WO2016177052A1 - Method and apparatus for user authentication - Google Patents


Info

Publication number
WO2016177052A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
personal digital
mobile terminal
user
digital certificate
Application number
PCT/CN2016/075243
Other languages
English (en)
Chinese (zh)
Inventor
孙向东
龙卉
李涛
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)

Classifications

    • H04W 12/069: Authentication using certificates or pre-shared keys (H04W: wireless communication networks; H04W 12/00 Security arrangements, authentication, protecting privacy or anonymity; H04W 12/06 Authentication)
    • G06F 21/33: User authentication using certificates (G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F 21/31 User authentication)
    • H04L 63/0853: Network architectures or network communication protocols for network security, authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal (H04L 63/00; H04L 63/08 Authentication of entities)
    • G06F 21/34: User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F 21/44: Program or device authentication
    • H04L 63/0823: Network architectures or network communication protocols for network security, authentication of entities using certificates
    • H04L 9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications, including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a user authentication method and apparatus.
  • The embodiments of the invention provide a user authentication method and device that address the low security of existing static-password user authentication.
  • An embodiment provides a user authentication method whose mobile terminal side comprises: when attempting to log in to an application server, acquiring login information and the personal digital certificate stored in the TF card; signing the login information with the private key stored in the TF card to obtain a login information signature; sending the personal digital certificate, the login information and the login information signature to an authentication server, which performs user authentication on the basis of the three; and receiving the authentication result fed back by the authentication server, logging in to the application server being allowed if authentication passes.
  • The mobile terminal side further comprises: after authentication passes, receiving an encryption key that the authentication server has encrypted with the personal digital certificate; decrypting the encryption key with the private key stored in the TF card; encrypting the application password entered by the user with the decrypted encryption key; sending the encrypted application password to the authentication server, which performs password verification on it; and receiving the verification result fed back by the authentication server, use of the application service provided by the application server being allowed if verification passes.
  • An embodiment further provides a user authentication method whose authentication server side comprises: receiving a personal digital certificate, login information and a login information signature from the mobile terminal, where the certificate is the one the mobile terminal read from its TF card and the signature is the result of the mobile terminal signing the login information with the private key stored in the TF card; performing user authentication on the mobile terminal on the basis of the certificate, the login information and the signature; and sending the authentication result to the mobile terminal.
  • The authentication server side further comprises: if the authentication result is a pass, generating an encryption key; encrypting the encryption key with the personal digital certificate; and sending the encrypted encryption key to the mobile terminal.
  • The authentication server side further comprises: after sending the encrypted encryption key to the mobile terminal, receiving an application password that the mobile terminal has encrypted with that encryption key; decrypting the application password and performing password verification on it; and sending the password verification result to the mobile terminal.
  • An embodiment further provides a user authentication method whose CA center side comprises: after a TF card is connected, acquiring the user information of a legal user; calling the TF card so that it generates a key pair for the legal user inside the card; generating a personal digital certificate from the user information and the public key of the key pair; and storing the personal digital certificate in the TF card, so that once the card is inserted into the interface of the mobile terminal, the terminal can obtain the personal digital certificate and use the key pair for user authentication.
  • An embodiment further provides a user authentication apparatus arranged in the mobile terminal, comprising: an obtaining module, configured to acquire login information and the personal digital certificate stored in the TF card when attempting to log in to the application server; a signature module, configured to sign the login information with the private key stored in the TF card to obtain a login information signature; a first sending module, configured to send the personal digital certificate, the login information and the login information signature to the authentication server so that it performs user authentication on the basis of the three; and a first receiving module, configured to receive the authentication result fed back by the authentication server, logging in to the application server being allowed if authentication passes.
  • The apparatus in the mobile terminal further comprises a first encryption and decryption module. The first receiving module is further configured to receive, after authentication passes, the encryption key that the authentication server has encrypted with the personal digital certificate; the first encryption and decryption module is configured to decrypt the encryption key with the private key stored in the TF card and to encrypt the application password entered by the user with the decrypted encryption key; the first sending module is further configured to send the encrypted application password to the authentication server so that it performs password verification; and the first receiving module is further configured to receive the verification result fed back by the authentication server, use of the application service provided by the application server being allowed if verification passes.
  • An embodiment further provides a user authentication apparatus arranged in the authentication server, comprising: a second receiving module, configured to receive a personal digital certificate, login information and a login information signature from the mobile terminal, where the certificate was read by the mobile terminal from its TF card and the signature was produced by the mobile terminal over the login information with the private key stored in the TF card; an authentication module, configured to perform user authentication on the mobile terminal on the basis of the certificate, the login information and the signature; and a second sending module, configured to send the authentication result to the mobile terminal.
  • The apparatus in the authentication server further comprises a first generation module and a second encryption and decryption module. The first generation module is configured to generate an encryption key if the authentication result is a pass; the second encryption and decryption module is configured to encrypt the encryption key with the personal digital certificate; and the second sending module is further configured to send the encrypted encryption key to the mobile terminal.
  • The second receiving module is further configured to receive, after the encrypted encryption key has been sent to the mobile terminal, an application password that the mobile terminal has encrypted with that encryption key; the second encryption and decryption module is further configured to decrypt the application password and perform password verification on it; and the second sending module is further configured to send the password verification result to the mobile terminal.
  • An embodiment further provides a user authentication apparatus arranged in the CA center, comprising: a connection module, configured to acquire the user information of a legal user after a TF card is connected; a calling module, configured to call the TF card so that it generates a key pair for the legal user inside the card; a second generating module, configured to generate a personal digital certificate from the user information and the public key of the key pair; and a storage module, configured to store the personal digital certificate in the TF card, so that the mobile terminal can obtain the personal digital certificate and use the key pair from the TF card inserted into its interface for user authentication.
  • In the embodiments, the legal user's key pair (public key and private key) and personal digital certificate are stored in advance, through the CA center, in a separate TF card; the TF card is then inserted into the mobile terminal, and the authentication server authenticates the user on the basis of the personal digital certificate held in the TF card inserted in the mobile terminal.
  • This avoids the low security of static-password user authentication: the private key stored in the TF card cannot be read out, forged or tampered with, so the security of the user authentication is high.
  • FIG. 1 is a flowchart of a user authentication method according to a first embodiment of the present invention
  • FIG. 2 is a flowchart of a user authentication method according to a second embodiment of the present invention.
  • FIG. 3 is a flowchart of a user authentication method according to a third embodiment of the present invention.
  • FIG. 4 is a flowchart of a password verification step on an authentication server side according to a fourth embodiment of the present invention.
  • FIG. 5 is a flowchart of a password verification step on the mobile terminal side according to the fourth embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a user authentication system according to a fifth embodiment of the present invention.
  • FIG. 7 is a structural diagram of a user authentication apparatus according to a sixth embodiment of the present invention.
  • FIG. 8 is a structural diagram of a user authentication apparatus according to a seventh embodiment of the present invention.
  • FIG. 9 is a structural diagram of a user authentication apparatus according to an eighth embodiment of the present invention.
  • FIG. 1 is a flowchart of the user authentication method according to the first embodiment of the present invention; this embodiment is executed on the mobile terminal side.
  • Step S110: when attempting to log in to the application server, acquire the login information, read the personal digital certificate stored in the TF card of the mobile terminal, and sign the login information with the private key stored in the TF card to obtain the login information signature.
  • A personal digital certificate is the identity mark of a legal user and is used to represent that user. It contains: the user information of the legal user, the legal user's public key, the signature over the user information and the public key, and the validity period of the certificate.
  • The signature over the user information and the public key is produced by the certificate authority (CA) center, which signs the legal user's user information and public key with the CA center's private key.
  • The TF card (TransFlash, the micro SD card form factor) used here is a chip with a built-in cryptographic module and a storage module. It supports asymmetric, symmetric and hash algorithms, stores the personal digital certificate and keys, and provides signing and encryption interfaces; its package form is TF.
  • The personal digital certificate in the TF card is generated on the CA center side; see the third embodiment for details.
  • The mobile terminal is a portable intelligent terminal, such as a mobile phone, tablet computer or notebook, that has a peripheral interface for a TF (TransFlash) card.
  • The TF card holding the personal digital certificate is inserted into the TF card interface of the mobile terminal, which connects the terminal to the card so that the terminal can obtain the personal digital certificate from it.
  • The login information includes the Internet Protocol (IP) address of the mobile terminal, its Media Access Control (MAC) address, and the time of the login attempt.
  • The mobile terminal invokes the cryptographic module of the TF card to sign the login information and obtain the login information signature. The TF card also stores the legal user's key pair, i.e. the legal user's public key and private key; the public key is the same as the one in the personal digital certificate. The cryptographic module of the TF card signs the login information with the private key of the key pair to produce the login information signature.
  • Step S120: send the personal digital certificate, the login information and the login information signature to the authentication server, which performs user authentication using them.
  • Step S130: receive the authentication result fed back by the authentication server; if authentication passes, log in to the application server, otherwise end the process.
  • The mobile terminal communicates with the application server, and the application server communicates with the authentication server: the mobile terminal sends the personal digital certificate, the login information and the login information signature to the authentication server through the application server, and once the authentication server has the authentication result it returns it to the mobile terminal through the application server. The user identity is thus authenticated and the application server learns the outcome immediately: if the identity passes authentication, the mobile terminal is allowed to log in to the application server, otherwise it is refused.
  • FIG. 2 is a flowchart of the user authentication method according to the second embodiment of the present invention; this embodiment is executed on the authentication server side.
  • Step S210: receive the personal digital certificate, the login information and the login information signature from the mobile terminal. The certificate is the one the mobile terminal read from its TF card, and the signature is the mobile terminal's signature over the login information with the legal user's private key in the TF card.
  • Step S220: perform user authentication on the mobile terminal on the basis of the personal digital certificate, the login information and the login information signature.
  • A Lightweight Directory Access Protocol (LDAP) server stores the information related to legal users, including user information, personal digital certificates, revocation records of personal digital certificates, and the CA center's public key.
  • The authentication server takes the personal digital certificate B received from the mobile terminal, obtains from the LDAP server the personal digital certificate A that contains the same user information, and performs user authentication with both certificates.
  • Certificate B is first subjected to validity verification. If validity verification fails, authentication fails. If it passes, the login information signature is used to perform integrity verification of the login information; if integrity verification fails, authentication fails, and if it passes, authentication passes.
  • Validity verification proceeds as follows. First check whether the public key in certificate A and the public key in certificate B are the same; if not, validity verification fails. If they are, obtain the CA center's public key from the LDAP server and use it to verify the signature over the user information and public key in certificate B; if signature verification fails, validity verification fails. If it passes, use the validity period in certificate B to check whether the certificate is still within its validity period; if not, validity verification fails. If it is, obtain the revocation records from the LDAP server and check whether certificate B has been revoked; if it has, validity verification fails, otherwise certificate B is legal and validity verification passes.
  • Signature verification means, for example, recovering the signed user information and public key from the signature with the CA center's public key and comparing them with the user information and the legal user's public key in certificate B; if both are the same, signature verification passes, otherwise it fails.
  • Integrity verification uses certificate A or B, i.e. the legal user's public key in either certificate, to verify the login information signature. For example, the login information recovered from the signature is compared with the login information received from the mobile terminal: if they are the same, integrity verification passes, otherwise it fails.
  • Step S230: send the authentication result to the mobile terminal. The authentication server sends the message that authentication passed, or that it failed, to the mobile terminal through the application server.
  • FIG. 3 is a flowchart of the user authentication method according to the third embodiment of the present invention; this embodiment is executed on the CA center side, before user authentication.
  • Step S310: after the TF card is connected, obtain the user information of the legal user. The CA center connects to the TF card that will later be used in the mobile terminal and obtains the user information according to the legal user's operation: the user registers with the CA center as a legal user, inserts a separate TF card into the TF card interface provided by the CA center to connect the card to the CA center, and enters user information to log in to the CA center, which thereby obtains the legal user's user information.
  • Step S320: call the TF card to generate a key pair for the legal user inside the card. The CA center invokes the cryptographic module in the TF card, which generates the legal user's public key and private key directly inside the card; this protects the key pair.
  • Step S330: generate a personal digital certificate from the user information and the public key of the key pair. The CA center signs the user information and the public key with the CA center's private key and builds the personal digital certificate from the user information, the public key and that signature; the certificate also includes its validity period.
  • Step S340: store the personal digital certificate in the TF card and send it to the LDAP server. The TF card then holds both the personal digital certificate and the key pair. Inserting such a card into the interface of the mobile terminal lets the terminal obtain the personal digital certificate and the public key from the card and use the private key in it for user authentication.
  • Because the personal digital certificate and the key pair are written directly into the TF card, the security problems that transferring them over a communication channel would cause are avoided, and the private key stored in the TF card cannot be read out, forged or tampered with.
  • The CA center is highly secure and the personal digital certificate it generates cannot be forged, so validity verification of the personal digital certificate is reliable. Since the private key stored in the TF card is not readable, a login information signature produced with it cannot be imitated, so integrity verification of the login information is also reliable. The user authentication result of this embodiment is therefore highly secure.
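The enrollment, signing and verification steps of the first three embodiments, as an added example in Go that is not part of the patent and not ZTE's code. It models the TF card as a value whose private key is reachable only through Sign, the CA center together with the LDAP records (certificate A per user ID, revocation records) as one CA value, and the personal digital certificate as a struct with just the fields the text lists. The to-be-signed encoding, the login information encoding, RSA-PSS over SHA-256, and every name (TFCard, CA, AuthServer, Enroll, BuildLoginRequest, Authenticate) are choices made here, not taken from the patent; a real deployment would use X.509 rather than this ad-hoc certificate format. The closing time-skew check on the signed login time is likewise an addition: the text signs only terminal-chosen data (IP, MAC, time) and does not say how the server uses the time, so without such a check a captured request would verify for as long as the certificate is valid.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Certificate holds the fields the text lists: user info, public key, validity period, CA signature.
type Certificate struct{ UserID string; PubKey *rsa.PublicKey; NotAfter time.Time; CASig []byte }
// tbs is the to-be-signed encoding (constructed here; a real deployment would use X.509 DER).
func (c Certificate) tbs() []byte {
	return []byte(fmt.Sprintf("%s|%x|%d|%d", c.UserID, c.PubKey.N, c.PubKey.E, c.NotAfter.Unix()))
}

// RSA-PSS over SHA-256 is an assumption; the text names no algorithm. CA center and card share these.
func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// TFCard models the secure microSD: priv never leaves it, the terminal can only ask it to sign.
type TFCard struct{ priv *rsa.PrivateKey; Cert Certificate }

func (c *TFCard) Sign(msg []byte) ([]byte, error) { return sign(c.priv, msg) }

// CA is the CA center plus the LDAP records: certificate A per user ID and the revocation records.
type CA struct{ key *rsa.PrivateKey; Directory map[string]Certificate; Revoked map[string]bool }

func NewCA() (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	return &CA{key: key, Directory: map[string]Certificate{}, Revoked: map[string]bool{}}, err
}

// Enroll is embodiment 3: key pair made in the card, user ID plus public key signed by the CA center.
func (ca *CA) Enroll(card *TFCard, userID string) error {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // generated "inside" the card
	if err != nil {
		return err
	}
	cert := Certificate{UserID: userID, PubKey: &key.PublicKey, NotAfter: time.Now().Add(365 * 24 * time.Hour)}
	if cert.CASig, err = sign(ca.key, cert.tbs()); err != nil {
		return err
	}
	card.priv, card.Cert, ca.Directory[userID] = key, cert, cert // stored in card and published
	return nil
}

// LoginInfo is the IP, MAC and login time the text has the terminal sign; Bytes is a constructed encoding.
type LoginInfo struct{ IP, MAC string; Time time.Time }

func (l LoginInfo) Bytes() []byte {
	return []byte(l.IP + "|" + l.MAC + "|" + l.Time.UTC().Format(time.RFC3339))
}

// LoginRequest is the (certificate B, login info, signature) triple of S120; BuildLoginRequest is S110.
type LoginRequest struct{ Cert Certificate; Info LoginInfo; Sig []byte }

func BuildLoginRequest(card *TFCard, info LoginInfo) (LoginRequest, error) {
	sig, err := card.Sign(info.Bytes())
	return LoginRequest{Cert: card.Cert, Info: info, Sig: sig}, err
}

// AuthServer is embodiment 2; it reads the CA's records as it would query LDAP. Now lets a test move the clock.
type AuthServer struct{ CA *CA; MaxSkew time.Duration; Now func() time.Time }

// Authenticate: validity verification in the text's order (directory key match, CA signature, validity
// period, revocation), then integrity verification of the login signature, then the added skew check.
func (s *AuthServer) Authenticate(req LoginRequest) (string, error) {
	certB := req.Cert
	certA, ok := s.CA.Directory[certB.UserID]
	if !ok || certB.PubKey == nil || !certA.PubKey.Equal(certB.PubKey) {
		return "", errors.New("validity: public key does not match directory copy")
	}
	if !verify(&s.CA.key.PublicKey, certB.tbs(), certB.CASig) {
		return "", errors.New("validity: CA signature invalid")
	}
	if s.Now().After(certB.NotAfter) {
		return "", errors.New("validity: certificate expired")
	}
	if s.CA.Revoked[certB.UserID] {
		return "", errors.New("validity: certificate revoked")
	}
	if !verify(certB.PubKey, req.Info.Bytes(), req.Sig) {
		return "", errors.New("integrity: login info signature invalid")
	}
	if d := s.Now().Sub(req.Info.Time); d > s.MaxSkew || d < -s.MaxSkew {
		return "", errors.New("integrity: login time outside accepted window")
	}
	return certB.UserID, nil
}
```

The directory comparison comes first because it is the cheapest rejection and, as in the text, ties certificate B to the copy the CA center published; the CA signature check is what actually stops a self-made certificate carrying a legitimate user ID. The application server only relays the triple and the result, so it never needs the CA public key or the card.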
  • An application password can be set for an application service provided by the application server, and the service can be used only after the correct application password is entered. After the mobile terminal has been allowed to log in to the application server, it can therefore be subjected to further user authentication, namely verification of the application password.
  • FIG. 4 is a flowchart of the password verification steps on the authentication server side according to the fourth embodiment of the present invention.
  • Step S410: when the authentication result is a pass, generate an encryption key. The encryption key is used to encrypt the application password the user enters on the mobile terminal side; the corresponding decryption key is kept in the authentication server.
  • The application password corresponds to a legal user, who can use the application service provided by the application server only with the correct application password. The application server may set an initial application password so that the legal user can use the service for the first time, after which the legal user may set a new one. The application password is sent by the application server through the authentication server to the LDAP server, where it is stored together with the user information.
  • Step S420: encrypt the encryption key with the personal digital certificate, i.e. with the legal user's public key contained in the certificate.
  • Step S430: send the encrypted encryption key to the mobile terminal; the authentication server sends it through the application server.
  • Step S440: receive the application password sent by the mobile terminal, encrypted with the encryption key. The mobile terminal collects the application password entered by the user, decrypts the encryption key with the legal user's private key in the TF card, and encrypts the application password with the decrypted encryption key.
  • Step S450: decrypt the application password and perform password verification on it. The application password is decrypted with the decryption key corresponding to the encryption key. Having authenticated the user as in the second embodiment, the authentication server already holds the user information from the legal user's personal digital certificate; it looks up the application password stored in the LDAP server for that user information and checks whether the application password sent by the mobile terminal is the same. If so, password verification passes, otherwise it fails.
  • Step S460: send the password verification result to the mobile terminal. If password verification passes, the mobile terminal is allowed to use the application service corresponding to the application password, otherwise it is refused.
  • FIG. 5 is a flowchart of the password verification steps on the mobile terminal side according to the fourth embodiment of the present invention.
  • Step S510: receive the encryption key encrypted by the authentication server with the personal digital certificate; it arrives from the authentication server through the application server.
  • Step S520: decrypt the encryption key with the private key stored in the TF card. That private key corresponds to the public key in the personal digital certificate and can therefore decrypt the encryption key.
  • Step S530: encrypt the application password entered by the user with the decrypted encryption key. The user is prompted for the application password, which is collected as it is entered and encrypted with the decrypted encryption key.
  • Step S540: send the encrypted application password to the authentication server, through the application server, so that the authentication server performs password verification on it.
  • Step S550: receive the verification result fed back by the authentication server; if verification passes, use of the application service provided by the application server is allowed, otherwise the process ends.
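The application password phase of the fourth embodiment (steps S410 to S460 on the server and S510 to S550 on the terminal), as an added example in Go that is not the patent's or ZTE's code. It assumes RSA-OAEP for wrapping the per-login encryption key, AES-GCM for the password itself (so the "decryption key" of step S450 is the same symmetric key), and a key that the server consumes on first use. The text compares the submitted password with the copy stored on the LDAP server; this example instead stores a salted SHA-256 verifier and compares in constant time, a choice made here. The card here exposes only Decrypt; in the patent the same card key pair is also the signing key of the login phase. All names (TFCard, PasswordServer, IssueKey, SubmitPassword, VerifyPassword) and the OAEP label are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// oaepLabel binds the wrapped key to this use; an assumption, the text names no label.
var oaepLabel = []byte("application-password-key")

// TFCard models the secure microSD for this phase: the terminal can only ask it to decrypt.
type TFCard struct{ priv *rsa.PrivateKey }

// NewTFCard generates the key pair "inside" the card and hands out only the public key,
// which in the text is what the personal digital certificate carries.
func NewTFCard() (*TFCard, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &TFCard{priv: priv}, &priv.PublicKey, nil
}

// Decrypt is step S520: unwrap the encryption key with the private key that never leaves the card.
func (c *TFCard) Decrypt(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, c.priv, wrapped, oaepLabel)
}

// PasswordServer is the authentication server side. sessionKey is the encryption key of step
// S410; verifier stands in for the application password the text keeps on the LDAP server.
type PasswordServer struct {
	sessionKey []byte
	salt       []byte
	verifier   []byte // sha256(salt || password); a memory-hard KDF would be used in practice
}

func hashPassword(salt, pw []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}

func NewPasswordServer(password string) (*PasswordServer, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &PasswordServer{salt: salt, verifier: hashPassword(salt, []byte(password))}, nil
}

// IssueKey is steps S410 to S430: a fresh 256-bit key, wrapped under the user's public key.
func (s *PasswordServer) IssueKey(userPub *rsa.PublicKey) ([]byte, error) {
	s.sessionKey = make([]byte, 32)
	if _, err := rand.Read(s.sessionKey); err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, s.sessionKey, oaepLabel)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SubmitPassword is steps S510 to S540 on the terminal: unwrap the key inside the card, then
// send nonce || AES-GCM(password) to the authentication server.
func SubmitPassword(card *TFCard, wrappedKey []byte, password string) ([]byte, error) {
	key, err := card.Decrypt(wrappedKey)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(password), nil), nil
}

// VerifyPassword is steps S440 to S460. The key is consumed on first use, so a replayed or
// second submission is rejected until IssueKey has run again.
func (s *PasswordServer) VerifyPassword(msg []byte) (bool, error) {
	key := s.sessionKey
	s.sessionKey = nil
	aead, err := newGCM(key)
	if err != nil {
		return false, err
	}
	if len(msg) < aead.NonceSize() {
		return false, errors.New("message too short")
	}
	pw, err := aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
	if err != nil {
		return false, err // tampered ciphertext, or no key issued for this submission
	}
	return subtle.ConstantTimeCompare(hashPassword(s.salt, pw), s.verifier) == 1, nil
}
```

The application server relays the wrapped key and the ciphertext without being able to read either, which is the point of the exchange: only the card can unwrap the key and only the authentication server holds it on the other side. A GCM failure and a wrong password are reported differently on purpose, so that a transport problem is not logged as a failed password attempt.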
  • FIG. 6 is a schematic structural diagram of a user authentication system according to a fifth embodiment of the present invention.
  • The system includes a mobile terminal, an LDAP server, an authentication server, a CA center, and an application server.
  • The authentication server can perform validity verification of the personal digital certificate, integrity verification of the login information, verification of the correctness of the application password, and so on.
  • The LDAP server is configured to store the user information of legitimate users, their personal digital certificates, application passwords, the CA center's public key, and so on.
  • The CA center is configured to generate key pairs and to issue and maintain personal digital certificates for legitimate users.
  • The application server is configured to provide application services and can process the business data of legitimate users.
  • Before user authentication, the system performs the following steps:
  • Step 1: The user registers user information with the CA center and submits a personal digital certificate application.
  • The user information includes items such as a user name and a user ID. The user registers the user information and submits the personal digital certificate application at a CA center terminal.
  • Step 2: The CA center audits the user information. If the audit is approved, the user's personal digital certificate application is approved; otherwise, the application is rejected.
  • Step 3: After the CA center approves the personal digital certificate application, the user inserts the TF card into the interface of the CA center and logs in to the CA center with the user information; after logging in, the personal digital certificate and the key pair are obtained from the CA center, for example by clicking a Get button.
  • The CA center generates a personal digital certificate for the user and invokes the TF card to generate the key pair for the user. Since the key pair is generated in the TF card and is already stored there, the CA center only needs to store the user's personal digital certificate in the TF card.
  • The CA center also publishes the user's personal digital certificate to the LDAP server.
  • Step 1 (user authentication): The TF card storing the personal digital certificate and the key pair is inserted into the mobile terminal; when the mobile terminal attempts to log in to the application server, it sends a user authentication request carrying the personal digital certificate, the login information, and the login information signature to the application server.
  • Step 2: After receiving the user authentication request, the application server forwards it to the authentication server.
  • Step 3: The authentication server receives the user authentication request, obtains the user's personal digital certificate from the LDAP server, and performs validity verification on the personal digital certificate in the request; if the validity verification passes, it performs integrity verification on the login information using the login information signature. If the integrity verification also passes, the authentication passes; otherwise, the authentication fails and the authentication process ends.
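As an added example, not code from the patent, the following Go program models the enrolment and authentication procedure just described using only the standard library: the key pair is generated on the TF card, the CA center issues an X.509 personal digital certificate over the user name and public key and publishes it to a directory standing in for the LDAP server, the terminal signs the login information with the card's private key, and the authentication server checks the certificate (it must match the published one and chain to the CA) before checking the signature. The types TFCard and CACenter, the choice of RSA-PSS with SHA-256, and the sample login string are assumptions; the patent specifies none of them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// TFCard (hypothetical type) holds the key pair generated on the card; the private key never leaves it.
type TFCard struct {
	priv *rsa.PrivateKey
	Cert []byte // DER personal digital certificate written onto the card by the CA center
}

// CACenter issues certificates and publishes them; Directory stands in for the patent's LDAP server.
type CACenter struct {
	key       *rsa.PrivateKey
	cert      *x509.Certificate
	Directory map[string][]byte // user name -> published personal digital certificate (DER)
}

func NewCACenter() (*CACenter, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "CA center"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed root
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &CACenter{key: key, cert: cert, Directory: map[string][]byte{}}, nil
}

// Enroll is the CA-side procedure (steps 1-3): key pair generated "in the TF card", certificate issued over user info and public key, written to the card, published.
func (ca *CACenter) Enroll(user string) (*TFCard, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(int64(len(ca.Directory) + 2)),
		Subject: pkix.Name{CommonName: user}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &priv.PublicKey, ca.key)
	if err != nil { return nil, err }
	ca.Directory[user] = der
	return &TFCard{priv: priv, Cert: der}, nil
}

// SignLogin is the mobile-terminal side (S210-S230): the login information is signed inside the card.
func (c *TFCard) SignLogin(login []byte) ([]byte, error) {
	h := sha256.Sum256(login) // the salt length below is what x509.CheckSignature expects for RSA-PSS
	return rsa.SignPSS(rand.Reader, c.priv, crypto.SHA256, h[:], &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
}

// Authenticate is the authentication-server side: validity first (published certificate, chains to the CA), then integrity (signature).
func (ca *CACenter) Authenticate(user string, certDER, login, sig []byte) error {
	if string(ca.Directory[user]) != string(certDER) { return errors.New("certificate is not the one registered for this user") }
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return err }
	roots := x509.NewCertPool(); roots.AddCert(ca.cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil { return err }
	return cert.CheckSignature(x509.SHA256WithRSAPSS, login, sig) // nil error = authentication passed
}
```

Because the server compares the presented certificate with the copy it holds for the claimed user, a valid certificate issued to a different user fails before any signature is checked.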
  • The service provided by the application server has an associated application password. Before the user uses the service provided by the application server, password verification is also performed, as follows:
  • Step 1: After user authentication passes, the authentication server generates an encryption key and encrypts it using the personal digital certificate. The authentication server sends the encrypted encryption key to the mobile terminal through the application server.
  • Step 2: The mobile terminal receives the encryption key, prompts the user to input the application password, decrypts the encryption key with the private key in the TF card, encrypts the application password input by the user using the decrypted encryption key, and sends the encrypted application password to the application server, which forwards it to the authentication server for password verification.
  • Step 3: The authentication server receives the application password and decrypts it using the pre-generated decryption key. It obtains the application password corresponding to the user from the LDAP server, verifies the decrypted application password against that correct application password, and returns the verification result to the mobile terminal through the application server. If the verification passes, the user may use the business service provided by the application server; otherwise, the process ends.
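The password verification phase (steps 1 to 3 above and S510 to S550), as an added Go example that is not part of the patent: the "encryption key" is a random AES-256 key wrapped to the certificate's RSA public key with RSA-OAEP, the application password travels under AES-GCM so that modification in transit is detected, and the server compares in constant time. These cipher choices, the function names and the sample password are assumptions; the patent only names the steps.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
)

// Hypothetical construction: the patent fixes the steps, not the ciphers or message formats.
var oaepLabel = []byte("application-password-key") // binds the wrapped key to this purpose

// EncryptedPassword is what the mobile terminal returns through the application server.
type EncryptedPassword struct{ Nonce, Ciphertext []byte }

// IssueKey runs on the authentication server after user authentication passes (step 1): generate a
// fresh key, keep the plaintext as the "pre-generated decryption key", send the wrapped copy down.
func IssueKey(certPub *rsa.PublicKey) (serverKey, wrapped []byte, err error) {
	serverKey = make([]byte, 32)
	if _, err = rand.Read(serverKey); err != nil { return nil, nil, err }
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, certPub, serverKey, oaepLabel)
	return serverKey, wrapped, err
}

// EncryptPassword runs on the mobile terminal (step 2, S520-S530): unwrap the key with the card's
// private key, then encrypt the password the user typed. Only the card can unwrap, so only the
// legitimate card holder can produce a ciphertext the server will accept.
func EncryptPassword(cardPriv *rsa.PrivateKey, wrapped, password []byte) (EncryptedPassword, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, cardPriv, wrapped, oaepLabel)
	if err != nil { return EncryptedPassword{}, err }
	aead, err := newGCM(key)
	if err != nil { return EncryptedPassword{}, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return EncryptedPassword{}, err }
	return EncryptedPassword{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, password, nil)}, nil
}

// VerifyPassword runs on the authentication server (step 3): decrypt with the retained key and compare,
// in constant time, against the application password registered for the user in the directory (the
// patent's LDAP server). A real deployment would store a salted password hash there, not the password.
func VerifyPassword(serverKey []byte, ep EncryptedPassword, registered []byte) (bool, error) {
	aead, err := newGCM(serverKey)
	if err != nil { return false, err }
	pw, err := aead.Open(nil, ep.Nonce, ep.Ciphertext, nil)
	if err != nil { return false, err } // wrong key or modified ciphertext: the GCM tag check fails
	return subtle.ConstantTimeCompare(pw, registered) == 1, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
```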
  • FIG. 7 is a structural diagram of a user authentication apparatus according to a sixth embodiment of the present invention.
  • The apparatus is located in the mobile terminal and can act as a client on the mobile terminal.
  • The apparatus disposed in the mobile terminal includes:
  • an obtaining module 710, configured to obtain the login information and the personal digital certificate stored in the TF card when attempting to log in to the application server;
  • a signing module 720, configured to sign the login information with the private key stored in the TF card to obtain the login information signature;
  • a first sending module 730, configured to send the personal digital certificate, the login information, and the login information signature to the authentication server, so that the authentication server performs user authentication using the personal digital certificate, the login information, and the login information signature;
  • a first receiving module 740, configured to receive the authentication result fed back by the authentication server; if the authentication passes, login to the application server is allowed, otherwise the process ends.
  • The apparatus provided in the mobile terminal further includes a first encryption and decryption module (not shown).
  • The first receiving module 740 is further configured to receive, after the authentication passes, an encryption key that the authentication server has encrypted using the personal digital certificate.
  • The first encryption and decryption module is configured to decrypt the encryption key using the private key stored in the TF card, and to encrypt the application password input by the user using the decrypted encryption key.
  • The first sending module 730 is further configured to send the encrypted application password to the authentication server, so that the authentication server performs password verification on it.
  • The first receiving module 740 is further configured to receive the verification result fed back by the authentication server; if the verification passes, use of the application service provided by the application server is allowed.
  • FIG. 8 is a structural diagram of a user authentication apparatus according to a seventh embodiment of the present invention.
  • The apparatus is located in the authentication server.
  • The apparatus disposed in the authentication server includes:
  • a second receiving module 810, configured to receive a personal digital certificate, login information, and a login information signature from the mobile terminal, where the personal digital certificate is obtained by the mobile terminal from the TF card, and the login information signature is obtained by the mobile terminal by signing the login information with the private key stored in the TF card;
  • an authentication module 820, configured to perform user authentication of the mobile terminal based on the personal digital certificate, the login information, and the login information signature;
  • a second sending module 830, configured to send the authentication result to the mobile terminal.
  • The apparatus provided in the authentication server further includes a first generation module (not shown) and a second encryption and decryption module (not shown).
  • The first generation module is configured to generate an encryption key if the authentication result is a pass.
  • The second encryption and decryption module is configured to encrypt the encryption key using the personal digital certificate.
  • The second sending module 830 is further configured to send the encrypted encryption key to the mobile terminal.
  • The second receiving module 810 is further configured to receive, after the encrypted encryption key has been sent to the mobile terminal, an application password sent by the mobile terminal and encrypted using the encryption key.
  • The second encryption and decryption module is further configured to decrypt the application password and then perform password verification on it.
  • The second sending module 830 is further configured to send the password verification result to the mobile terminal.
  • FIG. 9 is a structural diagram of a user authentication apparatus according to an eighth embodiment of the present invention.
  • The apparatus is located on the CA center side.
  • The apparatus disposed in the CA center includes:
  • a connection module 910, configured to obtain the user information of a legitimate user after the TF card is connected;
  • a calling module 920, configured to invoke the TF card to generate a key pair in the TF card for the legitimate user, the key pair including a public key and a private key;
  • a second generation module 930, configured to generate a personal digital certificate from the user information and the public key of the key pair;
  • a storage module 940, configured to store the personal digital certificate in the TF card, so that the mobile terminal acquires the personal digital certificate and the key pair (public key and private key) from the TF card inserted into its interface for user authentication.
  • In the embodiments of the present invention, the key pair (public key and private key) and the personal digital certificate of a legitimate user are stored in a separate TF card by the CA center, and the TF card is then inserted into the mobile terminal to perform user authentication.
  • User authentication is performed on the authentication server side based on the personal digital certificate in the TF card that has been inserted into the mobile terminal.
  • The invention thus avoids the low security of static-password user authentication, and the private key stored in the TF card cannot be obtained, counterfeited, or tampered with.

Abstract

The present invention relates to a user authentication method and apparatus. On the mobile terminal side, the method comprises: when attempting to log in to an application server, sending login information, a login information signature and a personal digital certificate stored on a TF card to an authentication server; and receiving an authentication result returned by the authentication server. On the authentication server side, the method comprises: performing user authentication on the basis of a personal digital certificate, login information and a login information signature from a mobile terminal; and sending an authentication result to the mobile terminal. On the CA center side, the method comprises: after connecting to a TF card, acquiring user information of a legitimate user; invoking the TF card to generate a key pair on the TF card for the legitimate user; generating a personal digital certificate from the user information and a public key of the key pair; and storing the personal digital certificate on the TF card. The present invention can avoid the low security of static-password user authentication, and a private key stored on a TF card cannot be acquired, counterfeited or tampered with, and is highly secure.
PCT/CN2016/075243 2015-08-21 2016-03-01 Method and apparatus for user authentication WO2016177052A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510519150.8A CN106470201A (zh) 2015-08-21 2015-08-21 A user authentication method and apparatus
CN201510519150.8 2015-08-21

Publications (1)

Publication Number Publication Date
WO2016177052A1 true WO2016177052A1 (fr) 2016-11-10

Family

ID=57217364

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/075243 WO2016177052A1 (fr) 2015-08-21 2016-03-01 Method and apparatus for user authentication

Country Status (2)

Country Link
CN (1) CN106470201A (fr)
WO (1) WO2016177052A1 (fr)

Also Published As

Publication number Publication date
CN106470201A (zh) 2017-03-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 16789046; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 16789046; Country of ref document: EP; Kind code of ref document: A1