the IDP receives a request for network identity authentication sent by the SP, performs network identity authentication on the terminal user according to the SP access permission information, and returns the authentication result to the SP.
  • the IDP maintains an access control list of SPs, which controls the attribute information of the terminal user that an SP may access.
  • the method includes:
  • the terminal user initiates a network identity authentication request to the IDP, where the request carries the SP access permission information set by the terminal user, which is an access control list of the SP in this embodiment.
  • the list includes two trusted SPs, SP1 and SP2, where SP1 can access the end user's name, age and address, SP2 can access the end user's name and phone number, and so on, as well as an untrusted SP3, which cannot request network identity authentication from the IDP, and so on.
  • after receiving the network identity authentication request, the IDP performs network identity authentication on the terminal user, saves the SP access permission information set by the terminal user, and returns the result of the authentication to the terminal user.
  • 501 and 502 are the process of single sign-on for the end user.
  • the authentication result returned by the IDP to the terminal user is NI information, such as an NI identifier.
  • the terminal user can use the NI identifier each time a service is requested, without re-doing network identity authentication with the IDP; the SP only needs to have the IDP check the NI identifier.
  • after receiving the IDP authentication result, the terminal user initiates a service request to the SP, where the request includes the identity authentication information of the terminal user and the IDP identifier information specified by the terminal user.
  • after receiving the service request, the SP requests, according to the IDP identifier information, that the IDP perform network identity authentication on the terminal user.
  • after receiving the network identity authentication request sent by the SP, the IDP determines, according to the saved access control list of the SP, whether this SP identity is allowed to request authentication; if yes, it performs network identity authentication on the terminal user and returns the authentication result to the SP; otherwise, the network authentication request of the SP is rejected.
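  • As an added worked example (not code from the patent), the following Python models the IDP's decision in 505 against the SP1/SP2/SP3 list described above: the IDP admits a request only from an SP that the terminal user listed with at least one right, and releases only the attributes the user granted to that SP. The attribute names, user identifiers, and the placement of attribute filtering at the IDP (the page does not say which component enforces the per-SP attribute subset) are assumptions of this example.

```python
"""Added example (not from the patent): the IDP-side access control list check of
step 505, using the SP1/SP2/SP3 permissions described in the text. Attribute names
and identifiers are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Set


@dataclass
class AuthDecision:
    allowed: bool
    reason: str
    attributes: Dict[str, object] = field(default_factory=dict)  # released to the SP
    denied: Set[str] = field(default_factory=set)                 # requested, not granted


# The terminal user's SP access permission information, as the IDP saves it in 502.
# SP3 is listed with no rights so the denial is explicit rather than implied by absence.
USER_ACL: Dict[str, Dict[str, FrozenSet[str]]] = {
    "user-1001": {
        "SP1": frozenset({"name", "age", "address"}),
        "SP2": frozenset({"name", "phone"}),
        "SP3": frozenset(),
    }
}

# Constructed stand-in for the attribute data an AP would hold.
USER_ATTRIBUTES: Dict[str, Dict[str, object]] = {
    "user-1001": {"name": "A. User", "age": 34, "address": "1 Example Road",
                  "phone": "+00 000 0000"},
}


def authenticate_for_sp(user_id: str, sp_id: str, requested: Iterable[str],
                        acl=USER_ACL, store=USER_ATTRIBUTES) -> AuthDecision:
    """Step 505: admit the SP only if the user listed it with at least one right,
    then release only the attributes the user granted to that SP (default deny)."""
    requested = set(requested)
    user_acl = acl.get(user_id)
    if user_acl is None:
        return AuthDecision(False, "unknown user", denied=requested)
    permitted = user_acl.get(sp_id, frozenset())
    if not permitted:
        # An untrusted SP (SP3) and an unlisted SP are treated alike: request rejected.
        return AuthDecision(False, f"{sp_id} may not request authentication for {user_id}",
                            denied=requested)
    granted = requested & permitted
    attributes = {k: v for k, v in store.get(user_id, {}).items() if k in granted}
    return AuthDecision(True, "ok", attributes, requested - permitted)


if __name__ == "__main__":
    print(authenticate_for_sp("user-1001", "SP1", ["name", "age", "phone"]))
    print(authenticate_for_sp("user-1001", "SP3", ["name"]))
```

  • Over-requested attributes are reported in `denied` rather than failing the whole request, so the SP still receives the subset the user consented to, and the IDP can log the excess request as a signal.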
  • here the SP is one trusted by the terminal user, so the authentication result is returned to the SP.
  • network identity authentication of the end user by the IDP means that the NI information of the terminal user sent by the SP is checked: the terminal user has already logged into the web service system, so only the end user's network identity needs to be checked at this time, without re-authenticating.
  • the authentication result returned by the IDP may further include the guiding information required by the SP to access the DS of the terminal user.
  • 506: after receiving the authentication result returned by the IDP, the SP accesses the corresponding DS according to the foregoing guiding information and requests the information of the attribute provider AP corresponding to the terminal user.
  • after receiving the request, the DS returns an authentication assertion to the SP, which includes information about the corresponding AP, such as the address information of an AP.
  • after receiving the authentication assertion, the SP accesses the corresponding AP according to the AP information and requests the attribute information of the terminal user.
  • after receiving the request, the AP returns the attribute information of the terminal user to the SP.
  • after receiving the attribute information of the terminal user returned by the AP, the SP returns a response to the terminal user and provides a service to the terminal user according to the attribute information.
  • the SP may also carry identifier information in the network identity authentication request, where the identifier information is used to request the return of the network identity authentication result of the SP; accordingly, in 505 the IDP performs network identity authentication on the SP according to the identifier information and carries the result of the network identity authentication of the SP in the returned authentication result. This prevents a fake SP from providing services to the terminal user and causing loss to the terminal user.
  • the IDP can also obtain one-time information of the SP in advance, for example in 504, where the SP sends the request initiation time as one-time information to the IDP in the network identity authentication request. Accordingly, the IDP can use the acquired SP one-time information to encrypt the authentication result obtained by performing network identity authentication on the terminal user and return the encrypted information to the SP; after receiving the encrypted information, the SP decrypts it to obtain the authentication result.
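  • As an added example (not the patent's code), the following Python shows one way to use the one-time information of 504 so that the encrypted result of 505 cannot be replayed to the SP: the IDP derives per-request encryption and MAC keys from a pre-shared SP/IDP secret and the one-time value, and the SP accepts a result only if it answers a pending, fresh request and its tag verifies. The pre-shared key, the HMAC-based stream cipher (a standard-library stand-in for a real AEAD such as AES-GCM) and the random suffix appended to the timestamp are assumptions of this example and are not stated on the page.

```python
"""Added example (not from the patent): binding the IDP's encrypted authentication
result to the SP's one-time information (step 504) so that a captured result cannot
be replayed to the SP. Assumes an SP/IDP pre-shared key; the HMAC-based cipher is a
stdlib stand-in for a real AEAD such as AES-GCM."""
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional, Tuple


def derive_key(psk: bytes, one_time: str, label: bytes) -> bytes:
    """Per-request key: HMAC-SHA256(psk, label || one_time). Assumed construction."""
    return hmac.new(psk, label + one_time.encode(), hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class ServiceProvider:
    def __init__(self, sp_id: str, psk: bytes):
        self.sp_id, self.psk = sp_id, psk
        self.pending: Dict[str, float] = {}  # one-time info -> request initiation time

    def build_auth_request(self, user_ni: str, now: Optional[float] = None) -> dict:
        """Step 504. The page uses the request initiation time as the one-time value;
        random bytes are appended here so two requests in the same second differ."""
        now = time.time() if now is None else now
        one_time = f"{int(now)}:{os.urandom(8).hex()}"
        self.pending[one_time] = now
        return {"sp": self.sp_id, "ni": user_ni, "one_time": one_time}

    def accept_result(self, response: dict, now: Optional[float] = None,
                      max_age: float = 60.0) -> Tuple[Optional[dict], str]:
        """Decrypt the IDP's result only if it answers a pending, fresh request."""
        now = time.time() if now is None else now
        one_time = response["one_time"]
        issued = self.pending.get(one_time)
        if issued is None:
            return None, "unknown or already used one-time info (replay?)"
        if now - issued > max_age:
            del self.pending[one_time]
            return None, "stale"
        mac_key = derive_key(self.psk, one_time, b"mac")
        expected = hmac.new(mac_key, one_time.encode() + response["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response["tag"]):
            return None, "bad tag"
        del self.pending[one_time]  # a one-time value is consumed exactly once
        plaintext = keystream_xor(derive_key(self.psk, one_time, b"enc"), response["ct"])
        return json.loads(plaintext), "ok"


class IdentityProvider:
    def __init__(self, sp_keys: Dict[str, bytes]):
        self.sp_keys = sp_keys
        self.seen_one_time = set()  # the IDP also refuses to answer a duplicate request

    def handle_auth_request(self, request: dict, user_authenticated: bool,
                            sp_authenticated: bool) -> Optional[dict]:
        """Step 505: encrypt-then-MAC the result under keys bound to the one-time info."""
        one_time = request["one_time"]
        if one_time in self.seen_one_time:
            return None
        self.seen_one_time.add(one_time)
        psk = self.sp_keys[request["sp"]]
        result = {"ni": request["ni"], "user_authenticated": user_authenticated,
                  "sp_authenticated": sp_authenticated}  # SP result, per the identifier flag
        ct = keystream_xor(derive_key(psk, one_time, b"enc"), json.dumps(result).encode())
        tag = hmac.new(derive_key(psk, one_time, b"mac"), one_time.encode() + ct,
                       hashlib.sha256).digest()
        return {"one_time": one_time, "ct": ct, "tag": tag}


def run_exchange() -> dict:
    """Constructed walk-through: normal exchange, replayed result, duplicate request,
    and a result whose ciphertext was altered in transit."""
    psk = b"constructed-shared-secret-for-SP1"
    sp = ServiceProvider("SP1", psk)
    idp = IdentityProvider({"SP1": psk})
    req1 = sp.build_auth_request("ni-user-1001")
    resp1 = idp.handle_auth_request(req1, user_authenticated=True, sp_authenticated=True)
    first = sp.accept_result(resp1)
    replayed = sp.accept_result(resp1)  # the same result delivered a second time
    duplicate_request = idp.handle_auth_request(req1, True, True)
    req2 = sp.build_auth_request("ni-user-1001")
    resp2 = idp.handle_auth_request(req2, True, True)
    altered = dict(resp2)
    altered["ct"] = bytes([resp2["ct"][0] ^ 0x01]) + resp2["ct"][1:]
    tampered = sp.accept_result(altered)
    return {"first": first, "replayed": replayed,
            "duplicate_request": duplicate_request, "tampered": tampered}


if __name__ == "__main__":
    for name, outcome in run_exchange().items():
        print(name, outcome)
```

  • The SP's `pending` table is what turns the one-time value into replay protection: a result that matches no outstanding request, or one already consumed, is rejected before any decryption, and a bare timestamp would not give this guarantee if two requests were issued in the same second, which is why the example appends random bytes.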
  • the SP may delete the terminal user information in the authentication result rather than caching it locally, which greatly reduces the SP's data maintenance and the amount of data it stores, reduces the security exposure and the number of places where end user information is stored, and eliminates the end user's registration process with the SP.
  • an embodiment of the present invention provides an identity provider device, which is applied to a web service, and the device includes: an authentication module 601, configured to perform network identity authentication on an SP and an end user;
  • the sending module 602 is configured to return the authentication result obtained by the authentication module 601 to the SP, where the authentication result includes the network identity authentication result of the terminal user and the network identity authentication result of the SP.
  • FIG. 7 further includes:
  • the first receiving module 603 is configured to receive a network identity authentication request sent by the SP, where the network identity authentication request includes the identity authentication information of the SP and the identity authentication information of the terminal user.
  • the authentication module 601 is specifically configured to perform network identity authentication on the SP and the terminal user according to the identity authentication information of the SP and the identity authentication information of the terminal user after the first receiving module 603 receives the network identity authentication request.
  • the apparatus shown in FIG. 6 further includes:
  • the second receiving module is configured to receive a network identity authentication request sent by the SP, where the network identity authentication request includes the identifier information and the identity authentication information of the terminal user, where the identifier information is used to request the network identity authentication result of the SP to be returned;
  • the authentication module 601 specifically includes:
  • a first authentication unit, configured to perform network identity authentication on the SP;
  • the second authentication unit is configured to perform network identity authentication on the terminal user according to the identity authentication information of the terminal user after the second receiving module 604 receives the network identity authentication request.
  • the apparatus shown in FIG. 6 further includes:
  • the verification module is configured to: after receiving the request from the terminal user to verify the network identity authentication result of the SP, verify the network identity verification result of the SP, and return the verification result to the terminal user.
  • FIG. 7 further includes:
  • the third receiving module 604 is configured to receive a network identity authentication request sent by the SP.
  • the processing module 605 is configured to: after the third receiving module receives the network identity authentication request, determine, according to the SP access permission information in the request, whether the SP is allowed to request authentication, and if yes, trigger the authentication module to work; otherwise, reject the SP request.
  • the apparatus shown in FIG. 6 further includes: an obtaining module, configured to obtain one-time information from the SP;
  • the sending module 602 specifically includes:
  • the encryption unit is configured to encrypt the authentication result obtained by the authentication module according to the one-time information acquired by the obtaining module, and the sending unit is configured to return the encrypted information of the encryption unit to the SP.
  • the network identity authentication (two-way authentication) is performed on the terminal user and the SP, and the security of the network identity authentication is improved.
  • a fake SP is prevented from exposing the user's identity information and causing loss to the user, which closes the security hole between the end user and the SP.
  • replay attacks can be avoided, and the security of the network identity authentication is further improved.
  • an embodiment of the present invention further provides a service provider device, which is applied to a web service, and the device includes: a receiving module 801, configured to receive a service request sent by a terminal user, where the service request includes the identifier information and the identity authentication information of the terminal user, the identifier information being used to request the return of the service provider's network identity authentication result;
  • the sending module 802 is configured to initiate a network identity authentication request to the IDP, and carry the identity information and the identity authentication information of the terminal user in the network identity authentication request.
  • the sending module 802 in the apparatus shown in FIG. 8 specifically includes:
  • the sending unit is configured to initiate a network identity authentication request to the IDP, and carry the identity information, the identity authentication information of the terminal user, and the identity authentication information of the service provider in the network identity authentication request.
  • the transmitting module 802 in the apparatus shown in FIG. 8 further includes:
  • a one-time information sending unit, configured to send one-time information of the service provider to the IDP;
  • the device further includes:
  • the decryption module is configured to perform decryption after the device receives the encrypted information obtained by the IDP according to the one-time information.
  • the identity authentication information of the SP is sent to the IDP to enable the IDP to perform network identity authentication on the SP, thereby improving the security of the network identity authentication.
  • a fake SP is prevented from exposing the identity information of the user and causing loss to the user, which closes the security hole between the end user and the SP.
  • the IDP encrypts the authentication result according to the one-time information, which can avoid replay attacks and further improve the security of the network identity authentication.
  • an embodiment of the present invention further provides an identity provider device, which is applied to a web service, where the identity provider is an identity provider to which the SP belongs, and the device includes:
  • the receiving module 901 is configured to receive a network identity authentication request sent by the terminal user.
  • the authentication module 902 is configured to perform network identity authentication on the terminal user after receiving the network identity authentication request, and return the authentication result to the terminal user.
  • an embodiment of the present invention further provides a service provider device, where the device includes:
  • the receiving module 1001 is configured to receive a service request sent by the terminal user, and is further configured to receive a result that the IDP specified by the terminal user does not support the authentication, and the result indicates that the IDP specified by the terminal user is not an IDP to which the SP belongs;
  • the sending module 1002 is configured to: after the receiving module 1001 receives the service request, initiate a network identity authentication request to the IDP specified by the terminal user, and after the receiving module receives the result, send a response to the terminal user, where the response carries the information of the IDP to which the SP belongs.
  • the receiving module 1001 is further configured to: when the IDP to which the SP belongs is not the IDP to which the terminal user belongs, receive the service authentication request sent by the terminal user;
  • the above device further comprises:
  • the service authentication module 1003 is configured to: after the receiving module 1001 receives the service authentication request, authenticate the terminal user and return an authentication result to the terminal user.
  • an embodiment of the present invention further provides a service provider device, which is applied to a web service, where the service provider does not have an IDP, and the device includes:
  • the receiving module 1201 is configured to receive a service authentication request sent by the terminal user.
  • the service authentication module 1202 is configured to: after the receiving module 1201 receives the service authentication request, authenticate the terminal user and return an authentication result to the terminal user.
  • the receiving module 1201 is further configured to receive a service request sent by the terminal user.
  • the above device further comprises:
  • the sending module 1203 is configured to: after the receiving module 1201 receives the service request, return a response to the terminal user, where the response indicates that the service provider does not have an assigned IDP.
  • an embodiment of the present invention further provides an identity provider device, which is applied to a web service, and the device includes: a receiving module 1401, configured to receive a request for network identity authentication sent by an SP to an end user;
  • the control module 1402 is configured to: after the receiving module 1401 receives the request, determine, according to the preset SP access permission information, whether the SP is allowed to request authentication, and if yes, perform network identity authentication on the terminal user and return the authentication result to the SP; otherwise, reject the SP request.
  • the above apparatus further includes:
  • the encryption processing module 1403 is configured to encrypt the authentication result obtained by the control module according to the one-time information of the SP included in the request received by the receiving module, and return the encrypted information to the SP.
  • an embodiment of the present invention further provides a system for improving network identity authentication security, which is applied to a web service, including an SP device 1601 and an IDP device 1602.
  • the SP device 1601 is configured to receive a service request sent by the terminal user, where the service request includes the identifier information and the identity authentication information of the terminal user, and to initiate a network identity authentication request to the IDP device 1602 carrying the foregoing identifier information and the identity authentication information of the terminal user, the identifier information being used to request the return of the network identity authentication result of the SP;
  • the IDP device 1602 is configured to perform network identity authentication on the SP and, after receiving the network identity authentication request sent by the SP device 1601 that includes the identity authentication information of the terminal user, to perform network identity authentication on the terminal user and return the obtained network identity authentication result of the end user and the network identity authentication result of the SP to the SP device 1601.
  • an embodiment of the present invention further provides a system for seamless switching during the single sign-on process, which is applied to a web service, including an SP device 1701, a first IDP device 1702 designated by the terminal user, and a second IDP device 1703 to which the SP belongs.
  • the SP device 1701 is configured to receive a service request sent by the terminal user, initiate a network identity authentication request to the first IDP device 1702 designated by the terminal user, receive from the first IDP device 1702 a result indicating that the authentication is not supported, and return a response to the terminal user carrying the information of the IDP to which the SP belongs;
  • the first IDP device 1702 is configured to receive a network identity authentication request sent by the SP device 1701, and return a result of not supporting the authentication to the SP device 1701, where the result indicates that the IDP specified by the terminal user is not the IDP to which the SP belongs;
  • the second IDP device 1703 is configured to receive a network identity authentication request sent by the terminal user, perform network identity authentication on the terminal user, and return the authentication result to the terminal user.
  • an embodiment of the present invention further provides a system for improving network identity authentication security, which is applied to a web service, including an SP device 1801 and an IDP device 1802;
  • the SP device 1801 is configured to send a request for network identity authentication to the terminal user to the IDP device, where the request includes the access authority information of the SP;
  • the IDP device 1802 is configured to receive the request for network identity authentication of the terminal user sent by the SP device 1801, perform network identity authentication on the terminal user according to the access permission information, and return the authentication result to the SP device 1801.
  • it will be understood by those skilled in the art that all or part of the steps of the foregoing method embodiments may be implemented by a program instructing related hardware, and the program may be stored in a computer readable storage medium; when executed, the program performs one or a combination of the steps of the method embodiments.
  • each functional unit in each embodiment of the present invention may be integrated into one processing module, or each unit may exist physically separately, or two or more units may be integrated into one module.
  • the above integrated modules can be implemented in the form of hardware or in the form of software functional modules.
  • the integrated modules, if implemented in the form of software functional modules and sold or used as stand-alone products, may also be stored in a computer readable storage medium.
  • the above-mentioned storage medium may be a read only memory, a magnetic disk or an optical disk or the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a method and apparatus for improving the security of network identity authentication, and to a method and apparatus for achieving seamless handover during single sign-on (SSO); it is applied to a web service and belongs to the technical field of communications. By performing network identity authentication for a service provider (SP) and a terminal user, or by controlling network identity authentication according to the access permission information of the SP, the method for improving the security of network identity authentication improves the security of network identity authentication and can control the SP's acquisition of the terminal user's attribute information, thereby allowing the SP to provide different services to the terminal user. By having the identity provider (IDP) to which the SP belongs perform network identity authentication for the terminal user, or by having the SP authenticate the terminal user, the method for achieving seamless handover during single sign-on achieves seamless handover during single sign-on. The apparatuses are an identity provider apparatus and a service provider apparatus.
PCT/CN2009/071463 2008-04-26 2009-04-24 Procédé et appareil pour améliorer la sécurité de l'authentification d'identité de réseau WO2009129753A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2008100948776A CN101567878B (zh) 2008-04-26 2008-04-26 提高网络身份认证安全性的方法
CN200810094877.6 2008-04-26

Publications (1)

Publication Number Publication Date
WO2009129753A1 true WO2009129753A1 (fr) 2009-10-29

Family

ID=41216446

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/071463 WO2009129753A1 (fr) 2008-04-26 2009-04-24 Procédé et appareil pour améliorer la sécurité de l'authentification d'identité de réseau

Country Status (2)

Country Link
CN (2) CN101567878B (fr)
WO (1) WO2009129753A1 (fr)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102215107B (zh) * 2010-04-12 2015-09-16 中兴通讯股份有限公司 一种实现身份管理互操作的方法及系统
CN102238148B (zh) * 2010-04-22 2015-10-21 中兴通讯股份有限公司 身份管理方法及系统
CN101867589B (zh) * 2010-07-21 2012-11-28 深圳大学 一种网络身份认证服务器及其认证方法与系统
US9536074B2 (en) 2011-02-28 2017-01-03 Nokia Technologies Oy Method and apparatus for providing single sign-on for computation closures
CN102413198A (zh) * 2011-09-30 2012-04-11 山东中创软件工程股份有限公司 一种基于安全标记的访问控制方法和相关系统
CN103078834A (zh) * 2011-10-26 2013-05-01 中兴通讯股份有限公司 一种安全连接的方法、系统及网元
CN109040032B (zh) 2013-11-15 2021-02-23 华为终端有限公司 一种网络访问控制方法及装置
US10412585B2 (en) 2015-09-28 2019-09-10 Guangdong Oppo Mobile Telecommunicaions Corp., Ltd. User identity authentication method and device
EP3510514A4 (fr) * 2016-10-18 2020-01-22 Hewlett-Packard Development Company, L.P. Génération d'assertions d'authentification comprenant un score d'assurance
CN109088890A (zh) * 2018-10-18 2018-12-25 国网电子商务有限公司 一种身份认证方法、相关装置及系统
CN110134859B (zh) * 2019-04-02 2021-05-07 中国科学院数据与通信保护研究教育中心 一种个人信息管理方法及系统
CN115333792A (zh) * 2019-12-31 2022-11-11 华为云计算技术有限公司 一种身份认证方法、装置及相关设备

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020116637A1 (en) * 2000-12-21 2002-08-22 General Electric Company Gateway for securely connecting arbitrary devices and service providers
US20040030887A1 (en) * 2002-08-07 2004-02-12 Harrisville-Wolff Carol L. System and method for providing secure communications between clients and service providers
CN1554053A (zh) * 2002-05-20 2004-12-08 服务提供系统和服务提供方法
CN1816822A (zh) * 2003-08-11 2006-08-09 索尼株式会社 验证方法、验证系统和验证服务器

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1705598A3 (fr) * 2005-03-20 2007-03-07 ActivIdentity (Australia) Pty Ltd. Procédé et système de fourniture d'un accès utilisateur à une application sécurisée
CN101051896B (zh) * 2006-04-07 2011-01-05 华为技术有限公司 一种认证方法和系统

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020116637A1 (en) * 2000-12-21 2002-08-22 General Electric Company Gateway for securely connecting arbitrary devices and service providers
CN1554053A (zh) * 2002-05-20 2004-12-08 服务提供系统和服务提供方法
US20040030887A1 (en) * 2002-08-07 2004-02-12 Harrisville-Wolff Carol L. System and method for providing secure communications between clients and service providers
CN1816822A (zh) * 2003-08-11 2006-08-09 索尼株式会社 验证方法、验证系统和验证服务器

Also Published As

Publication number Publication date
CN102739664B (zh) 2016-03-30
CN102739664A (zh) 2012-10-17
CN101567878A (zh) 2009-10-28
CN101567878B (zh) 2012-07-25

Similar Documents

Publication Publication Date Title
US10397239B2 (en) Secure access to cloud-based services
WO2009129753A1 (fr) Procédé et appareil pour améliorer la sécurité de l'authentification d'identité de réseau
US9356928B2 (en) Mechanisms to use network session identifiers for software-as-a-service authentication
EP3462701B1 (fr) Dispositif, son procédé de commande et programme
US9038138B2 (en) Device token protocol for authorization and persistent authentication shared across applications
JP4742903B2 (ja) 分散認証システム及び分散認証方法
EP3308499B1 (fr) Gestion de certificat de fournisseur de services
CN112822675B (zh) 面向MEC环境的基于OAuth2.0的单点登录机制
JP2013138474A (ja) 暗号証拠の再検証に基づく認証委任
KR20160127167A (ko) 다중 팩터 인증 기관
EP2957064B1 (fr) Procédé de preuve de fiabilité du respect de confidentialité entre trois parties qui communiquent
KR20090017962A (ko) 통신 수행 방법 및 그 장치와, 통신 수행 제어 방법 및 그장치
WO2006058493A1 (fr) Procede et systeme d'authentification de domaine et d'autorite de reseau
US20130091355A1 (en) Techniques to Prevent Mapping of Internal Services in a Federated Environment
JP2024501326A (ja) アクセス制御方法、装置、ネットワーク側機器、端末及びブロックチェーンノード
WO2011063658A1 (fr) Procédé et système d'authentification de sécurité unifiée
JP7043480B2 (ja) 情報処理システムと、その制御方法とプログラム
CN113660284B (zh) 一种基于票据的分布式认证方法
WO2012028168A1 (fr) Passerelle de gestion d'identité
CN116366274A (zh) 处理访问控制的装置、方法及系统
Liberty SAML Implementation Guidelines

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09734302

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09734302

Country of ref document: EP

Kind code of ref document: A1