WO2012130035A1 - User authentication and authorization method and implementation system thereof - Google Patents


Info

Publication number
WO2012130035A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
authentication
service server
identity
password
Application number
PCT/CN2012/072224
Other languages
French (fr)
Chinese (zh)
Inventor
王冬梅
Original Assignee
Wang Dongmei
Application filed by Wang Dongmei
Publication of WO2012130035A1 (patent/WO2012130035A1/en)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving a third party or a trusted authority
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102 Entity profiles

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a method for user authentication and authorization and an implementation system thereof.
  • A service provider generally has its own authentication and authorization center responsible for managing the subscription information of users in its network. After the user signs a subscription contract, the authentication and authorization center saves the user's subscription information.
  • The service server performs user authentication through the authentication and authorization center, and authorizes the user according to the subscription information.
  • When providing an online business hall service, a telecom operator generally authenticates a user as legitimate using mobile phone number + mobile phone random password, or mobile phone number + service password, or mobile phone number + mobile phone random password + service password.
  • The common method is the login mode of mobile phone number + mobile phone random password.
  • Step 1: After the user enters the service provider's URL at the client 10, the client obtains the login interface from the service server 20, which asks for the user's mobile phone number and random SMS password. The interface also has a button for requesting the random SMS password.
  • Step 2: The user enters his mobile phone number on the login interface of the client 10 and clicks the random SMS password request button.
  • Step 3: The client 10 then sends a random password request message to the service server of the service provider in the network.
  • The message contains the user's own mobile phone number.
  • Step 4: The service provider's service server 20 generates a random password for the user's mobile phone number, saves it, and sends it to the user's mobile phone by short message.
  • Step 5: The user reads the short message on his own mobile phone, enters the random password it contains into the login interface, and clicks the login button to send a login request to the service server.
  • The login request contains the mobile phone number and the random password.
  • Step 6: The service server 20, through its subscription database and authentication center 30, compares the received random password with the saved random password. If they are the same, the user identity is considered legal; otherwise it is considered illegal. If the user identity is legal, the service server 20 sends a service access response to the user's client 10.
  • With the above network user authentication method, whoever has the user's mobile phone can use the service provided by the network service provider. If the user's mobile phone is lost, stolen or not carried, the person using it may not be the user himself, so the user's services and information cannot be effectively protected.
  • The technical problem to be solved by the present invention is to provide a method for user authentication and authorization and an implementation system thereof that overcome the defects described in the background art and can effectively protect the security of user information and network services.
  • The present invention provides a method of user authentication and authorization, the method comprising:
  • The client initiates a service access request that includes user identity information, for example a username, an account name or a user ID.
  • The service server determines from the user identity information whether the user is a subscription user, and if so selects the communication mode of at least one social relationship user from the user's subscription information, such as the social relationship user's mobile phone number, email address, landline phone or instant message account.
  • That communication mode is used as the authentication end;
  • The service server determines the legality of the user identity according to the information provided by the authentication end;
  • The service server authorizes the user and performs the corresponding service access response.
  • The service server determining the legality of the identity of the client according to the information provided by the authentication end includes:
  • the service server sends a user identity authentication and authorization query to the authentication end;
  • the authentication end replies to the service server with the result of the query;
  • the service server processes the query result returned by the authentication end and determines whether the identity of the client is legal.
  • Alternatively, the service server determining the legality of the identity of the client according to the information provided by the authentication end includes:
  • the service server examines the received service access request; if the request includes the client's password or feature string, the service server waits for the authentication end to send an authentication message;
  • the authentication end submits to the service server the authentication password or feature string negotiated with the client in advance;
  • the service server compares the password or feature string sent by the client with the authentication password or feature string submitted by the authentication end; if they match, the client is considered legal, otherwise illegal.
  • Alternatively, the service server determining the legality of the identity of the client according to the information provided by the authentication end includes:
  • the service server selects a feature string or generates a random password, sends it to the client, and sends a user identity authentication and authorization query to the authentication end;
  • the client sends the received feature string or random password to the authentication end;
  • the service server examines the query result returned by the authentication end; if it contains the feature string or random password that the service server sent to the client, the identity of the client is considered legal, otherwise illegal.
  • Alternatively, the service server determining the legality of the identity of the client according to the information provided by the authentication end includes:
  • the service server selects a feature string or generates a random password and sends it to the authentication end;
  • the authentication end sends the feature string or random password to the client;
  • the client sends the feature string or random password to the service server; if what the service server receives from the client matches what it sent to the authentication end, the user identity is considered legal, otherwise illegal.
  • The present invention also provides a system for implementing user authentication and authorization, the system comprising: the client, the service server, and, as the authentication end, the communication mode of at least one social relationship user (such as the social relationship user's mobile phone number, e-mail address, fixed telephone or instant message account) selected from the information the user left when subscribing to the service.
  • When the user initiates a service access request, the service server judges from the user's information whether the user is a subscription user; if so, the communication mode of at least one social relationship user is selected from the user subscription information as the authentication end, and the legality of the user identity is determined according to the information provided by the authentication end.
  • If the identity is legal, the service server authorizes the client and performs the corresponding service access response.
  • The service server determining the legality of the identity of the client according to the information provided by the authentication end includes:
  • the service server sends a user identity authentication and authorization query to the authentication end;
  • the authentication end replies to the service server with the result of the query, for example by IVR: the service server prompts the user at the authentication end to press a key to confirm (for example, pressing '1' means confirming authorization and pressing '2' means rejecting authorization);
  • the service server processes the query result returned by the authentication end and determines whether the identity of the client is legal.
  • In the present invention, the communication address of at least one social relationship user, taken from the information the user left when subscribing to the service, is selected as the authentication end, and the service server judges the legality of the client according to the information provided by that authentication end.
  • FIG. 1 is a schematic flowchart of a user authentication and authorization method in the prior art.
  • FIG. 2 is a schematic structural diagram of a user authentication and authorization system in the prior art.
  • FIG. 3 is a schematic flowchart of a method for user authentication and authorization according to the present invention.
  • FIG. 4 is a schematic diagram of a system structure for implementing user authentication and authorization according to the present invention.
  • FIG. 5 is a schematic structural diagram of the process of Embodiment 1 of the present invention.
  • FIG. 6 is a schematic structural diagram of the process of Embodiment 2 of the present invention.
  • FIG. 7 is a schematic structural diagram of Embodiment 3 of the present invention.
  • FIG. 8 is a schematic structural diagram of Embodiment 4 of the present invention.
  • This embodiment provides a method for user authentication and authorization and an implementation system thereof.
  • The system includes a client 40, a service server 50, and, as the authentication end 60, the communication address of at least one social relationship user (such as that user's mobile phone number, email address, fixed telephone or instant message account) selected from the social relationship information, such as friends and relatives, that the user left when subscribing to the service.
  • The authentication end 60 may be one communication mode of one social relationship user left by the user at subscription time, or several communication modes of several social relationship users left at subscription time (for example a mobile phone number and an email address at the same time); FIG. 4 shows these as social relationship authentication end 1 through social relationship authentication end n.
  • Authentication of different strength can be used for different levels of user authorization.
  • Step 1: The user sends a service access request from the client 40 to the service server 50, indicating that the user wants to use the services and applications provided by the service server; the request information includes the user identity information;
  • Step 2: The service server 50 checks from the user identity information whether the user is a subscription user;
  • Step 3: If the user is a subscription user, the communication mode of at least one social relationship user is selected from the subscription information as the authentication end for authentication;
  • Step 4: The service server 50 determines the legality of the identity of the client 40 according to the information provided by each authentication end 60;
  • Step 5: If the identity of the client is legal, the service server 50 authorizes the client 40 and performs the corresponding service access response; that is, the client 40 is allowed to access the service server and use the services and applications it provides. Otherwise, the client is not allowed to access the service server.
  • Each authentication end 60 may also provide authorization information to the service server 50; the service server 50 combines the authentication and authorization information provided by the authentication ends and determines the authorization level granted to the client 40.
  • The service server 50 may also update the user's social relationship information, such as friends and relatives, from third-party business application information such as a network address book.
  • The service server 50 may give different authentication ends different weights; for example, some authentication ends may be given a one-vote veto.
  • The client may also specify in the service access request which social relationships are to be used for this authentication.
  • The user identity information in the service access request may be information such as a username, an account name or a user ID.
  • After authentication, a notification may be sent to the authentication end informing it of the final result of the authentication and authorization.
  • How the service server 50 determines the legality of the client's identity from the information provided by the authentication end is described in the following four embodiments.
  • Embodiment 1: The service server sends a user identity authentication and authorization query directly to the authentication end of at least one selected social relationship user, for example that user's mobile phone, and the authentication end returns the result of the query directly to the service server.
  • The service server processes the query results to reach the user authentication conclusion. For example, if more than half of the authentication ends reply that the user is authenticated, the service server passes the user's authentication and authorization; otherwise the authentication and authorization fail.
  • The service server may also treat the authentication end's feedback as passed by default; in that case the service server only sends a notification to the authentication end, informing it that the user has initiated a service request. After the service server obtains the authentication and authorization conclusion, it makes a service access response to the client.
  • For example, when an existing bank card user needs to reset the bank card account password for a reason of his own, the user generally operates on a teller machine with the password, or performs user authentication on the network with a token card + username/password.
  • If the user has forgotten his own password, the user must go to the bank counter in person, present the original ID card, and submit the ID card and other information to have the password changed, and the bank takes about a week to verify the user's identity before the user can confirm whether the password change succeeded.
  • With the present invention, the bank server sends a user identity authentication and authorization query directly to the authentication end (for example the mobile phone) of at least one selected social relationship user; that is, the bank automatically notifies the user's relatives and friends, who verify and confirm the legality of the identity of the user who submitted the operation request.
  • If they confirm, the bank allows the user to reset the password, eliminating the need for the user to go to the business hall in person, submit personal data and wait a week for confirmation, which makes the bank password reset service fast and secure.
  • Specifically: when a user opens an account with a bank, he obtains a bank account number and leaves his own contact number, and also leaves the contact mobile number or EMAIL address of at least one of his friends or relatives.
  • When the user forgets the password of his account and needs to reset it, the user sends a mobile phone message to the bank's service server containing: user name, the user's bank account number, the operation instruction (request to reset the password), the new password, and a remark (e.g. "I am Wang Er, the password is forgotten, need to be reset").
  • The bank's service server sends an SMS and/or EMAIL to the 2 friends and relatives registered by the user, asking them to check whether the password reset request was made by Wang Er.
  • The text message includes the user name, bank account number, requested operation and remark, for example: "User 'Wang Er' has applied to reset the password of bank account 'XXXX', please check. Reply 1 to confirm as a legitimate user, reply 2 to confirm as an illegal operation. Remark: 'I am Wang Er, the password is forgotten and needs to be reset.'"
  • The two friends and relatives of the user each verify Wang Er's business operation request and reply to the bank's inquiry by SMS and/or EMAIL, confirming whether the user who initiated the business request is the user himself.
  • The bank's service server confirms whether the user is legitimate based on the responses of the two friends and relatives. If so, the password reset operation is performed; otherwise the user's business operation request is rejected.
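The query-and-tally logic of Embodiment 1 and the bank example above, as an added Python simulation that is not code from the patent: the service server looks up the subscriber's registered relatives, builds a query carrying the supplementary information (time, IP, terminal type, remark), tallies the '1'/'2' replies with per-end weights and a one-vote veto, and notifies each end of the result. The subscriber names and contacts, the weights, and the "more than half of the total weight" rule are constructed assumptions.

```python
import time

class AuthEnd:
    """One social-relationship authentication end chosen from the subscription record."""
    def __init__(self, name, contact, weight=1, veto=False):
        self.name = name        # relative or friend, as registered at subscription time
        self.contact = contact  # mobile number or email used to reach them
        self.weight = weight    # weighted vote (the page allows different weights per end)
        self.veto = veto        # a "one-vote veto" end: its rejection alone fails authentication

# Constructed subscription database (assumed sample data): user identity -> authentication ends.
SUBSCRIBERS = {
    "wang_er": [
        AuthEnd("Zhang San", "+86-130-0000-0001"),
        AuthEnd("Li Si", "li.si@example.com"),
        AuthEnd("Wang Mu", "+86-130-0000-0003", weight=2, veto=True),
    ],
}

def select_auth_ends(user, requested=None):
    """Look up the subscriber; optionally honour the client's choice of which relations to use."""
    ends = SUBSCRIBERS.get(user)
    if not ends:
        return None                          # not a subscription user: no authentication end
    if requested:
        ends = [e for e in ends if e.name in requested]
    return ends or None

def build_query(user, request, end):
    """The identity authentication and authorization query sent to one authentication end,
    with supplementary information so the relative can judge whether the request is genuine."""
    when = time.strftime("%Y-%m-%d %H:%M", time.gmtime(request["ts"]))
    return (f"To {end.contact}: user '{user}' requests: {request['operation']}. "
            f"Time {when} UTC, IP {request['ip']}, terminal {request['terminal']}. "
            f"Remark: {request.get('remark', '')}. "
            f"Reply 1 to confirm as a legitimate user, 2 to reject.")

def tally(ends, replies):
    """Combine the query results: a veto end replying '2' fails outright; otherwise the weighted
    confirmations must exceed half of the total weight. A missing reply counts as not confirmed."""
    total = sum(e.weight for e in ends)
    confirmed = 0
    for e in ends:
        reply = replies.get(e.contact)
        if reply == "2" and e.veto:
            return False, f"rejected: veto by {e.name}"
        if reply == "1":
            confirmed += e.weight
    if confirmed * 2 > total:
        return True, f"confirmed: {confirmed}/{total} weighted votes"
    return False, f"rejected: {confirmed}/{total} weighted votes"

def authenticate(user, request, replies, requested=None):
    """Server-side flow for one service access request. `replies` stands in for the SMS/IVR
    answers (contact -> '1' or '2'; absent = no answer). Returns (ok, reason, queries, notices)."""
    ends = select_auth_ends(user, requested)
    if ends is None:
        return False, "not a subscription user", [], []
    queries = [build_query(user, request, e) for e in ends]   # these would be sent out here
    ok, reason = tally(ends, replies)
    # After the conclusion is drawn, each authentication end is told the final result.
    verdict = "approved" if ok else "denied"
    notices = [f"To {e.contact}: request by '{user}' {verdict}" for e in ends]
    return ok, reason, queries, notices

if __name__ == "__main__":
    req = {"operation": "reset account password", "ts": 1331000000, "ip": "203.0.113.7",
           "terminal": "mobile app", "remark": "I am Wang Er, the password is forgotten"}
    print(authenticate("wang_er", req, {"+86-130-0000-0001": "1", "+86-130-0000-0003": "1"}))
```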
  • Embodiment 2: The service server checks from the user identity information whether the user is a subscription user and, if so, selects the communication mode of at least one social relationship user from the subscription information as the authentication end. The service server then examines the received service access request: if the request includes the user's own password or feature string, the service server waits for the authentication end to send an authentication message; the authentication end submits to the service server the authentication password or feature string negotiated with the client in advance; the service server compares the password or feature string sent by the client with the authentication password or feature string submitted by the authentication end, and if they match, the client's identity is considered legal, otherwise illegal.
  • The password or feature string submitted by the authentication end and the one submitted by the user may be the same or different.
  • The authentication end may submit its password or feature string before the user sends the service access request, so that the server can authenticate the user quickly.
  • Embodiment 3: The service server checks from the user identity information whether the user is a subscription user and, if so, selects the communication mode of at least one social relationship user from the subscription information as the authentication end. The service server then selects a feature string or generates a random password, sends it to the client, and sends a user identity authentication and authorization query to the authentication end; the client sends the received feature string or random password to the authentication end; the service server examines the query result returned by the authentication end, and if it includes the feature string or random password that the service server sent to the client, the user identity is considered legal, otherwise illegal.
  • The feature strings or random passwords used for different authentication ends may be the same or different.
  • Embodiment 4: The service server checks from the user identity information whether the user is a subscription user and, if so, selects the communication mode of at least one social relationship user from the subscription information as the authentication end. The service server then selects a feature string or generates a random password and sends it to the authentication end; the authentication end sends the feature string or random password to the client; the client sends it to the service server, and if the feature string or random password the service server receives from the client matches what the service server sent to the authentication end, the user identity is considered legal, otherwise illegal.
  • The feature strings or random passwords used for different authentication ends may be the same or different.
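Embodiments 3 and 4, as an added simulation that is not code from the patent: the service server issues a distinct random password per authentication end and the same matching step accepts it whether the client relayed it to the relative (Embodiment 3) or the relative relayed it to the client (Embodiment 4). The contacts, the 6-digit format, the single-use rule, the constant-time comparison and the 300-second lifetime are assumptions; the page fixes none of them.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 300   # seconds; assumed lifetime of an issued password

class ServiceServer:
    """Service-server side of Embodiments 3 and 4: one random password per authentication end,
    matched once, within its lifetime, regardless of which party relayed it."""

    def __init__(self, subscribers, clock=time.time):
        self.subscribers = subscribers   # user -> list of authentication-end contacts
        self.clock = clock               # injectable clock so expiry can be tested
        self.pending = {}                # (user, contact) -> (password, expires_at)

    def issue(self, user):
        """Generate a random 6-digit password for each selected authentication end (the page
        allows the passwords for different ends to differ). Returns contact -> password, or None."""
        ends = self.subscribers.get(user)
        if not ends:
            return None                  # not a subscription user
        issued = {}
        for contact in ends:
            pw = f"{secrets.randbelow(10**6):06d}"
            self.pending[(user, contact)] = (pw, self.clock() + CHALLENGE_TTL)
            issued[contact] = pw
        return issued

    def check(self, user, contact, presented):
        """Match a presented password against the one issued for (user, contact):
        single use (popped on first check), time-limited, constant-time comparison."""
        entry = self.pending.pop((user, contact), None)
        if entry is None or presented is None:
            return False
        pw, expires_at = entry
        if self.clock() > expires_at:
            return False
        return hmac.compare_digest(pw, presented)

    def decide(self, user, results):
        """The client is legal only if every selected authentication end's password matched."""
        ends = self.subscribers.get(user) or []
        return bool(ends) and all(results.get(c, False) for c in ends)

def embodiment3(server, user, client_relay):
    """Server -> client -> authentication end -> server. `client_relay(contact, pw)` models what
    the client manages to hand to each relative (None if the relative cannot be reached)."""
    issued = server.issue(user)          # passwords go to the client
    if issued is None:
        return False
    results = {}
    for contact, pw in issued.items():
        received_by_relative = client_relay(contact, pw)
        # the authentication end answers the server's query with whatever it received
        results[contact] = server.check(user, contact, received_by_relative)
    return server.decide(user, results)

def embodiment4(server, user, relative_relay):
    """Server -> authentication end -> client -> server: same matching, opposite relay direction.
    `relative_relay(contact, pw)` models what each relative passes on to the user."""
    issued = server.issue(user)          # passwords go to the authentication ends
    if issued is None:
        return False
    results = {}
    for contact, pw in issued.items():
        received_by_client = relative_relay(contact, pw)
        # the client submits to the server what the relative passed on
        results[contact] = server.check(user, contact, received_by_client)
    return server.decide(user, results)

# Constructed subscription record (assumed sample data): two relatives registered for the user.
SUBSCRIBERS = {"wang_er": ["+86-130-0000-0001", "li.si@example.com"]}

if __name__ == "__main__":
    srv = ServiceServer(SUBSCRIBERS)
    print(embodiment3(srv, "wang_er", lambda c, pw: pw))                               # both relatives reached
    print(embodiment4(srv, "wang_er", lambda c, pw: pw if c.startswith("+") else None))  # one relative unreachable
```

A client that only holds the user's own phone cannot complete either flow, because the server matches what the relative received or relayed, not what the client alone knows.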
  • The message sent by the service server to the authentication end may also carry supplementary information, such as the time and location of the service access request, the IP address, the terminal type and descriptive text, to help each authentication end verify the identity of the user.
  • The supplementary information may be taken directly from the service access request message sent by the client to the service server, or may be compiled by the service server from the service access request message and network information.
  • The supplementary information sent to different people may be the same or different.
  • The authentication method based on the authentication end can also be combined with passwords, multi-factor authentication and the like. For example, after the user submits username/password information and passes that authentication, the service server can further select the communication mode of the user's other social relationship users as the authentication end for a further authentication.
  • After the service server draws the final authentication and authorization conclusion, it can also send a notification to the authentication end informing it of the final result.
  • For example, when a telecom operator provides an online business hall service and signs a contract with a user, the user not only leaves his or her own mobile phone number and/or e-mail, but also the mobile phone number, e-mail, instant message account or fixed telephone of at least one relative or friend.
  • This embodiment is described taking the mobile phone number as an example.
  • When the user logs in to the online business hall, the user must enter his own mobile phone number and random password, and must also enter the mobile phone number of a relative or friend in order to obtain the random SMS password and the relative-friend authentication password.
  • The mobile phone number of at least one relative or friend is registered in the subscription contract.
  • After the user enters the service provider's web address at the client, the client obtains the login interface from the service server, which asks for the user's mobile phone number, the random SMS password and the relative-friend authentication password; the interface also has a button for requesting the random SMS password. The user enters his mobile phone number on the client login interface and clicks the button. The client then sends a random password request message containing the user's own mobile phone number to the service provider's service server in the network. The service server generates a random password for the user's mobile phone number, saves it, and sends it to the user's mobile phone by short message.
  • The service server also retrieves the mobile phone number of the relative or friend registered by the user, generates a random password for that number, saves it, and sends it to the relative or friend's mobile phone by short message as the relative-friend authentication password.
  • The user reads the short message to obtain his own random password, contacts the relative or friend to obtain the relative-friend authentication password, enters both into the login interface, and clicks the login button to send the login request to the service server.
  • The login request contains the mobile phone number, the random password and the relative-friend authentication password.
  • The service server checks the received login request against the random password and the relative-friend authentication password it stored. If both match, the user is legitimate and the login succeeds; otherwise user authentication fails and the login request is rejected.
  • E-commerce operations generally use a mobile phone short message password to verify the legitimacy of the user.
  • The e-commerce service provider sends a random password to the user's mobile phone by text message, and the user submits it through the network to confirm that he is a legitimate user.
  • If the phone is unavailable, the account cannot be accessed or traded. If the user's mobile phone is stolen or the SIM card is cloned, all of the user's account information can be changed, including the contact mobile number used for authentication; in that case, even if the user recovers the mobile phone, the user completely loses the online account. A stolen mobile phone or cloned SIM card thus leads to the leakage of critical information.
  • With the present invention, the user's legitimacy is still verified with a random password sent by the existing mobile phone short message, but when the user needs to query or modify key sensitive information such as account information, transaction limit control or the mobile phone number used for transaction confirmation, the e-commerce service provider automatically informs the user's relatives and friends by SMS, MMS or the like, and the relatives and friends verify and confirm that the user making the request is legitimate. Only after confirmation does the e-commerce service provider allow the user to query and modify the key sensitive information of the account.
  • The specific implementation process is as follows: when the user opens the e-commerce service, in addition to his own mobile phone number, the user registers the information of two relatives or friends and leaves their mobile phone numbers. When the user operates on his own client, he logs in to the account and obtains daily transaction rights by means of a random password; this permission does not allow querying or modifying the user's account profile information.
  • When the user clicks the 'acquire relatives and friends authentication passwords' button on the client, the client sends a request message for the relative-friend authentication password to the e-commerce service provider's service server.
  • The service server queries the user's account information, obtains the user's relatives and friends information, generates for each relative or friend a random password for querying the user's account data and a random password for modifying the account data, and sends them to the mobile phones of the user's relatives and friends by short message.
  • The user obtains from the two relatives or friends a random password that allows querying the account information, or one that allows modifying it, as the relative-friend authentication password, enters it in the client's login interface and clicks the login button; the client then sends the account login request to the service server.
  • The request message contains the relative-friend authentication password.
  • The service server confirms that the received relative-friend authentication password is correct and accordingly upgrades the user's access rights, allowing the user to query the account profile information, or to query and modify it.
  • The above embodiment can also be applied to the process of authenticating a user who needs a replacement mobile phone SIM card.
  • For example, when a user's mobile phone is stolen or lost, the user generally has to carry his/her ID card and go in person to the telecom operator's business hall to have the SIM card reissued. The telecom operator must devote sufficient resources to reviewing the user's identity and serving the reissue application. The user spends a lot of time and effort because he has to go to the business hall in person. At the same time, because users must carry their own identity documents and have copies made at the telecom operator, the risk of personal identity data leakage is objectively increased.
  • SIM card When the method and system provided by the embodiment are used, it is only necessary to fill in a list of key social relationships such as contact numbers of friends and relatives in the account opening application of the telecommunication service when the user opens an account.
  • telecom operators can issue temporary payments like prepaid recharge cards.
  • SIM card to the retail store.
  • the temporary SIM card is only allowed to dial the special service number of the telecommunications carrier. After the user’s mobile phone is stolen or lost, he only needs to purchase a temporary SIM card at any retail store.
  • SIM calls the special service number, requests the temporary SIM card as the replacement card of the original phone number, and leaves a message 'I am XXX If the mobile phone is lost, you need to reissue the card.
  • the telecom operator notifies the user's relatives and friends through SMS, MMS, voicemail, etc., and verifies that the user confirms the legitimate user number of the original phone number, and confirms that the user has successfully completed the card.
  • the temporary SIM thus becomes the replacement card for the original telephone number.
  • the above embodiments can also be applied in the process of key information access control.
  • a company's key information assets are generally strictly protected to limit access by unrelated people.
  • the usual practice is for a company to establish a dedicated approval electronic stream and user group, to approve who has access to key information assets through electronic flow auditing, and to add people who have access and no access to different user groups. Only employees belonging to a specific user group can pass the enterprise IT The system accesses these key information assets.
  • the workload of managing these key information assets is very high because of the loss or replenishment of corporate personnel, the changing role of the participants, the mistakes of the staff responsible for deleting the members of the user group, and the fact that the enterprise does not allow access anytime, anywhere.
  • the enterprise employee can pass the enterprise at any time.
  • IT The network applies to read key information assets without the electronic flow approval process.
  • the management personnel are used as the authentication end, and the request for accessing the key information assets is sent to the management personnel of the information assets through SMS, mail, instant message, etc., because the management personnel knows whether the user is a legitimate user, and therefore, the authentication end of the management personnel is confirmed. If the authentication of the user is passed, the key information asset will allow the employee's reading request. It can be seen that the solution does not require electronic flow approval, and does not need to manage various user groups, so that the management of key information assets of the enterprise can timely match the changes of the enterprise.
  • the UE can also specify the scope of the authentication client in the service access request. For example, in the service access request initiated by the user to the service server, the user specifies the authenticator as 'father' and 'wife'. When the service server selects the authentication client for authentication, only the 'father' and 'wife' are selected, and both of them are required to be authenticated at the same time, indicating that the user authentication is passed.
  • the service server can update the social relationship information of the user's relatives and friends according to the third party's business application information such as a network address book.
  • the embodiment of the present invention select at least one social relationship mobile phone user and/or user information left by the user when signing the business service Or the e-mail user is used as the authentication end, and the service server judges the legality of the identity of the user end according to the information provided by the authentication end, overcomes the defects described in the background art, and effectively protects the security of the user information and the network service.
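For the e-commerce embodiment above, the following added example (not the patent's or any operator's code) models the two-tier relatives' passwords: the server issues each registered relative a query code and a modify code, and the session's tier is raised only as far as the codes the relatives actually handed over allow. Assumptions made here: both registered relatives must contribute a code, a batch of codes is single use and expires after `TTL_SECONDS`, the tiers are named transact/query/modify, and the account `wang_er`, its contacts and the phone numbers are constructed.

```python
"""Privilege upgrade through relative-issued one-time passwords, as in the
e-commerce embodiment: a logged-in session holds daily transaction rights only;
the server sends each registered relative a 'query' code and a 'modify' code,
and the tier granted depends on which codes the relatives hand over.
Added example, not the patent's code; tier names, TTL and sample data are assumptions."""
import hmac
import secrets
import time

TTL_SECONDS = 300                        # validity of a batch of codes (assumption)
TIERS = ("transact", "query", "modify")  # ordered from least to most privilege


def rank(tier):
    return TIERS.index(tier)


class Session:
    def __init__(self, user):
        self.user = user
        self.tier = "transact"           # rights after the ordinary random-password login


class EcommerceServer:
    def __init__(self, clock=time.time):
        self.clock = clock               # injectable so expiry can be exercised
        self.accounts = {}               # user -> {"contacts": [...], "profile": {...}}
        self.issued = {}                 # user -> {contact: {"query", "modify", "exp"}}
        self.outbox = []                 # (contact, text): stand-in for the SMS gateway

    def register(self, user, contacts, profile):
        self.accounts[user] = {"contacts": list(contacts), "profile": dict(profile)}

    def request_friend_passwords(self, user):
        """Handles the 'acquire relatives and friends authentication passwords' button."""
        expires = self.clock() + TTL_SECONDS
        batch = {}
        for contact in self.accounts[user]["contacts"]:
            codes = {"query": secrets.token_hex(3), "modify": secrets.token_hex(3), "exp": expires}
            batch[contact] = codes
            self.outbox.append((contact, f"{user} asks for account access. View-only code "
                                         f"{codes['query']}; change-account code {codes['modify']}."))
        self.issued[user] = batch         # replaces any earlier unused batch

    def upgrade(self, session, submitted):
        """submitted maps contact -> the code the user obtained from that contact.
        Every contact's modify code -> 'modify'; every contact at least the query
        code -> 'query'; any missing, wrong or expired code -> tier unchanged.
        The batch is consumed whatever the outcome, so codes cannot be replayed."""
        batch = self.issued.pop(session.user, None)
        if not batch or any(self.clock() > c["exp"] for c in batch.values()):
            return session.tier
        granted = "modify"
        for contact, codes in batch.items():
            got = submitted.get(contact, "").encode()
            if hmac.compare_digest(got, codes["modify"].encode()):
                continue
            if hmac.compare_digest(got, codes["query"].encode()):
                granted = "query"
            else:
                return session.tier
        if rank(granted) > rank(session.tier):
            session.tier = granted
        return session.tier

    def read_profile(self, session):
        if rank(session.tier) < rank("query"):
            raise PermissionError("profile query needs the relatives' authentication password")
        return dict(self.accounts[session.user]["profile"])

    def change_confirmation_number(self, session, new_number):
        """The transaction-confirmation phone number is key sensitive information."""
        if session.tier != "modify":
            raise PermissionError("changing it needs the relatives' modify passwords")
        self.accounts[session.user]["profile"]["phone"] = new_number


def demo():
    """Walk the flow on constructed data, driving a fake clock to show expiry."""
    now = [1000.0]
    srv = EcommerceServer(clock=lambda: now[0])
    srv.register("wang_er", ["father", "wife"], {"phone": "+86-000-0000-0000"})  # constructed
    s = Session("wang_er")
    out = {"start": s.tier}

    srv.request_friend_passwords("wang_er")
    c = srv.issued["wang_er"]
    mixed = {"father": c["father"]["query"], "wife": c["wife"]["modify"]}
    out["mixed"] = srv.upgrade(s, mixed)          # father gave only the view code -> 'query'
    out["replay"] = srv.upgrade(s, mixed)         # same codes again: batch already consumed

    srv.request_friend_passwords("wang_er")
    c = srv.issued["wang_er"]
    now[0] += TTL_SECONDS + 1                     # batch left unused until it expires
    out["expired"] = srv.upgrade(s, {"father": c["father"]["modify"], "wife": c["wife"]["modify"]})

    srv.request_friend_passwords("wang_er")
    c = srv.issued["wang_er"]
    out["both_modify"] = srv.upgrade(s, {"father": c["father"]["modify"], "wife": c["wife"]["modify"]})
    srv.change_confirmation_number(s, "+86-000-0000-0001")
    out["phone"] = srv.read_profile(s)["phone"]
    return out
```

The design point worth noting is that the relatives, not the server, decide how far the upgrade goes: a relative who hands over only the view code caps the session at query rights even if the other relative released the modify code, and a batch that is replayed or has expired leaves the session at the tier it already had.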

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Provided are a user authentication and authorization method and an implementation system thereof. When the client initiates a service access request, a service server checks, according to the user's identity information, whether the user is a subscriber; if so, the communication mode of at least one social-relation user is selected from the user's subscription information as an authentication end. The service server judges whether the user's identity is legitimate according to the information provided by the authentication end; if it is, the service server authorizes the client and makes the corresponding service access response. By selecting as the authentication end the communication mode of at least one social-relation user from the subscription information the user left when subscribing to the service, and by having the service server judge the legitimacy of the client's identity according to the information provided by the authentication end and authorize the client accordingly, the method and system overcome the stated defects in the background art and effectively guarantee the security of user information and network services.

Description

Method for user authentication and authorization and implementation system thereof
Technical field
The present invention relates to the field of communications technology, and in particular to a method for user authentication and authorization and a system implementing it.
Background
While the spread of network technology has brought users great convenience, it also raises the problems of how to authenticate the legitimacy of a user's identity on the network and how to ensure that the user's services and information are not illegally stolen and used.
As shown in Figure 1 and Figure 2, a service provider generally has within its network an independent authentication and authorization center responsible for managing subscriber information; once a user has signed up, the authentication and authorization center stores the user's subscription information. When the user initiates a service access request, the service server performs user authentication through the authentication and authorization center and authorizes the user according to the subscription information. For example, when a telecom operator provides an online business hall service, it generally authenticates the user as legitimate by mobile phone number + mobile phone random password, mobile phone number + service password, or mobile phone number + mobile phone random password + service password. The most common is the login mode of mobile phone number + mobile phone random password.
Step 1: after the user enters the service provider's URL at client 10, the client obtains from service server 20 a login interface that asks for the user's mobile phone number and a random SMS password. The interface also has a button for obtaining the random SMS.
Step 2: the user enters his mobile phone number on the login interface of client 10 and clicks the button for obtaining the random SMS.
Step 3: client 10 then sends a random-password request message, containing the user's own mobile phone number, to the service provider's service server 20 in the network.
Step 4: the service provider's service server 20 generates a random password for the user's mobile phone number, stores it, and sends it to the user's mobile phone by SMS.
Step 5: the user reads the SMS on his mobile phone, enters the random password into the login interface, and clicks the login button, which sends a login request containing the mobile phone number and its random password to the service server.
Step 6: service server 20 checks the received random password against the stored one through its subscription database and authentication and authorization center 30. If they are the same, the user's identity is considered legitimate; otherwise it is considered illegitimate. If the identity is legitimate, service server 20 sends a service access response to the user's client 10.
With the above network user authentication method, anyone holding the user's mobile phone can use the services provided by the network service provider. If the user's mobile phone is lost, stolen or not carried, the person using it may not be the user himself, so the user's services and information cannot be effectively protected.
Summary of the invention
Accordingly, the technical problem to be solved by the present invention is to provide a method for user authentication and authorization and a system implementing it that overcome the defects described in the background art and can effectively protect the security of user information and network services.
To this end, the present invention provides a method for user authentication and authorization, comprising:
the client initiates a service access request containing user identity information, for example a user name, account name or user ID;
the service server determines from the user identity information whether the user is a subscriber and, if so, selects from the user's subscription information the communication mode of at least one social-relationship user, for example the social-relationship user's mobile phone number, e-mail address, landline telephone or instant messaging, as the authentication end;
the service server judges the legitimacy of the user's identity according to the information provided by the authentication end;
if the user's identity is legitimate, the service server authorizes the client and makes the corresponding service access response.
Here, the service server judging the legitimacy of the client's identity according to the information provided by the authentication end comprises:
the service server sends a user identity authentication and authorization query to the authentication end;
the authentication end replies to the service server with the result of the query;
the service server processes the query results replied by the authentication end and determines whether the client's identity is legitimate.
Alternatively, the service server judging the legitimacy of the client's identity according to the information provided by the authentication end comprises:
the service server examines the received service access request; if the request contains the client's own passphrase or characteristic string, the service server waits for the authentication end to send an authentication message;
the authentication end submits to the service server the authentication-end passphrase or characteristic string it negotiated in advance with the client;
the service server compares the client's own passphrase or characteristic string sent by the client with the authentication-end passphrase or characteristic string submitted by the authentication end; if they match, the client's identity is considered legitimate, otherwise illegitimate.
Alternatively, the service server judging the legitimacy of the client's identity according to the information provided by the authentication end comprises:
the service server selects a characteristic string or generates a random password, sends it to the client, and sends a user identity authentication and authorization query to the authentication end;
the client sends the received characteristic string or randomly generated password to the authentication end;
the service server examines the query result replied by the authentication end; if the result contains the characteristic string or randomly generated password that the service server sent to the client, the client's identity is considered legitimate, otherwise illegitimate.
Alternatively, the service server judging the legitimacy of the client's identity according to the information provided by the authentication end comprises:
the service server selects a characteristic string or generates a random password and sends it to the authentication end;
the authentication end sends the characteristic string or randomly generated password to the client;
the client then sends the characteristic string or randomly generated password to the service server; if the characteristic string or randomly generated password the service server receives from the client matches the information it sent to the authentication end, the client's identity is considered legitimate, otherwise illegitimate.
The present invention also provides a system implementing user authentication and authorization, comprising: a client, a service server, and an authentication end based on the communication mode of at least one social-relationship user left by the client when signing up for the business service, for example the social-relationship user's mobile phone number, e-mail address, landline telephone or instant messaging. When the client initiates a service access request, the service server determines from the user's information whether the user is a subscriber and, if so, selects from the user's subscription information the communication mode of at least one social-relationship user as the authentication end, judges the legitimacy of the user's identity according to the information provided by the authentication end and, if legitimate, authorizes the client and makes the corresponding service access response.
Here, the service server judging the legitimacy of the client's identity according to the information provided by the authentication end comprises:
the service server sends a user identity authentication and authorization query to the authentication end;
the authentication end replies to the service server with the result of the query, for example by IVR, in which the service server prompts the user at the authentication end to confirm by key press (for example, pressing '1' confirms the authorization and pressing '2' refuses it);
the service server processes the query results replied by the authentication end and determines whether the client's identity is legitimate.
Alternatively, the service server judging the legitimacy of the client's identity according to the information provided by the authentication end comprises:
the service server examines the received service access request; if the request contains the client's own passphrase or characteristic string, the service server waits for the authentication end to send an authentication message;
the authentication end submits to the service server the authentication-end passphrase or characteristic string it negotiated in advance with the client;
the service server compares the client's own passphrase or characteristic string sent by the client with the authentication-end passphrase or characteristic string submitted by the authentication end; if they match, the client's identity is considered legitimate, otherwise illegitimate.
Alternatively, the service server judging the legitimacy of the client's identity according to the information provided by the authentication end comprises:
the service server selects a characteristic string or generates a random password, sends it to the client, and sends a user identity authentication and authorization query to the authentication end;
the client sends the received characteristic string or randomly generated password to the authentication end;
the server examines the query result replied by the authentication end; if the result contains the characteristic string or randomly generated password that the service server sent to the client, the client's identity is considered legitimate, otherwise illegitimate.
Alternatively, the service server judging the legitimacy of the client's identity according to the information provided by the authentication end comprises:
the service server selects a characteristic string or generates a random password and sends it to the authentication end;
the authentication end sends the characteristic string or randomly generated password to the client;
the client then sends the characteristic string or randomly generated password to the service server; if the characteristic string or randomly generated password the service server receives from the client matches the information it sent to the authentication end, the client's identity is considered legitimate, otherwise illegitimate.
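The four ways the service server may judge the client's identity, listed above for both the method and the system, are simulated end to end below. This is an added example, not code from the patent: the in-process `Network` standing in for SMS, e-mail or instant messaging, the message texts, the 6-hex-digit code length, the names `wang_er`, `father` and `wife`, and the `ServiceServer` methods are all constructed here. Each mode is run once with a cooperating contact and once with a contact who denies or withholds, which is the case the scheme is meant to catch (someone holding the client's phone without the relatives' backing).

```python
"""Simulation of the four ways the patent's service server can judge a client's
identity from what the authenticating end (a trusted contact) provides.
Added example, not the patent's own code: the in-process 'network', message
texts, code length and the constructed subscription data are assumptions."""
import hmac
import secrets
from collections import defaultdict


class Network:
    """Constructed stand-in for SMS / e-mail / IM: one in-process inbox per party."""
    def __init__(self):
        self.inbox = defaultdict(list)
    def send(self, to, msg):
        self.inbox[to].append(msg)
    def read(self, who):
        return self.inbox[who].pop(0) if self.inbox[who] else None


class ServiceServer:
    def __init__(self, net):
        self.net = net
        self.subscribers = {}  # user -> trusted contacts left at sign-up
        self.issued = {}       # user -> random password awaiting return (modes 3 and 4)

    def subscribe(self, user, contacts):
        self.subscribers[user] = list(contacts)

    def select_authenticators(self, user, scope=None):
        """Steps 2-3: None for a non-subscriber (request refused); otherwise the
        authenticating end, narrowed to the contacts the client named, if any."""
        if user not in self.subscribers:
            return None
        contacts = self.subscribers[user]
        return contacts if scope is None else [c for c in contacts if c in scope]

    def ask(self, contacts, user):
        """Identity and authorization query to each authenticator (modes 1 and 3)."""
        for c in contacts:
            self.net.send(c, f"QUERY {user}: is this request genuine? reply 1=allow 2=deny")

    @staticmethod
    def majority(replies):
        """Mode 1 rule of Embodiment 1: more than half must answer '1'."""
        return sum(r == "1" for r in replies) * 2 > len(replies)

    @staticmethod
    def passwords_match(client_pw, auth_pw):
        """Mode 2: the client's and the authenticator's pre-agreed passphrases must match."""
        return hmac.compare_digest(client_pw.encode(), auth_pw.encode())

    def issue_code(self, user, to):
        """Modes 3 and 4: random password sent to `to` (the client or the authenticator)."""
        code = secrets.token_hex(3)  # 6 hex digits; the length is an assumption
        self.issued[user] = code
        self.net.send(to, code)

    def check_code(self, user, submitted):
        """Consume the outstanding code on first use and compare in constant time."""
        expected = self.issued.pop(user, None)
        return (expected is not None and submitted is not None
                and hmac.compare_digest(expected.encode(), submitted.encode()))


def simulate(mode, honest_contact=True, user="wang_er"):
    """Run one mode end to end with client, server and contacts acting inline.
    honest_contact=False makes the contact deny or withhold, so the mode must fail."""
    net = Network()
    server = ServiceServer(net)
    server.subscribe("wang_er", ["father", "wife"])       # constructed subscription
    contacts = server.select_authenticators(user, scope=["father", "wife"])
    if contacts is None:
        return False                                       # not a subscriber
    if mode == 1:
        server.ask(contacts, user)
        replies = []
        for c in contacts:
            net.read(c)                                    # contact reads the query
            replies.append("1" if honest_contact else "2")
        return server.majority(replies)
    if mode == 2:
        agreed = "sunrise-42"                              # agreed offline by client and contact
        return server.passwords_match(agreed, agreed if honest_contact else "dusk-17")
    if mode == 3:
        server.issue_code(user, to=user)                   # server -> client
        server.ask(contacts[:1], user)                     # server -> authenticator
        net.send(contacts[0], net.read(user))              # client -> authenticator
        net.read(contacts[0])                              # authenticator reads the query
        relayed = net.read(contacts[0])                    # ... then the client's code
        return server.check_code(user, relayed if honest_contact else None)
    if mode == 4:
        server.issue_code(user, to=contacts[0])            # server -> authenticator
        code = net.read(contacts[0])
        if honest_contact:
            net.send(user, code)                           # authenticator -> client
        return server.check_code(user, net.read(user))     # client -> server
    raise ValueError(f"unknown mode {mode}")


def run_all_modes(honest_contact=True):
    return {m: simulate(m, honest_contact) for m in (1, 2, 3, 4)}
```

Mode 1 uses the simple majority rule of Embodiment 1. In modes 3 and 4 the outstanding code is consumed by `check_code` on first use and compared with `hmac.compare_digest`, so a wrong submission cannot be retried against the same code, and the contact's refusal to relay in mode 4 shows up as the client having nothing to submit.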
In the method for user authentication and authorization and its implementation system according to the present invention, the communication address of at least one social-relationship user is selected as the authentication end from the user information left when the user signed up for the business service, and the service server judges the legitimacy of the client's identity according to the information provided by the authentication end. This overcomes the defects described in the background art and effectively protects the security of user information and network services.
Description of the drawings
Figure 1 is a schematic flowchart of a user authentication and authorization method in the prior art;
Figure 2 is a schematic structural diagram of a user authentication and authorization system in the prior art;
Figure 3 is a schematic flowchart of the method for user authentication and authorization according to the present invention;
Figure 4 is a schematic structural diagram of the system implementing user authentication and authorization according to the present invention;
Figure 5 is a schematic flow diagram of Embodiment 1 of the present invention;
Figure 6 is a schematic flow diagram of Embodiment 2 of the present invention;
Figure 7 is a schematic flow diagram of Embodiment 3 of the present invention;
Figure 8 is a schematic flow diagram of Embodiment 4 of the present invention.
Detailed description
The present invention is described in detail below with reference to the accompanying drawings.
As shown in Figures 3 and 4, this embodiment provides a method for user authentication and authorization and a system implementing it. The system comprises a client 40, a service server 50, and, as authentication end 60, the communication address of at least one social-relationship user selected from the social-relationship information, such as relatives and friends, left by the user when signing up for the business service, for example the social-relationship user's mobile phone number, e-mail address, landline telephone or instant messaging. The authentication end 60 may be the communication mode of a single social-relationship user left by the user when signing up for the service, or several communication modes of several social-relationship users, for example a mobile phone number and an e-mail address at the same time; in Figure 4 these are shown as social-relationship authentication end 1, ..., social-relationship authentication end n.
The number and range of social relationships taking part in authentication reflect the strength of the authentication. Authentication of different strengths can be used to reflect different levels of user authorization.
Step 1: at client 40, the user sends a service access request to service server 50, indicating that the user wants to use the services and applications provided by service server 40; the request contains the user's identity information;
Step 2: service server 50 checks from the user identity information whether the user is a subscriber;
Step 3: if the user is a subscriber, the communication mode of at least one social-relationship user is selected from the subscriber information as authentication end 60 for authentication;
Step 4: service server 50 judges the legitimacy of the identity of client 40 according to the information provided by each authentication end 60;
Step 5: if the client's identity is legitimate, service server 50 authorizes client 40 and makes the corresponding service access response, that is, if the user's identity is legitimate, client 40 is allowed to access the service server and use the services and applications the server side provides; otherwise client 40 is not allowed to access the service server.
Optionally, each authentication end 50 may also provide authorization information to service server 60; after combining the authentication and authorization information provided by each authentication end 60, service server 50 determines the authorization level granted to client 40.
Where the user has agreed to it in the subscription, service server 50 may also update the user's social-relationship information, such as relatives and friends, according to a third party's business application information, for example a network address book.
Of course, service server 50 may assign different weights to different authentication ends; for example, some authentication ends may have a one-vote veto or a one-vote pass.
The client may also specify in the service access request which social relationships are to be used for this authentication.
The user identity information in the service access request may be information such as a user name, account name or user ID.
Further, after reaching the final authentication conclusion, service server 50 may send a notification to the authentication end informing it of the final result of the authentication and authorization.
In step 4 above, the way service server 50 judges the legitimacy of the client's identity according to the information provided by authentication end 60 can be described through the following four embodiments.
Embodiment 1
As shown in Figure 5, after the user at the client initiates a service access request to the server, the service server directly sends a user identity authentication and authorization query to the authentication end where at least one selected social-relationship mobile phone user of that user is located, and the authentication end replies directly to the service server with the result of the query. After processing the query results, the service server reaches a conclusion on user authentication; for example, if more than half of the authentication ends reply that authentication passes, the service server treats the user's authentication and authorization as passed, otherwise authentication and authorization fail. In addition, the service server may by default treat the authentication end's feedback as passing the authentication and authorization; in that case the service server only needs to send the authentication end a notification informing it that the user is about to initiate a service request. Having reached its authentication and authorization conclusion, the service server makes the service access response to the client.
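The description leaves open how replies from several authentication ends are combined: the majority rule of this embodiment, the per-end weights with one-vote veto or one-vote pass mentioned earlier, a scope named by the client whose members must all confirm, the notification-only default in which silence counts as approval, and an authorization level derived from the combined result. The following added example (not the patent's code) puts those rules into one decision function; the weights, the one-half threshold, the level names 'none'/'limited'/'full', and the constructed authenticators 'father', 'wife', 'friend' and 'asset_owner' are assumptions.

```python
"""Combining authenticator replies into one decision: per-authenticator weights,
one-vote veto and one-vote pass, a required set that must all approve, the
'silence means approval' default, and an authorization level derived from the
outcome. Added example, not the patent's code; weights, threshold, level names
and the constructed authenticators are assumptions."""
from dataclasses import dataclass

ALLOW, DENY = "1", "2"   # the IVR key presses the description mentions


@dataclass(frozen=True)
class Authenticator:
    name: str
    weight: float = 1.0
    can_veto: bool = False        # a '2' from this contact fails the request outright
    can_pass_alone: bool = False  # a '1' from this contact passes it outright


@dataclass(frozen=True)
class Decision:
    authenticated: bool
    level: str        # 'none', 'limited' or 'full' (names are an assumption)
    reason: str


def decide(authenticators, replies, required=(), threshold=0.5, silence_means_allow=False):
    """replies maps authenticator name -> '1', '2' or None (no answer yet).
    required lists the names that must all approve (the scope a client may put
    in its request). Otherwise approving weight must exceed `threshold` of the total."""
    def vote(a):
        r = replies.get(a.name)
        return ALLOW if r is None and silence_means_allow else r

    for a in authenticators:                      # vetoes are checked before anything else
        if a.can_veto and vote(a) == DENY:
            return Decision(False, "none", f"{a.name} vetoed")
    for a in authenticators:                      # then single-vote passes
        if a.can_pass_alone and vote(a) == ALLOW:
            return Decision(True, "full", f"{a.name} approved alone")
    by_name = {a.name: a for a in authenticators}
    missing = [n for n in required if n not in by_name or vote(by_name[n]) != ALLOW]
    if missing:
        return Decision(False, "none", f"required approvals missing: {missing}")
    total = sum(a.weight for a in authenticators)
    approved = sum(a.weight for a in authenticators if vote(a) == ALLOW)
    if total <= 0 or approved <= threshold * total:
        return Decision(False, "none", f"approval weight {approved}/{total} not above {threshold}")
    level = "full" if approved == total else "limited"   # unanimous vs. merely sufficient
    return Decision(True, level, f"approval weight {approved}/{total}")


# Constructed example: two relatives, the father holding a veto, plus a lighter-weight friend.
FAMILY = (
    Authenticator("father", weight=2, can_veto=True),
    Authenticator("wife", weight=2),
    Authenticator("friend", weight=1),
)


def examples():
    """Scenarios from the description, evaluated on the constructed authenticators."""
    return {
        "all_allow": decide(FAMILY, {"father": ALLOW, "wife": ALLOW, "friend": ALLOW}),
        "father_vetoes": decide(FAMILY, {"father": DENY, "wife": ALLOW, "friend": ALLOW}),
        "wife_silent": decide(FAMILY, {"father": ALLOW, "friend": ALLOW}),
        "scope_not_met": decide(FAMILY, {"father": ALLOW, "friend": ALLOW},
                                required=("father", "wife")),
        "notify_only": decide(FAMILY, {}, silence_means_allow=True),
        "manager_alone": decide((Authenticator("asset_owner", can_pass_alone=True),),
                                {"asset_owner": ALLOW}),
    }
```

With the default `silence_means_allow=False` an unanswered query counts as a non-approval, so a request passes only on the weight of explicit confirmations; the `notify_only` scenario shows the opposite default the description allows, where the server merely informs the relatives and proceeds unless someone objects.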
例如,银行卡账户由于用户原因,需要重置银行卡账户密码时,现有的银行卡用户一般采用口令的方式在柜员机上操作,或采用 Token 卡+用户名 / 口令的方式在网络上进行用户认证。但是,当用户遗忘了自己的口令时,用户必须亲自到银行柜台,核对身份证等原件,并提交身份证复印件等资料信息后方可修改密码,且银行需要通过一周的时间核实用户的身份后才可以确认修改密码是否成功。 For example, when a bank card account needs to reset the bank card account password for the user reason, the existing bank card user generally operates on the teller machine by using a password, or uses a Token card + username / The password method performs user authentication on the network. However, when the user forgets his or her own password, the user must go to the bank counter in person, check the original ID card, and submit the ID card and other information to modify the password, and the bank needs to verify the identity of the user after one week. You can confirm whether the password change is successful.
若采用本实施例所述方法和系统,那么,在用户开户时,填写自己的关键社会关系列表,例如亲友的联系电话,当用户遗忘了自己的银行账户密码时,用户只需要通过电话、邮件、上网、短信等各种方式向银行提出申请,银行业务服务器向选定的该用户的至少一个社会关系 手机用户所在的认证端直接 发送用户身份认证和授权询问银行自动通知该用户的亲友,核实和确认提出操作申请的用户身份的合法性,确认后,银行允许用户重置自己的密码,从而省去了用户需要亲自到营业厅才能够办理该业务,且提交个人资料并等待一周的时间才能够得以确认的过程,使得重置银行密码业务快捷又安全。 If the method and system are used in this embodiment, when the user opens an account, fill in a list of his key social relationships, such as the contact number of the relatives and friends. When the user forgets his bank account password, the user only needs to call or email. , online, SMS, etc. to apply to the bank, the banking server to at least one social relationship of the selected user The authentication end of the mobile phone user is directly Sending user identity authentication and authorization Ask the bank to automatically notify the user's relatives and friends, verify and confirm the legality of the identity of the user who submitted the operation request. After confirmation, the bank allows the user to reset their password, thus eliminating the need for the user to personally go to the business hall. The process of being able to handle the business and submitting personal data and waiting for a week to be confirmed makes the resetting of the bank password service fast and secure.
For example, a user opens an account with a bank and obtains an account number; besides leaving his or her own contact telephone number, the user also leaves the mobile phone number or e-mail address of at least one relative or friend. When the user has forgotten the account password and needs to reset it, the user sends an SMS to the bank's service server containing: the user name, the user's bank account number, the requested operation (reset password), the new password, and a remark (for example: 'This is Wang Er, I forgot my password and need to reset it'). On receiving the reset request, the bank's service server sends a query by SMS and/or e-mail to two of the user's relatives or friends, asking them to verify that the reset request really came from Wang Er. The query contains the user name, the bank account number, the requested operation and the remark, for example: 'User Wang Er requests a password reset for bank account XXXX; please verify. Reply 1 to confirm a legitimate user, reply 2 to report an illegal operation. Remark: This is Wang Er, I forgot my password and need to reset it.' The two relatives or friends each verify Wang Er's request and each reply to the bank's query by SMS and/or e-mail, confirming whether the user who initiated the request is the account holder.
The bank's service server decides from the two replies whether the user is legitimate. If so, it performs the password reset; otherwise it rejects the user's request.
Embodiment 2
As shown in Figure 6, after the user initiates a service access request from the client to the server, the service server checks from the user identity information whether the user is a subscriber. If so, it selects from the subscriber information the communication channel of at least one social-relationship user as the authentication end. The service server then examines the received service access request: if the request contains the client's own password or feature string, the service server waits for an authentication message from the authentication end. The authentication end submits to the service server the authentication-end password or feature string negotiated in advance with the client. The service server checks the client's own password or feature string sent by the client and the authentication-end password or feature string submitted by the authentication end; if they match, the client's identity is deemed legitimate, otherwise not.
The password or feature string submitted by the authentication end and the one submitted by the user may be the same or different. The authentication end may also submit its password or feature string before the user sends the service access request, so that the server can authenticate the user quickly.
Embodiment 3
As shown in Figure 7, after the user initiates a service access request from the client to the server, the service server checks from the user identity information whether the user is a subscriber. If so, it selects from the subscriber information the communication channel of at least one social-relationship user as the authentication end. The service server then selects a feature string or generates a random password, sends it to the client, and sends a user identity authentication and authorization query to the authentication end. The client forwards the received feature string or randomly generated password to the authentication end. The server examines the query result returned by the authentication end: if it contains the feature string or randomly generated password that the service server sent to the client, the client's identity is deemed legitimate, otherwise not.
When there are multiple authentication ends, the feature strings or random passwords used for different authentication ends may be the same or different.
Embodiment 4
As shown in Figure 8, after the user initiates a service access request from the client to the server, the service server checks from the user identity information whether the user is a subscriber. If so, it selects from the subscriber information the communication channel of at least one social-relationship user as the authentication end. The service server then selects a feature string or generates a random password and sends it to the authentication end. The authentication end forwards the feature string or randomly generated password to the client, and the client in turn sends it to the service server. If the feature string or randomly generated password that the service server receives from the client matches what the service server sent to the authentication end, the client's identity is deemed legitimate, otherwise not.
When there are multiple authentication ends, the feature strings or random passwords used for different authentication ends may be the same or different.
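As an added illustration of Embodiments 2, 3 and 4 (this is example code, not code from the patent), the following Python class simulates the service server's checks: a constant-time comparison of the pre-negotiated client and authentication-end passwords (Embodiment 2), and issuing one random password per authentication end that is accepted only once and only within a validity window, whether it comes back through the authentication end's reply (Embodiment 3) or through the client (Embodiment 4). The six-digit code format, the expiry window, the in-memory pending store, the subscriber record layout and the injectable clock are assumptions of this example; delivery by SMS or e-mail is represented by simply returning the codes to the caller.

```python
import hmac
import secrets
import time

CODE_TTL = 300  # seconds a random password stays valid (assumption)


def new_code(n_digits: int = 6) -> str:
    """Random numeric password from the OS CSPRNG (format is an assumption)."""
    return "".join(secrets.choice("0123456789") for _ in range(n_digits))


class ServiceServer:
    def __init__(self, subscribers: dict, clock=time.time):
        # subscribers: user_id -> {"client_pw": str,
        #                          "auth_pw": {auth_id: str},   # Embodiment 2 secrets
        #                          "auth_ends": [auth_id, ...]}  # selected relatives
        self.subscribers = subscribers
        self.clock = clock
        self.pending = {}  # (user_id, auth_id) -> (code, issued_at)

    # --- Embodiment 2: pre-negotiated passwords ---------------------------
    def verify_embodiment2(self, user_id, client_pw, auth_id, auth_pw) -> bool:
        """Both the client's own password and the authentication end's
        password must match what was agreed at subscription time."""
        sub = self.subscribers.get(user_id)
        if sub is None or auth_id not in sub["auth_ends"]:
            return False
        ok_client = hmac.compare_digest(client_pw, sub["client_pw"])
        ok_auth = hmac.compare_digest(auth_pw, sub["auth_pw"].get(auth_id, ""))
        return ok_client and ok_auth

    # --- Embodiments 3 and 4: server-generated random password ------------
    def issue_codes(self, user_id) -> dict:
        """One fresh code per authentication end (they may differ, as the
        text allows). Returns {auth_id: code}; the caller delivers them
        (to the client in Embodiment 3, to the authentication end in 4)."""
        sub = self.subscribers.get(user_id)
        if sub is None:
            return {}
        now = self.clock()
        codes = {}
        for auth_id in sub["auth_ends"]:
            code = new_code()
            self.pending[(user_id, auth_id)] = (code, now)
            codes[auth_id] = code
        return codes

    def verify_code(self, user_id, presented, auth_id=None) -> bool:
        """Accept a code exactly once and only before CODE_TTL expires.

        Embodiment 3: the code arrives in the authentication end's reply,
        so pass auth_id. Embodiment 4: the code arrives from the client,
        which may have received it from any of the authentication ends,
        so auth_id may be omitted.
        """
        keys = [k for k in self.pending
                if k[0] == user_id and (auth_id is None or k[1] == auth_id)]
        for key in keys:
            code, issued = self.pending[key]
            if hmac.compare_digest(code, presented):
                del self.pending[key]  # single use, whether or not it is still fresh
                return self.clock() - issued <= CODE_TTL
        return False
```

Two points the narrative leaves implicit are made explicit here: the random password is consumed on first use, so a code captured in transit is worthless once the legitimate party has presented it, and a code that was never presented is silently discarded when it expires.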
In each of the above embodiments, the message sent by the service server to the authentication end may additionally carry supplementary information, such as the time and place at which the service access request was initiated, the IP address, the terminal type and explanatory text, to help each authentication end verify the user's identity. This supplementary information may come directly from the service access request message that the client sent to the service server, or may be compiled by the service server from the service access request message and network information. When there are multiple authentication ends, the supplementary information sent to different people may be the same or different.
Authentication based on an authentication end can also be combined with passwords, multi-factor authentication and similar methods. For example, after the user has submitted username/password information and passed that check, the service server may further select the communication channel of another of the user's social-relationship users as an authentication end and authenticate again.
After the service server has reached its final authentication and authorization conclusion, it may also send a notification to the authentication end informing it of the final result.
For example, when a telecom operator provides an online service hall and signs a contract with a user, the user must leave not only his or her own mobile phone number and/or e-mail address but also the mobile phone number, e-mail address, instant-messaging contact or landline number of at least one relative or friend; this embodiment is described using a mobile phone number. When the user logs in to the online service hall, the user must enter, besides his or her own mobile phone number and random password, the random SMS password and the relative/friend authentication password obtained through the relative's or friend's mobile phone. Specifically: when signing the contract with the service provider, the user registers the mobile phone number of at least one relative or friend. After the user enters the service provider's web address in the client, the server returns a login page asking for the user's mobile phone number, the random SMS password and the relative/friend authentication password; the page also has a button for requesting the random SMS. The user enters his or her mobile phone number on the login page and clicks that button.
The client then sends a random password request message, containing the user's own mobile phone number, to the service provider's server in the network. The service provider's service server randomly generates a random password for that mobile phone number, stores it, and sends it to the user's phone by SMS. At the same time, the service server looks up the mobile phone number of the relative or friend registered by the user, randomly generates a random password for that number, stores it, and sends it by SMS to the relative's or friend's phone as the relative/friend authentication password. The user reads the random password from his or her own SMS, obtains the relative/friend authentication password by contacting the relative or friend, enters both on the login page and clicks the login button, which sends a login request to the service server. The login request contains the mobile phone number, the random password and the relative/friend authentication password. The service server compares the received login request with the random password and relative/friend authentication password stored on the server; if they are identical, the user is deemed legitimate and the login succeeds; otherwise user authentication fails and the login request is rejected.
The above embodiments can also be applied to protecting the key information of e-commerce accounts. For example, e-commerce operations generally verify a user's legitimacy with a random password sent by SMS: when the user asks to access his or her e-commerce account or to make a transaction, the e-commerce service provider sends a random string to the user's mobile phone by SMS, and the user submits it over the network to confirm that he or she is the legitimate user. When the phone is unavailable, the account can be neither accessed nor used for transactions. When the user's phone is stolen or the SIM card is cloned, all of the user's account information can be changed, including the contact mobile phone number used for authentication, so that even if the user recovers the phone, the online account is lost completely. Moreover, when the user's ID card is lost, stolen or used fraudulently, an illegitimate user can apply for a new SIM card at a telecom service hall, again leading to leakage of key information.
With the method and system of this embodiment, the user only needs to fill in a list of key social relationships, such as the telephone numbers of relatives and friends, in the e-commerce account information table when opening the account. For daily transactions, the user's legitimacy is verified with the existing SMS random password. When the user needs to query or modify key sensitive information such as account details, transaction limit controls or the mobile phone number used for transaction confirmation, the e-commerce service provider automatically notifies the user's relatives or friends by SMS, MMS or similar means; the relatives or friends verify and confirm that the user making the request is legitimate, and after confirmation the e-commerce service provider allows the user to query and modify the account's key sensitive information. The specific procedure is as follows. When activating the e-commerce service, the user registers, besides his or her own mobile phone number, the details and mobile phone numbers of two relatives or friends. When operating the client, the user logs in to the account with a random password and obtains daily transaction rights; this privilege does not allow querying or modifying the user's account details. After the user clicks the 'obtain relative/friend authentication password' button on the client, the client sends a request for the relative/friend authentication password to the e-commerce service provider's service server.
The service server looks up the user's account details to obtain the relatives' or friends' information, generates for each of them a random password for querying the account details and a separate random password for modifying them, and sends these by SMS to the relatives' or friends' phones. The user obtains from the two relatives or friends either the random password that permits querying the account details or the one that permits modifying them, enters it on the client's login page as the relative/friend authentication password and clicks the login button; the client then sends an account login request, containing the relative/friend authentication password, to the server. The service server confirms that the received relative/friend authentication password is correct and accordingly upgrades the user's access rights, allowing the user to query the account details, or to query and modify them.
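Added example (not code from the patent) combining the telecom login and the e-commerce privilege case above: a Python server that grants 'transaction' rights on the user's own SMS random password and upgrades the session to 'query' or 'modify' only after a correct relative/friend authentication password, with a separate single-use code per relative and per privilege level. The level names, the code format, the in-memory stores and the sample phone numbers are assumptions; SMS delivery is represented by returning the codes to the caller.

```python
import hmac
import secrets

# Ordered privilege levels (assumption): each level includes the rights of the ones before it.
LEVELS = ["none", "transaction", "query", "modify"]


def new_code(n_digits: int = 6) -> str:
    return "".join(secrets.choice("0123456789") for _ in range(n_digits))


class AccountServer:
    def __init__(self, accounts: dict):
        # accounts: user's phone -> {"relatives": [relative phone, ...]}
        self.accounts = accounts
        self.own_codes = {}       # phone -> random password sent to the user's own phone
        self.relative_codes = {}  # (phone, relative, level) -> relative/friend authentication password
        self.level = {}           # phone -> current privilege level of the session

    def request_own_code(self, phone):
        """The 'random SMS' button: returns the code to deliver to the user's phone."""
        if phone not in self.accounts:
            return None
        self.own_codes[phone] = new_code()
        return self.own_codes[phone]

    def request_relative_codes(self, phone) -> dict:
        """The 'obtain relative/friend authentication password' button.

        For every registered relative, one code unlocks 'query' and a
        separate code unlocks 'modify'. Returns {(relative, level): code}
        for delivery to the relatives' phones.
        """
        acct = self.accounts.get(phone)
        if acct is None:
            return {}
        out = {}
        for rel in acct["relatives"]:
            for level in ("query", "modify"):
                code = new_code()
                self.relative_codes[(phone, rel, level)] = code
                out[(rel, level)] = code
        return out

    def login(self, phone, own_code) -> str:
        """Own SMS password only: grants daily transaction rights, nothing more."""
        expected = self.own_codes.pop(phone, None)  # single use
        if expected is None or not hmac.compare_digest(expected, own_code):
            self.level[phone] = "none"
        else:
            self.level[phone] = "transaction"
        return self.level[phone]

    def elevate(self, phone, relative, presented) -> str:
        """Upgrade a logged-in session with a relative's code; returns the new level.

        The code is matched against the codes issued for that relative only,
        consumed on success, and never lowers an existing level.
        """
        if self.level.get(phone, "none") == "none":
            return "none"  # must hold transaction rights before elevation
        for level in ("modify", "query"):
            key = (phone, relative, level)
            code = self.relative_codes.get(key)
            if code is not None and hmac.compare_digest(code, presented):
                del self.relative_codes[key]
                if LEVELS.index(level) > LEVELS.index(self.level[phone]):
                    self.level[phone] = level
                break
        return self.level[phone]

    def can(self, phone, action: str) -> bool:
        """Authorization check used by the account-details handlers."""
        return LEVELS.index(self.level.get(phone, "none")) >= LEVELS.index(action)
```

Keeping the two privilege codes distinct per relative means the relative can hand over exactly the right the user asked for, and a code learnt by one party cannot be reused by another, because the server matches it only against that relative's own entries.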
The above embodiments can also be applied to authentication in the process of replacing a mobile phone SIM card. For example, when a user's phone is stolen or lost, the user generally has to bring an identity document and go in person to the telecom operator's service hall to obtain a replacement SIM card. The telecom operator must devote sufficient resources to checking users' identities and handling replacement applications, while users spend a great deal of time and effort on the trip to the service hall. At the same time, because users must bring their identity documents and leave a copy with the operator, the risk of personal identity data leaking objectively increases. With the method and system of this embodiment, the user only needs to fill in a list of key social relationships, such as the telephone numbers of relatives and friends, in the account opening application for the telecom service. The telecom operator can also issue temporary SIM cards to retail shops, in the same way as prepaid top-up cards; such a temporary SIM card is only permitted to call the operator's special service number. After the user's phone is stolen or lost, the user simply buys a temporary SIM card at any retail shop,
calls the special service number with it, requests that the temporary SIM card be made the replacement card for the original telephone number, and leaves a message such as 'This is XXX; my phone is lost and I need a replacement card.' The telecom operator notifies the user's relatives or friends by SMS, MMS, voice message or similar means and, after verifying that the user is confirmed as the legitimate user of the original telephone number, confirms the replacement. The temporary SIM card thereby becomes the replacement card for the original telephone number.
The above embodiments can also be applied to access control for key information. For example, an enterprise's key information assets are generally protected strictly so as to restrict access by unrelated personnel. The usual practice is for the enterprise to set up a dedicated electronic approval workflow and user groups: who may access key information assets is approved through the workflow, and people with and without access rights are placed in different user groups, so that only employees belonging to a particular user group can access these key information assets through the enterprise IT systems. Because staff leave or join, participants' roles change, the staff responsible for adding and removing group members make mistakes, and the enterprise does not permit access at all times and places, the workload of managing these key information assets is large, approval is slow and lengthy, and information may leak because changes in employees' roles are not matched in time. With the method and system of this embodiment, an employee can request to read a key information asset through the enterprise IT network at any time, without an electronic approval workflow.
The managers of the information asset act as the authentication end: a request to read a key information asset is sent to the asset's managers by SMS, e-mail, instant message or similar means. Because the managers know whether the user is legitimate, the authentication end at the managers confirms the user's legitimacy and the corresponding rights, and if the authentication end approves, the key information asset is immediately made readable to that employee. This scheme therefore needs neither electronic approval workflows nor the management of various user groups, so that the management of the enterprise's key information assets keeps pace with changes in the enterprise.
In addition, the client can also specify, in the service access request, the range of authentication clients. For example, in the service access request initiated from the client to the service server, the user specifies the authenticators as 'father' and 'wife'. When selecting authentication clients, the service server then selects only 'father' and 'wife', and requires both to pass authentication before the user's authentication is deemed passed.
With the user's contractual permission, the service server may update the user's social relationship information, such as relatives and friends, from third-party application information such as a network address book.
In summary, the method for user authentication and authorization and the system implementing it according to the embodiments of the present invention select at least one social-relationship mobile phone user and/or e-mail user from the user information left when the user subscribed to the service as an authentication end, and have the service server judge the legitimacy of the client's identity from the information provided by the authentication end. This overcomes the deficiencies described in the background art and effectively safeguards user information and the security of network services.
The above are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (10)

1. A method for user authentication and authorization, characterized in that it comprises:
a client initiating a service access request containing user identity information;
a service server checking, from the user identity information, whether the user is a subscriber and, if so, selecting from the user's subscription information the communication channel of at least one social-relationship user as an authentication end;
the service server judging the legitimacy of the user's identity from the information provided by the authentication end; and
if the user's identity is legitimate, the service server authorizing the client and sending the corresponding service access response.
2. The method according to claim 1, characterized in that the service server judging the legitimacy of the client's identity from the information provided by the authentication end comprises:
the service server sending a user identity authentication and authorization query to the authentication end;
the authentication end replying to the service server with the query result; and
the service server processing the query result returned by the authentication end and judging whether the client's identity is legitimate.
3. The method according to claim 1, characterized in that the service server judging the legitimacy of the client's identity from the information provided by the authentication end comprises:
the service server examining the received service access request and, if the request contains the client's own password or feature string, waiting for an authentication message from the authentication end;
the authentication end submitting to the service server the authentication-end password or feature string negotiated in advance with the client; and
the service server checking the client's own password or feature string sent by the client and the authentication-end password or feature string submitted by the authentication end and, if they match, deeming the client's identity legitimate, otherwise illegitimate.
4. The method according to claim 1, characterized in that the service server judging the legitimacy of the client's identity from the information provided by the authentication end comprises:
the service server selecting a feature string or generating a random password, sending it to the client, and sending a user identity authentication and authorization query to the authentication end;
the client sending the received feature string or randomly generated password to the authentication end; and
the service server examining the query result returned by the authentication end and, if it contains the feature string or randomly generated password that the service server sent to the client, deeming the client's identity legitimate, otherwise illegitimate.
5. The method according to claim 1, characterized in that the service server judging the legitimacy of the client's identity from the information provided by the authentication end comprises:
the service server selecting a feature string or generating a random password and sending it to the authentication end;
the authentication end sending the feature string or randomly generated password to the client; and
the client sending the feature string or randomly generated password on to the service server and, if the feature string or randomly generated password received by the service server from the client matches the information the service server sent to the authentication end, the service server deeming the client's identity legitimate, otherwise illegitimate.
6. A system for implementing user authentication and authorization, characterized in that it comprises: a client, a service server, and an authentication end based on the communication channel of at least one social-relationship user left when the client subscribed to the service, wherein, when the client initiates a service access request, the service server judges from the user identity information in the service access request whether the user is a subscriber and, if so, selects from the subscriber information the communication channel of at least one social-relationship user as the authentication end, judges the legitimacy of the user's identity from the information provided by the authentication end, and then sends the corresponding service access response to the client.
7. The system according to claim 6, characterized in that the service server judging the legitimacy of the client's identity from the information provided by the authentication end comprises:
the service server sending a user identity authentication and authorization query to the authentication end;
the authentication end replying to the service server with the query result; and
the service server processing the query result returned by the authentication end and judging whether the client's identity is legitimate.
8. The system according to claim 6, characterized in that the service server judging the legitimacy of the client's identity from the information provided by the authentication end comprises:
the service server examining the received service access request and, if the request contains the client's own password or feature string, waiting for an authentication message from the authentication end;
the authentication end submitting to the service server the authentication-end password or feature string negotiated in advance with the client; and
the service server checking the client's own password or feature string sent by the client and the authentication-end password or feature string submitted by the authentication end and, if they match, deeming the client's identity legitimate, otherwise illegitimate.
9. The system according to claim 6, characterized in that the service server judging the legitimacy of the client's identity from the information provided by the authentication end comprises:
the service server selecting a feature string or generating a random password, sending it to the client, and sending a user identity authentication and authorization query to the authentication end;
the client sending the received feature string or randomly generated password to the authentication end; and
the server examining the query result returned by the authentication end and, if it contains the feature string or randomly generated password that the service server sent to the client, deeming the client's identity legitimate, otherwise illegitimate.
10. 根据权利要求 6 所述的系统,其特征在于,所述 业务服务器根据认证端提供的信息判断用户端身份合法性,包括:10. The system of claim 6 wherein said The service server determines the legality of the identity of the client according to the information provided by the authentication terminal, including:
业务服务器选择特征字符串或者生成随机密码,发送给认证户客户端;The service server selects a feature string or generates a random password and sends it to the client of the authentication client;
认证端将所述特征字符串或者随机生成密码发送给用户端;The authentication end sends the feature string or the randomly generated password to the user end;
用户端再将所述特征字符串或者随机生成密码发送给业务服务器,若业务服务器接收到的用户端发来的特征字符串或者随机生成密码与业务服务器发送给认证端的信息相符,则认为该用户端身份合法,否则不合法。The user end sends the feature string or the randomly generated password to the service server. If the feature string or the randomly generated password sent by the service server received by the service server matches the information sent by the service server to the authentication end, the user is considered as the user. The identity is legal, otherwise it is not legal.
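As an added example (not code from the patent), the following Python models the random-password round trip of claims 9 and 10 from the service server's point of view. The class and function names, the 60-second challenge lifetime, the single-use rule and the constant-time comparison are this example's assumptions: the claims only require that the value which comes back matches the one sent.

```python
import secrets
import time

# Assumed parameters: the claims do not fix a lifetime or length for the
# random password, so these values are this example's choice.
CHALLENGE_TTL_SECONDS = 60.0
CHALLENGE_BYTES = 16


class ServiceServer:
    """Service-server side shared by claims 9 and 10: issue one random
    password per access request, then check that the same value returns."""

    def __init__(self, now=time.monotonic):
        self._now = now              # injectable clock so expiry is testable
        self._pending = {}           # user_id -> (challenge, issued_at)

    def issue_challenge(self, user_id):
        challenge = secrets.token_hex(CHALLENGE_BYTES)
        self._pending[user_id] = (challenge, self._now())
        return challenge

    def verify(self, user_id, presented):
        # pop(): a challenge is consumed on first use, so a replay fails.
        entry = self._pending.pop(user_id, None)
        if entry is None or not isinstance(presented, str) or not presented.isascii():
            return False
        challenge, issued_at = entry
        if self._now() - issued_at > CHALLENGE_TTL_SECONDS:
            return False             # stale challenge, reject
        # Constant-time comparison avoids leaking the value via timing.
        return secrets.compare_digest(challenge, presented)


def claim9_flow(server, user_id, client_to_auth_end=lambda v: v):
    """Claim 9: server -> client -> authentication end -> server (query reply).
    client_to_auth_end models the client's forwarding step (identity by default)."""
    challenge = server.issue_challenge(user_id)   # sent to client; auth end queried
    seen_by_auth_end = client_to_auth_end(challenge)
    query_result = seen_by_auth_end               # auth end answers the query
    return server.verify(user_id, query_result)


def claim10_flow(server, user_id, auth_end_to_client=lambda v: v):
    """Claim 10: server -> authentication end -> client -> server."""
    challenge = server.issue_challenge(user_id)   # sent to the authentication end
    seen_by_client = auth_end_to_client(challenge)
    return server.verify(user_id, seen_by_client)
```

The relay callables stand in for the two parties that merely forward the value; substituting one that alters it shows how a mismatch is rejected, while the pop-on-verify and the lifetime check cover the replay and stale-challenge cases the claims leave open.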
PCT/CN2012/072224 2011-04-01 2012-03-13 User authentication and authorization method and implementation system thereof WO2012130035A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110081289.0A CN102111275B (en) 2011-04-01 2011-04-01 User authentication and authorization method and system for implementing user authentication and authorization method
CN201110081289.0 2011-04-01

Publications (1)

Publication Number Publication Date
WO2012130035A1 true WO2012130035A1 (en) 2012-10-04

Family

ID=44175310

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/072224 WO2012130035A1 (en) 2011-04-01 2012-03-13 User authentication and authorization method and implementation system thereof

Country Status (2)

Country Link
CN (1) CN102111275B (en)
WO (1) WO2012130035A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109635531A (en) * 2018-11-26 2019-04-16 北京金钝宏安科技有限公司 It is a kind of using identity information certification as the information authentication method of carrier and device
CN110727933A (en) * 2019-09-10 2020-01-24 阿里巴巴集团控股有限公司 Identity authentication method and device, electronic equipment and storage medium
CN111581613A (en) * 2020-04-29 2020-08-25 支付宝(杭州)信息技术有限公司 Account login verification method and system
CN117349811A (en) * 2023-10-18 2024-01-05 广州元沣智能科技有限公司 Information authentication system based on user identity

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102111275B (en) * 2011-04-01 2014-12-03 王冬梅 User authentication and authorization method and system for implementing user authentication and authorization method
CN102255923A (en) * 2011-08-25 2011-11-23 盛大计算机(上海)有限公司 System and method for user identity authentication
CN103179098B (en) * 2011-12-23 2017-03-01 阿里巴巴集团控股有限公司 A kind of password method for retrieving of network account and device
CN103188218B (en) * 2011-12-28 2018-01-05 富泰华工业(深圳)有限公司 Password retrieving system and password method for retrieving
CN102811228B (en) * 2012-08-31 2016-07-06 中国联合网络通信集团有限公司 Network login method, equipment and system
CN102984335B (en) * 2012-12-03 2015-07-29 中国联合网络通信集团有限公司 Dial the identity identifying method of landline telephone, equipment and system
CN103905400B (en) * 2012-12-27 2017-06-23 中国移动通信集团公司 A kind of service authentication method, apparatus and system
CN104009844B (en) * 2013-02-26 2018-10-19 勤智数码科技股份有限公司 A kind of multistage cipher processing method based on safety management
CN103501292B (en) * 2013-09-24 2017-05-17 长沙裕邦软件开发有限公司 Method and system for achieving data safety protection by using standby mobile phone
CN104732376B (en) * 2013-12-24 2020-01-24 腾讯科技(深圳)有限公司 Payment password resetting method, terminal and system
CN104901925A (en) * 2014-03-05 2015-09-09 中国移动通信集团北京有限公司 End-user identity authentication method, device and system and terminal device
CN106941475B (en) * 2016-01-04 2020-09-25 阿里巴巴集团控股有限公司 Authentication method and device based on trust relationship
CN107347054B (en) * 2016-05-05 2021-08-03 腾讯科技(深圳)有限公司 Identity verification method and device
CN107203830A (en) * 2016-12-22 2017-09-26 中企云链(北京)金融信息服务有限公司 A kind of crowd of enterprise organization structure Self management recognizes mechanism realization method and system
CN107104979B (en) * 2017-05-25 2020-01-14 杭州东信北邮信息技术有限公司 Method and system for realizing voice callback verification service
CN108364416A (en) * 2018-01-08 2018-08-03 四川省茂扬科技有限公司 A kind of self-service control method of 24 hours intelligent libraries
CN108615160A (en) * 2018-03-15 2018-10-02 阿里巴巴集团控股有限公司 Authentication method and device
CN108418830A (en) * 2018-03-23 2018-08-17 无锡海德曼医疗设备有限公司 The control method and control system of dentistry oiling machine material filling
CN109067791B (en) * 2018-09-25 2020-05-12 阿里巴巴集团控股有限公司 User identity authentication method and device in network
US10880436B2 (en) 2019-01-23 2020-12-29 Wells Fargo Bank, N.A. Transaction fraud prevention tool

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004246715A (en) * 2003-02-14 2004-09-02 Fujitsu Ltd Authentication information processing method
CN1620166A (en) * 2003-11-21 2005-05-25 华为技术有限公司 Method of identifying legalness of mobile terminal user
CN101291217A (en) * 2007-04-20 2008-10-22 章灵军 Network identity authentication method
CN101605331A (en) * 2008-06-12 2009-12-16 中国移动通信集团公司 The consuming method of portable terminal, Apparatus and system
CN102111275A (en) * 2011-04-01 2011-06-29 王冬梅 User authentication and authorization method and system for implementing user authentication and authorization method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101015166A (en) * 2004-08-20 2007-08-08 身份警报有限公司 Identify theft protection and notification system
US8103874B2 (en) * 2005-11-18 2012-01-24 Tp Lab Inc. Object delivery authentication
CN100593297C (en) * 2007-11-26 2010-03-03 唐荣华 A secure protection method and system with dual identity authentication

Also Published As

Publication number Publication date
CN102111275A (en) 2011-06-29
CN102111275B (en) 2014-12-03

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12763055

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12763055

Country of ref document: EP

Kind code of ref document: A1