WO2012146091A1 - Authentication information processing - Google Patents


Info

Publication number
WO2012146091A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
information
rotation
node
authentication information
Application number
PCT/CN2012/072183
Other languages
English (en)
French (fr)
Inventor
Yan Li
Haofeng ZHOU
Wei Wei
Kai ZHENG
Original Assignee
International Business Machines Corporation
Application filed by International Business Machines Corporation
Related family members: JP6034368B2 (ja), GB2505563B (en), DE112012000780B4 (de), SG194072A1 (en)
Publication of WO2012146091A1 (en)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0846 Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/121 Timestamp

Definitions

  • the present invention generally relates to a method and system for processing data, more particularly, the present invention relates to a method and system for processing authentication information.
  • Authentication technologies are used for determining whether a user or other entity is permitted to access a specific system or resource. Authentication technologies have been widely applied in various computer applications. Password-based authentication is the most common technology. In password authentication, the user sends a login request including a user account and password, and the server end transfers the login request to an authentication node, which checks the authentication information in the login request against the authentication information stored on the node.
  • Authentication information in the prior art is usually stored in one or more fixed authentication nodes.
  • An authentication system with only one authentication node has poor security, since the authentication node is prone to be attacked by hackers.
  • the Lightweight Directory Access Protocol (LDAP) is a protocol for accessing an online directory service.
  • Distributed LDAP systems have been widely applied in authentication, so as to allow a plurality of authentication nodes to interconnect with each other to form an authentication cluster.
  • authentication information will be distributed among multiple authentication nodes. For example, assume a company has 100 employees, with employee numbers from No. 1 to No. 100.
  • the authentication information for a user to log in the company's intranet is distributed among 5 authentication nodes.
  • the authentication information of the 100 employees may be stored on 5 authentication nodes redundantly.
  • the distribution result of the authentication information may be as in the following Table 1 :
  • each authentication information in the prior art is stored on one or more authentication nodes.
  • the authentication information is stored on the one or more authentication nodes, it will not be updated, and is stored on the original authentication node(s) all the time. Therefore, this manner of storing authentication information fixedly will bring some potential security risks.
  • if a hacker breaks into the one or more authentication nodes, he/she will get the corresponding authentication information. If the authentication information of a company's intranet is centralized on one authentication node, the hacker can obtain the authentication information of all the employees permanently once he/she breaks into that authentication node.
  • the hacker may permanently obtain the authentication information of the company's senior executives by attacking the authentication node at the place where the company's headquarters is located. That is to say, storing authentication information at fixed nodes gives hackers a greater chance of obtaining the authentication information and of using the obtained authentication information permanently.
  • the present invention proposes an authentication information processing technology which makes authentication information rotate among multiple authentication nodes, so that hackers will be unable to obtain the authentication information permanently.
  • the present invention provides a method for processing authentication information, wherein the authentication information is stored on a first authentication node, the method comprising: determining a rotation sequence of the authentication information, determining a rotation trigger condition of the authentication information, and in response to satisfaction of the rotation trigger condition, transmitting at least part of the authentication information to a second authentication node according to the rotation sequence.
  • the present invention further provides a system for processing authentication information, wherein the authentication information is stored on a first authentication node, the system comprises: a rotation sequence determining means configured to determine a rotation sequence of the authentication information, a rotation trigger condition determining means configured to determine a rotation trigger condition of the authentication information, and a transmitting means configured to, in response to satisfaction of the rotation trigger condition, transmit at least part of the authentication information to a second authentication node according to the rotation sequence.
  • the authentication information includes account information and authentication module information
  • the rotation sequence includes a rotation sequence of the account information and a rotation sequence of the authentication module information
  • the transmitting of at least part of the authentication information to a second authentication node according to the rotation sequence comprises: transmitting the account information to the second authentication node according to the rotation sequence of the account information; the method further comprises transmitting the authentication module information to a third authentication node according to the rotation sequence of the authentication module information.
  • the authentication information comprises timestamp information to indicate a period of validity of the authentication information.
  • FIG. 1 shows a block diagram of an exemplary computing system suitable for realizing an implementation of the present invention.
  • FIG. 2 shows a flowchart of the authentication information processing method of the present invention.
  • FIG. 3 shows a flowchart for determining a rotation sequence of authentication information according to an embodiment of the present invention.
  • FIG. 4A shows a schematic diagram of authentication information according to an embodiment of the present invention.
  • Fig. 4B shows a schematic diagram of authentication information according to another embodiment of the present invention.
  • FIG. 5 shows a flowchart of dispatching an authentication request according to an embodiment of the present invention.
  • Fig. 6 shows a flowchart of dispatching an authentication request according to another embodiment of the present invention.
  • Fig. 7 shows a flowchart of processing an authentication request according to an embodiment of the present invention.
  • FIG. 8A shows a schematic diagram of an authentication system before authentication information is rotated according to an embodiment of the present invention.
  • Fig. 8B shows a schematic diagram of an authentication system after authentication information is rotated according to an embodiment of the present invention.
  • FIG. 9A shows a schematic diagram of an authentication system before authentication information is rotated according to another embodiment of the present invention.
  • Fig. 9B shows a schematic diagram of an authentication system after authentication information is rotated according to another embodiment of the present invention.
  • FIG. 10 shows a flowchart of an authentication information processing system of the present invention.
  • the computer readable medium may be a computer readable signal medium or computer readable storage medium.
  • the computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus, device, or any combination thereof.
  • more specific examples (a non-exhaustive list) of the computer readable medium include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination thereof.
  • the computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus or device.
  • the computer readable signal medium may include a data signal with computer readable program code embodied therein and propagated in a baseband or as part of a carrier wave.
  • the propagated signal may take various forms, including but not limited to, an electromagnetic signal, an optical signal or any suitable combination thereof.
  • the computer readable signal medium may be any computer readable medium that is not a computer readable storage medium, but can transmit, propagate or transport a program used by or in connection with an instruction execution system, apparatus or device.
  • the computer program code contained in the computer readable medium may be transmitted by any appropriate mediums, including but not limited to, wireless, cable, optical fiber cable, RF, or any suitable combination thereof.
  • the computer program code for carrying out the operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++, or the like, and conventional procedural programming languages, such as "C" programming language or similar programming languages.
  • the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server.
  • the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
  • These computer program instructions may also be stored in a computer readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer readable medium produce a manufactured article including instruction means that implement the functions/actions specified in the blocks in flowcharts and/or block diagrams.
  • the computer program instructions may also be loaded onto a computer or other programmable data processing apparatus, to cause a series of operation steps to be performed on the computer or the other programmable apparatus, to produce a computer implemented process such that the instructions which are executed on the computer or other programmable apparatus provide processes for implementing the functions/actions specified in the blocks of flowchart and/or block diagrams.
  • each block in the flowcharts or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specific logic function(s).
  • the functions noted in the blocks may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
  • each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts can be implemented by special purpose hardware-based systems that perform the specified functions or actions, or a combination of the special purpose hardware and computer instructions.
  • Fig. 1 shows a block diagram of an exemplary computing system suitable for realizing an implementation of the present invention.
  • the computer system 100 comprises: a CPU (central processing unit) 101, a RAM (random access memory) 102, a ROM (read-only memory) 103, a system bus 104, a hard disk controller 105, a keyboard controller 106, a serial interface bus 107, a parallel interface bus 108, a display controller 109, a hard disk 110, a keyboard 111, a serial peripheral 112, a parallel peripheral 113 and a display 114.
  • Fig. 1 is shown only for the illustrative purpose, rather than limiting the scope of the present invention. In some cases, some devices may be added or removed depending on the specific circumstances.
  • Fig. 2 shows a flowchart of an authentication information processing method of the present invention.
  • the authentication information in the authentication information processing method shown in Fig. 2 is stored on a first authentication node.
  • the authentication information includes account information, e.g., an account ID, a personal identification number (PIN), etc.
  • the account ID may be any account ID like a user name, an email, a license plate number, and the identification number may be any identification number like a password and an ID number.
  • Fig. 4A shows a schematic diagram of authentication information according to an embodiment of the present invention, in which the authentication information includes account information Acc A. If the account information is stored as a list, it can be shown as follows:
  • the authentication information includes account information and authentication module information.
  • Fig. 4B shows a schematic diagram of authentication information according to another embodiment of the present invention, in which the authentication information includes account information Acc A and authentication module information Mod A. Besides information like ID and PIN, the account information further includes an authentication module tag.
  • the authentication module information includes the authentication module tag and an encryption algorithm.
  • the authentication module tag is a bridge between the account information and the encryption algorithm.
  • Different account information may use a uniform encryption algorithm, or use different encryption algorithms. If different account information uses a uniform encryption algorithm, there is no need to store an authentication module tag on the authentication node. If different account information uses different encryption algorithms, it is needed to differentiate different encryption algorithms in the authentication information.
  • the authentication module information in the present embodiment may be shown as the following Table 4:
  • the number of the Tags is greater than the number of the encryption algorithms, which can increase system security, such that even if an authentication node is attacked by a hacker, it is difficult for the hacker to infer which encryption algorithm is used.
  • the account information may be shown as in the following Table 5, and the authentication module information may be shown as in the following Table 6:
  • the authentication module information can also be distributed among different authentication nodes.
  • the present invention does not have any specific limitation on the storage format of the authentication information. It may be a plain text file (like a CSV file), a database, a list or a directory tree (like an LDAP or NIS (Network Information Service) directory tree, etc.).
  • the rotation sequence of the authentication information is determined at step 201.
  • the rotation sequence at least describes to which authentication node an authentication node will transmit the authentication information stored thereon.
  • the rotation sequence is determined shortly before the rotation (e.g., one day or one hour before the rotation, etc.). Determining the rotation sequence shortly before the rotation may increase system security, since hackers will be unable to determine where the authentication information on a node will be rotated to.
  • the rotation sequence is determined within a certain time period before the rotation (e.g., one week, one month before the rotation or even the rotation sequence of a next rotation is determined right after the last rotation).
  • the overhead brought by determining the rotation sequence before the rotation is saved.
  • the rotation sequence may further include a rotation sequence of the account information and a rotation sequence of the authentication module information.
  • the rotation sequence of the account information and the rotation sequence of the authentication module information may be the same or different.
  • the authentication node to which the account information is rotated may be different from the authentication node to which the authentication module information is rotated; for example, the account information may be transmitted to a second authentication node while the authentication module information may be transmitted to a third authentication node.
  • the rotation trigger condition of the authentication information is determined.
  • the rotation trigger condition describes when or under what condition the rotation starts.
  • the rotation trigger condition may be either a static trigger condition or a dynamic trigger condition.
  • a static trigger condition may be reaching a predetermined time (e.g., after three months), that is to say, the rotation of the authentication information is performed every predetermined time period.
  • the predetermined time period may be a fixed period (e.g., always be three months).
  • the specific time period may be continuously adjusted (e.g., the interval between the first rotation and second rotation is 3 months, while the interval between the second rotation and third rotation is 2 months).
  • the management cost of using a static trigger condition is low, since so long as the clocks on the authentication nodes are accurate and stable, the rotation of the authentication information can be performed according to the static trigger condition.
  • the rotation trigger condition is a dynamic trigger condition.
  • the rotation of the authentication information may be triggered when an authentication node is attacked by hackers.
  • the system administrator may trigger the rotation of the authentication information at any time according to specific conditions.
  • the rotation of the authentication information may also be triggered when the number of accesses to the authentication node reaches a certain number.
  • if an authentication node has not participated in rotation many times because it is always busy, this authentication node may trigger the rotation of the authentication information by itself.
  • the present invention may further include other dynamic trigger conditions.
  • a dynamic condition in the present invention can be used at the same time with a static trigger condition.
  • the static trigger condition is to rotate once every three months; however, an authentication node triggers the rotation of the authentication information on some day in the second month because it is attacked by a hacker.
  • the rotation trigger condition includes starting the rotation of the authentication information when the node is idle.
  • the authentication node usually will not be accessed frequently at night, so the rotation of the authentication information can be scheduled at night. Or, for example, if an authentication node is still busy at the predetermined rotation time, the node can be skipped and not participate in the rotation process.
  • the busy state of each authentication node may be queried before the due rotation time; if a node is busy, the rotation start time may be delayed until all the authentication nodes are in an idle state.
  • at step 205, in response to the rotation trigger condition being satisfied, at least part of the authentication information is transmitted according to the rotation sequence; for example, a first authentication node transmits the authentication information stored thereon to a second authentication node, so that the second authentication node processes the authentication requests related to that authentication information.
  • the order of steps 201 and 203 in Fig. 2 is not fixed; step 201 may be performed either prior to or subsequent to step 203, or steps 201 and 203 may be performed concurrently.
  • Fig. 3 shows a flowchart of determining the rotation sequence of authentication information according to an embodiment of the present invention.
  • Fig. 3 is a further description of step 201 in Fig. 2.
  • each authentication node generates a random number.
  • a commander node is determined according to the generated random numbers.
  • the commander node determines the rotation sequence.
  • Fig. 8A shows a schematic diagram of an authentication system before authentication information is rotated according to an embodiment of the present invention.
  • the authentication system shown in Fig. 8A has 5 authentication nodes, Node 1-Node 5, respectively.
  • the encryption algorithm of each authentication information is the same, and thus the authentication information stored on the authentication nodes only includes account information and does not include authentication module information.
  • the current Node 1 stores authentication information Acc A
  • Node 2 stores authentication information Acc B
  • Node 4 stores authentication information Acc C.
  • each authentication node generates a random number ranging from 0 to 99, and the random numbers generated by the authentication nodes are shown in the following Table 7:
  • a commander node is determined according to the random numbers generated by each authentication node. For example, the node generating the biggest random number may be used as the commander node. In Table 7, Node 3 generates the biggest random number, and hence Node 3 becomes the commander node.
  • the commander node Node 3 determines the rotation sequence.
  • Node 3 may at that time generate an integer sequence consisting of the numbers 1-5, e.g., 5->3->4->1->2->5.
  • the integer sequence describes the rotation sequence of the next rotation process, that is, if there is authentication information on Node 5, it is transmitted to Node 3; if there is authentication information on Node 3, it is transmitted to Node 4; if there is authentication information on Node 4, it is transmitted to Node 1; if there is authentication information on Node 1, it is transmitted to Node 2; if there is authentication information on Node 2, it is transmitted to Node 5.
  • Fig. 8B shows a schematic diagram of an authentication system after authentication information is rotated according to an embodiment of the present invention. After the rotation, the authentication information is stored by a new authentication node, and the authentication request related to the authentication information will also be processed by the new authentication node.
  • the rotation sequence in the present invention may either refer to the sequence of transmitting the authentication information from one authentication node to another authentication node, e.g., 5->3, or refer to the rotation sequence of authentication information among a plurality of authentication nodes, e.g., 5->3->4->1->2->5.
  • each authentication node generates a random number, e.g., as in Table 7. Then the rotation sequence is determined according to the order of the sizes of the generated random numbers, e.g., 3->2->4->5->1. If there is authentication information on Node 3, it is transmitted to Node 2; if there is authentication information on Node 2, it is transmitted to Node 4; if there is authentication information on Node 4, it is transmitted to Node 5; if there is authentication information on Node 5, it is transmitted to Node 1; if there is authentication information on Node 1, it is transmitted to Node 3.
  • each authentication node generates a random number, then a modulus operation is performed on the generated random numbers, and the rotation sequence is determined according to the order of the sizes of the remainders of the modulus operation.
  • a random sequence is generated by the authentication node initiating the rotation of the authentication information, e.g., the random sequence is formed by 5 numbers from 1-5 (e.g., 31245), and the rotation sequence is determined to be 3->1->2->4->5->3 according to the generated random sequence.
  • the determination of the rotation sequence in the present invention may be associated with the determination of the rotation trigger condition; for different rotation trigger conditions, there may be different rotation sequence generation manners.
  • the rotation trigger condition is a dynamic trigger condition
  • the rotation sequence may be determined dynamically by a certain authentication node.
  • the present invention is not limited to the above described rotation sequence generation manners, and can be extended to more rotation sequence generation manners.
  • the rotation sequence of the authentication information may be determined through random numbers, and the random numbers may be a random sequence generated by an authentication node, or random numbers generated by a plurality of nodes.
  • Fig. 9A shows a schematic diagram of an authentication system before authentication information is rotated according to another embodiment of the present invention.
  • the account information and the corresponding authentication module information in the authentication information are stored in the same authentication node before rotation (the account information Acc A and the authentication module information Mod A are both stored in the authentication node Node 1, the account information Acc B and the authentication module information Mod B are both stored in the authentication node Node 2, and the account information Acc C and the authentication module information Mod C are both stored in the authentication node Node 4), while after rotation, the account information and the corresponding authentication module information are stored in different authentication nodes.
  • the account information and the corresponding authentication module information are stored in different authentication nodes.
  • FIG. 9B shows a schematic diagram of an authentication system after authentication information is rotated according to another embodiment of the present invention.
  • the authentication node Node 1 stores the account information Acc C and the authentication module information Mod A
  • the authentication node Node 2 stores the account information Acc A
  • the authentication node Node 3 stores the authentication module information Mod B
  • the authentication node Node 4 stores the authentication module information Mod C
  • the authentication node Node 5 stores the account information Acc B.
  • a simple implementation is to store an authentication module tag corresponding to an account in an authentication node, so as to identify a corresponding encryption algorithm; wherein the rotation sequence of the authentication module information may be either the same as or different from the rotation sequence of the account information. If the rotation sequence of the authentication module information is the same as the rotation sequence of the account information, the authentication module information will be bound to the corresponding account information permanently. If the rotation sequence of the authentication module information is different from that of the account information, the two may be stored on different authentication nodes, and the account information and the authentication module information may go through subsequent rotations in their respective separate manners.
  • only the account information may be rotated while the authentication module information may not be rotated.
  • only the authentication module information may be rotated while the account information may not be rotated.
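The following is an added example, not code from the patent or from IBM, that models the rotation-sequence determination of Fig. 3 (random numbers, commander node, cyclic sequence) and applies one rotation round as in Figs. 8A/8B and 9A/9B. The node ids, the stand-in for Table 7 (which is not reproduced on the page), the tie-breaking rules and the busy-node `skip` parameter are assumptions made here.

```python
import random

# Constructed example cluster modelled on Fig. 8A (not data from the patent):
# five nodes, account information Acc A, Acc B and Acc C on Nodes 1, 2 and 4.
NODE_IDS = [1, 2, 3, 4, 5]
ACCOUNTS_BEFORE = {1: {"Acc A"}, 2: {"Acc B"}, 3: set(), 4: {"Acc C"}, 5: set()}
MODULES_BEFORE = {1: {"Mod A"}, 2: {"Mod B"}, 3: set(), 4: {"Mod C"}, 5: set()}

# Constructed stand-in for Table 7: Node 3 draws the biggest number and the
# descending order is 3, 2, 4, 5, 1, matching the sequences quoted in the text.
RANDOM_NUMBERS = {1: 5, 2: 61, 3: 88, 4: 42, 5: 17}


def draw_random_numbers(node_ids, rng):
    """Step one of Fig. 3: every node draws a random number in 0..99."""
    return {n: rng.randint(0, 99) for n in node_ids}


def pick_commander(random_numbers):
    """Step two: the node with the biggest random number becomes the commander.
    Ties go to the lowest node id (an assumption; the page does not say)."""
    return max(random_numbers, key=lambda n: (random_numbers[n], -n))


def sequence_by_commander(node_ids, rng):
    """Step three, Fig. 8 embodiment: the commander generates a random permutation
    of the node ids; read cyclically it is the rotation sequence, e.g. 5->3->4->1->2->5."""
    order = list(node_ids)
    rng.shuffle(order)
    return order


def sequence_by_random_order(random_numbers):
    """Alternative embodiment: order the nodes by the size of their random numbers,
    biggest first, e.g. 3->2->4->5->1 (ties by node id, an assumption)."""
    return sorted(random_numbers, key=lambda n: (-random_numbers[n], n))


def successor_map(order):
    """Close an order such as [5, 3, 4, 1, 2] into the cycle {5: 3, 3: 4, 4: 1, 1: 2, 2: 5}."""
    return {order[i]: order[(i + 1) % len(order)] for i in range(len(order))}


def rotate(storage, order, skip=()):
    """Perform one rotation round (step 205). storage maps node id -> set of items.
    Each item on a node in the cycle moves to that node's successor. Nodes in `skip`
    (busy nodes, as in the 2:00 am example) are taken out of the cycle for this round
    and keep what they hold; nodes absent from `order` likewise keep their items,
    which lets account and module information follow different sequences (Fig. 9)."""
    active = [n for n in order if n not in skip]
    successor = successor_map(active) if active else {}
    after = {n: set() for n in storage}
    for node, items in storage.items():
        after.setdefault(successor.get(node, node), set()).update(items)
    return after


def format_sequence(order):
    """Render a cycle the way the text does: 5->3->4->1->2->5."""
    return "->".join(str(n) for n in order + order[:1])


def plan_rotation(node_ids, seed=None):
    """Run the whole of Fig. 3 once and return (random numbers, commander, sequence).
    The seed only makes the run reproducible; a real deployment would use each node's
    own entropy source, and only the commander would generate the sequence."""
    rng = random.Random(seed)
    numbers = draw_random_numbers(node_ids, rng)
    commander = pick_commander(numbers)
    return numbers, commander, sequence_by_commander(node_ids, rng)


if __name__ == "__main__":
    order = [5, 3, 4, 1, 2]  # the sequence quoted in the text
    print("sequence:", format_sequence(order))
    print("accounts after:", rotate(ACCOUNTS_BEFORE, order))
    # Fig. 9 embodiment: modules follow a different sequence; Nodes 1 and 4 stay out.
    print("modules after:", rotate(MODULES_BEFORE, [2, 3, 5]))
    numbers, commander, seq = plan_rotation(NODE_IDS, seed=2011)
    print("commander:", commander, "sequence:", format_sequence(seq))
```

With the quoted sequence 5->3->4->1->2->5 the account state after `rotate` is exactly Fig. 8B (Acc C on Node 1, Acc A on Node 2, Acc B on Node 5), and rotating the modules with the separate cycle 2->3->5->2 reproduces the module placement of Fig. 9B.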
  • the authentication module tag Tag may be modified to further increase system security.
  • the modified account information and authentication module information are shown as in the following Tables 8 and 9:
  • the authentication information may further include timestamp information to indicate the period of validity of the authentication information.
  • the timestamp information is "20110417, 3", indicating that the authentication information was rotated to the local authentication node on April 17, 2011, and its period of validity is 3 months. That is to say, the next rotation needs to be performed after three months.
  • the timestamp information is "20110717", indicating that the authentication information is valid before July 17, 2011.
  • the timestamp information is "20110417, valid", indicating that the authentication information was rotated to the local authentication node on April 17, 2011, and the "valid" status bit of the authentication information is "valid".
  • the "valid" status bit will be set as "invalid".
  • This example is suitable for a solution using a dynamic trigger condition to trigger rotation.
  • the present invention is not limited to these expressions of timestamp information. Using timestamp information in the authentication information further increases system security: once an attacker compromises an authentication node, the authentication information found there cannot be used indefinitely.
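As an added illustration (this code is not part of the patent; the node names, the record layout, and the rule that a record expires exactly n months after the date it was rotated in are my assumptions), the following Python keeps the account information and the authentication module information on separate rotation sequences, restamps a record with the "YYYYMMDD, n" timestamp each time it moves, and refuses a record whose validity period has elapsed, which is the property that limits what an attacker gains from a compromised node:

```python
"""Added example (not from the patent): separate rotation sequences for account
information and authentication module information, plus the "YYYYMMDD, n"
timestamp / validity check described in the text.

Assumptions (mine): node names, the record layout, and the rule that a record
expires exactly n months after the date it was rotated onto its node.
"""
import calendar
from dataclasses import dataclass
from datetime import date


def add_months(d: date, months: int) -> date:
    """Advance d by whole months, clamping the day to the target month's length."""
    y, m0 = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m0 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


@dataclass
class AuthRecord:
    payload: str        # e.g. "Acc B" (account information) or "Mod B" (module tag)
    rotated_on: date    # date the record was rotated onto its current node
    valid_months: int   # validity period; the next rotation is due after it
    valid: bool = True  # status bit, cleared on expiry or by a dynamic trigger

    def timestamp(self) -> str:
        """Render the "20110417, 3" form used in the text."""
        return f"{self.rotated_on:%Y%m%d}, {self.valid_months}"

    def expires_on(self) -> date:
        return add_months(self.rotated_on, self.valid_months)

    def usable(self, today: date) -> bool:
        """True while the record is inside its validity period and not invalidated.
        The status bit stays cleared once it has been cleared, so a record copied
        off a node stops working for good when its period ends."""
        if today >= self.expires_on():
            self.valid = False
        return self.valid


class RotationRing:
    """One kind of authentication information together with its own rotation sequence."""

    def __init__(self, sequence, holder: str, record: AuthRecord):
        if holder not in sequence:
            raise ValueError("holder must appear in its rotation sequence")
        self.sequence = list(sequence)
        self.holder = holder
        self.record = record

    def next_node(self) -> str:
        i = self.sequence.index(self.holder)
        return self.sequence[(i + 1) % len(self.sequence)]

    def rotate(self, today: date) -> str:
        """Move the record to the next node (cut: nothing is left behind) and restamp it."""
        self.holder = self.next_node()
        self.record = AuthRecord(self.record.payload, today, self.record.valid_months)
        return self.holder


def rotate_due(rings: dict, today: date) -> dict:
    """Time-based trigger: rotate every ring whose record has reached its expiry.
    Returns {ring name: new holder} for the rings that moved."""
    return {name: ring.rotate(today)
            for name, ring in rings.items()
            if today >= ring.record.expires_on()}


def build_example() -> dict:
    # Constructed sample: Acc B and Mod B start on different nodes and follow
    # different sequences and periods, so they keep drifting apart.
    return {
        "account": RotationRing(["Node 1", "Node 5", "Node 2"], "Node 1",
                                AuthRecord("Acc B", date(2011, 4, 17), 3)),
        "module": RotationRing(["Node 3", "Node 4"], "Node 3",
                               AuthRecord("Mod B", date(2011, 4, 17), 1)),
    }


if __name__ == "__main__":
    rings = build_example()
    for day in (date(2011, 5, 17), date(2011, 7, 17)):
        moved = rotate_due(rings, day)
        print(day, "rotated:", moved, "| account on", rings["account"].holder,
              "| module on", rings["module"].holder)
```

Run stand-alone, the block prints which ring moved on each scheduled date; because the two rings have different sequences and periods, Acc B and Mod B sit on different nodes after every rotation. `usable()` clears the status bit permanently, so a record that was copied off a node before its expiry is still rejected afterwards.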
  • only partial rotation of the authentication nodes is performed during a rotation period.
  • for example, the originally set rotation time is 2:00 am; before that time, the real performance of the second authentication node is evaluated. If the evaluation finds the second authentication node busy, this rotation may skip it and rotate the authentication information among the other nodes. To keep an authentication node from being skipped in rotation after rotation, its real performance may be revised so that the node cannot be left out of the rotation forever.
  • the value of the real performance is a score from 0 to 100, a higher score indicating that the authentication node is busier and a lower score that it is more idle.
  • after the real performance is revised, the revised performance may be as follows:
  • Equation 1, in which CP denotes the performance score after revision, RP the real performance score of the authentication node, W a weight, and T the number of times the authentication node has not participated in rotation. From Equation 1, as the number of times an authentication node has not participated in rotation grows, its revised performance score decreases. When the revised score falls below a given threshold, the authentication node must participate in the rotation of the authentication information. Equation 1 thus prevents an authentication node that is always busy from never participating in the rotation.
  • the present invention does not exclude other ways of preventing an authentication node from being ignored in every rotation; for example, it may be specified that no authentication node may sit out the rotation of the authentication information two consecutive times.
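The page does not reproduce Equation 1 itself, so the example below (added here; it is not the patent's code) takes the simplest form with the stated behaviour, CP = RP - W*T, as an assumption, and pairs it with the alternative hard rule of the previous item. Counting T as the rounds a node has sat out since it last took part is also my choice; node scores, the weight and the threshold are constructed values:

```python
"""Added example (not from the patent): choosing which authentication nodes join
a partial rotation when busy nodes may be skipped, using a revised performance
score so that a permanently busy node is not skipped forever.

Assumptions (mine): Equation 1 is not on the page, so the revised score is taken
as CP = RP - W*T, the simplest form with the described behaviour; T counts the
rounds a node has sat out since it last participated. All numbers are constructed.
"""


def revised_performance(rp: float, w: float, t: int) -> float:
    """Assumed form of Equation 1: CP = RP - W*T, floored at 0."""
    return max(0.0, rp - w * t)


def select_participants(nodes: dict, busy_threshold: float, w: float,
                        max_consecutive_skips=None):
    """Decide which nodes take part in this round of (partial) rotation.

    nodes maps name -> {"rp": real score 0..100 (higher = busier),
                        "skipped": rounds sat out since the node last took part}.
    A node joins when its revised score is below busy_threshold, or when the
    optional hard rule "no node sits out more than max_consecutive_skips rounds
    in a row" forces it in. Skip counters are updated in place.
    Returns (participants, skipped), each in input order.
    """
    participants, skipped = [], []
    for name, state in nodes.items():
        cp = revised_performance(state["rp"], w, state["skipped"])
        forced = (max_consecutive_skips is not None
                  and state["skipped"] >= max_consecutive_skips)
        if cp < busy_threshold or forced:
            participants.append(name)
            state["skipped"] = 0
        else:
            skipped.append(name)
            state["skipped"] += 1
    return participants, skipped


def rotate_among(order: list, participants: list) -> dict:
    """Rotate only among the participating nodes, keeping their relative order
    from the full rotation sequence. Returns {from_node: to_node}; a skipped
    node keeps what it holds and receives nothing."""
    ring = [n for n in order if n in participants]
    return {ring[i]: ring[(i + 1) % len(ring)] for i in range(len(ring))} if ring else {}


def simulate(rounds: int, nodes: dict, order: list, busy_threshold: float = 70.0,
             w: float = 10.0, max_consecutive_skips=None) -> list:
    """Run several scheduled rotations (the 2:00 am job) and record, per round,
    which nodes took part."""
    history = []
    for _ in range(rounds):
        participants, _ = select_participants(nodes, busy_threshold, w,
                                              max_consecutive_skips)
        history.append(participants)
    return history


def build_nodes() -> dict:
    # Constructed sample: Node 2 is persistently busy, the others are idle.
    return {"Node 1": {"rp": 20.0, "skipped": 0},
            "Node 2": {"rp": 90.0, "skipped": 0},
            "Node 3": {"rp": 30.0, "skipped": 0}}


if __name__ == "__main__":
    order = ["Node 1", "Node 2", "Node 3"]
    for i, parts in enumerate(simulate(4, build_nodes(), order), 1):
        print(f"round {i}: participants {parts} -> moves {rotate_among(order, parts)}")
```

With the constructed scores, Node 2 (real score 90, threshold 70, weight 10) is skipped for three rounds while its revised score falls 90, 80, 70, and is pulled into the fourth round at 60. Passing `max_consecutive_skips=1` instead applies the "not twice in a row" rule and brings it in on every second round regardless of its score.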
  • Fig. 5 shows a flowchart of dispatching an authentication request according to an embodiment of the present invention.
  • Fig. 5 corresponds to Figs. 8A and 8B.
  • the authentication information includes account information and does not include authentication module information, that is to say, the same encryption algorithm is applied to all the account information.
  • an authentication request is received.
  • the authentication request may come from a client; e.g., it may be the login request sent by an employee when he/she logs in to the company's intranet.
  • the authentication request is dispatched to corresponding authentication nodes.
  • multicast can be used to deliver the authentication request to every node in the authentication network consisting of authentication nodes.
  • the addresses of the authentication nodes in the authentication network form a multicast address set.
  • the network address of the new authentication node also joins the multicast address set.
  • an authentication node in the authentication network that receives an authentication request checks whether it holds information satisfying the request. If it does not, it makes no response; if it does, the subsequent steps are performed.
  • in one example, the ID and the PIN (or a variant of the PIN) are sent to an authentication node, which checks the IDs stored on it to determine whether it holds information satisfying the authentication request; the authentication node then authenticates the user according to the PIN input by the user.
  • in another example, assume the user inputs an account ID and a password PIN at the client; only the ID is sent to an authentication node, and when the authentication node checks the ID information stored on it and determines that it holds information satisfying the authentication request, it further contacts the client to obtain the PIN and performs the subsequent processing steps.
  • in a further example, the authentication node not only needs to contact the client to get the PIN, but also needs to contact a special authentication node for subsequent processing of the authentication request, e.g., a server of a government department, to determine whether the ID card number input by the user is correct.
  • the node router is responsible for dispatching an authentication request to corresponding authentication nodes to be processed.
  • the node router can be a dedicated node, or one of the plurality of authentication nodes.
  • the node router can store a dispatch table thereon, which is shown as in the following Table 10:
  • Table 10 The contents of Table 10 indicate that the authentication information of the user name James is stored on the first node, so the node router may transmit an authentication request concerning James to the first node. If the authentication information on an authentication node is rotated, the dispatch table is updated after the rotation to reflect the latest storage location of the authentication information. For example, if the authentication information on Node 1 is rotated to Node 2, the dispatch table may be modified as shown in the following Table 11:
  • at step 505, the authentication request is processed.
  • at step 507, the authentication result is returned, indicating whether the authentication request passed or failed authentication.
  • Fig. 6 shows a flowchart of dispatching an authentication request according to another embodiment of the present invention.
  • the embodiment of Fig. 6 corresponds to that of Figs. 9A and 9B.
  • the authentication information includes account information and authentication module information, that is to say, different encryption algorithms are applied to different account information.
  • an authentication request is received.
  • the authentication module information (e.g., the encryption algorithm)
  • at step 607, the account information and the authentication request are dispatched to the authentication node holding the authentication module information, so that that node processes the authentication request.
  • at step 609, the authentication request is processed; the details of step 609 are described below.
  • at step 611, the authentication result is returned, indicating whether the authentication request succeeded.
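An added example (not the patent's code) of the router-based dispatch described in this section: a node router keeps the dispatch table of Tables 10 and 11, rewrites it when account information is rotated, and drives the Fig. 6 flow in which the account record and the request are handed to the node holding the tagged authentication module. A router-less multicast check, where only the holding node answers, is included for comparison. Node names, module tags, the record layout, and the use of PBKDF2 with different hash functions as the per-module "encryption algorithm" are assumptions; the enrolled credential is a constructed sample:

```python
"""Added example (not from the patent): node-router dispatch with a dispatch
table that follows rotations, the Fig. 6 two-hop flow (account node -> module
node), and the multicast variant in which only the node holding the record
responds.

Assumptions (mine): node names, module tags, record layout, and PBKDF2 with
different hash functions standing in for the per-module algorithm. The enrolled
user "James" and his PIN are constructed sample data.
"""
import hashlib
import hmac
import os

# Authentication module information: a tag identifies which algorithm to apply.
MODULES = {
    "Mod A": {"hash": "sha256", "iters": 50_000},
    "Mod B": {"hash": "sha512", "iters": 50_000},
}


def derive(module: dict, pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(module["hash"], pin.encode(), salt, module["iters"])


class Node:
    def __init__(self, name: str):
        self.name = name
        self.accounts = {}   # user id -> {"tag": module tag, "salt": bytes, "digest": bytes}
        self.modules = {}    # module tag -> algorithm parameters

    def holds(self, user_id: str) -> bool:
        """Multicast receiver check: a node without the record makes no response."""
        return user_id in self.accounts

    def verify(self, record: dict, pin: str) -> bool:
        """Step 609 on the module node: apply the tagged algorithm, compare in constant time."""
        module = self.modules[record["tag"]]
        return hmac.compare_digest(derive(module, pin, record["salt"]), record["digest"])


class NodeRouter:
    """Keeps the dispatch table (Table 10): which node holds which information."""

    def __init__(self, nodes: dict):
        self.nodes = nodes
        self.account_table = {}   # user id -> node name
        self.module_table = {}    # module tag -> node name

    def enroll(self, user_id: str, pin: str, tag: str, account_node: str):
        salt = os.urandom(16)
        record = {"tag": tag, "salt": salt, "digest": derive(MODULES[tag], pin, salt)}
        self.nodes[account_node].accounts[user_id] = record
        self.account_table[user_id] = account_node

    def place_module(self, tag: str, node: str):
        self.nodes[node].modules[tag] = MODULES[tag]
        self.module_table[tag] = node

    def rotate_account(self, user_id: str, to_node: str):
        """Move (cut) the account record and update the dispatch table (Table 11)."""
        src = self.nodes[self.account_table[user_id]]
        self.nodes[to_node].accounts[user_id] = src.accounts.pop(user_id)
        self.account_table[user_id] = to_node

    def authenticate(self, user_id: str, pin: str) -> bool:
        """Fig. 6: locate the account node, then dispatch the record and the
        request to the node holding the module, which processes it."""
        acc = self.account_table.get(user_id)
        if acc is None:
            return False                      # no node holds this ID
        record = self.nodes[acc].accounts[user_id]
        mod = self.nodes[self.module_table[record["tag"]]]
        return mod.verify(record, pin)


def multicast(nodes: dict, user_id: str) -> list:
    """Router-less dispatch: every node hears the request; only holders respond."""
    return [n.name for n in nodes.values() if n.holds(user_id)]


def build_network() -> NodeRouter:
    nodes = {n: Node(n) for n in ("Node 1", "Node 2", "Node 3")}
    router = NodeRouter(nodes)
    router.place_module("Mod A", "Node 3")
    router.place_module("Mod B", "Node 3")
    router.enroll("James", "correct horse", "Mod B", "Node 1")   # constructed sample
    return router


if __name__ == "__main__":
    router = build_network()
    print("before rotation:", router.account_table, multicast(router.nodes, "James"))
    print("auth:", router.authenticate("James", "correct horse"))
    router.rotate_account("James", "Node 2")
    print("after rotation:", router.account_table, multicast(router.nodes, "James"))
    print("auth:", router.authenticate("James", "correct horse"))
```

With a real client the PIN (or its variant) would travel with the request or be fetched from the client afterwards, as in the examples above; here it is passed straight to `authenticate()`. After `rotate_account()` the old node no longer holds the record (cut), so a stale dispatch-table entry would send the request to a node that cannot answer; the table update has to be atomic with the move.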
  • Fig. 7 shows a flowchart of processing an authentication request according to an embodiment of the present invention.
  • the flowchart in Fig. 7 is a further description of step 505 in Fig. 5 and step 609 in Fig. 6.
  • processing of the authentication request may or may not be paused while the authentication information is being transmitted.
  • if processing is paused, the authentication request is forwarded to the new authentication node for processing after the rotation ends; that is, the authentication information is transmitted from the original authentication node to the new authentication node by cut, and the original authentication node no longer keeps a copy of the original authentication information.
  • if processing is not paused, the original authentication node can still process the authentication request while the authentication information is being transmitted, and once all the authentication information has been copied from the original authentication node to the new authentication node, the new authentication node processes the authentication request.
  • in that case the authentication information is transmitted from the original authentication node to the new authentication node by copy.
  • at step 703, it is further determined whether processing of the authentication request needs to be paused. If so, then at step 705 the authentication request is dispatched to another authentication node after the transmission period of the authentication information ends, and that authentication node processes the request.
  • dispatching to the other authentication node may be done in the multicast manner described above, with the help of the node router described above, or by the authentication node directly forwarding the pending authentication request to another authentication node.
  • if at step 703 it is determined that processing need not be paused, then at step 707 the authentication node completes processing of the authentication request. If at step 701 it is determined that the authentication node is not in the transmission period of the authentication information, the flow proceeds directly to step 707, where the authentication node processes the authentication request.
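The Fig. 7 decision, as an added example (not the patent's code): a node that is inside its transmission window either holds the request and hands it to the new node once the window ends (paused, cut) or keeps answering until the copy is complete (not paused, copy). The integer clock, the `Transfer` window, and reducing "processing" to naming the node that answered are my simplifications:

```python
"""Added example (not from the patent): an authentication node's handling of a
request that arrives during transmission of its authentication information
(Fig. 7), in the two modes described: paused/cut and not paused/copy.

Assumptions (mine): the transfer is a window [start, end) on an integer clock,
and processing is reduced to reporting which node answered.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Transfer:
    to_node: str
    start: int
    end: int          # first tick at which the new node is authoritative
    pause: bool       # True: cut (pause processing); False: copy (keep serving)

    def in_progress(self, now: int) -> bool:
        return self.start <= now < self.end


@dataclass
class AuthNode:
    name: str
    transfer: Optional[Transfer] = None
    deferred: List[str] = field(default_factory=list)   # requests held during a paused transfer

    def handle(self, request: str, now: int) -> Tuple[str, str]:
        """Return (answering node, status) for a request arriving at tick `now`."""
        t = self.transfer
        if t is None or not t.in_progress(now):        # step 701: not transmitting
            if t is not None and now >= t.end:          # transfer finished: the record
                return (t.to_node, "forwarded")         # now lives on the new node
            return (self.name, "processed")             # step 707
        if t.pause:                                     # step 703: cut mode
            self.deferred.append(request)               # step 705: wait for the end
            return (t.to_node, "deferred")
        return (self.name, "processed")                 # copy mode: keep serving

    def flush(self, now: int) -> List[Tuple[str, str]]:
        """Once the transfer has ended, dispatch every held request to the new node
        (via multicast, the node router, or direct forwarding)."""
        t = self.transfer
        if t is None or now < t.end:
            return []
        out = [(req, t.to_node) for req in self.deferred]
        self.deferred.clear()
        return out


if __name__ == "__main__":
    cut = AuthNode("Node 1", Transfer("Node 2", start=10, end=20, pause=True))
    copy = AuthNode("Node 3", Transfer("Node 4", start=10, end=20, pause=False))
    for tick in (5, 12, 20, 25):
        print(tick, "cut:", cut.handle("James", tick), "copy:", copy.handle("James", tick))
    print("released after window:", cut.flush(20))
```

In cut mode a request that lands inside the window is queued and released only when `flush()` runs at or after `end`; in copy mode the original node answers throughout the window and forwards from `end` onwards, so no request is ever held.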
  • Fig. 10 shows a flowchart of an authentication information processing system of the present invention.
  • the authentication information processing system in Fig. 10 comprises rotation sequence determining means, rotation trigger condition determining means and transmitting means.
  • the authentication information is stored in a first authentication node.
  • the rotation sequence determining means in Fig. 10 is configured to determine a rotation sequence of the authentication information.
  • the rotation trigger condition determining means is configured to determine a rotation trigger condition of the authentication information.
  • the transmitting means is configured to transmit at least part of the authentication information to a second authentication node so that the second authentication node, in response to satisfaction of the rotation trigger condition, processes the authentication request related to the authentication information according to the rotation sequence.
  • the authentication information in Fig. 10 includes account information.
  • according to another embodiment of the present invention, the authentication information in Fig. 10 further includes authentication module information besides the account information.
  • the rotation sequence in Fig. 10 includes a rotation sequence of the account information and a rotation sequence of the authentication module information.
  • the transmitting means is further configured to: transmit the account information to a second authentication node and transmit the authentication module information to a third authentication node.
  • the rotation trigger condition comprises starting rotation of the authentication information after a certain time period interval.
  • the rotation trigger condition is a dynamic trigger condition.
  • the rotation trigger condition comprises starting rotation of the authentication information when the node is idle.
  • the authentication information includes a timestamp to indicate the period of validity of the authentication information.
PCT/CN2012/072183 2011-04-26 2012-03-12 Authentication information processing WO2012146091A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
JP2014506730A JP6034368B2 (ja) 2011-04-26 2012-03-12 Authentication information processing
GB1313857.3A GB2505563B (en) 2011-04-26 2012-03-12 Authentication information processing
DE112012000780.8T DE112012000780B4 (de) 2011-04-26 2012-03-12 Processing of authentication data
SG2013074091A SG194072A1 (en) 2011-04-26 2012-03-12 Authentication information processing

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110104879.0 2011-04-26
CN201110104879.0A CN102761520B (zh) 2011-04-26 2011-04-26 Authentication information processing method and system

Publications (1)

Publication Number Publication Date
WO2012146091A1 true WO2012146091A1 (en) 2012-11-01

Family

ID=47055842

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/072183 WO2012146091A1 (en) 2011-04-26 2012-03-12 Authentication information processing

Country Status (6)

Country Link
JP (1) JP6034368B2 (ja)
CN (1) CN102761520B (zh)
DE (1) DE112012000780B4 (de)
GB (1) GB2505563B (en)
SG (1) SG194072A1 (en)
WO (1) WO2012146091A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112738045A (zh) * 2020-12-23 2021-04-30 中科三清科技有限公司 Multi-source fusion identity authentication system and method

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB201811773D0 (en) * 2018-07-19 2018-09-05 Nchain Holdings Ltd Computer-implemented system and method
CN110704823A (zh) * 2019-09-10 2020-01-17 平安科技(深圳)有限公司 Data request method, apparatus, storage medium and electronic device
CN113312656B (zh) * 2021-07-29 2022-04-15 阿里云计算有限公司 Data rotation method, apparatus, device and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1767437A (zh) * 2004-10-29 2006-05-03 国际商业机器公司 System and method for efficiently authenticating multiple objects based on access patterns
CN101321078A (zh) * 2007-03-09 2008-12-10 双子星移动科技公司 Selective user monitoring in an online environment
CN101938461A (zh) * 2009-06-29 2011-01-05 索尼公司 Information processing server, information processing device, and information processing method

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH0668047A (ja) * 1992-08-13 1994-03-11 Nippon Telegr & Teleph Corp <Ntt> Network-based shared storage method for a distributed system
JP3559471B2 (ja) * 1999-03-31 2004-09-02 株式会社東芝 Setting information server device, user computer, and setting information delivery method
US7322040B1 (en) * 2001-03-27 2008-01-22 Microsoft Corporation Authentication architecture
US7617257B2 (en) * 2004-12-03 2009-11-10 Oracle International Corporation System for persistent caching of LDAP metadata in a cluster LDAP server topology
US9390156B2 (en) * 2009-06-29 2016-07-12 International Business Machines Corporation Distributed directory environment using clustered LDAP servers

Also Published As

Publication number Publication date
CN102761520A (zh) 2012-10-31
JP6034368B2 (ja) 2016-11-30
CN102761520B (zh) 2015-04-22
DE112012000780T5 (de) 2013-11-14
DE112012000780B4 (de) 2014-07-31
SG194072A1 (en) 2013-11-29
JP2014513351A (ja) 2014-05-29
GB2505563B (en) 2015-07-01
GB201313857D0 (en) 2013-09-18
GB2505563A (en) 2014-03-05

Similar Documents

Publication Publication Date Title
JP6563134B2 (ja) Certificate renewal and deployment
CN106664302B (zh) Method and system for revoking a session using signaling
US9882940B2 (en) Method for logging in a website hosted by a server by multi-account and the client
US8554855B1 (en) Push notification delivery system
US8544075B2 (en) Extending a customer relationship management eventing framework to a cloud computing environment in a secure manner
US10587697B2 (en) Application-specific session authentication
US9401911B2 (en) One-time password certificate renewal
US9985829B2 (en) Management and provisioning of cloud connected devices
US9774582B2 (en) Private cloud connected device cluster architecture
KR20220006623A (ko) Blockchain consensus method, device and system
US20170126908A1 (en) Robust mesh printer network with distributed queue management
US8468585B2 (en) Management of credentials used by software applications
US20170187725A1 (en) User verification
CN108289074B (zh) User account login method and device
WO2014152076A1 (en) Retry and snapshot enabled cross-platform synchronized communication queue
JP2015079343A (ja) Information processing system, information processing method, and program
WO2012146091A1 (en) Authentication information processing
CN112511316A (zh) Single sign-on access method, apparatus, computer device and readable storage medium
US20140280840A1 (en) Systems, methods, and computer program products for providing a universal persistence cloud service
US11252143B2 (en) Authentication system, authentication server and authentication method
US20210160180A1 (en) Secure preloading of serverless function sequences
WO2016155266A1 (zh) Data sharing method and device for a virtual desktop
US20090276851A1 (en) Detecting malicious behavior in a series of data transmission de-duplication requests of a de-duplicated computer system
US10165088B2 (en) Providing unit of work continuity in the event initiating client fails over
WO2023009929A1 (en) Certificate revocation at datacenters as a service

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12776171

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2014506730

Country of ref document: JP

Kind code of ref document: A

ENP Entry into the national phase

Ref document number: 1313857

Country of ref document: GB

Kind code of ref document: A

Free format text: PCT FILING DATE = 20120312

WWE Wipo information: entry into national phase

Ref document number: 1313857.3

Country of ref document: GB

WWE Wipo information: entry into national phase

Ref document number: 1120120007808

Country of ref document: DE

Ref document number: 112012000780

Country of ref document: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12776171

Country of ref document: EP

Kind code of ref document: A1