WO2013040957A1 - Single sign-on method and system, and information processing method and system - Google Patents


Info

Publication number: WO2013040957A1
Authority: WO (WIPO (PCT))
Application number: PCT/CN2012/079709
Other languages: French (fr), Chinese (zh)
Inventors: 夏正雪, 韦银星
Original assignee: 中兴通讯股份有限公司 (ZTE Corporation)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815: Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations

Definitions

  • The present invention relates to the field of network communications, and in particular to a method for single sign-on, a system for single sign-on, an information processing method, an information processing system, an identity providing server, a service providing server, and a name mapping server.

Background technique
  • The Internet is built on the TCP/IP protocol suite. Its core is the IP protocol at the network layer, which lets users reach one another through IP addresses; application services such as web browsing, e-mail, and instant messaging are carried by application-layer protocols running on top of IP.
  • Before using these services, a user must access the Internet through the basic network provided by a telecom operator. Different users may use different access methods, such as the various digital subscriber line (xDSL) technologies, optical fibre, and mobile access.
  • Once connected, the user terminal obtains an IP address, and the user then reaches the various applications on the Internet through that address, which serves as the user's temporary identity.
  • Because the prefix part of the IP address indicates the subnet where the user is currently located, a different IP address must be assigned whenever the user's location changes; otherwise routers cannot forward packets to the user correctly. The IP address therefore has the dual attributes of identity and location, and the address a user obtains is not necessarily the same each time, so it cannot serve as the user's long-term identity. Application systems on the Internet must therefore establish their own user identity systems, the so-called user account systems.
  • Single sign-on (SSO) is a technology that allows a user to access multiple application systems after authenticating only once at login; the user can then move freely between the application systems without repeatedly entering a user name and password to confirm identity.
  • In related-art Internet single sign-on systems, a user must register with an identity provider (IdP) before using single sign-on, and the server of a service provider (SP) relies on the authentication result from the IdP's server in order to provide services to the user.
  • Because the IdPs on the Internet are usually deployed in a distributed manner, an SP that adopts single sign-on finds that the scale of its business development depends largely on the number of registered users of the IdPs it relies on.
  • The main technologies involved in single sign-on are OpenID, Passport, and Liberty Alliance.
  • OpenID is easy to use but carries security risks and is weak against phishing attacks.
  • Passport is easy to use and somewhat safer, but it is suitable only for internal use within an SP; Liberty Alliance offers a certain level of security, but it is not easy to deploy and is inconvenient for users.
  • The telecom operator can act as the identity provider IdP. This has the following advantages: the operator's access authentication can guarantee security; the operator as IdP does not require the user to register again, so it is easy to use; and compared with an Internet IdP, the operator already has a high-quality, mature base of paying users.
  • The dual-attribute defect of the IP address (identity and location in one value) brings mobility and security problems and has become a bottleneck restricting further development of the Internet industry.
  • Identity/locator separation technologies such as HIP (Host Identity Protocol) and LISP (Locator/Identifier Separation Protocol) address this defect by introducing two codes: an identity code representing the user's identity and a location code representing the user's location.
  • Each user has both an identity code and a location code, and the user communicates with its peer on the basis of the identity code.
  • When the user's location changes, the identity code remains the same and only the location code changes. In this way the identity code always corresponds to the user, without the ambiguity of the IP address.
  • However, the user identity code is used only as a network-layer label. Even though the network knows the user's identity, the user must still register separately with each Internet application system. Furthermore, because a user registers accounts with a large number of different application systems and, for convenience, usually chooses account names with a certain regularity, the user's identity and private information are easily leaked.

Summary of the invention
  • Embodiments of the invention provide a single sign-on method, a single sign-on system, an information processing method, an information processing system, an identity providing server, a service providing server and a name mapping server, so as to solve the problem that a user accessing Internet application systems must register and authenticate repeatedly.
  • An embodiment of the invention provides a method for single sign-on, the method comprising:
  • the identity providing server confirms that the user has passed access authentication;
  • the identity providing server generates assertion information for the user according to the shared key between itself and the service providing server that the user wants to access, and sends the assertion information to the service providing server.
  • The method further includes:
  • after receiving an authentication request sent by the service providing server or a service access request sent by the user, the identity providing server checks whether the shared key exists; if it does not, the identity providing server authenticates the service providing server and, once that authentication succeeds, generates the shared key.
  • The method further includes:
  • before generating the assertion information, the identity providing server obtains a pseudonym for the user and a lifetime corresponding to the pseudonym, namely:
  • according to the anonymous service request of the user, the identity providing server sends an anonymous identity request to a name mapping server (NMS), and receives from the NMS the pseudonym generated for the user according to that request, together with the lifetime corresponding to the pseudonym.
  • After the identity providing server has obtained the pseudonym and its lifetime, the method further includes:
  • the identity providing server receives an anonymous update request sent by the user that carries a specified user name and a corresponding lifetime, forwards the anonymous update request to the NMS, and receives the update result returned by the NMS.
  • The assertion information carries a random number, identity information of the identity providing server, identity information of the service providing server, identity information of the user, a signature algorithm, and a signature result calculated by the identity providing server with the shared key; the identity information of the user is the pseudonym or the specified user name.
  • An embodiment of the invention further provides a method for single sign-on, the method comprising:
  • the service providing server receives the assertion information sent by the identity providing server for the user who wants to access the service providing server, and verifies the assertion information according to the shared key between itself and the identity providing server.
  • The method further includes:
  • after the assertion information passes verification, the service providing server creates an entry corresponding to the identity information of the user carried in the assertion information, and provides the service to the user; the identity information of the user is the pseudonym or the specified user name.
  • The method further includes:
  • after receiving a service access request sent by the user, the service providing server generates a random number and sends an authentication request carrying the random number to the identity providing server.
  • The assertion information carries the random number, the identity information of the identity providing server, the identity information of the service providing server, the identity information of the user, a signature algorithm, and the signature result calculated by the identity providing server with the shared key.
  • Verifying the assertion information according to the shared key between the service providing server and the identity providing server includes:
  • the service providing server calculates a signature result over the identity information of the identity providing server, the identity information of the service providing server and the identity information of the user, using the signature algorithm carried in the assertion information and the shared key, and compares the signature result it has calculated with the signature result calculated by the identity providing server; the assertion information passes verification when the two are consistent.
  • An embodiment of the present invention further provides an information processing method, the method comprising:
  • the name mapping server receives an anonymous identity request sent by the identity providing server, the anonymous identity request carrying the identity of the user; and the name mapping server generates, according to the anonymous identity request, a pseudonym of the user corresponding to that identity and a lifetime corresponding to the pseudonym, and returns them to the identity providing server.
  • The method further includes:
  • the NMS receives, forwarded by the identity providing server, an anonymous update request from the user that carries the specified user name and corresponding lifetime, performs the update according to the anonymous update request, and returns the update result.
  • An embodiment of the present invention further provides an identity providing server, which includes: a confirmation module configured to confirm that the user has passed access authentication;
  • and an assertion information processing module configured to: after the confirmation module confirms that the user has passed access authentication, generate assertion information for the user according to the shared key between the identity providing server and the service providing server that the user wants to access, and send the assertion information to the service providing server.
  • The identity providing server further includes:
  • a key generation module configured to: before the assertion information processing module generates the assertion information for the user, and after an authentication request sent by the service providing server or a service access request sent by the user is received, check whether the shared key exists and, if it does not, generate the shared key once the service providing server has passed authentication.
  • The identity providing server further includes:
  • an obtaining module configured to: after the confirmation module confirms that the user has passed access authentication, and before the assertion information processing module generates the assertion information for the user, obtain a pseudonym for the user and a lifetime corresponding to the pseudonym.
  • The obtaining module is configured to: send an anonymous identity request to a name mapping server (NMS) according to the anonymous service request of the user, and receive the pseudonym of the user generated by the NMS according to the anonymous identity request, together with the lifetime corresponding to the pseudonym.
  • The obtaining module is further configured to: receive an anonymous update request sent by the user that carries a specified user name and a corresponding lifetime, forward the anonymous update request to the NMS, and receive the update result returned by the NMS.
  • The assertion information carries a random number, identity information of the identity providing server, identity information of the service providing server, identity information of the user, a signature algorithm, and a signature result calculated by the identity providing server with the shared key; the identity information of the user is the pseudonym or the specified user name.
  • An embodiment of the present invention further provides a service providing server, which includes: a receiving module configured to receive the assertion information sent by an identity providing server for a user who wants to access the service providing server;
  • and a verification module configured to verify the assertion information according to the shared key between the service providing server and the identity providing server.
  • The service providing server further includes:
  • a service providing module configured to: after the assertion information passes verification by the verification module, create an entry corresponding to the identity information of the user carried in the assertion information, and provide the service to the user.
  • An embodiment of the present invention further provides a name mapping server (NMS), which includes: a receiving module configured to receive an anonymous identity request sent by an identity providing server, the anonymous identity request carrying the identity of the user;
  • and a generating and sending module configured to: generate, according to the anonymous identity request received by the receiving module, a pseudonym of the user and a lifetime corresponding to the pseudonym, and return them to the identity providing server.
  • The generating and sending module is further configured to: receive, forwarded by the identity providing server, an anonymous update request from the user that carries the specified user name and corresponding lifetime, perform the update according to the anonymous update request, and return the update result.
  • An embodiment of the present invention further provides an information processing system, which includes the foregoing identity providing server and the foregoing name mapping server.
  • An embodiment of the invention further provides a single sign-on system, which includes the foregoing identity providing server and the foregoing service providing server.
  • An embodiment of the invention further provides a single sign-on system, which includes the foregoing identity providing server, the foregoing name mapping server and the foregoing service providing server.
  • FIG. 1 is a schematic structural diagram of the network elements according to an embodiment of the present invention.
  • FIG. 2 is a flowchart of an embodiment of a single sign-on method according to the present invention.
  • FIG. 3 is a signaling flow diagram of an embodiment of a single sign-on method initiated by a service providing server according to the present invention.
  • FIG. 4 is a signaling flow diagram of an embodiment of a single sign-on method initiated by an identity providing server according to the present invention.
  • FIG. 5 is a schematic structural diagram of an embodiment of an identity providing server according to the present invention.
  • FIG. 6 is a schematic structural diagram of an embodiment of a service providing server according to the present invention.
  • FIG. 7 is a schematic structural diagram of an embodiment of a name mapping server according to the present invention.
  • FIG. 8 is a schematic structural diagram of an embodiment of an information processing apparatus according to the present invention.
  • FIG. 9 is a schematic structural diagram of an embodiment of a single sign-on system according to the present invention.

Preferred embodiment of the invention
  • As shown in FIG. 1, the architecture includes a user terminal (Mobile Node, MN) 101, an access service node (ASN) 102, an authentication center 103, and, numbered through server 107 in the figure, the identity providing server, the name mapping server (NMS), the ISN and the service providing server described below, wherein:
  • the MN accessing the network may be a mobile terminal, a fixed terminal, or both, such as a mobile phone, a fixed telephone, a computer, or an application server;
  • the ASN is configured to: provide access services for the user terminal, maintain the connection between the terminal and the network, assign a routing identifier (RID) to the terminal, register and query the RID of the terminal with the identity location register (ILR) / packet forwarding function entity (PTF), maintain the access identifier (AID) to RID mapping information, and route and forward data packets;
  • the authentication center is configured to: record attribute information of network users, such as user category, authentication information and service level, complete access authentication and authorization for the terminal, and also perform charging. The authentication center supports two-way authentication between the terminal and the network, and can generate user security information for authentication, integrity protection and confidentiality protection;
  • the identity providing server provides the service providing server with assertion information about the user, authenticates the service providing server and checks its legitimacy, queries the user's attribute information through its interface with the authentication center, and, through its interface with the NMS, provides the user with a pseudonym service;
  • the NMS generates a pseudonym based on the user identity supplied by the identity providing server, to serve as an alternate identity of the user, and creates an entry associating the pseudonym with the user's identity information, the service providing server's uniform resource locator (URL) and a lifetime. If the user modifies the pseudonym or its lifetime, the NMS updates the entry after receiving the anonymous update request from the identity providing server. The NMS may be deployed separately from the identity providing server or as a functional module within it;
  • the ISN is configured to query and maintain the AID-RID mapping information of terminals in this network, to encapsulate, route and forward data between this network and the traditional IP network, and to implement interconnection between the two. It includes a format conversion module configured to convert the IPv4/IPv6 address of a network terminal carried in a packet sent from the traditional IP network into the corresponding AID, and to convert the AID of a network terminal into IPv4/IPv6 address format before the packet is sent to a terminal in the traditional IP network;
  • the service providing server is an application system that provides services to users on the Internet.
  • An embodiment of the invention provides a method for single sign-on, described here from the identity providing server side; the method includes:
  • Step 11: the identity providing server confirms that the user has passed access authentication.
  • The identity providing server confirms this according to the identity of the user.
  • Step 12: the identity providing server generates assertion information for the user according to the shared key between itself and the service providing server that the user wants to access, and sends the assertion information to the service providing server.
  • An embodiment of the invention further provides a method for single sign-on, described from the service providing server side; the method includes:
  • Step 21: the service providing server receives the assertion information sent by the identity providing server for the user who wants to access the service providing server.
  • Step 22: the service providing server verifies the assertion information according to the shared key between itself and the identity providing server.
  • Because the service providing server authenticates the user by means of the assertion information sent by the identity providing server, a user accessing Internet application systems no longer needs to register and authenticate repeatedly.
  • An embodiment of the present invention further provides an information processing method, described from the name mapping server side; the method includes:
  • Step 31: the name mapping server (NMS) receives an anonymous identity request sent by the identity providing server, the anonymous identity request carrying the identity of the user;
  • Step 32: according to the anonymous identity request, the NMS generates a pseudonym of the user corresponding to that identity and a lifetime corresponding to the pseudonym, and returns the pseudonym and its lifetime to the identity providing server.
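As an added example that is not part of the patent text, the following Python models the name mapping server side of Steps 31 and 32 and of the anonymous update request described in the information processing method above (the same exchange recurs as Steps 307 to 313 of FIG. 3): a table keyed by AID and service providing server URL that holds a random pseudonym R2 with an expiry, a rename to a user-specified name that resets the lifetime, and expiry handling. The default lifetime, the rule that a name must be unique at one service providing server, the `resolve` lookup, and the result strings `success` and `failure` are assumptions of the example; the page gives no values or rules for them.

```python
import secrets
import time
from dataclasses import dataclass

# The page gives no default lifetime value; one hour is an assumption of this example.
DEFAULT_LIFETIME = 3600.0


@dataclass
class PseudonymEntry:
    """One row of the NMS table: the user's AID, the SP URL, the pseudonym and its expiry."""
    aid: str
    sp_url: str
    pseudonym: str      # R2 at first, later possibly the user-specified name
    expires_at: float   # absolute time derived from the lifetime


class NameMappingServer:
    """Model of the NMS pseudonym service (example code, not the patent's own)."""

    def __init__(self, clock=time.time, rng=None):
        self._clock = clock
        # rng returns one candidate pseudonym; the default is a CSPRNG token (R2 in the text).
        self._rng = rng or (lambda: secrets.token_urlsafe(16))
        # Keyed by (AID, SP URL): one user holds one pseudonym per service providing server.
        self._entries = {}

    def _name_in_use(self, sp_url, name):
        now = self._clock()
        return any(e.sp_url == sp_url and e.pseudonym == name and e.expires_at > now
                   for e in self._entries.values())

    def anonymous_identity_request(self, aid, sp_url, lifetime=DEFAULT_LIFETIME):
        """Steps 31-32 / 307-309: generate R2, store the entry, return (R2, lifetime)."""
        if lifetime <= 0:
            raise ValueError("lifetime must be positive")
        r2 = self._rng()
        # The SP uses the pseudonym as the user's identifier, so it must be unique per SP
        # (an assumption of the example; the page states no uniqueness rule).
        while self._name_in_use(sp_url, r2):
            r2 = self._rng()
        self._entries[(aid, sp_url)] = PseudonymEntry(aid, sp_url, r2, self._clock() + lifetime)
        return r2, lifetime

    def anonymous_update_request(self, aid, current_name, new_name, lifetime):
        """Steps 311-313: replace the current pseudonym by a user-specified name, reset the lifetime."""
        now = self._clock()
        entry = next((e for e in self._entries.values()
                      if e.aid == aid and e.pseudonym == current_name and e.expires_at > now), None)
        if entry is None or lifetime <= 0:
            return "failure"
        if new_name != current_name and self._name_in_use(entry.sp_url, new_name):
            return "failure"          # would collide with another user's name at that SP
        entry.pseudonym = new_name
        entry.expires_at = now + lifetime
        return "success"

    def resolve(self, sp_url, pseudonym):
        """Map a pseudonym seen at an SP back to the AID, or None if unknown or expired."""
        now = self._clock()
        for e in self._entries.values():
            if e.sp_url == sp_url and e.pseudonym == pseudonym and e.expires_at > now:
                return e.aid
        return None


if __name__ == "__main__":
    nms = NameMappingServer()
    r2, lifetime = nms.anonymous_identity_request("aid-0001", "https://sp.example")
    print("pseudonym", r2, "lifetime", lifetime)
    print("rename:", nms.anonymous_update_request("aid-0001", r2, "alice", 600))
    print("resolves to", nms.resolve("https://sp.example", "alice"))
```

Two checks the text leaves implicit are made explicit here: a rename is refused when the requested name is already in use at the same service providing server, because that server uses the pseudonym as the user's identifier and a collision would let two users share one entry; and an expired pseudonym neither resolves nor can be renamed, so the identity providing server has to request a fresh one, which is the situation Step 306 describes.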
  • FIG. 2 is a flowchart of an embodiment of the single sign-on method according to the present invention; the method includes the following steps:
  • Step 201: after receiving an authentication request from the service providing server or a service access request from the user, the identity providing server checks whether a shared key Ks exists between itself and the service providing server. If not, it authenticates the service providing server and, after the authentication succeeds, generates the shared key Ks.
  • The authentication method includes, but is not limited to, pre-shared key, TLS, public key infrastructure (PKI), IP security (IPsec) and the like; since these are all existing technologies, they are not detailed here.
  • Step 202: the identity providing server confirms that the user has passed access authentication, protects the user's identity by having the name mapping server generate a pseudonym according to the user's anonymous service request, and generates assertion information for the user for the service providing server.
  • Step 203: after receiving the assertion information sent by the identity providing server, the service providing server verifies it. If the verification succeeds, the service providing server creates an entry corresponding to the user's pseudonym and provides the service to the user.
  • By reusing the access authentication and the pseudonym, the above single sign-on method solves the problems that a user accessing Internet application systems must register and authenticate repeatedly and that identity privacy is leaked.
  • FIG. 3 is a signaling flowchart of an embodiment of a single sign-on method initiated by the service providing server according to the present invention; the method includes:
  • Step 301: access authentication is performed between the MN, the ASN and the authentication center. After the authentication passes, the identity separation network allocates an access identifier AID to the user.
  • Packets sent by the user terminal carry the AID; the ASN allocates an RID to the user, and routing is performed by RID to reach the ISN. The ISN obtains the user's AID from the packet, converts it into IPv4/IPv6 address form, and sends the packet on to the traditional IP network.
  • Step 302: the MN initiates a service access request to the service providing server.
  • Step 303: the user selects an identity providing server on the service providing server's page, and the service providing server generates a random number R1 according to the current timestamp, as the user's temporary identifier within the service providing server, and constructs an authentication request message carrying the service providing server URL, the identity providing server URL and the random number R1;
  • Step 304: the service providing server redirects the authentication request message to the identity providing server using the hypertext transfer protocol (HTTP);
  • Step 305: the user sends an anonymous service request to the identity providing server through the terminal;
  • Step 306: the identity providing server obtains the user's access identifier AID from the packet, confirms that the user has passed access authentication, and checks whether a shared key Ks exists between itself and the service providing server. If not, it authenticates the service providing server and, after the authentication succeeds, generates the shared key Ks. It then determines that no pseudonym corresponding to the user exists, or that the lifetime of the existing pseudonym has expired;
  • The manner in which the identity providing server authenticates the service providing server includes, but is not limited to, pre-shared key, PKI, TLS or IPsec authentication; since these are all prior art, they are not described here;
  • Step 307: the identity providing server sends an anonymous identity request message to the NMS, the request message carrying the user's AID and the URL of the service providing server;
  • Step 308: after receiving the anonymous identity request message, the NMS generates a random number R2 and a default lifetime, uses R2 as the pseudonym of the corresponding user, and constructs an entry associating the MN's AID, the service providing server URL, R2 and the lifetime, as shown in Table 1;
  • Step 309: the NMS sends an anonymous identity response message to the identity providing server, the response message carrying the user's AID, the service providing server URL, the random number R2 and the lifetime;
  • Step 310: the identity providing server sends an anonymous service response message to the user terminal, the response message carrying the service providing server URL, the random number R2 and the lifetime;
  • Step 311: the user sends a specified user name and its lifetime to the identity providing server through the terminal.
  • That is, the user may replace the random number R2 by a specified user name, the name the user wishes to be presented under, and specify the desired lifetime;
  • Step 312: the identity providing server sends an anonymous update request message to the NMS, the message carrying the user's AID, the random number R2, the user-specified pseudonym and the lifetime;
  • Step 313: after adding the user-specified pseudonym and updating the lifetime, the NMS sends an anonymous update response message to the identity providing server, the message carrying the result of the update (success or failure).
  • Step 314: the identity providing server constructs an authentication response message that contains the assertion information. The assertion information carries the random number R1, the service providing server URL, the identity providing server URL, the pseudonym R2 generated by the NMS or the user-specified user name, the signature algorithm, and the signature result computed with Ks;
  • The signature result here is calculated by the identity providing server, using the signature algorithm and the shared key, over the service providing server URL, the identity providing server URL, and the pseudonym R2 generated by the NMS or the user-specified user name. In this embodiment the identity providing server URL represents the identity information of the identity providing server, the service providing server URL represents the identity information of the service providing server, and the pseudonym R2 generated by the NMS or the user-specified user name represents the identity information of the user; the random number R1 is used to prevent replay attacks;
  • Step 315: the identity providing server sends the authentication response message to the service providing server by HTTP redirection;
  • Step 316: the service providing server verifies the integrity of the assertion using the shared key Ks it holds with the identity providing server, and checks whether R1 was generated recently and whether it has been seen before;
  • That is, the service providing server calculates a signature over the service providing server URL, the identity providing server URL, and the pseudonym R2 generated by the NMS or the user-specified user name carried in the assertion information, using the signature algorithm carried in the assertion information and the shared key negotiated with the identity providing server, and compares the result with the signature result carried in the assertion information. If the two are consistent, the assertion is intact. At the same time it determines, from the generation time of R1, whether R1 was generated recently and whether it is a repeat; if R1 is recent and not repeated, the verification passes.
  • Step 317: after the above verification passes, the service providing server creates an entry of the random number R2 or the specified user name for the user MN;
  • Step 318: the service providing server returns a service access response to the user and provides the service, using R2 or the user name as the user's identifier within the service providing server.
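As an added example, not code from the patent, the following Python carries the assertion exchange of Steps 303 and 314 to 317 through on both sides (the same fields are listed in the method summaries above): the service providing server issues R1, the identity providing server builds the assertion and its signature result under the shared key Ks, and the service providing server verifies integrity and R1 freshness before creating the user's entry. HMAC-SHA256 as the signature algorithm, the length-prefixed encoding of the fields, the five-minute R1 window and the URLs are assumptions of the example. Two points deviate deliberately from the literal text and are marked in the comments: Step 303 derives R1 from the current timestamp, whereas the example draws it from a CSPRNG and records the issue time server-side, because a clock-derived value is guessable; and the signature inputs listed in Steps 314 and 316 are the two URLs and the pseudonym, whereas the example also feeds R1 into the MAC, so that a captured signature result cannot be paired with a fresh R1 to satisfy the freshness check. Note also that the "signature" is a MAC under a key both servers hold, so it proves origin only to the other key holder, not to a third party.

```python
import hashlib
import hmac
import secrets
import time

# The page names no concrete signature algorithm; HMAC-SHA256 and this label are
# assumptions of the example. The "signature result" is a MAC under the shared key Ks.
SIG_ALG = "HMAC-SHA256"


def _mac_input(r1, sp_url, idp_url, user_id):
    """Length-prefix each field so that two different field tuples never encode alike."""
    out = b""
    for field in (r1, sp_url, idp_url, user_id):
        data = field.encode("utf-8")
        out += len(data).to_bytes(2, "big") + data
    return out


def compute_signature(ks, alg, r1, sp_url, idp_url, user_id):
    """Signature result over the assertion fields. R1 is included here on purpose; the
    text lists only the two URLs and the pseudonym as inputs (see the lead-in)."""
    if alg != SIG_ALG:
        raise ValueError("unsupported signature algorithm: " + str(alg))
    return hmac.new(ks, _mac_input(r1, sp_url, idp_url, user_id), hashlib.sha256).hexdigest()


def idp_issue_assertion(ks, auth_request, idp_url, user_id):
    """Step 314: the IdP asserts user_id (R2 from the NMS, or the user-specified name)."""
    r1, sp_url = auth_request["R1"], auth_request["sp_url"]
    return {"R1": r1, "sp_url": sp_url, "idp_url": idp_url, "user_id": user_id,
            "alg": SIG_ALG, "sig": compute_signature(ks, SIG_ALG, r1, sp_url, idp_url, user_id)}


class ServiceProvidingServer:
    """SP side of FIG. 3 (Steps 303, 316, 317); example code, not the patent's own."""

    def __init__(self, url, idp_url, ks, clock=time.time, r1_window=300.0):
        self.url = url
        self.idp_url = idp_url
        self._ks = ks
        self._clock = clock
        self._r1_window = r1_window   # seconds an issued R1 stays acceptable (assumed value)
        self._pending = {}            # R1 -> time it was issued
        self._used = set()            # R1 values already redeemed by a verified assertion
        self.entries = {}             # user identifier -> time of first successful login (Step 317)

    def new_authentication_request(self):
        """Step 303. R1 comes from a CSPRNG rather than from the timestamp, so it cannot
        be predicted; the issue time is kept server-side for the freshness check."""
        r1 = secrets.token_urlsafe(16)
        self._pending[r1] = self._clock()
        return {"sp_url": self.url, "idp_url": self.idp_url, "R1": r1}

    def verify_assertion(self, a):
        """Step 316: accepted algorithm, correct SP/IdP pair, fresh unused R1, then the MAC."""
        if a.get("alg") != SIG_ALG:
            return False, "algorithm not accepted"
        if a.get("sp_url") != self.url or a.get("idp_url") != self.idp_url:
            return False, "assertion not addressed to this SP/IdP pair"
        r1 = a.get("R1")
        issued = self._pending.get(r1)
        if issued is None or r1 in self._used:
            return False, "R1 unknown or already used"
        if self._clock() - issued > self._r1_window:
            del self._pending[r1]
            return False, "R1 expired"
        user_id = a.get("user_id", "")
        expected = compute_signature(self._ks, SIG_ALG, r1, a["sp_url"], a["idp_url"], user_id)
        if not hmac.compare_digest(expected.encode(), str(a.get("sig", "")).encode()):
            return False, "integrity check failed"
        del self._pending[r1]          # redeem R1 only once every check has passed
        self._used.add(r1)
        self.entries.setdefault(user_id, self._clock())   # Step 317: create the user's entry
        return True, "ok"


if __name__ == "__main__":
    ks = secrets.token_bytes(32)                       # stand-in for Ks agreed in Step 201
    sp = ServiceProvidingServer("https://sp.example", "https://idp.example", ks)
    request = sp.new_authentication_request()          # Steps 303-304
    assertion = idp_issue_assertion(ks, request, "https://idp.example", "R2-pseudonym")
    print(sp.verify_assertion(assertion))              # (True, 'ok')
    print(sp.verify_assertion(assertion))              # replay: (False, 'R1 unknown or already used')
```

The checks run cheapest-first and the assertion is only redeemed at the end: an unknown algorithm, a wrong audience or a stale or reused R1 is rejected before any MAC work, and R1 is consumed only after the MAC matches, so a failed attempt cannot silently finish the user's login. Including R1 in the MAC is what makes the last two cases in the test fail; with the inputs exactly as the text lists them, a captured signature result over the same URLs and pseudonym would verify under any fresh R1.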
  • FIG. 4 it is a signaling flowchart of an embodiment of a single sign-on method initiated by an identity providing server according to the present invention. The method includes the following steps:
  • Step 401 The access authentication is performed between the MN, the ASN, and the authentication center. After the authentication is passed, the identity separation network allocates an access identifier AID to the user.
  • Packets sent by the user terminal carry the AID; the ASN allocates an RID to the user, and routing by RID locates the ISN. The ISN obtains the user's AID from the packet, converts the packet to IPv4/IPv6 addressing and forwards it to the traditional IP network.
  • Step 402 The MN initiates a service access request to the identity providing server.
  • Step 403 The MN selects a service to be accessed on the identity providing server page, and sends an anonymous service request to the identity providing server.
  • Step 404: The identity providing server obtains the user's access identifier AID from the packet, confirms that the user has passed access authentication, and checks whether a shared key Ks exists between itself and the service providing server. If not, it authenticates the service providing server and, once authentication passes, generates the shared key Ks. It also checks whether no pseudonym corresponds to the AID, or whether the corresponding pseudonym has expired.
  • Step 405 The identity providing server sends an anonymous identity request message to the NMS according to the anonymous service request of the user, where the request message carries the user's AID and the service providing server URL;
  • Step 406: After receiving the anonymous identity request message, the NMS generates a random number R2 and a default lifetime as the pseudonym of the corresponding user, and constructs an entry mapping the AID of the MN and the service providing server URL to R2 and the lifetime, as shown in Table 1.
  • Step 407 The NMS sends an anonymous identity response message to the identity providing server, where the response message carries the user's AID, the service provider server URL, the random number R2, and the lifetime;
  • Step 408 The identity providing server sends an anonymous service response message to the user, where the response message carries the service providing server URL, the random number R2, and the lifetime;
  • Step 409: The user sends the specified username and its lifetime to the identity providing server through the terminal; the user may replace the random number R2 with a specified username, that is, the username the user wishes to present, and specify the desired lifetime.
  • Step 410 The identity providing server sends an anonymous update request message to the NMS, where the message carries the user's AID, the random number R2, the user-specified pseudonym, and the lifetime;
  • Step 411 After adding the user-specified pseudonym and updating the lifetime, the NMS sends an anonymous update response message to the identity providing server, where the message carries the result of the successful or failed update.
  • Step 412: The identity providing server generates a random number R1 from the current timestamp and constructs an authentication response message containing the assertion information, which carries the random number R1, the service providing server URL, the identity providing server URL, the pseudonym R2 generated by the NMS or the user-specified username, the signature algorithm and the signature result computed with Ks;
  • Step 413 The identity providing server sends an authentication response message to the service providing server by using HTTP redirection;
  • Step 414 The service providing server verifies the integrity of the assertion by using the shared key Ks with the identity providing server, and checks whether R1 is recently generated, whether it is repeated, or the like;
  • Step 415 After the foregoing verification is passed, the service providing server creates a random number R2 or an entry of the specified user name for the user MN;
  • Step 416 The service providing server returns a service access response to the user, and uses R2 or the user name as the user to provide the service to the user in the identifier of the service providing server.
  • Since steps 403-416 in this embodiment are similar to steps 305-318 in the embodiment above, they are not described in detail here.
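The following is an added example, not code from the patent, of the name mapping server side of steps 404-411: the Table 1 entry keyed by the user's AID and the service providing server URL, the pseudonym R2 with its default lifetime, reuse of an unexpired pseudonym (the condition the identity providing server checks in step 404), and the anonymous update that replaces R2 with a user-specified username and lifetime. Assumptions not stated in the text: lifetimes are in seconds, R2 is 128 random bits rendered as hex, and a username may be held by only one user per service providing server, since the service providing server keys its entry on that name.

```python
# Added example (not code from the patent): the name mapping server (NMS) side of
# steps 404-411, i.e. the Table 1 entry (AID, service providing server URL, R2,
# lifetime), its reuse while unexpired, and the update to a user-specified name.
# Assumptions: lifetimes are seconds, R2 is 128 random bits rendered as hex, and a
# pseudonym must be unique among the users of one service providing server.
import secrets
from typing import Optional

DEFAULT_LIFETIME_S = 24 * 3600   # assumption: the "default lifetime" of step 406


class NameMappingServer:
    def __init__(self):
        # Table 1: (AID, SP URL) -> {"pseudonym": R2 or username, "expires": absolute time}
        self.table = {}

    def _unexpired(self, aid: str, sp_url: str, now: int) -> Optional[dict]:
        entry = self.table.get((aid, sp_url))
        return entry if entry and entry["expires"] > now else None

    def anonymous_identity(self, aid: str, sp_url: str, now: int,
                           lifetime: int = DEFAULT_LIFETIME_S) -> dict:
        """Steps 406/407: return the pseudonym for this user at this SP.

        A fresh R2 is generated when no entry exists or the old one has expired
        (the condition the IdP checks in step 404); otherwise the current one is
        reused so the user keeps a stable identity at that SP. Keying on the SP
        URL as well as the AID means two SPs see unrelated pseudonyms for the
        same user and cannot correlate them."""
        entry = self._unexpired(aid, sp_url, now)
        if entry is None:
            entry = {"pseudonym": secrets.token_hex(16), "expires": now + lifetime}
            self.table[(aid, sp_url)] = entry
        return {"aid": aid, "sp_url": sp_url,
                "pseudonym": entry["pseudonym"], "lifetime": entry["expires"] - now}

    def anonymous_update(self, aid: str, r2: str, username: str, lifetime: int, now: int) -> dict:
        """Steps 410/411: replace R2 with the user-specified name and lifetime."""
        for (entry_aid, sp_url), entry in self.table.items():
            if entry_aid != aid or entry["pseudonym"] != r2 or entry["expires"] <= now:
                continue
            # The chosen name must not collide with another user's name at the same SP,
            # otherwise the SP's entry (step 317/415) would be shared between users.
            taken = any(other["pseudonym"] == username and other is not entry
                        for (_, other_sp), other in self.table.items() if other_sp == sp_url)
            if taken:
                return {"result": "failed", "reason": "username already in use at this SP"}
            entry["pseudonym"] = username
            entry["expires"] = now + lifetime
            return {"result": "success"}
        # No live entry with that R2 for this AID: a caller cannot rename someone else's pseudonym.
        return {"result": "failed", "reason": "no current pseudonym matches"}


if __name__ == "__main__":
    nms = NameMappingServer()
    first = nms.anonymous_identity("AID-1", "https://sp.example/", now=1000)   # constructed AID
    print(first)
    print(nms.anonymous_update("AID-1", first["pseudonym"], "alice", 3600, now=2000))
    print(nms.anonymous_identity("AID-1", "https://sp.example/", now=3000))   # now "alice"
```

Requiring the current R2 in the update request is what ties the rename to the identity providing server's own session: the NMS never accepts a bare AID-to-name change, so a request that guesses an AID but not its live pseudonym fails.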
  • As shown in FIG. 5, the identity providing server includes a confirming module 51 and an assertion information processing module 52, where:
  • the confirmation module 51 is configured to confirm that the user has passed access authentication;
  • the assertion information processing module 52 is configured to: after the confirmation module 51 confirms that the user passes the access authentication, generate the assertion information for the user according to the shared key between the identity providing server and the service providing server that the user wants to access, And transmitting the assertion information to the service providing server.
  • The identity providing server further includes a key generating module, configured to check, after receiving an authentication request sent by the service providing server or a service access request sent by the user and before the assertion information processing module generates the assertion information for the user, whether the shared key exists and, if not, to generate the shared key after the service providing server has passed authentication.
  • the identity providing server further includes: an obtaining module, configured to: after the confirming module confirms that the user passes the access authentication, before the assertion information processing module generates the assertion information for the user, Obtaining a pseudonym for the user and a lifetime corresponding to the pseudonym.
  • the obtaining module is configured to send an anonymous identity request to a name mapping server (NMS) according to the anonymous service request of the user, and receive a pseudonym of the user generated by the NMS according to the anonymous identity request. And the lifetime corresponding to the pseudonym.
  • Since the user may also modify the username, the obtaining module is further configured to receive an anonymous update request sent by the user carrying the specified username and corresponding lifetime, send the anonymous update request to the NMS, and receive the update result returned by the NMS.
  • The assertion information carries a random number, the identity information of the identity providing server, the identity information of the service providing server, the identity information of the user, a signature algorithm and the signature result calculated by the identity providing server according to the shared key; the identity information of the user includes the pseudonym or the specified username.
  • After confirming that the user has passed access authentication, the identity providing server provides the service providing server with the assertion information of the user, so that the user does not need to enter authentication information when accessing the service providing server.
  • FIG. 6 is a schematic structural diagram of an embodiment of a service providing server according to the present invention.
  • the service providing server includes a receiving module 61 and a verifying module 62, where:
  • the receiving module 61 is configured to receive the assertion information sent by the identity providing server to the user who wants to access the service providing server;
  • The verification module 62 is configured to verify the assertion information according to the shared key between the service providing server and the identity providing server.
  • The service providing server further includes a service providing module, configured to create, after the verification module has verified the assertion information, an entry corresponding to the identity information of the user contained in the assertion information, and to provide the service to the user.
  • The verification module recomputes the signature, with the signature algorithm carried in the assertion information, over the service providing server URL, the identity providing server URL and the pseudonym R2 generated by the NMS (or the user-specified username) carried in the assertion information, keyed with the shared key negotiated with the identity providing server.
  • The recomputed signature result is compared with the signature result carried in the assertion information; if the two match, the assertion is intact. At the same time, the generation time of R1 is used to determine whether it is recent and whether it has been repeated; if R1 is recent and not repeated, verification passes.
  • The service providing server performs the single sign-on of the user according to the assertion information sent by the identity providing server, and effectively protects the user's privacy.
  • As shown in FIG. 7, the NMS includes a receiving module 71 and a generating and sending module 72, where:
  • the receiving module 71 is configured to receive an anonymous identity request sent by the identity providing server, where the anonymous identity request carries the identity of the user;
  • The generating and sending module 72 is configured to return the user's pseudonym and its corresponding lifetime to the identity providing server according to the anonymous identity request received by the receiving module.
  • The generating and sending module is further configured to receive the anonymous update request from the user, forwarded by the identity providing server and carrying the specified username and corresponding lifetime, perform the update according to it, and return the update result.
  • The name mapping server shown in FIG. 7 and the identity providing server shown in FIG. 5 can be combined; the combined device is shown in FIG. 8. The functions of its modules are the same as those of the corresponding modules in FIG. 5 and FIG. 7 and are not described again here.
  • The embodiment of the present invention further provides a single sign-on system, which includes a service providing server 91, an identity providing server 92 and a name mapping server 93. The functions of the modules in the system can be the same as those of the corresponding modules in FIG. 5 to FIG. 7 and are not repeated here.
  • In the single sign-on system, after receiving the authentication request of the service providing server or the service access request of the user, the identity providing server checks whether the shared key Ks exists; if not, it authenticates the service providing server and, after authentication passes, generates Ks. The identity providing server confirms the user's access authentication according to the user's identity, protects the user's identity by having a name mapping server (NMS) generate a pseudonym according to the user's anonymous service request, and generates the user's assertion information. After receiving the assertion information from the identity providing server, the service providing server verifies its validity and, if verification passes, creates an entry corresponding to the pseudonym and provides the service to the user.
  • the name mapping server may not be included in the above system, and accordingly, the obtaining module is not required to be included in the identity providing server.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Storage Device Security (AREA)

Abstract

A single sign-on method, a single sign-on system, an information processing method, an information processing device, an identity providing server, a service providing server and a name mapping server. The single sign-on method includes: an identity providing server confirming that a user has passed access authentication; the identity providing server generating assertion information about the user according to the shared key between itself and the service providing server the user wishes to access, and sending the assertion information to the service providing server. By reusing access authentication, the embodiments of the present invention solve the problem that a user has to register and authenticate many times when accessing the Internet, and protect user privacy by generating a pseudonym, avoiding leakage of the user's private information.

Description

Single sign-on method and system, and information processing method and system
Technical field
The present invention relates to the field of network communications, and in particular to a single sign-on method, a single sign-on system, an information processing method, an information processing system, an identity providing server, a service providing server and a name mapping server.
Background
In the Transmission Control Protocol (TCP)/Internet Protocol (IP) architecture the core is the IP protocol at the network layer, which enables mutual access between users through IP addresses. Applications such as web browsing, e-mail and instant messaging are all carried on top of application-layer protocols.
Before using these services, users must access the Internet through the underlying network provided by a telecom operator. Different users may have different access modes, such as the various types of digital subscriber line (xDSL), optical fibre, mobile access and so on. In general the user terminal obtains an IP address and thereafter accesses the various applications on the Internet through that IP address, which thus serves as the user's temporary identity.
Because the prefix part of an IP address indicates the subnet where the user is currently located, a different IP address must be assigned when the user's location changes; otherwise routers cannot forward packets to the user correctly. Since an IP address carries the dual attributes of identity and location, and the IP address a user obtains is not necessarily the same each time, it cannot serve as the user's long-term identity. Application systems on the Internet therefore have to build their own user identity systems, that is, the usual user account systems.
As a result, a user accessing an application on the Internet is authenticated twice: the operator authenticates the user once when the user accesses the Internet, and the application system on the Internet performs its own authentication when the user accesses it.
With the rapid development of information and network technology there are more and more application systems on the Internet. Because these systems are independent of each other, a user must register with each one before using it and log in with the corresponding identity, so the user has to remember a username and password for every application system, which is a considerable burden. In this situation the concept of single sign-on was proposed and put into use.
Single sign-on (SSO) is a technique that makes it convenient for a user to access multiple application systems: the user authenticates only once at login and can then move freely between the application systems without repeatedly entering a username and password to confirm identity.
In the Internet single sign-on systems of the related art, a user must register with an identity provider (IdP) before using single sign-on, and the service providing server of a service provider (SP) relies on the authentication result of the IdP's identity providing server to provide services to the user. Moreover, because Internet IdPs are usually deployed in a decentralised way, if an SP adopts single sign-on the scale of its business depends largely on the number of users registered with the IdP it relies on. The main single sign-on technologies are OpenID, Passport and Liberty Alliance. OpenID is easy to use but has security weaknesses and does not defend well against phishing attacks; Passport is easy to use and somewhat more secure, but is currently only suitable for use inside an SP; Liberty Alliance offers a certain level of security but is hard to deploy and inconvenient for users.
Since a user has to access the operator's network before accessing Internet applications, the operator can act as the IdP. An operator acting as IdP has the following advantages: the operator's access authentication gives a good guarantee of security; the user does not need to register again, so it is easy to use; and, compared with an Internet IdP, the operator already has a high-quality, mature user base.
At present the dual-attribute defect of IP addresses causes mobility and security problems and has become a bottleneck for the further development of the Internet industry. To solve this problem the industry has proposed techniques such as HIP (Host Identity Protocol) and LISP (Locator/Identifier Separation Protocol). What these techniques have in common is the introduction of two kinds of codes: an identity code representing the user's identity and a location code representing the user's location. Every user has both an identity code and a location code; the user communicates with its peer on the basis of the identity code, and when the user's location changes the identity code stays the same while the location code changes. In this way the identity code always corresponds to the user, and the ambiguity of IP addresses disappears.
In the related identity/locator separation network technologies, however, the user identity code is used only to identify the user at the network layer, so a user accessing Internet application systems still has to register and authenticate many times. On the other hand, because a user registers accounts with a large number of different Internet application systems, and for convenience the registered accounts usually follow a pattern, the user's private identity information is easily leaked.
Summary of the invention
The embodiments of the present invention provide a single sign-on method, a single sign-on system, an information processing method, an information processing system, an identity providing server, a service providing server and a name mapping server, so as to solve the problem that a user has to register and authenticate many times when accessing Internet application systems.
An embodiment of the present invention provides a single sign-on method, which includes:
the identity providing server confirming that the user has passed access authentication; and
the identity providing server generating assertion information for the user according to the shared key between itself and the service providing server the user wishes to access, and sending the assertion information to the service providing server.
Preferably, before the identity providing server generates the assertion information for the user according to the shared key between itself and the service providing server the user wishes to access, the method further includes:
after receiving an authentication request sent by the service providing server or a service access request sent by the user, the identity providing server checking whether the shared key exists and, if it does not, generating the shared key after the service providing server has passed authentication.
Preferably, before the identity providing server generates the assertion information for the user, the method further includes:
Preferably, the identity providing server obtaining a pseudonym for the user and a lifetime corresponding to the pseudonym includes:
the identity providing server sending an anonymous identity request to a name mapping server (NMS) according to the user's anonymous service request, and receiving the pseudonym of the user generated by the NMS according to the anonymous identity request together with the lifetime corresponding to the pseudonym.
Preferably, after the identity providing server obtains a pseudonym for the user and the lifetime corresponding to the pseudonym, the method further includes:
the identity providing server receiving an anonymous update request sent by the user carrying a specified username and corresponding lifetime, sending the anonymous update request to the NMS, and receiving the update result returned by the NMS.
Preferably, the assertion information carries a random number, the identity information of the identity providing server, the identity information of the service providing server, the identity information of the user, a signature algorithm and the signature result calculated by the identity providing server according to the shared key; the identity information of the user includes the pseudonym or the specified username.
An embodiment of the present invention also provides a single sign-on method, which includes:
the service providing server receiving the assertion information, sent by the identity providing server, about a user who wishes to access the service providing server; and the service providing server verifying the assertion information according to the shared key between itself and the identity providing server.
Preferably, after the service providing server verifies the assertion information according to the shared key between itself and the identity providing server, the method further includes:
if the verification passes, the service providing server creating an entry corresponding to the identity information of the user contained in the assertion information and providing the service to the user; the identity information of the user being the user's pseudonym or specified username.
Preferably, before the service providing server receives the assertion information sent by the identity providing server about the user who wishes to access the service providing server, the method further includes:
after receiving the service access request sent by the user, the service providing server generating a random number and sending an authentication request carrying the random number to the identity providing server.
Preferably, the assertion information carries the random number, the identity information of the identity providing server, the identity information of the service providing server, the identity information of the user, the signature algorithm and the signature result calculated by the identity providing server according to the shared key;
and the service providing server verifying the assertion information according to the shared key between itself and the identity providing server includes:
the service providing server calculating a signature result from the identity information of the identity providing server, the identity information of the service providing server, the identity information of the user, the signature algorithm and the shared key, and comparing the signature result it calculated with the signature result calculated by the identity providing server; and
judging whether the generation time of the random number is the most recent and whether the random number is unique.
An embodiment of the present invention also provides an information processing method, which includes:
a name mapping server (NMS) receiving an anonymous identity request sent by the identity providing server, the anonymous identity request carrying the identity of the user; and
the NMS generating, according to the anonymous identity request, a pseudonym for the user corresponding to that identity and a lifetime corresponding to the pseudonym, and returning the user's pseudonym and the lifetime corresponding to the pseudonym to the identity providing server.
Preferably, after the NMS sends the user's pseudonym and the lifetime corresponding to the pseudonym to the identity providing server, the method further includes:
the NMS receiving the anonymous update request from the user, forwarded by the identity providing server and carrying the specified username and corresponding lifetime, performing the update according to the anonymous update request, and returning the update result.
本发明实施例还提供了一种身份提供服务器, 该身份提供服务器包括: 确认模块, 其设置为: 确认用户通过接入认证;  The embodiment of the present invention further provides an identity providing server, where the identity providing server includes: an acknowledgment module, configured to: confirm that the user passes the access authentication;
an assertion information processing module, configured to: after the confirmation module confirms that the user has passed access authentication, generate assertion information for the user according to the shared key between the identity providing server and the service providing server the user wants to access, and send the assertion information to the service providing server.
Preferably, the identity providing server further includes:
a key generation module, configured to: before the assertion information processing module generates the assertion information for the user, and after receiving the authentication request sent by the service providing server or the service access request sent by the user, check whether the shared key exists and, if it does not, generate the shared key after the service providing server has passed authentication.
Preferably, the identity providing server further includes:
an obtaining module, configured to: after the confirmation module confirms that the user has passed access authentication and before the assertion information processing module generates the assertion information for the user, obtain a pseudonym for the user and the lifetime corresponding to the pseudonym.
Preferably, the obtaining module is configured to: send an anonymous identity request to a name mapping server (NMS) according to the user's anonymous service request, and receive from the NMS the user's pseudonym, generated according to the anonymous identity request, and the lifetime corresponding to the pseudonym.
Preferably, the obtaining module is further configured to: receive an anonymous update request sent by the user that carries a specified user name and a corresponding lifetime, forward the anonymous update request to the NMS, and receive the update result returned by the NMS.
Preferably, the assertion information carries a random number, the identity information of the identity providing server, the identity information of the service providing server, the identity information of the user, a signature algorithm, and the signature result computed by the identity providing server with the shared key; the identity information of the user includes the pseudonym or the specified user name.
An embodiment of the present invention further provides a service providing server, which includes: a receiving module, configured to: receive assertion information, sent by an identity providing server, about a user who wants to access the service providing server;
a verification module, configured to: verify the assertion information according to the shared key between the service providing server and the identity providing server.
Preferably, the service providing server further includes:
a service providing module, configured to: after the verification module has verified the assertion information, create an entry corresponding to the identity information of the user contained in the assertion information, and provide service to the user.
An embodiment of the present invention provides a name mapping server (NMS), which includes: a receiving module, configured to: receive an anonymous identity request sent by an identity providing server, the anonymous identity request carrying the identity of the user;
a generating and sending module, configured to: according to the anonymous identity request received by the receiving module, return to the identity providing server the user's pseudonym and the lifetime corresponding to the pseudonym.
Preferably, the generating and sending module is further configured to: receive, via the identity providing server, the user's anonymous update request carrying a specified user name and a corresponding lifetime, perform the update according to the anonymous update request, and return the update result.
An embodiment of the present invention further provides an information processing system, which includes the above identity providing server and the above name mapping server.
An embodiment of the present invention further provides a single sign-on system, which includes the above identity providing server and the above service providing server.
An embodiment of the present invention further provides a single sign-on system, which includes the above identity providing server, the above name mapping server and the above service providing server.
In the embodiments of the present invention, reusing the access authentication solves the problem that a user must register and authenticate repeatedly when accessing the Internet, and generating pseudonyms protects the user's privacy and prevents its leakage.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic diagram of the network element architecture involved in the embodiments of the present invention;
FIG. 2 is a flowchart of an embodiment of the single sign-on method of the present invention;
FIG. 3 is a signaling flowchart of an embodiment of the single sign-on method of the present invention initiated by the service providing server;
FIG. 4 is a signaling flowchart of an embodiment of the single sign-on method of the present invention initiated by the identity providing server;
FIG. 5 is a schematic structural diagram of an embodiment of the identity providing server of the present invention;
FIG. 6 is a schematic structural diagram of an embodiment of the service providing server of the present invention;
FIG. 7 is a schematic structural diagram of an embodiment of the name mapping server of the present invention;
FIG. 8 is a schematic structural diagram of an embodiment of the information processing apparatus of the present invention;
FIG. 9 is a schematic structural diagram of an embodiment of the single sign-on system of the present invention.
PREFERRED EMBODIMENTS OF THE INVENTION
The embodiments of the present invention are described in detail below with reference to the accompanying drawings. Note that, where there is no conflict, the embodiments in this application and the features of the embodiments may be combined with each other arbitrarily.
First, the network element architecture involved in the embodiments of the present invention is introduced. As shown in FIG. 1, the architecture includes a user terminal (Mobile Node, MN) 101, an access service node (Access Service Node, ASN) 102, an authentication center 103, the identity providing server 104 of an identity provider (Identity Provider, IdP), a name mapping server (Name Mapping Server, NMS) 105, an interconnect service node (Interconnect Service Node, ISN) 106 and the service providing server 107 of a service provider (Service Provider, SP), where:
the MN accessing the network may be one or more of mobile terminals and fixed terminals, such as a mobile phone, a fixed telephone, a computer or an application server;
the ASN is configured to: provide access service for the user terminal, maintain the connection between the terminal and the network, assign a routing identifier (Routing Identifier, RID) to the terminal, register and query the terminal's RID at the identity location register (ILR)/packet transfer function (PTF), maintain the access identifier (Access Identifier, AID) to RID mapping information, and route and forward data packets;
the authentication center is configured to: record attribute information of the network's users, such as user category, authentication information and user service level, and complete access authentication and authorization of the terminal; it may also provide charging. The authentication center supports mutual authentication between the terminal and the network and can generate user security information for authentication, integrity protection and confidentiality protection;
the identity providing server provides the service providing server with assertion information about the user, authenticates the service providing server and checks its legitimacy; it queries the user's attribute information through its interface with the authentication center, and provides the user's pseudonym service through its interface with the NMS;
the NMS generates a pseudonym, based on the user identity supplied by the identity providing server, to serve as a substitute identity for the user, and creates an entry associating the pseudonym with the user identity information, the service providing server's uniform resource locator (URL) and the lifetime; if the user modifies the pseudonym or its lifetime, the NMS also updates this information after receiving an anonymous update request from the identity providing server. The NMS and the identity providing server may be deployed separately, or the NMS may be deployed as a functional module of the identity providing server;
the ISN is used to query and maintain the AID-RID mapping information of terminals in this network, and to encapsulate, route and forward the data packets exchanged between this network and the traditional IP network, implementing interworking between the two. It includes a format conversion module that converts the IPv4/IPv6 address of a terminal of this network, contained in a data packet sent from the traditional IP network, into the corresponding AID, and converts the AID of a terminal of this network into IPv4/IPv6 address format before sending the packet to a terminal in the traditional IP network;
the service providing server is an application system on the Internet that provides services to users.
An embodiment of the present invention provides a single sign-on method, described from the identity providing server side, which includes:
Step 11: the identity providing server confirms that the user has passed access authentication;
the identity providing server confirms, according to the user's identity, that the user has passed access authentication;
Step 12: the identity providing server generates assertion information for the user according to the shared key between itself and the service providing server the user wants to access, and sends the assertion information to the service providing server.
An embodiment of the present invention further provides a single sign-on method, described from the service providing server side, which includes:
Step 21: the service providing server receives assertion information, sent by the identity providing server, about a user who wants to access the service providing server;
Step 22: the service providing server verifies the assertion information according to the shared key between itself and the identity providing server.
The service providing server above authenticates the user with the assertion information sent by the identity providing server, so that the user does not need to register and authenticate repeatedly when accessing Internet application systems. In addition, to avoid leaking user privacy, an embodiment of the present invention provides an information processing method, described from the name mapping server side, which includes:
Step 31: the name mapping server (NMS) receives an anonymous identity request sent by the identity providing server, the anonymous identity request carrying the identity of the user;
Step 32: according to the anonymous identity request, the NMS generates a pseudonym for the user corresponding to that identity and a lifetime corresponding to the pseudonym, and returns the user's pseudonym and the corresponding lifetime to the identity providing server.
To describe the single sign-on method of the embodiments more clearly, it is described below from the perspective of the interaction among the identity providing server, the service providing server and the name mapping server. FIG. 2 is a flowchart of an embodiment of the single sign-on method of the present invention; the method includes the following steps:
Step 201: after receiving an authentication request from the service providing server or a service access request from the user, the identity providing server checks whether a shared key Ks exists between itself and the service providing server; if not, it authenticates the service providing server and, after successful authentication, generates the shared key Ks. The authentication method includes, but is not limited to, pre-shared key, TLS, public key infrastructure (PKI) and Internet Protocol security (IPsec); since these are all existing techniques, they are not described further here.
Step 202: the identity providing server confirms that the user has passed access authentication, protects the user's identity by having the name mapping server generate a pseudonym according to the user's anonymous service request, and generates assertion information about the user for the service providing server;
Step 203: after receiving the assertion information sent by the identity providing server, the service providing server verifies it; if verification succeeds, it creates an entry corresponding to the user's pseudonym and provides service to the user.
By reusing access authentication and using pseudonyms, the single sign-on method above solves the problems of repeated registration and authentication and of identity privacy leakage when a user accesses Internet application systems.
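As an added illustration (not code from the patent) of the name mapping server's part of the flow above (steps 31 and 32, and the pseudonym generation in step 202), the following Python sketch keeps one Table 1 entry per MN and service providing server, issues a random pseudonym R2 with a default lifetime, lets only a request presenting the matching AID and current R2 replace it with a chosen user name, and reports an entry as absent once its lifetime has expired. The default lifetime value, the injectable clock and the identifier formats are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

DEFAULT_LIFETIME = 3600  # assumed default lifetime in seconds; the patent only says "default"


@dataclass
class PseudonymEntry:
    """One entry of Table 1: the MN's AID, the service providing server URL,
    the pseudonym R2 and its lifetime, plus the optional user-chosen name."""
    aid: str
    sp_url: str
    r2: str
    lifetime: int
    issued_at: float
    username: Optional[str] = None

    def expired(self, now: float) -> bool:
        return now >= self.issued_at + self.lifetime


class NameMappingServer:
    """Minimal NMS keeping one entry per (AID, service providing server URL)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable clock so lifetime handling can be tested
        self._entries: Dict[Tuple[str, str], PseudonymEntry] = {}

    def anonymous_identity_request(self, aid: str, sp_url: str) -> Dict[str, object]:
        """Steps 31-32 / 307-309: mint a random R2 and a default lifetime,
        store the entry and return the anonymous identity response fields."""
        r2 = secrets.token_hex(16)  # 128-bit random pseudonym, not derived from the AID
        self._entries[(aid, sp_url)] = PseudonymEntry(
            aid, sp_url, r2, DEFAULT_LIFETIME, self._clock())
        return {"aid": aid, "sp_url": sp_url, "r2": r2, "lifetime": DEFAULT_LIFETIME}

    def anonymous_update_request(self, aid: str, r2: str, username: str, lifetime: int) -> bool:
        """Steps 312-313: attach the user-specified name and a new lifetime.
        The request must carry both the AID and the current R2 of the entry,
        so a caller cannot rename or extend somebody else's pseudonym."""
        if lifetime <= 0 or not username:
            return False
        for entry in self._entries.values():
            if entry.aid == aid and entry.r2 == r2:
                entry.username = username
                entry.lifetime = lifetime
                entry.issued_at = self._clock()  # the new lifetime starts now
                return True
        return False

    def resolve(self, aid: str, sp_url: str) -> Optional[str]:
        """Identity the IdP should place in the assertion for this AID and SP:
        the chosen user name if set, otherwise R2; None when no entry exists or
        its lifetime has expired (the IdP then requests a fresh pseudonym)."""
        entry = self._entries.get((aid, sp_url))
        if entry is None or entry.expired(self._clock()):
            return None
        return entry.username or entry.r2
```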
FIG. 3 is a signaling flowchart of an embodiment of the single sign-on method of the present invention initiated by the service providing server; the method includes:
Step 301: access authentication is performed among the MN, the ASN and the authentication center; after authentication passes, the identity/location separation network assigns an access identifier AID to the user;
thereafter, packets sent by the user terminal are transmitted using the AID; the ASN assigns an RID to the user and routes by RID to reach the ISN; the ISN obtains the user's AID from the packet, converts it into an IPv4/IPv6 address and sends the packet to the traditional IP network.
Step 302: the MN sends a service access request to the service providing server;
Step 303: the user selects an identity providing server on the service providing server's page; the service providing server generates a random number R1 from the current timestamp as the user's temporary identifier at the service providing server, and constructs an authentication request message carrying the service providing server URL, the identity providing server URL and the random number R1;
Step 304: the service providing server redirects the authentication request message to the identity providing server over the hypertext transfer protocol (HTTP);
Step 305: the user sends an anonymous service request to the identity providing server through the terminal;
Step 306: the identity providing server obtains the user's access identifier AID from the packet and confirms that the user has passed access authentication; it checks whether a shared key Ks exists between itself and the service providing server and, if not, authenticates the service providing server and generates Ks after successful authentication; it also determines that no pseudonym exists for the user, or that the lifetime of the corresponding pseudonym has expired;
The identity providing server may authenticate the service providing server by, but not limited to, pre-shared key, PKI, TLS or IPsec; since these are all existing techniques, they are not described further here;
Step 307: the identity providing server sends an anonymous identity request message to the NMS, carrying the user's AID and the service providing server URL;
Step 308: after receiving the anonymous identity request message, the NMS generates a random number R2 and a default lifetime, uses R2 as the pseudonym of the corresponding user, and creates an entry associating the MN's AID, the service providing server URL, R2 and the lifetime, as shown in Table 1;
Table 1 Entry corresponding to the MN
(Table image not reproduced; its columns are the MN's AID, the service providing server URL, the pseudonym R2 and the lifetime.)
Step 309: the NMS sends an anonymous identity response message to the identity providing server, carrying the user's AID, the service providing server URL, the random number R2 and the lifetime;
Step 310: the identity providing server sends an anonymous service response message to the user terminal, carrying the service providing server URL, the random number R2 and the lifetime;
Step 311: the user sends a specified user name and its lifetime to the identity providing server through the terminal; the user may replace the random number R2 with a specified user name, that is, the user name the user wishes to present, and specify the desired lifetime;
Step 312: the identity providing server sends an anonymous update request message to the NMS, carrying the user's AID, the random number R2, the user-specified pseudonym and the lifetime;
Step 313: after adding the user-specified pseudonym and updating the lifetime, the NMS sends an anonymous update response message to the identity providing server, carrying the result (success or failure) of the update;
Step 314: the identity providing server constructs an authentication response message containing the assertion information, which carries the random number R1, the service providing server URL, the identity providing server URL, the pseudonym R2 generated by the NMS or the user-specified user name, the signature algorithm, and the signature result computed with Ks;
Here the signature result is computed by the identity providing server with the signature algorithm over the service providing server URL, the identity providing server URL, the pseudonym R2 generated by the NMS or the user-specified user name, and the shared key. In this embodiment the identity providing server URL represents the identity information of the identity providing server; the service providing server URL represents the identity information of the service providing server; the pseudonym R2 generated by the NMS or the user-specified user name represents the identity information of the user; and the random number R1 is used to prevent replay attacks.
Step 315: the identity providing server sends the authentication response message to the service providing server by HTTP redirection;
Step 316: the service providing server verifies the integrity of the assertion using the shared key Ks it holds with the identity providing server, and checks whether R1 was generated recently and whether it has been used before;
Specifically, the service providing server uses the signature algorithm carried in the assertion information to compute a signature result over the service providing server URL, the identity providing server URL and the pseudonym R2 generated by the NMS or the user-specified user name carried in the assertion, together with the shared key negotiated with the identity providing server, and compares it with the signature result carried in the assertion; if the two match, the assertion is intact. At the same time, it judges from R1's generation time whether R1 was generated recently and whether it is a repeat; if it was generated recently and is not a repeat, verification passes.
Step 317: after the above verification passes, the service providing server creates an entry for the user MN under the random number R2 or the specified user name;
Step 318: the service providing server returns a service access response to the user and provides service to the user with R2 or the user name as the user's identifier at the service providing server.
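As an added example (not the patent's code), the following Python implements steps 314 to 318 on both sides: the identity providing server builds the assertion carrying R1, both URLs, the pseudonym or chosen name and the signature algorithm, signed with the shared key Ks; the service providing server checks the signature with Ks, that the assertion is addressed to it by the expected IdP, that R1 is recent, and that R1 has not been seen before. HMAC-SHA256 as the signature algorithm, the R1 format (timestamp plus random suffix), the freshness window and the URLs are assumptions; going slightly beyond the text, R1 and the algorithm name are covered by the signature as well so neither can be altered in transit.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Set

SIG_ALG = "HMAC-SHA256"  # assumed signature algorithm; the patent leaves it open
R1_MAX_AGE = 300         # assumed freshness window for R1, in seconds
FIELDS = ("r1", "sp_url", "idp_url", "user_id", "sig_alg")


def new_r1(clock: Callable[[], float] = time.time) -> str:
    """Temporary identifier R1 (step 303 / 412): current timestamp plus a random
    suffix, so the SP can judge both how recently it was generated and whether it repeats."""
    return f"{int(clock())}-{secrets.token_hex(8)}"


def signing_input(assertion: Dict[str, str]) -> bytes:
    """Bytes the signature covers. Each field is length-prefixed so that a
    concatenation of, e.g., URL and user name cannot be re-split differently."""
    out = b""
    for key in FIELDS:
        value = assertion[key].encode()
        out += len(value).to_bytes(2, "big") + value
    return out


def build_assertion(ks: bytes, r1: str, sp_url: str, idp_url: str, user_id: str) -> Dict[str, str]:
    """IdP side (step 314); user_id is the NMS pseudonym R2 or the user-specified name."""
    assertion = {"r1": r1, "sp_url": sp_url, "idp_url": idp_url,
                 "user_id": user_id, "sig_alg": SIG_ALG}
    assertion["signature"] = hmac.new(ks, signing_input(assertion), hashlib.sha256).hexdigest()
    return assertion


class ServiceProvidingServer:
    """SP side (steps 316-318)."""

    def __init__(self, url: str, idp_url: str, ks: bytes,
                 clock: Callable[[], float] = time.time) -> None:
        self.url, self.idp_url, self.ks, self.clock = url, idp_url, ks, clock
        self.seen_r1: Set[str] = set()     # R1 values already accepted (replay check)
        self.users: Dict[str, float] = {}  # step 317 entries: R2 or user name -> creation time

    def verify_assertion(self, assertion: Dict[str, str]) -> bool:
        """Step 316: every check must pass; any failure rejects the assertion."""
        if any(k not in assertion for k in FIELDS + ("signature",)):
            return False
        if assertion["sig_alg"] != SIG_ALG:  # accept only the agreed algorithm
            return False
        if assertion["sp_url"] != self.url or assertion["idp_url"] != self.idp_url:
            return False  # meant for another SP, or claims another IdP
        expected = hmac.new(self.ks, signing_input(assertion), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False  # integrity check with Ks failed
        r1 = assertion["r1"]
        try:
            issued = int(r1.split("-", 1)[0])
        except ValueError:
            return False
        now = self.clock()
        if not (now - R1_MAX_AGE <= issued <= now + 5):  # "recently generated"
            return False
        if r1 in self.seen_r1:  # "not repeated"
            return False
        self.seen_r1.add(r1)
        return True

    def handle_authentication_response(self, assertion: Dict[str, str]) -> Optional[str]:
        """Steps 316-318: on success create the user's entry and return the
        identifier (R2 or chosen name) under which service is provided."""
        if not self.verify_assertion(assertion):
            return None
        self.users.setdefault(assertion["user_id"], self.clock())
        return assertion["user_id"]


if __name__ == "__main__":
    ks = b"constructed Ks shared by IdP and SP"  # constructed sample key
    sp = ServiceProvidingServer("https://sp.example", "https://idp.example", ks)
    a = build_assertion(ks, new_r1(), "https://sp.example", "https://idp.example", "R2-pseudonym")
    print(sp.handle_authentication_response(a))  # the pseudonym: accepted
    print(sp.handle_authentication_response(a))  # None: the same R1 is rejected as a replay
```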
FIG. 4 is a signaling flowchart of an embodiment of the single sign-on method of the present invention initiated by the identity providing server; the method includes the following steps:
Step 401: access authentication is performed among the MN, the ASN and the authentication center; after authentication passes, the identity/location separation network assigns an access identifier AID to the user;
thereafter, packets sent by the user terminal are transmitted using the AID; the ASN assigns an RID to the user and routes by RID to reach the ISN; the ISN obtains the user's AID from the packet, converts it into an IPv4/IPv6 address and sends the packet to the traditional IP network.
Step 402: the MN sends a service access request to the identity providing server;
Step 403: the MN selects the service to be accessed on the identity providing server's page and sends an anonymous service request to the identity providing server;
Step 404: the identity providing server obtains the user's access identifier AID from the packet and confirms that the user has passed access authentication; it checks whether a shared key Ks exists between itself and the service providing server and, if not, authenticates the service providing server and generates Ks after authentication passes. It also checks that no pseudonym exists for the AID, or that the lifetime of the corresponding pseudonym has expired;
Step 405: according to the user's anonymous service request, the identity providing server sends an anonymous identity request message to the NMS, carrying the user's AID and the service providing server URL;
Step 406: after receiving the anonymous identity request message, the NMS generates a random number R2 and a default lifetime as the pseudonym of the corresponding user and its lifetime, and creates an entry associating the MN's AID, the service providing server URL, R2 and the lifetime, as shown in Table 1;
Step 407: the NMS sends an anonymous identity response message to the identity providing server, carrying the user's AID, the service providing server URL, the random number R2 and the lifetime;
Step 408: the identity providing server sends an anonymous service response message to the user, carrying the service providing server URL, the random number R2 and the lifetime;
Step 409: the user sends a specified user name and its lifetime to the identity providing server through the terminal; the user may replace the random number R2 with a specified user name, that is, the user name the user wishes to present, and specify the desired lifetime;
Step 410: the identity providing server sends an anonymous update request message to the NMS, carrying the user's AID, the random number R2, the user-specified pseudonym and the lifetime;
Step 411: after adding the user-specified pseudonym and updating the lifetime, the NMS sends an anonymous update response message to the identity providing server, carrying the result (success or failure) of the update;
Step 412: the identity providing server generates a random number R1 from the current timestamp and constructs an authentication response message containing the assertion information, which carries the random number R1, the service providing server URL, the identity providing server URL, the pseudonym R2 generated by the NMS or the user-specified user name, the signature algorithm, and the signature result computed with Ks;
Step 413: the identity providing server sends the authentication response message to the service providing server by HTTP redirection;
Step 414: the service providing server verifies the integrity of the assertion using the shared key Ks it holds with the identity providing server, and checks whether R1 was generated recently and whether it has been used before;
Step 415: after the above verification passes, the service providing server creates an entry for the user MN under the random number R2 or the specified user name;
Step 416: the service providing server returns a service access response to the user and provides service to the user with R2 or the user name as the user's identifier at the service providing server.
Since steps 403 to 416 of this embodiment are similar to steps 305 to 318 of the previous embodiment, they are not described again here.
FIG. 5 is a schematic structural diagram of an embodiment of the identity providing server of the present invention; the identity providing server includes a confirmation module 51 and an assertion information processing module 52, where:
the confirmation module 51 is configured to confirm that the user has passed access authentication;
the assertion information processing module 52 is configured to, after the confirmation module 51 confirms that the user has passed access authentication, generate assertion information for the user according to the shared key between the identity providing server and the service providing server the user wants to access, and send the assertion information to the service providing server.
In addition, the identity providing server further includes a key generation module, configured to, before the assertion information processing module generates the assertion information for the user and after receiving the authentication request sent by the service providing server or the service access request sent by the user, check whether the shared key exists and, if it does not, generate the shared key after the service providing server has passed authentication.
To avoid leaking the user's identity information, the identity providing server further includes an obtaining module, configured to obtain a pseudonym for the user and the lifetime corresponding to the pseudonym after the confirmation module confirms that the user has passed access authentication and before the assertion information processing module generates the assertion information for the user. Specifically, the obtaining module is configured to send an anonymous identity request to the name mapping server (NMS) according to the user's anonymous service request, and to receive from the NMS the user's pseudonym, generated according to the anonymous identity request, and the corresponding lifetime. In addition, since the user may also change the user name, the obtaining module is further configured to receive an anonymous update request sent by the user that carries a specified user name and a corresponding lifetime, forward it to the NMS, and receive the update result returned by the NMS.
The assertion information carries a random number, the identity information of the identity providing server, the identity information of the service providing server, the identity information of the user, the signature algorithm, and the signature result computed by the identity providing server with the shared key; the identity information of the user includes the pseudonym or the specified user name.
After confirming that the user has passed access authentication, the identity providing server above provides the service providing server with assertion information about the user, making it possible for the user to access the service providing server without entering authentication information.
As shown in FIG. 6, which is a schematic structural diagram of an embodiment of the service providing server of the present invention, the service providing server includes a receiving module 61 and a verification module 62, where:
the receiving module 61 is configured to receive assertion information, sent by the identity providing server, for a user who wants to access the service providing server; and
the verification module 62 is configured to verify the assertion information according to the shared key between the service providing server and the identity providing server.
In addition, the service providing server further includes a service providing module, configured to, after the verification module has verified the assertion information, create an entry corresponding to the identity information of the user carried in the assertion information and provide the service to the user.
The verification module computes a signature result, using the signature algorithm carried in the assertion information, over the service providing server URL and the identity providing server URL carried in the assertion information, the pseudonym R2 generated by the NMS or the user-specified user name, and the shared key negotiated with the identity providing server. It then compares this signature result with the signature result carried in the assertion information; if the two match, the assertion is intact. At the same time, it judges from the generation time of R1 whether R1 was generated recently and whether it is a repeat; if R1 was generated recently and is not a repeat, verification passes.
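The assertion exchange described above, as an added example that is not code from the patent: the identity providing server signs the fields listed for the assertion (R1, the identity information of both servers, the user's pseudonym or specified user name, and the algorithm name) with the shared key Ks, and the service providing server recomputes the signature, compares it, and then checks that R1 is one it generated recently and has not been accepted before. HMAC-SHA256 as the signature algorithm, URLs as the identity information, the 60-second freshness window, the length-prefixed field encoding and every name in the code are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed shared key Ks. In the scheme it is generated by the identity
# providing server once the service providing server has been authenticated;
# that negotiation is not modelled here.
SHARED_KEY = b"constructed-shared-key-Ks-for-illustration-only"

# The patent leaves the signature algorithm open; HMAC-SHA256 is an assumption
# that fits a symmetric shared key.
SIG_ALG = "HMAC-SHA256"


@dataclass(frozen=True)
class Assertion:
    """The fields the text lists for the assertion information."""
    nonce: str       # random number R1, generated by the SP and echoed by the IdP
    idp_id: str      # identity information of the identity providing server (a URL here)
    sp_id: str       # identity information of the service providing server (a URL here)
    user_id: str     # pseudonym R2 from the NMS, or the user-specified user name
    sig_alg: str     # signature algorithm named in the assertion
    signature: str   # signature result computed with the shared key


def _signing_input(nonce: str, idp_id: str, sp_id: str, user_id: str, sig_alg: str) -> bytes:
    # Length-prefix every field so that no two field combinations share one encoding
    # (assumed encoding; the patent does not specify one).
    out = b""
    for field in (nonce, idp_id, sp_id, user_id, sig_alg):
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def compute_signature(key: bytes, nonce: str, idp_id: str, sp_id: str, user_id: str, sig_alg: str) -> str:
    if sig_alg != SIG_ALG:
        raise ValueError("unsupported signature algorithm: " + sig_alg)
    return hmac.new(key, _signing_input(nonce, idp_id, sp_id, user_id, sig_alg), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Builds the assertion after the user has passed access authentication."""

    def __init__(self, idp_id: str, shared_key: bytes):
        self.idp_id = idp_id
        self.shared_key = shared_key

    def issue_assertion(self, nonce: str, sp_id: str, user_id: str) -> Assertion:
        sig = compute_signature(self.shared_key, nonce, self.idp_id, sp_id, user_id, SIG_ALG)
        return Assertion(nonce, self.idp_id, sp_id, user_id, SIG_ALG, sig)


class ServiceProvider:
    """Issues R1 on a service access request and verifies the returned assertion."""

    def __init__(self, sp_id: str, idp_id: str, shared_key: bytes, max_age: float = 60.0):
        self.sp_id = sp_id
        self.idp_id = idp_id
        self.shared_key = shared_key
        self.max_age = max_age                    # how long an R1 counts as "recently generated"
        self._pending: Dict[str, float] = {}      # R1 -> generation time
        self._used: Set[str] = set()              # R1 values already accepted once
        self.entries: Dict[str, float] = {}       # user identity -> entry creation time

    def new_auth_request(self, now: Optional[float] = None) -> dict:
        """Generate R1 on a service access request; it goes to the IdP in the authentication request."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self._pending[nonce] = now
        return {"nonce": nonce, "sp_id": self.sp_id}

    def verify(self, a: Assertion, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        # 1. The assertion must name this SP and the IdP with which Ks is shared.
        if a.sp_id != self.sp_id or a.idp_id != self.idp_id:
            return False
        # 2. Recompute the signature with Ks and compare it in constant time.
        try:
            expected = compute_signature(self.shared_key, a.nonce, a.idp_id, a.sp_id, a.user_id, a.sig_alg)
        except ValueError:
            return False
        if not hmac.compare_digest(expected, a.signature):
            return False
        # 3. R1 must be one this SP generated, must not be a repeat, and must be recent.
        if a.nonce in self._used:
            return False
        generated_at = self._pending.pop(a.nonce, None)
        if generated_at is None:
            return False
        self._used.add(a.nonce)
        if now - generated_at > self.max_age:
            return False
        # 4. Create the entry for the pseudonym or user name; the service can now be provided.
        self.entries.setdefault(a.user_id, now)
        return True
```

The nonce is consumed only after the signature has been checked, so a forged assertion cannot burn a legitimate R1, and a genuine assertion is accepted exactly once, which is the "recently generated and not repeated" condition the text places on R1.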
The service providing server described above completes the user's single sign-on according to the assertion information for the user sent by the identity providing server, and effectively protects the user's privacy.
As shown in FIG. 7, which is a schematic structural diagram of an embodiment of the name mapping server of the present invention, the NMS includes a receiving module 71 and a generating and sending module 72, where:
the receiving module 71 is configured to receive an anonymous identity request sent by the identity providing server, the anonymous identity request carrying the user's identity identifier; and
the generating and sending module 72 is configured to generate, according to the anonymous identity request received by the receiving module, a pseudonym for the user corresponding to the identity identifier and a lifetime corresponding to the pseudonym, and to return the user's pseudonym and the lifetime corresponding to the pseudonym to the identity providing server.
In addition, so that the user's pseudonym can be changed, the generating and sending module is further configured to receive, via the identity providing server, an anonymous update request from the user carrying a specified user name and a corresponding lifetime, perform update processing according to the anonymous update request, and return the update result.
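A constructed name mapping server, added here as an example and not the patent's own code, covering the anonymous identity request and the anonymous update request described for the NMS above and for the obtaining module of the identity providing server: each pseudonym carries a lifetime after which it no longer resolves, and a user-chosen name is refused when another identity already holds it. The identifiers, the lazy expiry on every call, and the rule that a requested lifetime must not exceed the server's default are assumptions made for this example.

```python
import secrets
from typing import Dict, Optional, Tuple


class NameMappingServer:
    """Constructed NMS: maps a user's identity identifier to a short-lived pseudonym R2."""

    def __init__(self, default_lifetime: int = 3600):
        self.default_lifetime = default_lifetime                # seconds; assumed default
        self._by_identity: Dict[str, Tuple[str, int]] = {}      # identity -> (pseudonym, expires_at)
        self._by_pseudonym: Dict[str, Tuple[str, int]] = {}     # pseudonym -> (identity, expires_at)

    def _purge(self, now: int) -> None:
        # Lifetimes are enforced lazily: expired mappings are dropped on every call.
        for pseud, (ident, expires_at) in list(self._by_pseudonym.items()):
            if expires_at <= now:
                del self._by_pseudonym[pseud]
                self._by_identity.pop(ident, None)

    def _bind(self, identity_id: str, pseudonym: str, lifetime: int, now: int) -> Tuple[str, int]:
        old = self._by_identity.get(identity_id)
        if old is not None:
            self._by_pseudonym.pop(old[0], None)   # retire the previous pseudonym of this identity
        expires_at = now + lifetime
        self._by_identity[identity_id] = (pseudonym, expires_at)
        self._by_pseudonym[pseudonym] = (identity_id, expires_at)
        return pseudonym, lifetime

    def anonymous_identity_request(self, identity_id: str, now: int) -> Tuple[str, int]:
        """Returns (pseudonym, lifetime) for the identity identifier carried in the request."""
        self._purge(now)
        pseudonym = secrets.token_urlsafe(12)
        while pseudonym in self._by_pseudonym:      # a pseudonym must map to exactly one identity
            pseudonym = secrets.token_urlsafe(12)
        return self._bind(identity_id, pseudonym, self.default_lifetime, now)

    def anonymous_update_request(self, identity_id: str, requested_name: str,
                                 lifetime: int, now: int) -> Tuple[bool, str]:
        """Handles the user's request to use a specified user name with a specified lifetime."""
        self._purge(now)
        if lifetime <= 0 or lifetime > self.default_lifetime:
            return False, "lifetime out of range"
        holder = self._by_pseudonym.get(requested_name)
        if holder is not None and holder[0] != identity_id:
            return False, "name already in use"   # never map two identities to one name
        name, _ = self._bind(identity_id, requested_name, lifetime, now)
        return True, name

    def resolve(self, pseudonym: str, now: int) -> Optional[str]:
        """Maps a live pseudonym back to the identity identifier (None once expired or retired)."""
        self._purge(now)
        entry = self._by_pseudonym.get(pseudonym)
        return None if entry is None else entry[0]
```

The reverse mapping never leaves the NMS; the identity providing server only ever forwards the pseudonym and its lifetime, so the service providing server's entry (created from the assertion) is keyed by the pseudonym and holds no identity identifier.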
The name mapping server shown in FIG. 7 and the identity providing server shown in FIG. 5 may be combined into one device; the combined device is shown in FIG. 8. The functions of the relevant modules of that device are the same as those of the corresponding modules in FIG. 5 and FIG. 7 and are not repeated here.
Corresponding to the privacy-enhanced single sign-on method described above, an embodiment of the present invention further provides a single sign-on system. As shown in FIG. 9, the system includes a service providing server 91, an identity providing server 92 and a name mapping server 93. The functions of the relevant modules of the system are the same as those of the corresponding modules in FIG. 5 to FIG. 7 and are not repeated here.
In summary, in the embodiment of the present invention, after receiving an authentication request from the service providing server or a service access request from the user, the identity providing server checks whether the shared key Ks exists; if it does not, the identity providing server authenticates the service providing server and, once authentication passes, generates the shared key Ks. The identity providing server confirms, according to the user's identity identifier, that the user has passed access authentication, protects the user's identity by having a name mapping server (NMS) generate a pseudonym according to the user's anonymous service request, and at the same time generates the user's assertion information for the service providing server. After receiving the assertion information from the identity providing server, the service providing server verifies the validity of the assertion information; if verification passes, it creates an entry corresponding to the pseudonym and provides the service to the user.
Of course, if only the problem of repeated authentication needs to be solved, the system described above need not include the name mapping server, and correspondingly the identity providing server need not include the obtaining module.
A person of ordinary skill in the art will understand that all or some of the steps of the methods described above may be implemented by a program instructing the relevant hardware, and that such a program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or some of the steps of the above embodiments may also be implemented using one or more integrated circuits. Correspondingly, each module or unit in the above embodiments may be implemented in the form of hardware or in the form of a software functional module. The present invention is not limited to any specific combination of hardware and software.
The above embodiments are intended only to illustrate, and not to limit, the technical solutions of the present invention, which has been described in detail with reference to preferred embodiments only. A person of ordinary skill in the art should understand that modifications or equivalent substitutions may be made to the technical solutions of the present invention without departing from their spirit and scope, and all such modifications and substitutions fall within the scope of the claims of the present invention.
Industrial Applicability
The embodiments of the present invention, by reusing access authentication, solve the problem of a user having to register and authenticate repeatedly when accessing the Internet, and, by generating pseudonyms, protect the user's privacy and prevent its leakage.

Claims

1. A single sign-on method, comprising: an identity providing server confirming that a user has passed access authentication; and
the identity providing server generating assertion information for the user according to a shared key between itself and a service providing server that the user wants to access, and sending the assertion information to the service providing server.
2. The method according to claim 1, wherein:
before the identity providing server generates the assertion information for the user according to the shared key between itself and the service providing server that the user wants to access, the method further comprises:
after receiving an authentication request sent by the service providing server or a service access request sent by the user, the identity providing server checking whether the shared key exists and, if it does not, generating the shared key after the service providing server has passed authentication.
3. The method according to claim 1 or 2, wherein:
before the identity providing server generates the assertion information for the user, the method further comprises:
4. The method according to claim 3, wherein:
the step comprises:
the identity providing server sending an anonymous identity request to a name mapping server (NMS) according to the user's anonymous service request, and receiving from the NMS the user's pseudonym, generated according to the anonymous identity request, and the lifetime corresponding to the pseudonym.
5. The method according to claim 4, wherein, thereafter, the method further comprises:
the identity providing server receiving an anonymous update request sent by the user carrying a specified user name and a corresponding lifetime, sending the anonymous update request to the NMS, and receiving the update result returned by the NMS.
6. The method according to claim 5, wherein:
the assertion information carries a random number, the identity information of the identity providing server, the identity information of the service providing server, the identity information of the user, a signature algorithm, and the signature result computed by the identity providing server using the shared key; the identity information of the user includes the pseudonym or the specified user name.
7. A single sign-on method, comprising: a service providing server receiving assertion information, sent by an identity providing server, for a user who wants to access the service providing server; and the service providing server verifying the assertion information according to a shared key between itself and the identity providing server.
8. The method according to claim 7, wherein:
after the service providing server verifies the assertion information according to the shared key between itself and the identity providing server, the method further comprises:
if verification passes, the service providing server creating an entry corresponding to the identity information of the user carried in the assertion information and providing the service to the user, the identity information of the user being the user's pseudonym or specified user name.
9. The method according to claim 7 or 8, wherein:
before the service providing server receives the assertion information, sent by the identity providing server, for the user who wants to access the service providing server, the method further comprises:
after receiving a service access request sent by the user, the service providing server generating a random number and sending an authentication request carrying the random number to the identity providing server.
10. The method according to claim 9, wherein:
the assertion information carries the random number, the identity information of the identity providing server, the identity information of the service providing server, the identity information of the user, a signature algorithm, and the signature result computed by the identity providing server using the shared key; and
the step of the service providing server verifying the assertion information according to the shared key between itself and the identity providing server comprises: the service providing server computing a signature result from the identity information of the identity providing server, the identity information of the service providing server, the identity information of the user, the signature algorithm and the shared key, and comparing the signature result it computed with the signature result computed by the identity providing server to determine whether they match; and
judging whether the generation time of the random number is the most recent and whether the random number is unique.
11. An information processing method, comprising:
a name mapping server (NMS) receiving an anonymous identity request sent by an identity providing server, the anonymous identity request carrying a user's identity identifier; and
the NMS generating, according to the anonymous identity request, a pseudonym for the user corresponding to the identity identifier and a lifetime corresponding to the pseudonym, and returning the user's pseudonym and the lifetime corresponding to the pseudonym to the identity providing server.
12. The method according to claim 11, wherein:
after the NMS sends the user's pseudonym and the lifetime corresponding to the pseudonym to the identity providing server, the method further comprises:
the NMS receiving, via the identity providing server, an anonymous update request from the user carrying a specified user name and a corresponding lifetime, performing update processing according to the anonymous update request, and returning the update result.
13. An identity providing server, comprising:
a confirmation module, configured to confirm that a user has passed access authentication; and
an assertion information processing module, configured to, after the confirmation module confirms that the user has passed access authentication, generate assertion information for the user according to a shared key between the identity providing server and a service providing server that the user wants to access, and send the assertion information to the service providing server.
14. The identity providing server according to claim 13, further comprising:
a key generation module, configured to, before the assertion information processing module generates the assertion information for the user and after an authentication request sent by the service providing server or a service access request sent by the user has been received, check whether the shared key exists and, if it does not, generate the shared key after the service providing server has passed authentication.
15. The identity providing server according to claim 14, further comprising:
an obtaining module, configured to obtain a pseudonym for the user and a lifetime corresponding to the pseudonym after the confirmation module confirms that the user has passed access authentication and before the assertion information processing module generates the assertion information for the user.
16. The identity providing server according to claim 15, wherein:
the obtaining module is configured to send an anonymous identity request to a name mapping server (NMS) according to the user's anonymous service request, and to receive from the NMS the user's pseudonym, generated according to the anonymous identity request, and the lifetime corresponding to the pseudonym.
17. The identity providing server according to claim 16, wherein:
the obtaining module is further configured to receive an anonymous update request sent by the user carrying a specified user name and a corresponding lifetime, send the anonymous update request to the NMS, and receive the update result returned by the NMS.
18. The identity providing server according to claim 17, wherein:
the assertion information carries a random number, the identity information of the identity providing server, the identity information of the service providing server, the identity information of the user, a signature algorithm, and the signature result computed by the identity providing server using the shared key; the identity information of the user includes the pseudonym or the specified user name.
19. A service providing server, comprising:
a receiving module, configured to receive assertion information, sent by an identity providing server, for a user who wants to access the service providing server; and
a verification module, configured to verify the assertion information according to a shared key between the service providing server and the identity providing server.
20. The service providing server according to claim 19, further comprising:
a service providing module, configured to, after the verification module has verified the assertion information, create an entry corresponding to the identity information of the user carried in the assertion information and provide the service to the user.
21. A name mapping server (NMS), comprising:
a receiving module, configured to receive an anonymous identity request sent by an identity providing server, the anonymous identity request carrying a user's identity identifier; and
a generating and sending module, configured to generate, according to the anonymous identity request received by the receiving module, a pseudonym for the user corresponding to the identity identifier and a lifetime corresponding to the pseudonym, and to return the user's pseudonym and the lifetime corresponding to the pseudonym to the identity providing server.
22. The NMS according to claim 21, wherein:
the generating and sending module is further configured to receive, via the identity providing server, an anonymous update request from the user carrying a specified user name and a corresponding lifetime, perform update processing according to the anonymous update request, and return the update result.
23. An information processing system, comprising the identity providing server according to any one of claims 16 to 18 and the name mapping server according to any one of claims 21 to 22.
24. A single sign-on system, comprising the identity providing server according to any one of claims 13 to 18 and the service providing server according to any one of claims 19 to 20.
25. A single sign-on system, comprising the identity providing server according to any one of claims 16 to 18, the name mapping server according to any one of claims 21 to 22 and the service providing server according to any one of claims 19 to 20.
PCT/CN2012/079709 2011-09-20 2012-08-06 Single sign-on method and system, and information processing method and system WO2013040957A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110279495.2A CN103023856B (en) 2011-09-20 2011-09-20 Method, system and the information processing method of single-sign-on, system
CN201110279495.2 2011-09-20

Publications (1)

Publication Number Publication Date
WO2013040957A1 true WO2013040957A1 (en) 2013-03-28

Also Published As

Publication number Publication date
CN103023856A (en) 2013-04-03
CN106254386B (en) 2019-07-05
CN106254386A (en) 2016-12-21
CN103023856B (en) 2018-07-13
